diff --git a/Makefile b/Makefile index ec7b5cba8..2431fcd29 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule SEMOD_PKG ?= $(tc_usrbindir)/semodule_package SEMOD_LNK ?= $(tc_usrbindir)/semodule_link SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand +SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen LOADPOLICY ?= $(tc_usrsbindir)/load_policy SETFILES ?= $(tc_sbindir)/setfiles XMLLINT ?= $(BINDIR)/xmllint @@ -250,7 +251,7 @@ seusers := $(appconf)/seusers appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names) +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts snapperd_contexts) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) @@ -365,7 +366,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ $(verbose) cat $@.in >> $@ - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ @@ -609,15 +610,17 @@ resetlabels: # Clean everything # bare: clean - rm -f $(polxml) - rm -f $(layerxml) - rm -f $(modxml) - rm -f $(tunxml) - rm -f $(boolxml) - rm -f $(mod_conf) - rm -f $(booleans) - rm -fR $(htmldir) - rm -f $(tags) + echo "hehe kde jsem asi tak" + pwd + #rm -f $(polxml) + #rm -f $(layerxml) + #rm -f $(modxml) + #rm -f $(tunxml) + #rm -f $(boolxml) + #rm -f $(mod_conf) + #rm -f $(booleans) + #rm -fR $(htmldir) + #rm -f $(tags) # don't remove these files if we're given a local root ifndef LOCAL_ROOT rm -f $(fcsort) diff --git a/Rules.modular b/Rules.modular index 313d8375b..1e92c7d5d 100644 --- a/Rules.modular +++ b/Rules.modular @@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp # Build module packages # $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" + @echo "Compiling $(NAME) $(@F) module" @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ @@ -168,6 +168,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true ######################################## # @@ -201,6 +203,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin + $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output @echo "Success." ######################################## diff --git a/Rules.monolithic b/Rules.monolithic index 808a5398a..77f71cd95 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -155,6 +155,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true ######################################## # diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts index 881a292e3..80110a432 100644 --- a/config/appconfig-mcs/staff_u_default_contexts +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:crond_t:s0 staff_r:staff_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts new file mode 100644 index 000000000..b8fda9543 --- /dev/null +++ b/config/appconfig-mcs/sysadm_u_default_contexts @@ -0,0 +1,12 @@ +system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 +system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 +system_r:crond_t:s0 sysadm_r:sysadm_t:s0 +system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts new file mode 100644 index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-mcs/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts index cacbc939f..4f59f9401 100644 --- a/config/appconfig-mcs/user_u_default_contexts +++ b/config/appconfig-mcs/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 user_r:user_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context index d387b428b..150f281d1 100644 --- a/config/appconfig-mcs/virtual_domain_context +++ b/config/appconfig-mcs/virtual_domain_context @@ -1 +1,2 @@ system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts index 881a292e3..80110a432 100644 --- a/config/appconfig-mls/staff_u_default_contexts +++ b/config/appconfig-mls/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:crond_t:s0 staff_r:staff_t:s0 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff --git a/config/appconfig-mls/systemd_contexts b/config/appconfig-mls/systemd_contexts new file mode 100644 index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-mls/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts index cacbc939f..4f59f9401 100644 --- a/config/appconfig-mls/user_u_default_contexts +++ b/config/appconfig-mls/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 system_r:sshd_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 user_r:user_t:s0 system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts index c2a5ea871..f63999e77 100644 --- a/config/appconfig-standard/staff_u_default_contexts +++ b/config/appconfig-standard/staff_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t system_r:remote_login_t staff_r:staff_t system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t -system_r:crond_t staff_r:cronjob_t +system_r:crond_t staff_r:staff_t system_r:xdm_t staff_r:staff_t staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts new file mode 100644 index 000000000..b8fda9543 --- /dev/null +++ b/config/appconfig-standard/sysadm_u_default_contexts @@ -0,0 +1,12 @@ +system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 +system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 +system_r:crond_t:s0 sysadm_r:sysadm_t:s0 +system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts new file mode 100644 index 000000000..ff32accd1 --- /dev/null +++ b/config/appconfig-standard/systemd_contexts @@ -0,0 +1 @@ +runtime=system_u:object_r:systemd_runtime_unit_file_t:s0 diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts index f5bfac34a..639555b9a 100644 --- a/config/appconfig-standard/user_u_default_contexts +++ b/config/appconfig-standard/user_u_default_contexts @@ -1,7 +1,7 @@ system_r:local_login_t user_r:user_t system_r:remote_login_t user_r:user_t system_r:sshd_t user_r:user_t -system_r:crond_t user_r:cronjob_t +system_r:crond_t user_r:user_t system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context index c049e104b..150f281d1 100644 --- a/config/appconfig-standard/virtual_domain_context +++ b/config/appconfig-standard/virtual_domain_context @@ -1 +1,2 @@ -system_u:system_r:svirt_t +system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 deleted file mode 100644 index 5bebd82d4..000000000 --- a/man/man8/ftpd_selinux.8 +++ /dev/null @@ -1,65 +0,0 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" -.SH "NAME" -.PP -ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. -.SH "DESCRIPTION" -.PP -Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. -.SH FILE_CONTEXTS -.PP -SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. -.TP -Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. -.PP -.B -semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" -.TP -.B -restorecon -F -R -v /var/ftp -.TP -Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. -.PP -.B -semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" -.TP -.B -restorecon -F -R -v /var/ftp/incoming - -.SH BOOLEANS -.PP -SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. -.TP -Allow ftp servers to read and write files with the public_content_rw_t file type. -.PP -.B -setsebool -P allow_ftpd_anon_write on -.TP -Allow ftp servers to read or write files in the user home directories. -.PP -.B -setsebool -P ftp_home_dir on -.TP -Allow ftp servers to read or write all files on the system. -.PP -.B -setsebool -P allow_ftpd_full_access on -.TP -Allow ftp servers to use cifs for public file transfer services. -.PP -.B -setsebool -P allow_ftpd_use_cifs on -.TP -Allow ftp servers to use nfs for public file transfer services. -.PP -.B -setsebool -P allow_ftpd_use_nfs on -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -.PP -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -.PP - -selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 deleted file mode 100644 index e9c43b190..000000000 --- a/man/man8/git_selinux.8 +++ /dev/null @@ -1,109 +0,0 @@ -.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" -.de EX -.nf -.ft CW -.. -.de EE -.ft R -.fi -.. -.SH "NAME" -git_selinux \- Security Enhanced Linux Policy for the Git daemon. -.SH "DESCRIPTION" -Security-Enhanced Linux secures the Git server via flexible mandatory access -control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. -Policy governs the access daemons have to these files. -SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. -.PP -The following file contexts types are by default defined for Git: -.EX -git_system_content_t -.EE -- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. -.EX -git_session_content_t -.EE -- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. -.SH BOOLEANS -SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. -.PP -Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. -.EX -sudo setsebool -P git_system_enable_homedirs 1 -.EE -.PP -Allow the Git system daemon to read system shared repositories on NFS shares. -.EX -sudo setsebool -P git_system_use_nfs 1 -.EE -.PP -Allow the Git system daemon to read system shared repositories on Samba shares. -.EX -sudo setsebool -P git_system_use_cifs 1 -.EE -.PP -Allow the Git session daemon to read users personal repositories on NFS mounted home directories. -.EX -sudo setsebool -P use_nfs_home_dirs 1 -.EE -.PP -Allow the Git session daemon to read users personal repositories on Samba mounted home directories. -.EX -sudo setsebool -P use_samba_home_dirs 1 -.EE -.PP -To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories. -.EX -sudo setsebool -P git_system_enable_homedirs 1 -.EE -.PP -To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports. -.EX -sudo setsebool -P git_session_bind_all_unreserved_ports 1 -.EE -.SH GIT_SHELL -The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t). -.PP -To add a new Linux user and map him to this Git shell user domain automatically: -.EX -sudo useradd -Z git_shell_u joe -.EE -.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS -Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content. -.PP -To add a new Git system repository type, for example "project1" create a file named project1.te and add to it: -.EX -policy_module(project1, 1.0.0) -git_content_template(project1) -.EE -Next create a file named project1.fc and add a file context specification for the new repository type to it: -.EX -/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0) -.EE -Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository: -.EX -make -f /usr/share/selinux/devel/Makefile project.pp -sudo semodule -i project1.pp -sudo restorecon -R -v /srv/git/project1 -.EE -To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following: -.EX -policy_module(project1user, 1.0.0) -git_role_template(project1user) -git_content_delegation(project1user_t, git_project1_content_t) -gen_user(project1user_u, user, project1user_r, s0, s0) -.EE -Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user: -.EX -make -f /usr/share/selinux/devel/Makefile project1user.pp -sudo semodule -i project1user.pp -sudo useradd -Z project1user_u jane -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dominick Grift . -.SH "SEE ALSO" -selinux(8), git(8), chcon(1), semodule(8), setsebool(8) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 deleted file mode 100644 index 16e8b1323..000000000 --- a/man/man8/httpd_selinux.8 +++ /dev/null @@ -1,120 +0,0 @@ -.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" -.de EX -.nf -.ft CW -.. -.de EE -.ft R -.fi -.. -.SH "NAME" -httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the httpd server via flexible mandatory access -control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. -Policy governs the access daemons have to these files. -SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. -.PP -The following file contexts types are defined for httpd: -.EX -httpd_sys_content_t -.EE -- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. -.EX -httpd_sys_script_exec_t -.EE -- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. -.EX -httpd_sys_content_rw_t -.EE -- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. -.EX -httpd_sys_content_ra_t -.EE -- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. -.EX -httpd_unconfined_script_exec_t -.EE -- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. - -.SH NOTE -With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. - -.SH SHARING FILES -If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: - -.EX -setsebool -P allow_httpd_anon_write=1 -.EE - -or - -.EX -setsebool -P allow_httpd_sys_script_anon_write=1 -.EE - -.SH BOOLEANS -SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -.PP -httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this - -.EX -setsebool -P httpd_enable_cgi 1 -.EE - -.PP -SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. - -.EX -setsebool -P httpd_enable_homedirs 1 -chcon -R -t httpd_sys_content_t ~user/public_html -.EE - -.PP -SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. - -.EX -setsebool -P httpd_tty_comm 1 -.EE - -.PP -httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. - -.EX -setsebool -P httpd_unified 0 -.EE - -.PP -SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. - -.EX -setsebool -P httpd_can_sendmail 1 -.PP -httpd can be configured to turn off internal scripting (PHP). PHP and other -loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. - -.EX -setsebool -P httpd_builtin_scripting 0 -.EE - -.PP -SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. -This would prevent a hacker from breaking into you httpd server and attacking -other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. - -.EX -setsebool -P httpd_can_network_connect 1 -.EE - -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), httpd(8), chcon(1), setsebool(8) - - diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 deleted file mode 100644 index a8f81c8e7..000000000 --- a/man/man8/kerberos_selinux.8 +++ /dev/null @@ -1,28 +0,0 @@ -.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" -.de EX -.nf -.ft CW -.. -.de EE -.ft R -.fi -.. -.SH "NAME" -kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the system via flexible mandatory access -control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. -.SH BOOLEANS -.PP -You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. -.EX -setsebool -P allow_kerberos 1 -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), kerberos(1), chcon(1), setsebool(8) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 deleted file mode 100644 index fce0b4815..000000000 --- a/man/man8/named_selinux.8 +++ /dev/null @@ -1,30 +0,0 @@ -.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" -.de EX -.nf -.ft CW -.. -.de EE -.ft R -.fi -.. -.SH "NAME" -named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the named server via flexible mandatory access -control. -.SH BOOLEANS -SELinux policy is customizable based on least access required. So by -default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. -.EX -setsebool -P named_write_master_zones 1 -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), named(8), chcon(1), setsebool(8) - - diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 deleted file mode 100644 index 8e30c4c65..000000000 --- a/man/man8/nfs_selinux.8 +++ /dev/null @@ -1,31 +0,0 @@ -.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation" -.SH "NAME" -nfs_selinux \- Security Enhanced Linux Policy for NFS -.SH "DESCRIPTION" - -Security Enhanced Linux secures the NFS server via flexible mandatory access -control. -.SH BOOLEANS -SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: - -.TP -setsebool -P nfs_export_all_ro 1 -.TP -If you want to share files read/write you must set the nfs_export_all_rw boolean. -.TP -setsebool -P nfs_export_all_rw 1 - -.TP -These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. - -.TP -If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean: -.TP -setsebool -P use_nfs_home_dirs 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), chcon(1), setsebool(8) diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8 deleted file mode 100644 index 6271c951f..000000000 --- a/man/man8/nis_selinux.8 +++ /dev/null @@ -1 +0,0 @@ -.so man8/ypbind_selinux.8 diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 deleted file mode 100644 index ad9ccf5cd..000000000 --- a/man/man8/rsync_selinux.8 +++ /dev/null @@ -1,52 +0,0 @@ -.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" -.de EX -.nf -.ft CW -.. -.de EE -.ft R -.fi -.. -.SH "NAME" -rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the rsync server via flexible mandatory access -control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. -Policy governs the access daemons have to these files. -If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you -would need to label the directory with the chcon tool. -.TP -chcon -t public_content_t /var/rsync -.TP -.TP -To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: -.TP -semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" -.TP -This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: -.TP -/var/rsync(/.*)? system_u:object_r:publix_content_t:s0 -.TP -Run the restorecon command to apply the changes: -.TP -restorecon -R -v /var/rsync/ -.EE - -.SH SHARING FILES -If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute: - -.EX -setsebool -P allow_rsync_anon_write=1 -.EE - -.SH BOOLEANS -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 deleted file mode 100644 index ca702c799..000000000 --- a/man/man8/samba_selinux.8 +++ /dev/null @@ -1,56 +0,0 @@ -.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" -.SH "NAME" -samba_selinux \- Security Enhanced Linux Policy for Samba -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the Samba server via flexible mandatory access -control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. -Policy governs the access daemons have to these files. -If you want to share files other than home directories, those files must be -labeled samba_share_t. So if you created a special directory /var/eng, you -would need to label the directory with the chcon tool. -.TP -chcon -t samba_share_t /var/eng -.TP -To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: -.TP -semanage fcontext -a -t samba_share_t "/var/eng(/.*)?" -.TP -This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: -.TP -/var/eng(/.*)? system_u:object_r:samba_share_t:s0 -.TP -Run the restorecon command to apply the changes: -.TP -restorecon -R -v /var/eng/ - -.SH SHARING FILES -If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: - -setsebool -P allow_smbd_anon_write=1 - -.SH BOOLEANS -.br -SELinux policy is customizable based on least access required. So by -default SELinux policy turns off SELinux sharing of home directories and -the use of Samba shares from a remote machine as a home directory. -.TP -If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. -.br - -setsebool -P samba_enable_home_dirs 1 -.TP -If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean. -.br - -setsebool -P use_samba_home_dirs 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. - -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), samba(7), chcon(1), setsebool(8), semanage(8) diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 deleted file mode 100644 index 5061a5f04..000000000 --- a/man/man8/ypbind_selinux.8 +++ /dev/null @@ -1,19 +0,0 @@ -.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" -.SH "NAME" -ypbind_selinux \- Security Enhanced Linux Policy for NIS. -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the system via flexible mandatory access -control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. -.SH BOOLEANS -.TP -You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. -.TP -setsebool -P allow_ypbind 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" -selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/policy/constraints b/policy/constraints index 3a45f236b..225034c75 100644 --- a/policy/constraints +++ b/policy/constraints @@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } or ( t1 == process_uncond_exempt ) ); +constrain process dyntransition +( + u1 == u2 + or ( t1 == can_change_process_identity and t2 == process_user_target ) +); + +constrain process dyntransition +( + r1 == r2 + or ( t1 == can_change_process_identity and t2 == process_user_target ) +); + # These permissions do not have ubac constraints: # fork # setexec @@ -130,6 +142,7 @@ exempted_ubac_constraint(fd, ubacfd) exempted_ubac_constraint(socket, ubacsock) exempted_ubac_constraint(tcp_socket, ubacsock) +exempted_ubac_constraint(sctp_socket, ubacsock) exempted_ubac_constraint(udp_socket, ubacsock) exempted_ubac_constraint(rawip_socket, ubacsock) exempted_ubac_constraint(netlink_socket, ubacsock) @@ -150,6 +163,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) exempted_ubac_constraint(appletalk_socket, ubacsock) exempted_ubac_constraint(dccp_socket, ubacsock) exempted_ubac_constraint(tun_socket, ubacsock) +exempted_ubac_constraint(netlink_iscsi_socket, ubacsock) +exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock) +exempted_ubac_constraint(netlink_connector_socket, ubacsock) +exempted_ubac_constraint(netlink_netfilter_socket, ubacsock) +exempted_ubac_constraint(netlink_generic_socket, ubacsock) +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock) +exempted_ubac_constraint(netlink_rdma_socket, ubacsock) +exempted_ubac_constraint(netlink_crypto_socket, ubacsock) constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index a94b16980..e16707c3f 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -20,6 +20,7 @@ common file relabelfrom relabelto append + map unlink link rename @@ -47,6 +48,7 @@ common socket relabelfrom relabelto append + map # socket-specific bind connect @@ -120,6 +122,60 @@ common x_device destroy } +# +# Define a common for capability access vectors. +# +common cap +{ + # The capabilities are defined in include/linux/capability.h + # Capabilities >= 32 are defined in the cap2 common. + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} + +common cap2 +{ + mac_override # unused by SELinux + mac_admin # unused by SELinux + syslog + wake_alarm + block_suspend + audit_read +} + # # Define the access vectors. # @@ -329,8 +385,14 @@ class process execheap setkeycreate setsockcreate + ptrace_child } +class process2 +{ + nnp_transition + nosuid_transition +} # # Define the access vector interpretation for ipc-related objects @@ -379,6 +441,7 @@ class security setsecparam setcheckreqprot read_policy + validate_trans } @@ -393,62 +456,30 @@ class system syslog_mod syslog_console module_request + module_load + halt + reboot + status + undefined + enable + disable + reload + kill } # -# Define the access vector interpretation for controling capabilies +# Define the access vector interpretation for controlling capabilities # class capability -{ - # The capabilities are defined in include/linux/capability.h - # Capabilities >= 32 are defined in the capability2 class. - # Care should be taken to ensure that these are consistent with - # those definitions. (Order matters) - - chown - dac_override - dac_read_search - fowner - fsetid - kill - setgid - setuid - setpcap - linux_immutable - net_bind_service - net_broadcast - net_admin - net_raw - ipc_lock - ipc_owner - sys_module - sys_rawio - sys_chroot - sys_ptrace - sys_pacct - sys_admin - sys_boot - sys_nice - sys_resource - sys_time - sys_tty_config - mknod - lease - audit_write - audit_control - setfcap -} +inherits cap -class capability2 +class capability2 +inherits cap2 { - mac_override # unused by SELinux - mac_admin # unused by SELinux - syslog - wake_alarm - block_suspend + epolwakeup + compromise_kernel } - # # Define the access vector interpretation for controlling # changes to passwd information. @@ -690,6 +721,8 @@ class nscd shmemhost getserv shmemserv + getnetgrp + shmemnetgrp } # Define the access vector interpretation for controlling @@ -831,6 +864,38 @@ inherits socket attach_queue } +class binder +{ + impersonate + call + set_context_mgr + transfer +} + +class netlink_iscsi_socket +inherits socket + +class netlink_fib_lookup_socket +inherits socket + +class netlink_connector_socket +inherits socket + +class netlink_netfilter_socket +inherits socket + +class netlink_generic_socket +inherits socket + +class netlink_scsitransport_socket +inherits socket + +class netlink_rdma_socket +inherits socket + +class netlink_crypto_socket +inherits socket + class x_pointer inherits x_device @@ -859,9 +924,166 @@ inherits database set_value } +class infiniband_pkey +{ + access +} + +class infiniband_endport +{ + manage_subnet +} + class db_language inherits database { implement execute } + +class service +{ + start + stop + status + reload + enable + disable + kill + load +} + +class proxy +{ + read +} + +# +# Define the access vector interpretation for controlling capabilities +# in user namespaces +# +class cap_userns +inherits cap + +class cap2_userns +inherits cap2 + +# +# Define the access vector interpretation for the new socket classes +# enabled by the extended_socket_class policy capability. +# + +# +# The next two classes were previously mapped to rawip_socket and therefore +# have the same definition as rawip_socket (until further permissions +# are defined). +# +class sctp_socket +inherits socket +{ + node_bind + name_connect + association +} + +class icmp_socket +inherits socket +{ + node_bind +} + +# +# The remaining network socket classes were previously +# mapped to the socket class and therefore have the +# same definition as socket. +# + +class ax25_socket +inherits socket + +class ipx_socket +inherits socket + +class netrom_socket +inherits socket + +class bridge_socket +inherits socket + +class atmpvc_socket +inherits socket + +class x25_socket +inherits socket + +class rose_socket +inherits socket + +class decnet_socket +inherits socket + +class atmsvc_socket +inherits socket + +class rds_socket +inherits socket + +class irda_socket +inherits socket + +class pppox_socket +inherits socket + +class llc_socket +inherits socket + +class ib_socket +inherits socket + +class mpls_socket +inherits socket + +class can_socket +inherits socket + +class tipc_socket +inherits socket + +class bluetooth_socket +inherits socket + +class iucv_socket +inherits socket + +class rxrpc_socket +inherits socket + +class isdn_socket +inherits socket + +class phonet_socket +inherits socket + +class ieee802154_socket +inherits socket + +class caif_socket +inherits socket + +class alg_socket +inherits socket + +class nfc_socket +inherits socket + +class vsock_socket +inherits socket + +class kcm_socket +inherits socket + +class qipcrtr_socket +inherits socket + +class smc_socket +inherits socket diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 14a479911..0e057ded1 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,14 +121,79 @@ class kernel_service class tun_socket +class binder + +# Updated netlink classes for more recent netlink protocols. +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket + # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace +# Infiniband +class infiniband_pkey +class infiniband_endport + # More Database stuff class db_schema # userspace class db_view # userspace class db_sequence # userspace class db_language # userspace +# systemd services +class service + +# gssd services +class proxy + + +# Capability checks when on a non-init user namespace +class cap_userns +class cap2_userns + +class process2 + +# New socket classes introduced by extended_socket_class policy capability. +# These two were previously mapped to rawip_socket. +class sctp_socket +class icmp_socket +# These were previously mapped to socket. +class ax25_socket +class ipx_socket +class netrom_socket +class bridge_socket +class atmpvc_socket +class x25_socket +class rose_socket +class decnet_socket +class atmsvc_socket +class rds_socket +class irda_socket +class pppox_socket +class llc_socket +class ib_socket +class mpls_socket +class can_socket +class tipc_socket +class bluetooth_socket +class iucv_socket +class rxrpc_socket +class isdn_socket +class phonet_socket +class ieee802154_socket +class caif_socket +class alg_socket +class nfc_socket +class vsock_socket +class kcm_socket +class qipcrtr_socket +class smc_socket + # FLASK diff --git a/policy/global_booleans b/policy/global_booleans index 66e85ea54..d02654d7f 100644 --- a/policy/global_booleans +++ b/policy/global_booleans @@ -6,7 +6,7 @@ ## ##

-## Enabling secure mode disallows programs, such as +## disallow programs, such as ## newrole, from transitioning to administrative ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables index 4705ab618..b82865c43 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -4,54 +4,61 @@ # file should be used. # +## +##

+## Deny any process from ptracing or debugging any other processes. +##

+##
+gen_tunable(deny_ptrace, false) + ## ##

## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
-gen_tunable(allow_execheap,false) +gen_tunable(selinuxuser_execheap,false) ## ##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla ##

##
-gen_tunable(allow_execmem,false) +gen_tunable(deny_execmem,false) ## ##

-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t ##

##
-gen_tunable(allow_execmod,false) +gen_tunable(selinuxuser_execmod,false) ## ##

-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
-gen_tunable(allow_execstack,false) +gen_tunable(selinuxuser_execstack,false) ## ##

## Enable polyinstantiated directory support. ##

##
-gen_tunable(allow_polyinstantiation,false) +gen_tunable(polyinstantiation_enabled,false) ## ##

## Allow system to run with NIS ##

##
-gen_tunable(allow_ypbind,false) +gen_tunable(nis_enabled,false) ## ##

## Allow logging in and using the system from /dev/console. ##

##
-gen_tunable(console_login,true) +gen_tunable(login_console_enabled,true) ## ##

@@ -66,15 +73,6 @@ gen_tunable(console_login,true) ## gen_tunable(global_ssp,false) -## -##

-## Allow email client to various content. -## nfs, samba, removable devices, and user temp -## files -##

-##
-gen_tunable(mail_read_content,false) - ## ##

## Allow any files/directories to be exported read/write via NFS. @@ -103,6 +101,20 @@ gen_tunable(use_nfs_home_dirs,false) ## gen_tunable(use_samba_home_dirs,false) +## +##

+## Support ecryptfs home directories +##

+##
+gen_tunable(use_ecryptfs_home_dirs,false) + +## +##

+## Support fusefs home directories +##

+##
+gen_tunable(use_fusefs_home_dirs,false) + ## ##

## Allow users to run TCP servers (bind to ports and accept connection from @@ -110,4 +122,20 @@ gen_tunable(use_samba_home_dirs,false) ## and may change other protocols. ##

##
-gen_tunable(user_tcp_server,false) +gen_tunable(selinuxuser_tcp_server,false) + +## +##

+## Allow users to run UDP servers (bind to ports and accept connection from +## the same domain and outside users) disabling this may break avahi +## discovering services on the network and other udp related services. +##

+##
+gen_tunable(selinuxuser_udp_server,false) + +## +##

+## Allow the mount commands to mount any directory or file. +##

+##
+gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs index 216b3d125..ba9e2ee16 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ ifdef(`enable_mcs',` +default_range dir_file_class_set target low; + # # Define sensitivities # @@ -69,58 +71,61 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain fifo_file { open } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and ( t2 == domain ))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain key { create link read search setattr view write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or + ( t1 != mcs_constrained_type )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain { file lnk_file fifo_file } { create relabelto } + (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # @@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); +mlsconstrain context contains + (( h1 dom h2 ) and ( l1 domby l2)); + # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); @@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network node which is acting as the object +mlsconstrain { node } { recvfrom sendto } + (( l1 dom l2 ) or (t1 != mcs_constrained_type)); + +mlsconstrain { packet peer } { recv } + (( l1 dom l2 ) or + ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type))); + +# the netif ingress/egress ops, the ingress permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network interface which is acting as the object +mlsconstrain { netif } { egress ingress } + (( l1 dom l2 ) or (t1 != mcs_constrained_type)); + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls index f11e5e2b7..c862bbe89 100644 --- a/policy/mls +++ b/policy/mls @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } # new file labels must be dominated by the relabeling subjects clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto - ( h1 dom h2 ); + (( h1 dom h2 ) or + (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfilewrite )); # the file "read" ops (note the check is dominance of the low level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } @@ -156,21 +158,18 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # these access vectors have no MLS restrictions # filesystem { transition associate } - - - # # MLS policy for the socket classes # # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto ( h1 dom h2 ); # the socket "read+write" ops # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), # require equal levels for unprivileged subjects, or read *and* write overrides) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect } (( l1 eq l2 ) or (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )) and @@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s # the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg } (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -191,14 +190,15 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock ( t1 == mlsnetread )); # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown } (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); + ( t1 == mlsnetwrite ) or + ( t2 == mlstrustedobject )); # used by netlabel to restrict normal domains to same level connections -mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom (( l1 eq l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -219,13 +219,13 @@ mlsconstrain unix_dgram_socket sendto ( t2 == mlstrustedobject )); # these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind } # -# { tcp_socket udp_socket rawip_socket } node_bind +# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind # -# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } +# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom } # -# tcp_socket name_connect +# { tcp_socket sctp_socket } name_connect # # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write # @@ -252,6 +252,11 @@ mlsconstrain msg receive (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsipcread )); +mlsconstrain key { create link read search setattr view write } + (( l1 eq l2 ) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsprocwrite )); + # the ipc "write" ops (implicit single level) mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } (( l1 eq l2 ) or @@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv } (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); - - - # # MLS policy for the process class # @@ -763,13 +765,14 @@ mlsconstrain context contains # # make sure these database classes are "single level" -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } +mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto } ( l2 eq h2 ); + mlsconstrain { db_tuple } { insert relabelto } ( l2 eq h2 ); # new database labels must be dominated by the relabeling subjects clearance -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } +mlsconstrain { db_database db_schema db_table db_column } { relabelto } ( h1 dom h2 ); # the database "read" ops (note the check is dominance of the low level) @@ -833,7 +836,7 @@ mlsconstrain { db_tuple } { use select } ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -# the "single level" file "write" ops +# the "single level" database "write" ops mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } (( l1 eq l2 ) or (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 2626ebf95..5745bb240 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,11 +1,16 @@ +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) - -/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) + +/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index cc8df9d7d..90467f3af 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` domtrans_pattern($1, bootloader_exec_t, bootloader_t) ') +###################################### +## +## Execute bootloader in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`bootloader_exec',` + gen_require(` + type bootloader_exec_t; + ') + + can_exec($1, bootloader_exec_t) +') + ######################################## ## ## Execute bootloader interactively and do @@ -38,16 +56,18 @@ interface(`bootloader_domtrans',` # interface(`bootloader_run',` gen_require(` + type bootloader_t; attribute_role bootloader_roles; ') bootloader_domtrans($1) roleattribute $2 bootloader_roles; + ') ######################################## ## -## Execute bootloader in the caller domain. +## Read the bootloader configuration file. ## ## ## @@ -55,36 +75,37 @@ interface(`bootloader_run',` ## ## # -interface(`bootloader_exec',` +interface(`bootloader_read_config',` gen_require(` - type bootloader_exec_t; + type bootloader_etc_t; ') - corecmd_search_bin($1) - can_exec($1, bootloader_exec_t) + allow $1 bootloader_etc_t:file read_file_perms; ') ######################################## ## -## Read the bootloader configuration file. +## Read and write the bootloader +## configuration file. ## ## ## ## Domain allowed access. ## ## +## # -interface(`bootloader_read_config',` +interface(`bootloader_rw_config',` gen_require(` type bootloader_etc_t; ') - allow $1 bootloader_etc_t:file read_file_perms; + allow $1 bootloader_etc_t:file rw_file_perms; ') ######################################## ## -## Read and write the bootloader +## Manage the bootloader ## configuration file. ## ## @@ -94,12 +115,12 @@ interface(`bootloader_read_config',` ## ## # -interface(`bootloader_rw_config',` +interface(`bootloader_manage_config',` gen_require(` type bootloader_etc_t; ') - allow $1 bootloader_etc_t:file rw_file_perms; + manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) ') ######################################## @@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',` ') files_search_tmp($1) - allow $1 bootloader_tmp_t:file rw_file_perms; + allow $1 bootloader_tmp_t:file rw_inherited_file_perms; ') ######################################## @@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') + +######################################## +## +## Type transition files created in /etc +## +## +## +## Domain allowed access. +## +## +# +interface(`bootloader_filetrans_config',` + gen_require(` + type bootloader_etc_t; + ') + + files_etc_filetrans($1,bootloader_etc_t,file, "grub") + files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf") + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 0fd5c5f2e..a14addb41 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -20,13 +20,20 @@ type bootloader_t; type bootloader_exec_t; application_domain(bootloader_t, bootloader_exec_t) role bootloader_roles types bootloader_t; +role system_r types bootloader_t; + +type bootloader_var_run_t; +files_pid_file(bootloader_var_run_t) + +type bootloader_var_lib_t; +files_type(bootloader_var_lib_t) # # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # type bootloader_etc_t alias etc_bootloader_t; -files_type(bootloader_etc_t) +files_config_file(bootloader_etc_t) # # The temp file is used for initrd creation; @@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; @@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) +manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) +manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) +files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file }) + +manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) +manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) +manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) +files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file }) + kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) +fs_list_hugetlbfs(bootloader_t) +fs_list_tmpfs(bootloader_t) fs_read_tmpfs_symlinks(bootloader_t) #Needed for ia64 fs_manage_dos_files(bootloader_t) @@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) term_getattr_all_ttys(bootloader_t) +term_getattr_all_ptys(bootloader_t) term_dontaudit_manage_pty_dirs(bootloader_t) +term_dontaudit_getattr_generic_ptys(bootloader_t) +term_use_unallocated_ttys(bootloader_t) corecmd_exec_all_executables(bootloader_t) @@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) files_manage_boot_files(bootloader_t) files_manage_boot_symlinks(bootloader_t) +files_manage_kernel_modules(bootloader_t) files_read_etc_files(bootloader_t) files_exec_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) files_read_kernel_modules(bootloader_t) +files_read_kernel_symbol_table(bootloader_t) # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab @@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) + +init_read_state(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) @@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) +libs_exec_ld_so(bootloader_t) -logging_send_syslog_msg(bootloader_t) -logging_rw_generic_logs(bootloader_t) +auth_use_nsswitch(bootloader_t) -miscfiles_read_localization(bootloader_t) +logging_send_syslog_msg(bootloader_t) +logging_manage_generic_logs(bootloader_t) modutils_domtrans_insmod(bootloader_t) seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) -seutil_dontaudit_search_config(bootloader_t) -userdom_use_user_terminals(bootloader_t) +userdom_getattr_user_tmp_files(bootloader_t) +userdom_use_inherited_user_terminals(bootloader_t) userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` @@ -173,6 +199,10 @@ ifdef(`distro_redhat',` ') ') +optional_policy(` + devicekit_dontaudit_read_pid_files(bootloader_t) +') + optional_policy(` fstools_exec(bootloader_t) ') @@ -182,6 +212,14 @@ optional_policy(` hal_write_log(bootloader_t) ') +optional_policy(` + gpm_getattr_gpmctl(bootloader_t) +') + +optional_policy(` + fsadm_manage_pid(bootloader_t) +') + optional_policy(` kudzu_domtrans(bootloader_t) ') @@ -194,18 +232,19 @@ optional_policy(` ') optional_policy(` - modutils_exec_insmod(bootloader_t) - modutils_read_module_deps(bootloader_t) - modutils_read_module_config(bootloader_t) modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) + modutils_domtrans_insmod_uncond(bootloader_t) + modutils_list_module_config(bootloader_t) + modutils_read_module_deps(bootloader_t) + modutils_read_module_config(bootloader_t) ') optional_policy(` - nscd_use(bootloader_t) + rpm_rw_pipes(bootloader_t) ') optional_policy(` - rpm_rw_pipes(bootloader_t) + udev_read_pid_files(bootloader_t) ') diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc index b7f053bf6..5d4fc3188 100644 --- a/policy/modules/admin/consoletype.fc +++ b/policy/modules/admin/consoletype.fc @@ -1,2 +1,4 @@ /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) + +/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if index 0f57d3bc0..655d07f01 100644 --- a/policy/modules/admin/consoletype.if +++ b/policy/modules/admin/consoletype.if @@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, consoletype_exec_t, consoletype_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit consoletype_t $1:socket_class_set { read write }; - ') ') ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index cd5e005ce..247259ac4 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) type consoletype_t; type consoletype_exec_t; -init_domain(consoletype_t, consoletype_exec_t) -init_system_domain(consoletype_t, consoletype_exec_t) +application_domain(consoletype_t, consoletype_exec_t) +role system_r types consoletype_t; ######################################## # @@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t) mls_file_read_all_levels(consoletype_t) mls_file_write_all_levels(consoletype_t) -term_use_all_terms(consoletype_t) +term_use_all_inherited_terms(consoletype_t) +term_use_ptmx(consoletype_t) init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) init_use_script_fds(consoletype_t) init_rw_script_pipes(consoletype_t) +init_rw_inherited_script_tmp_files(consoletype_t) -userdom_use_user_terminals(consoletype_t) +userdom_use_inherited_user_terminals(consoletype_t) ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(consoletype_t) @@ -79,16 +81,14 @@ optional_policy(` ') optional_policy(` - files_read_etc_files(consoletype_t) - firstboot_use_fds(consoletype_t) - firstboot_rw_pipes(consoletype_t) + devicekit_dontaudit_read_pid_files(consoletype_t) + devicekit_dontaudit_rw_log(consoletype_t) ') optional_policy(` - hal_dontaudit_use_fds(consoletype_t) - hal_dontaudit_rw_pipes(consoletype_t) - hal_dontaudit_rw_dgram_sockets(consoletype_t) - hal_dontaudit_write_log(consoletype_t) + files_read_etc_files(consoletype_t) + firstboot_use_fds(consoletype_t) + firstboot_rw_pipes(consoletype_t) ') optional_policy(` @@ -114,6 +114,7 @@ optional_policy(` optional_policy(` userdom_use_unpriv_users_fds(consoletype_t) + userdom_dontaudit_rw_dgram_socket(consoletype_t) ') optional_policy(` diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc index d6cc2d970..0685b190d 100644 --- a/policy/modules/admin/dmesg.fc +++ b/policy/modules/admin/dmesg.fc @@ -1,2 +1,4 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 72bc6d815..bb4a6f0d7 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -9,6 +9,10 @@ type dmesg_t; type dmesg_exec_t; init_system_domain(dmesg_t, dmesg_exec_t) +ifdef(`enable_mls',` + init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh) +') + ######################################## # # Local policy @@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; +kernel_read_system_state(dmesg_t) kernel_read_kernel_sysctls(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) kernel_change_ring_buffer_level(dmesg_t) kernel_list_proc(dmesg_t) kernel_read_proc_symlinks(dmesg_t) +kernel_dontaudit_write_kernel_sysctl(dmesg_t) dev_read_sysfs(dmesg_t) +dev_read_kmsg(dmesg_t) +dev_read_raw_memory(dmesg_t) fs_search_auto_mountpoints(dmesg_t) @@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) -miscfiles_read_localization(dmesg_t) +miscfiles_read_hwdata(dmesg_t) userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) +userdom_use_inherited_user_terminals(dmesg_t) + +optional_policy(` + abrt_rw_inherited_cache(dmesg_t) +') optional_policy(` seutil_sigchld_newrole(dmesg_t) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 407078f4b..1a09bead7 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -1,15 +1,22 @@ /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) -/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) + +/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index c6ca761c9..6edd67420 100644 --- a/policy/modules/admin/netutils.if +++ b/policy/modules/admin/netutils.if @@ -42,6 +42,7 @@ interface(`netutils_run',` ') netutils_domtrans($1) + allow $1 netutils_t:process { signal sigkill }; role $2 types netutils_t; ') @@ -99,6 +100,7 @@ interface(`netutils_domtrans_ping',` corecmd_search_bin($1) domtrans_pattern($1, ping_exec_t, ping_t) + allow $1 ping_exec_t:file map; ') ######################################## @@ -161,6 +163,7 @@ interface(`netutils_run_ping',` netutils_domtrans_ping($1) role $2 types ping_t; + allow $1 ping_t:process { signal sigkill }; ') ######################################## @@ -183,13 +186,14 @@ interface(`netutils_run_ping',` interface(`netutils_run_ping_cond',` gen_require(` type ping_t; - bool user_ping; + bool selinuxuser_ping; ') role $2 types ping_t; - if ( user_ping ) { + if ( selinuxuser_ping ) { netutils_domtrans_ping($1) + allow $1 ping_t:process { signal sigkill }; } ') @@ -254,6 +258,7 @@ interface(`netutils_run_traceroute',` ') netutils_domtrans_traceroute($1) + allow $1 traceroute_t:process { signal sigkill }; role $2 types traceroute_t; ') @@ -277,13 +282,14 @@ interface(`netutils_run_traceroute',` interface(`netutils_run_traceroute_cond',` gen_require(` type traceroute_t; - bool user_ping; + bool selinuxuser_ping; ') role $2 types traceroute_t; - if( user_ping ) { + if( selinuxuser_ping ) { netutils_domtrans_traceroute($1) + allow $1 traceroute_t:process { signal sigkill }; } ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index c44c3592a..982e33e1c 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) ## ##

-## Control users use of ping and traceroute +## Allow confined users the ability to execute the ping and traceroute commands. ##

##
-gen_tunable(user_ping, false) +gen_tunable(selinuxuser_ping, false) type netutils_t; type netutils_exec_t; @@ -33,25 +33,29 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; -allow netutils_t self:packet_socket create_socket_perms; +# For tcpdump. +allow netutils_t self:netlink_netfilter_socket create_socket_perms; +allow netutils_t self:packet_socket { create_socket_perms map }; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; +allow netutils_t self:bluetooth_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms; +allow netutils_t self:netlink_socket create_socket_perms; manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) -kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) -corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) corenet_tcp_sendrecv_generic_if(netutils_t) corenet_raw_sendrecv_generic_if(netutils_t) @@ -66,6 +70,10 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) +dev_read_usbmon_dev(netutils_t) +dev_write_usbmon_dev(netutils_t) +dev_map_usbmon_dev(netutils_t) +dev_rw_generic_usb_dev(netutils_t) fs_getattr_xattr_fs(netutils_t) @@ -80,12 +88,12 @@ init_use_script_ptys(netutils_t) auth_use_nsswitch(netutils_t) -logging_send_syslog_msg(netutils_t) +libs_use_ld_so(netutils_t) -miscfiles_read_localization(netutils_t) +logging_send_syslog_msg(netutils_t) term_dontaudit_use_console(netutils_t) -userdom_use_user_terminals(netutils_t) +userdom_use_inherited_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) optional_policy(` @@ -110,11 +118,11 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:rawip_socket create_socket_perms; +allow ping_t self:packet_socket create_socket_perms; allow ping_t self:netlink_route_socket create_netlink_socket_perms; +allow ping_t self:icmp_socket create_socket_perms; -corenet_all_recvfrom_unlabeled(ping_t) corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) @@ -124,6 +132,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) +fs_dontaudit_rw_anon_inodefs_files(ping_t) + +dev_read_urand(ping_t) domain_use_interactive_fds(ping_t) @@ -131,14 +142,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) +kernel_read_network_state(ping_t) +kernel_request_load_module(ping_t) auth_use_nsswitch(ping_t) -logging_send_syslog_msg(ping_t) - -miscfiles_read_localization(ping_t) +init_rw_inherited_script_tmp_files(ping_t) -userdom_use_user_terminals(ping_t) +logging_send_syslog_msg(ping_t) ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) @@ -146,13 +157,28 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) + nagios_dontaudit_write_pipes_nrpe(ping_t) ') ') +term_use_all_inherited_terms(ping_t) + +tunable_policy(`selinuxuser_ping',` + term_use_all_ttys(ping_t) + term_use_all_ptys(ping_t) +',` + term_dontaudit_use_all_ttys(ping_t) + term_dontaudit_use_all_ptys(ping_t) +') + optional_policy(` munin_append_log(ping_t) ') +optional_policy(` + nagios_rw_inerited_tmp_files(ping_t) +') + optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') @@ -161,6 +187,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') +optional_policy(` + openshift_rw_inherited_content(ping_t) + openshift_dontaudit_rw_inherited_fifo_files(ping_t) +') + +optional_policy(` + zabbix_read_tmp(ping_t) +') + ######################################## # # Traceroute local policy @@ -168,13 +203,18 @@ optional_policy(` allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket create_socket_perms; +allow traceroute_t self:packet_socket { create_socket_perms map }; allow traceroute_t self:udp_socket create_socket_perms; +allow traceroute_t self:sctp_socket create_socket_perms; +allow traceroute_t self:icmp_socket create_socket_perms; +allow traceroute_t self:dccp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) +kernel_read_net_sysctls(traceroute_t) +kernel_request_load_module(traceroute_t) +kernel_search_network_sysctl(traceroute_t) -corenet_all_recvfrom_unlabeled(traceroute_t) corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) @@ -198,6 +238,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) +files_read_usr_files(traceroute_t) files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) @@ -206,11 +247,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) -miscfiles_read_localization(traceroute_t) - -userdom_use_user_terminals(traceroute_t) #rules needed for nmap dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) -files_read_usr_files(traceroute_t) + +term_use_all_inherited_terms(traceroute_t) + +tunable_policy(`selinuxuser_ping',` + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +',` + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc index 688abc2ae..3d89250a6 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc @@ -3,3 +3,4 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 03ec5cafe..06bcbf4a5 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; + allow $1_su_t self:netlink_selinux_socket create_socket_perms; # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) @@ -58,6 +59,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; + kernel_getattr_core_if($1_su_t) kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) kernel_search_key($1_su_t) @@ -86,10 +88,10 @@ template(`su_restricted_domain_template', ` # Write to utmp. init_rw_utmp($1_su_t) init_search_script_keys($1_su_t) + init_getattr_initctl($1_su_t) logging_send_syslog_msg($1_su_t) - miscfiles_read_localization($1_su_t) ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora @@ -119,11 +121,6 @@ template(`su_restricted_domain_template', ` userdom_spec_domtrans_unpriv_users($1_su_t) ') - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $2:socket_class_set { read write }; - ') - optional_policy(` cron_read_pipes($1_su_t) ') @@ -171,15 +168,9 @@ template(`su_role_template',` domain_interactive_fd($1_su_t) role $2 types $1_su_t; - allow $3 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:key { search write }; + allow $1_su_t self:netlink_selinux_socket create_socket_perms; + allow $3 $1_su_t:process signal; allow $1_su_t $3:key search; # Transition from the user domain to this domain. @@ -194,125 +185,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) + kernel_dontaudit_getattr_core_if($1_su_t) - domain_use_interactive_fds($1_su_t) + auth_use_pam($1_su_t) - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dirs($1_su_t) - - init_dontaudit_use_fds($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) + init_dontaudit_getattr_initctl($1_su_t) mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - - ifdef(`distro_rhel4',` - domain_role_change_exemption($1_su_t) - domain_subj_id_change_exemption($1_su_t) - domain_obj_id_change_exemption($1_su_t) - - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) - - # Relabel ttys and ptys. - term_relabel_all_ttys($1_su_t) - term_relabel_all_ptys($1_su_t) - # Close and re-open ttys and ptys to get the fd into the correct domain. - term_use_all_ttys($1_su_t) - term_use_all_ptys($1_su_t) - - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) - - if(secure_mode) { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } - - optional_policy(` - unconfined_domtrans($1_su_t) - unconfined_signal($1_su_t) - ') - ') - - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs($1_su_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_search_cifs($1_su_t) - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') - - optional_policy(` - kerberos_use($1_su_t) - ') - - optional_policy(` - # used when the password has expired - usermanage_read_crack_db($1_su_t) - ') - - # Modify .Xauthority file (via xauth program). - optional_policy(` - xserver_user_home_dir_filetrans_user_xauth($1_su_t) - xserver_domtrans_xauth($1_su_t) - ') ') ####################################### diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 85bb77e05..a4302332a 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -9,3 +9,82 @@ attribute su_domain_type; type su_exec_t; corecmd_executable_file(su_exec_t) + +allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; +dontaudit su_domain_type self:capability sys_tty_config; +allow su_domain_type self:process { setexec setsched setrlimit }; +allow su_domain_type self:fifo_file rw_fifo_file_perms; +allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; +allow su_domain_type self:key { search write }; + +kernel_read_kernel_sysctls(su_domain_type) +kernel_search_key(su_domain_type) +kernel_link_key(su_domain_type) + +# for SSP +dev_read_urand(su_domain_type) +dev_dontaudit_getattr_all(su_domain_type) + +fs_search_auto_mountpoints(su_domain_type) + +# needed for pam_rootok +selinux_compute_access_vector(su_domain_type) + +corecmd_search_bin(su_domain_type) + +domain_use_interactive_fds(su_domain_type) + +files_read_etc_files(su_domain_type) +files_read_etc_runtime_files(su_domain_type) +files_search_var_lib(su_domain_type) +files_dontaudit_getattr_tmp_dirs(su_domain_type) + +init_dontaudit_use_fds(su_domain_type) +# Write to utmp. +init_rw_utmp(su_domain_type) +init_read_state(su_domain_type) + +userdom_use_user_terminals(su_domain_type) +userdom_search_user_home_dirs(su_domain_type) +userdom_search_admin_dir(su_domain_type) + +ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. Fedora + auth_domtrans_upd_passwd(su_domain_type) + + optional_policy(` + locallogin_search_keys(su_domain_type) + ') +') + +tunable_policy(`polyinstantiation_enabled',` + fs_mount_xattr_fs(su_domain_type) + fs_unmount_xattr_fs(su_domain_type) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(su_domain_type) +') + +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(su_domain_type) +') + +optional_policy(` + cron_read_pipes(su_domain_type) +') + +optional_policy(` + kerberos_use(su_domain_type) +') + +optional_policy(` + # used when the password has expired + usermanage_read_crack_db(su_domain_type) +') + +# Modify .Xauthority file (via xauth program). +optional_policy(` + xserver_user_home_dir_filetrans_user_xauth(su_domain_type) + xserver_domtrans_xauth(su_domain_type) +') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02a4..6083c590e 100644 --- a/policy/modules/admin/sudo.fc +++ b/policy/modules/admin/sudo.fc @@ -1,2 +1,6 @@ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) + +/var/log/sudo-io(/.*)? gen_context(system_u:object_r:sudo_log_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 096019932..b6debf340 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` gen_require(` type sudo_exec_t; + type sudo_db_t; attribute sudodomain; ') @@ -45,28 +46,15 @@ template(`sudo_role_template',` domain_interactive_fd($1_sudo_t) domain_role_change_exemption($1_sudo_t) role $2 types $1_sudo_t; + userdom_home_manager($1_sudo_t) - ############################## - # - # Local Policy - # + type $1_sudo_tmp_t; + files_tmp_file($1_sudo_tmp_t) - # Use capabilities. - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; - allow $1_sudo_t self:fifo_file rw_fifo_file_perms; - allow $1_sudo_t self:shm create_shm_perms; - allow $1_sudo_t self:sem create_sem_perms; - allow $1_sudo_t self:msgq create_msgq_perms; - allow $1_sudo_t self:msg { send receive }; - allow $1_sudo_t self:unix_dgram_socket create_socket_perms; - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:key manage_key_perms; + allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) + allow $1_sudo_t $3:dir search_dir_perms;; allow $1_sudo_t $3:key search; # Enter this derived domain from the user domain @@ -75,88 +63,33 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) + userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3) + domain_entry_file($3, sudo_exec_t) + domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) + allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; - kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) - kernel_link_key($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) - corecmd_exec_all_executables($1_sudo_t) - - dev_getattr_fs($1_sudo_t) - dev_read_urand($1_sudo_t) - dev_rw_generic_usb_dev($1_sudo_t) - dev_read_sysfs($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) - domain_getattr_all_entry_files($1_sudo_t) - - files_read_etc_files($1_sudo_t) - files_read_var_files($1_sudo_t) - files_read_usr_symlinks($1_sudo_t) - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) - files_list_tmp($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - - selinux_validate_context($1_sudo_t) - selinux_compute_relabel_context($1_sudo_t) - - term_getattr_pty_fs($1_sudo_t) - term_relabel_all_ttys($1_sudo_t) - term_relabel_all_ptys($1_sudo_t) + seutil_libselinux_linked($1_sudo_t) auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) auth_use_nsswitch($1_sudo_t) - init_rw_utmp($1_sudo_t) - - logging_send_audit_msgs($1_sudo_t) logging_send_syslog_msg($1_sudo_t) - miscfiles_read_localization($1_sudo_t) - - seutil_search_default_contexts($1_sudo_t) - seutil_libselinux_linked($1_sudo_t) - - userdom_spec_domtrans_all_users($1_sudo_t) - userdom_create_all_users_keys($1_sudo_t) - userdom_manage_user_home_content_files($1_sudo_t) - userdom_manage_user_home_content_symlinks($1_sudo_t) - userdom_manage_user_tmp_files($1_sudo_t) - userdom_manage_user_tmp_symlinks($1_sudo_t) - userdom_use_user_terminals($1_sudo_t) - # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) - userdom_dontaudit_search_user_home_dirs($1_sudo_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_sudo_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_sudo_t) - ') + term_use_generic_ptys($1_sudo_t) + term_setattr_generic_ptys($1_sudo_t) optional_policy(` - dbus_system_bus_client($1_sudo_t) + mta_role($2, $1_sudo_t) ') optional_policy(` - fprintd_dbus_chat($1_sudo_t) + kerberos_manage_host_rcache($1_sudo_t) + kerberos_read_config($1_sudo_t) ') ') @@ -178,3 +111,41 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') + +####################################### +## +## Allow execute sudo in called domain. +## This interfaces is added for nova-stack policy. +## +## +## +## Domain allowed access. +## +## +# +interface(`sudo_exec',` + gen_require(` + type sudo_exec_t; + ') + + can_exec($1, sudo_exec_t) +') + +###################################### +## +## Allow to manage sudo database in called domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sudo_manage_db',` + gen_require(` + type sudo_db_t; + ') + + manage_dirs_pattern($1, sudo_db_t, sudo_db_t) + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index d9fce57ab..5c11b48e1 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,118 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) + +type sudo_db_t; +files_type(sudo_db_t) +mls_trusted_object(sudo_db_t) + +type sudo_log_t; +logging_log_file(sudo_log_t) + +manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t) +manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t) + +manage_dirs_pattern(sudodomain, sudo_log_t, sudo_log_t) +manage_files_pattern(sudodomain, sudo_log_t, sudo_log_t) +logging_log_filetrans(sudodomain, sudo_log_t, dir, "sudo-io") + +############################## +# +# Local Policy +# + +# Use capabilities. +allow sudodomain self:capability { chown fowner setuid setgid dac_read_search dac_override sys_nice sys_resource }; +dontaudit sudodomain self:capability net_admin; +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow sudodomain self:process { setexec setrlimit }; +allow sudodomain self:fd use; +allow sudodomain self:fifo_file rw_fifo_file_perms; +allow sudodomain self:shm create_shm_perms; +allow sudodomain self:sem create_sem_perms; +allow sudodomain self:msgq create_msgq_perms; +allow sudodomain self:msg { send receive }; +allow sudodomain self:unix_dgram_socket create_socket_perms; +allow sudodomain self:unix_stream_socket create_stream_socket_perms; +allow sudodomain self:unix_dgram_socket sendto; +allow sudodomain self:unix_stream_socket connectto; +allow sudodomain self:key manage_key_perms; +allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_getattr_core_if(sudodomain) +kernel_link_key(sudodomain) +kernel_read_kernel_sysctls(sudodomain) + +corecmd_read_bin_symlinks(sudodomain) +corecmd_exec_all_executables(sudodomain) + +dev_getattr_fs(sudodomain) +dev_read_urand(sudodomain) +dev_rw_generic_usb_dev(sudodomain) +dev_read_sysfs(sudodomain) +dev_dontaudit_getattr_all(sudodomain) + +domain_use_interactive_fds(sudodomain) +domain_sigchld_interactive_fds(sudodomain) +domain_getattr_all_entry_files(sudodomain) + +files_read_etc_files(sudodomain) +files_read_var_files(sudodomain) +files_read_usr_files(sudodomain) +# for some PAM modules and for cwd +files_dontaudit_search_home(sudodomain) +files_list_tmp(sudodomain) + +fs_search_auto_mountpoints(sudodomain) +fs_getattr_all_fs(sudodomain) + +selinux_validate_context(sudodomain) +selinux_compute_relabel_context(sudodomain) + +term_getattr_pty_fs(sudodomain) +term_relabel_all_ttys(sudodomain) +term_relabel_all_ptys(sudodomain) +term_use_ptmx(sudodomain) + +#auth_run_chk_passwd(sudodomain) +# sudo stores a token in the pam_pid directory +auth_manage_pam_pid(sudodomain) +auth_manage_faillog(sudodomain) + +application_signal(sudodomain) + +init_rw_utmp(sudodomain) + +logging_send_audit_msgs(sudodomain) +logging_set_audit_parameters(sudodomain) + +seutil_read_default_contexts(sudodomain) + +userdom_spec_domtrans_all_users(sudodomain) +userdom_manage_user_home_content_files(sudodomain) +userdom_manage_user_home_content_symlinks(sudodomain) +userdom_manage_user_tmp_files(sudodomain) +userdom_manage_user_tmp_symlinks(sudodomain) +userdom_use_user_terminals(sudodomain) +userdom_signal_all_users(sudodomain) +userdom_exec_user_home_content_files(sudodomain) +# for some PAM modules and for cwd +userdom_search_user_home_content(sudodomain) +userdom_search_admin_dir(sudodomain) +userdom_manage_all_users_keys(sudodomain) + +tunable_policy(`authlogin_yubikey',` + auth_manage_home_content(sudodomain) +') + +optional_policy(` + dbus_system_bus_client(sudodomain) + + optional_policy(` + systemd_dbus_chat_logind(sudodomain) + ') +') + +optional_policy(` + fprintd_dbus_chat(sudodomain) +') diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc index f82f0ce0a..7b8915d47 100644 --- a/policy/modules/admin/usermanage.fc +++ b/policy/modules/admin/usermanage.fc @@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) @@ -27,6 +28,7 @@ ifdef(`distro_gentoo',` /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 99e3903ea..5c5627830 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` corecmd_search_bin($1) domtrans_pattern($1, chfn_exec_t, chfn_t) - - ifdef(`hide_broken_symptoms',` - dontaudit chfn_t $1:socket_class_set { read write }; - ') ') ######################################## @@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',` interface(`usermanage_run_chfn',` gen_require(` attribute_role chfn_roles; + type chfn_t; ') usermanage_domtrans_chfn($1) @@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',` corecmd_search_bin($1) domtrans_pattern($1, groupadd_exec_t, groupadd_t) +') - ifdef(`hide_broken_symptoms',` - dontaudit groupadd_t $1:socket_class_set { read write }; +######################################## +## +## Check access to the groupadd executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_access_check_groupadd',` + gen_require(` + type groupadd_exec_t; ') + + corecmd_search_bin($1) + allow $1 groupadd_exec_t:file { getattr_file_perms execute }; ') ######################################## @@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',` # interface(`usermanage_run_groupadd',` gen_require(` + type groupadd_t; attribute_role groupadd_roles; ') @@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',` corecmd_search_bin($1) domtrans_pattern($1, passwd_exec_t, passwd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit passwd_t $1:socket_class_set { read write }; - ') ') ######################################## @@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',` # interface(`usermanage_run_passwd',` gen_require(` + type passwd_t; attribute_role passwd_roles; ') @@ -181,6 +191,25 @@ interface(`usermanage_run_passwd',` roleattribute $2 passwd_roles; ') +######################################## +## +## Check access to the passwd executable +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_access_check_passwd',` + gen_require(` + type passwd_exec_t; + ') + + corecmd_search_bin($1) + allow $1 passwd_exec_t:file { getattr_file_perms execute }; +') + ######################################## ## ## Execute password admin functions in @@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',` # interface(`usermanage_run_admin_passwd',` gen_require(` + type sysadm_passwd_t; attribute_role sysadm_passwd_roles; ') @@ -263,10 +293,7 @@ interface(`usermanage_domtrans_useradd',` corecmd_search_bin($1) domtrans_pattern($1, useradd_exec_t, useradd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit useradd_t $1:socket_class_set { read write }; - ') + allow $1 useradd_exec_t:file map; ') ######################################## @@ -307,12 +334,32 @@ interface(`usermanage_check_exec_useradd',` interface(`usermanage_run_useradd',` gen_require(` attribute_role useradd_roles; + type useradd_t; ') usermanage_domtrans_useradd($1) roleattribute $2 useradd_roles; ') +######################################## +## +## Check access to the useradd executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_access_check_useradd',` + gen_require(` + type useradd_exec_t; + ') + + corecmd_search_bin($1) + allow $1 useradd_exec_t:file { getattr_file_perms execute }; +') + ######################################## ## ## Read the crack database. diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 1d732f1e7..44e694926 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; domain_obj_id_change_exemption(chfn_t) application_domain(chfn_t, chfn_exec_t) role chfn_roles types chfn_t; +role system_r types chfn_t; type crack_t; type crack_exec_t; @@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t) init_system_domain(groupadd_t, groupadd_exec_t) role groupadd_roles types groupadd_t; + type passwd_t; type passwd_exec_t; domain_obj_id_change_exemption(passwd_t) +domain_system_change_exemption(passwd_t) application_domain(passwd_t, passwd_exec_t) role passwd_roles types passwd_t; @@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) +domain_system_change_exemption(useradd_t) init_system_domain(useradd_t, useradd_exec_t) role useradd_roles types useradd_t; +type useradd_var_run_t; +files_pid_file(useradd_var_run_t) + ######################################## # # Chfn local policy # -allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; @@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) +kernel_dontaudit_getattr_core_if(chfn_t) selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) @@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) -term_use_all_ttys(chfn_t) -term_use_all_ptys(chfn_t) +term_use_all_inherited_ttys(chfn_t) +term_use_all_inherited_ptys(chfn_t) +term_getattr_all_ptys(chfn_t) fs_getattr_xattr_fs(chfn_t) fs_search_auto_mountpoints(chfn_t) # for SSP dev_read_urand(chfn_t) +dev_dontaudit_getattr_all(chfn_t) +auth_manage_passwd(chfn_t) +auth_use_pam(chfn_t) auth_run_chk_passwd(chfn_t, chfn_roles) -auth_dontaudit_read_shadow(chfn_t) -auth_use_nsswitch(chfn_t) +#auth_dontaudit_read_shadow(chfn_t) +#auth_use_nsswitch(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) +corecmd_exec_bin(chfn_t) domain_use_interactive_fds(chfn_t) -files_manage_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) @@ -120,13 +132,15 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) - -miscfiles_read_localization(chfn_t) +init_dontaudit_getattr_initctl(chfn_t) logging_send_syslog_msg(chfn_t) seutil_read_file_contexts(chfn_t) +userdom_manage_user_tmp_files(chfn_t) +userdom_tmp_filetrans_user_tmp(chfn_t, { file }) + userdom_use_unpriv_users_fds(chfn_t) # user generally runs this from their home directory, so do not audit a search # on user home dir @@ -136,6 +150,16 @@ optional_policy(` nscd_run(chfn_t, chfn_roles) ') +optional_policy(` + rssh_exec(chfn_t) +') + +optional_policy(` + # allow to exec tmux + screen_exec(chfn_t) +') + + ######################################## # # Crack local policy @@ -186,7 +210,7 @@ optional_policy(` # Groupadd local policy # -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; +allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; @@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) -term_use_all_ttys(groupadd_t) -term_use_all_ptys(groupadd_t) +term_use_all_inherited_terms(groupadd_t) +term_getattr_all_ptys(groupadd_t) init_use_fds(groupadd_t) init_read_utmp(groupadd_t) @@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) -files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) +files_read_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) @@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) -miscfiles_read_localization(groupadd_t) auth_run_chk_passwd(groupadd_t, groupadd_roles) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) +auth_manage_passwd(groupadd_t) +auth_manage_shadow(groupadd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. -auth_manage_shadow(groupadd_t) auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) @@ -273,7 +297,7 @@ optional_policy(` # Passwd local policy # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; +allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; @@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; +allow passwd_t self:netlink_selinux_socket create_socket_perms; allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) @@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) +dev_dontaudit_getattr_all(passwd_t) fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) @@ -310,26 +336,34 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) -term_use_all_ttys(passwd_t) -term_use_all_ptys(passwd_t) +term_use_all_inherited_terms(passwd_t) +term_getattr_all_ptys(passwd_t) auth_run_chk_passwd(passwd_t, passwd_roles) +auth_manage_passwd(passwd_t) +auth_map_passwd(passwd_t) auth_manage_shadow(passwd_t) +auth_map_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -auth_use_nsswitch(passwd_t) +auth_use_pam(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) +corecmd_exec_bin(passwd_t) + +corenet_tcp_connect_kerberos_password_port(passwd_t) domain_use_interactive_fds(passwd_t) files_read_etc_runtime_files(passwd_t) -files_manage_etc_files(passwd_t) +files_read_usr_files(passwd_t) files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) +term_search_ptys(passwd_t) + # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) @@ -338,12 +372,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) -miscfiles_read_localization(passwd_t) seutil_read_config(passwd_t) seutil_read_file_contexts(passwd_t) -userdom_use_user_terminals(passwd_t) +userdom_use_inherited_user_terminals(passwd_t) userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) @@ -352,6 +385,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) +userdom_rw_stream(passwd_t) + +# needed by gnome-keyring +userdom_manage_user_tmp_files(passwd_t) +userdom_manage_user_tmp_sockets(passwd_t) +userdom_manage_user_tmp_dirs(passwd_t) + +optional_policy(` + gnome_exec_keyringd(passwd_t) + gnome_manage_cache_home_dir(passwd_t) + gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') optional_policy(` nscd_run(passwd_t, passwd_roles) @@ -362,7 +409,7 @@ optional_policy(` # Password admin local policy # -allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; @@ -401,9 +448,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) -term_use_all_ttys(sysadm_passwd_t) -term_use_all_ptys(sysadm_passwd_t) +term_use_all_inherited_terms(sysadm_passwd_t) +term_getattr_all_ptys(sysadm_passwd_t) +auth_manage_passwd(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) @@ -416,7 +464,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) -files_manage_etc_files(sysadm_passwd_t) files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups @@ -426,12 +473,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) -miscfiles_read_localization(sysadm_passwd_t) logging_send_syslog_msg(sysadm_passwd_t) -seutil_dontaudit_search_config(sysadm_passwd_t) - userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir @@ -446,7 +490,8 @@ optional_policy(` # Useradd local policy # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; @@ -461,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; +manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) +manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) +files_pid_filetrans(useradd_t, useradd_var_run_t, dir) + # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) @@ -468,29 +517,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) +kernel_getattr_core_if(useradd_t) +dev_dontaudit_getattr_all(useradd_t) + domain_use_interactive_fds(useradd_t) domain_read_all_domains_state(useradd_t) +domain_dontaudit_read_all_domains_state(useradd_t) -files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +files_manage_etc_files(useradd_t) +files_create_var_lib_dirs(useradd_t) +files_rw_var_lib_dirs(useradd_t) fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) +mls_process_read_to_clearance(useradd_t) -# Allow access to context for shadow file -selinux_get_fs_mount(useradd_t) -selinux_validate_context(useradd_t) -selinux_compute_access_vector(useradd_t) -selinux_compute_create_context(useradd_t) -selinux_compute_relabel_context(useradd_t) -selinux_compute_user_contexts(useradd_t) - -term_use_all_ttys(useradd_t) -term_use_all_ptys(useradd_t) +term_use_all_inherited_terms(useradd_t) +term_getattr_all_ptys(useradd_t) auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) @@ -498,6 +546,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. +auth_manage_passwd(useradd_t) auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) @@ -508,33 +557,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) -miscfiles_read_localization(useradd_t) + +seutil_semanage_policy(useradd_t) +seutil_manage_file_contexts(useradd_t) +seutil_manage_config(useradd_t) +seutil_manage_login_config(useradd_t) +seutil_manage_default_contexts(useradd_t) seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) +seutil_get_semanage_trans_lock(useradd_t) +seutil_get_semanage_read_lock(useradd_t) seutil_run_semanage(useradd_t, useradd_roles) seutil_run_setfiles(useradd_t, useradd_roles) +seutil_run_loadpolicy(useradd_t, useradd_roles) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) -userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) optional_policy(` mta_manage_spool(useradd_t) ') -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(useradd_t) - ') -') - optional_policy(` apache_manage_all_user_content(useradd_t) ') @@ -544,14 +592,27 @@ optional_policy(` dpkg_rw_pipes(useradd_t) ') +optional_policy(` + kerberos_manage_kdc_var_lib(useradd_t) +') + optional_policy(` nscd_run(useradd_t, useradd_roles) ') +optional_policy(` + openshift_manage_content(useradd_t) +') + optional_policy(` puppet_rw_tmp(useradd_t) ') +optional_policy(` + rpc_list_nfs_state_data(useradd_t) + rpc_read_nfs_state_data(useradd_t) +') + optional_policy(` tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) @@ -562,3 +623,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') + +optional_policy(` + smsd_manage_lib_files(useradd_t) + smsd_manage_lib_dirs(useradd_t) +') + +optional_policy(` + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85d3..1a2084fdc 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -43,18 +43,18 @@ interface(`seunshare_run',` role $2 types seunshare_t; allow $1 seunshare_t:process signal_perms; - - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; - dontaudit seunshare_t $1:udp_socket rw_socket_perms; - dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; - ') ') ######################################## ## -## Role access for seunshare +## The role template for the seunshare module. ## +## +## +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## +## ## ## ## Role allowed access. @@ -66,15 +66,45 @@ interface(`seunshare_run',` ## ## # -interface(`seunshare_role',` +interface(`seunshare_role_template',` gen_require(` - type seunshare_t; + attribute seunshare_domain; + type seunshare_exec_t; ') - role $2 types seunshare_t; + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; - seunshare_domtrans($1) + kernel_read_system_state($1_seunshare_t) + + auth_use_nsswitch($1_seunshare_t) + + logging_send_syslog_msg($1_seunshare_t) + + mls_process_set_level($1_seunshare_t) + + domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) + allow $1_seunshare_t $3:unix_stream_socket getattr; + + # part of sandboxX.pp + optional_policy(` + sandbox_x_transition($1_seunshare_t, $2) + ') + + # part of sandbox.pp + optional_policy(` + sandbox_transition($1_seunshare_t, $2) + ') + + ps_process_pattern($3, $1_seunshare_t) + dontaudit $1_seunshare_t $3:file read; + allow $3 $1_seunshare_t:process signal_perms; + allow $3 $1_seunshare_t:fd use; + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; + corecmd_bin_domtrans($1_seunshare_t, $1_t) + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te index 759016583..f50f79935 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) # Declarations # -type seunshare_t; +attribute seunshare_domain; type seunshare_exec_t; -application_domain(seunshare_t, seunshare_exec_t) -role system_r types seunshare_t; ######################################## # # seunshare local policy # +allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; +allow seunshare_domain self:fifo_file rw_file_perms; +allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; -allow seunshare_t self:fifo_file rw_file_perms; -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) +corecmd_getattr_all_executables(seunshare_domain) -corecmd_exec_shell(seunshare_t) -corecmd_exec_bin(seunshare_t) +dev_read_urand(seunshare_domain) +dev_dontaudit_rw_dri(seunshare_domain) -files_read_etc_files(seunshare_t) -files_mounton_all_poly_members(seunshare_t) +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) +files_mounton_rootfs(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) +files_relabelfrom_tmp_dirs(seunshare_domain) -auth_use_nsswitch(seunshare_t) - -logging_send_syslog_msg(seunshare_t) - -miscfiles_read_localization(seunshare_t) - -userdom_use_user_terminals(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) +fs_unmount_all_fs(seunshare_domain) +userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain) +userdom_use_inherited_user_terminals(seunshare_domain) +userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) + gnome_dontaudit_rw_inherited_config(seunshare_domain) ') + + optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_domain) + mozilla_plugin_dontaudit_leaks(seunshare_domain) + ') +') +optional_policy(` + rsync_exec(seunshare_domain) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_mounton_nfs(seunshare_domain) +') + +tunable_policy(`use_samba_home_dirs',` + fs_mounton_cifs(seunshare_domain) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 33e0f8dad..3806eab60 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ # # /bin # -/bin -d gen_context(system_u:object_r:bin_t,s0) +/bin gen_context(system_u:object_r:bin_t,s0) /bin/.* gen_context(system_u:object_r:bin_t,s0) /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -46,6 +47,7 @@ ifdef(`distro_redhat',` /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) +/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) @@ -67,18 +69,28 @@ ifdef(`distro_redhat',` /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0) +/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_redhat',` /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) ') /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) +/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -101,11 +113,8 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) -/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) -/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) @@ -114,7 +123,7 @@ ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) -/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) @@ -128,6 +137,8 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') +/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /lib # @@ -135,10 +146,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) @@ -149,10 +162,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') +/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /sbin # -/sbin -d gen_context(system_u:object_r:bin_t,s0) +/sbin gen_context(system_u:object_r:bin_t,s0) /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) @@ -168,6 +183,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -179,34 +195,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # +/usr/bin -d gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/esh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) -/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -218,19 +250,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/tumbler-[^/]*/tumblerd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/security/pam_krb5(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) +/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) @@ -245,26 +290,41 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) +/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -280,10 +340,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) @@ -298,16 +362,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6?/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6?/wait4ifup -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) +/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) +/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -325,20 +395,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) -/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) +#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0) /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -346,6 +423,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) @@ -387,17 +465,34 @@ ifdef(`distro_suse', ` # # /var # -/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') + +# +# /usr/lib +# + +/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a68..5175abbf5 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ ## run init. ## +##################################### +## +## corecmd stub bin_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`corecmd_stub_bin',` + gen_require(` + type bin_t; + ') +') + ######################################## ## ## Make the specified type usable for files @@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; + type usr_t; ') domain_entry_file($1, bin_t) + domain_entry_file($1, usr_t) ') ######################################## @@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` type bin_t; ') + corecmd_read_bin_symlinks($1) search_dirs_pattern($1, bin_t, bin_t) ') @@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` type bin_t; ') + corecmd_read_bin_symlinks($1) list_dirs_pattern($1, bin_t, bin_t) ') @@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` type bin_t; ') + corecmd_read_bin_symlinks($1) read_files_pattern($1, bin_t, bin_t) ') @@ -252,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',` dontaudit $1 bin_t:file write; ') +######################################## +## +## Do not audit attempts to access check bin files. +## +## +## +## Domain to not audit. +## +## +# +interface(`corecmd_dontaudit_access_check_bin',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:file audit_access; +') + ######################################## ## ## Read symbolic links in bin directories. @@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` type bin_t; ') + corecmd_read_bin_symlinks(bin_t) read_fifo_files_pattern($1, bin_t, bin_t) ') @@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` type bin_t; ') + corecmd_read_bin_symlinks($1) read_sock_files_pattern($1, bin_t, bin_t) ') @@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) + + ifdef(`enable_mls',`',` + files_exec_all_base_ro_files($1) + ') ') ######################################## @@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` type bin_t; ') + corecmd_read_bin_symlinks($1) manage_files_pattern($1, bin_t, bin_t) ') @@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') - mmap_files_pattern($1, bin_t, bin_t) + corecmd_read_bin_symlinks($1) + mmap_exec_files_pattern($1, bin_t, bin_t) ') ######################################## @@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; + type usr_t; ') read_lnk_files_pattern($1, bin_t, bin_t) domain_transition_pattern($1, bin_t, $2) + + read_lnk_files_pattern($1, usr_t, usr_t) + domain_transition_pattern($1, usr_t, $2) ') ######################################## @@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',` interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; + type usr_t; ') corecmd_bin_spec_domtrans($1, $2) type_transition $1 bin_t:process $2; + type_transition $1 usr_t:process $2; ') ######################################## @@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; + type bin_t; ') read_lnk_files_pattern($1, bin_t, bin_t) @@ -952,6 +1006,24 @@ interface(`corecmd_exec_chroot',` allow $1 self:capability sys_chroot; ') +######################################## +## +## Do not audit attempts to access check executable files. +## +## +## +## Domain to not audit. +## +## +# +interface(`corecmd_dontaudit_access_all_executables',` + gen_require(` + attribute exec_type; + ') + + dontaudit $1 exec_type:file audit_access; +') + ######################################## ## ## Get the attributes of all executable files. @@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) + + ifdef(`enable_mls',`',` + files_exec_all_base_ro_files($1) + ') ') ######################################## @@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') + manage_dirs_pattern($1, bin_t, exec_type) manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') @@ -1089,5 +1166,38 @@ interface(`corecmd_mmap_all_executables',` type bin_t; ') - mmap_files_pattern($1, bin_t, exec_type) + mmap_exec_files_pattern($1, bin_t, exec_type) +') + +######################################## +## +## Create objects in the /bin directory +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`corecmd_bin_filetrans',` + gen_require(` + type bin_t; + ') + + filetrans_pattern($1, bin_t, $2, $3, $4) ') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 20c76cff9..cc63dcc9c 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -13,7 +13,8 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. # -type bin_t alias { ls_exec_t sbin_t }; +type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t }; +files_ro_base_file(bin_t) corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV @@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV # shell_exec_t is the type of user shells such as /bin/bash. # type shell_exec_t; +files_ro_base_file(shell_exec_t) corecmd_executable_file(shell_exec_t) type chroot_exec_t; diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc index f9b25c12f..9af1f7a61 100644 --- a/policy/modules/kernel/corenetwork.fc +++ b/policy/modules/kernel/corenetwork.fc @@ -8,3 +8,6 @@ /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) + +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 07126bdcc..7ff70b2d8 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` ') typeattribute $1 reserved_port_type; + corenet_port($1) ') ######################################## @@ -82,6 +83,7 @@ interface(`corenet_rpc_port',` ') typeattribute $1 rpc_port_type; + corenet_port($1) ') ######################################## @@ -580,6 +582,24 @@ interface(`corenet_raw_send_all_if',` allow $1 netif_type:netif { rawip_send egress }; ') +######################################## +## +## Send and receive SCTP network traffic on generic nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_sendrecv_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { sendto recvfrom }; +') + ######################################## ## ## Receive raw IP packets on all interfaces. @@ -613,6 +633,24 @@ interface(`corenet_raw_sendrecv_all_if',` corenet_raw_receive_all_if($1) ') +######################################## +## +## Send and receive DCCP network traffic on generic nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom }; +') + ######################################## ## ## Send and receive TCP network traffic on generic nodes. @@ -787,6 +825,24 @@ interface(`corenet_raw_sendrecv_generic_node',` corenet_raw_receive_generic_node($1) ') +######################################## +## +## Bind DCCP sockets to generic nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:dccp_socket node_bind; +') + ######################################## ## ## Bind TCP sockets to generic nodes. @@ -853,6 +909,44 @@ interface(`corenet_udp_bind_generic_node',` allow $1 node_t:udp_socket node_bind; ') +######################################## +## +## Dontaudit attempts to bind TCP sockets to generic nodes. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_tcp_bind_generic_node',` + gen_require(` + type node_t; + ') + + dontaudit $1 node_t:tcp_socket node_bind; +') + +######################################## +## +## Dontaudit attempts to bind UDP sockets to generic nodes. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_bind_generic_node',` + gen_require(` + type node_t; + ') + + dontaudit $1 node_t:udp_socket node_bind; +') + ######################################## ## ## Bind raw sockets to genric nodes. @@ -926,6 +1020,24 @@ interface(`corenet_inout_generic_node',` corenet_out_generic_node($1) ') +######################################## +## +## Send and receive DCCP network traffic on all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom }; +') + ######################################## ## ## Send and receive TCP network traffic on all nodes. @@ -981,6 +1093,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` dontaudit $1 node_type:node { udp_send sendto }; ') +######################################## +## +## Send and receive SCTP network traffic on all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_sendrecv_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { sendto recvfrom }; +') + ######################################## ## ## Receive UDP network traffic on all nodes. @@ -1100,6 +1230,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` corenet_raw_receive_all_nodes($1) ') +######################################## +## +## Bind DCCP sockets to all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:dccp_socket node_bind; +') + ######################################## ## ## Bind TCP sockets to all nodes. @@ -1155,6 +1303,24 @@ interface(`corenet_raw_bind_all_nodes',` allow $1 node_type:rawip_socket node_bind; ') +######################################## +## +## Send and receive DCCP network traffic on generic ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; +') + ######################################## ## ## Send and receive TCP network traffic on generic ports. @@ -1167,12 +1333,51 @@ interface(`corenet_raw_bind_all_nodes',` # interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## Do not audit attempts to send and +## receive DCCP network traffic on +## generic ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; +') + +######################################## +## +## Bind SCTP sockets to all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_all_nodes',` + gen_require(` + attribute node_type; ') - allow $1 port_t:tcp_socket { send_msg recv_msg }; + allow $1 node_type:sctp_socket node_bind; ') + ######################################## ## ## Do not audit send and receive TCP network traffic on generic ports. @@ -1185,10 +1390,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` # interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; ') - dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; ') ######################################## @@ -1203,10 +1408,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` # interface(`corenet_udp_send_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; ') - allow $1 port_t:udp_socket send_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg; ') ######################################## @@ -1221,10 +1426,10 @@ interface(`corenet_udp_send_generic_port',` # interface(`corenet_udp_receive_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; ') - allow $1 port_t:udp_socket recv_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg; ') ######################################## @@ -1242,6 +1447,26 @@ interface(`corenet_udp_sendrecv_generic_port',` corenet_udp_receive_generic_port($1) ') +######################################## +## +## Bind DCCP sockets to generic ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; + dontaudit $1 defined_port_type:dccp_socket name_bind; +') + ######################################## ## ## Bind TCP sockets to generic ports. @@ -1254,14 +1479,33 @@ interface(`corenet_udp_sendrecv_generic_port',` # interface(`corenet_tcp_bind_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; attribute defined_port_type; ') - allow $1 port_t:tcp_socket name_bind; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; dontaudit $1 defined_port_type:tcp_socket name_bind; ') +######################################## +## +## Do not audit attempts to bind DCCP +## sockets to generic ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind; +') + ######################################## ## ## Do not audit bind TCP sockets to generic ports. @@ -1274,10 +1518,10 @@ interface(`corenet_tcp_bind_generic_port',` # interface(`corenet_dontaudit_tcp_bind_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; ') - dontaudit $1 port_t:tcp_socket name_bind; + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; ') ######################################## @@ -1292,14 +1536,32 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` # interface(`corenet_udp_bind_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; attribute defined_port_type; ') - allow $1 port_t:udp_socket name_bind; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind; dontaudit $1 defined_port_type:udp_socket name_bind; ') +######################################## +## +## Connect DCCP sockets to generic ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_connect_generic_port',` + gen_require(` + type port_t, unreserved_port_t,ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect; +') + ######################################## ## ## Connect TCP sockets to generic ports. @@ -1312,10 +1574,28 @@ interface(`corenet_udp_bind_generic_port',` # interface(`corenet_tcp_connect_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect; +') + +######################################## +## +## Send and receive DCCP network traffic on all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_all_ports',` + gen_require(` + attribute port_type; ') - allow $1 port_t:tcp_socket name_connect; + allow $1 port_type:dccp_socket { send_msg recv_msg }; ') ######################################## @@ -1382,7 +1662,7 @@ interface(`corenet_udp_send_all_ports',` ######################################## ## -## Receive UDP network traffic on all ports. +## Bind SCTP sockets to generic ports. ## ## ## @@ -1390,45 +1670,176 @@ interface(`corenet_udp_send_all_ports',` ## ## # -interface(`corenet_udp_receive_all_ports',` +interface(`corenet_sctp_bind_generic_port',` gen_require(` - attribute port_type; + type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; ') - allow $1 port_type:udp_socket recv_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 defined_port_type:sctp_socket name_bind; ') ######################################## ## -## Send and receive UDP network traffic on all ports. +## Do not audit attempts to bind SCTP +## sockets to generic ports. ## -## -##

-## Send and receive UDP network traffic on all ports. -## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_if()
  • -##
  • corenet_udp_sendrecv_generic_node()
  • -##
  • corenet_udp_bind_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
## -## -## Domain allowed access. -## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_sctp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; +') + +######################################## +## +## Do not audit attepts to bind SCTP sockets to any ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_sctp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:sctp_socket name_bind; +') + +######################################## +## +## Do not audit attempts to connect SCTP sockets +## to all ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_sctp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:sctp_socket name_connect; +') + +######################################## +## +## Connect SCTP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_connect_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:sctp_socket name_connect; +') + +######################################## +## +## Connect SCTP sockets to all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:sctp_socket name_connect; +') + +######################################## +## +## Bind SCTP sockets to all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:sctp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## +## Receive UDP network traffic on all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_receive_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:udp_socket recv_msg; +') + +######################################## +## +## Send and receive UDP network traffic on all ports. +## +## +##

+## Send and receive UDP network traffic on all ports. +## Related interfaces: +##

+##
    +##
  • corenet_all_recvfrom_unlabeled()
  • +##
  • corenet_udp_sendrecv_generic_if()
  • +##
  • corenet_udp_sendrecv_generic_node()
  • +##
  • corenet_udp_bind_all_ports()
  • +##
+##

+## Example client being able to send to all ports over +## generic nodes, without labeled networking: +##

+##

+## allow myclient_t self:udp_socket create_socket_perms; +## corenet_udp_sendrecv_generic_if(myclient_t) +## corenet_udp_sendrecv_generic_node(myclient_t) +## corenet_udp_sendrecv_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +##

+##
+## +## +## Domain allowed access. +## ## ## # @@ -1437,6 +1848,25 @@ interface(`corenet_udp_sendrecv_all_ports',` corenet_udp_receive_all_ports($1) ') +######################################## +## +## Bind DCCP sockets to all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:dccp_socket name_bind; + allow $1 self:capability net_bind_service; +') + ######################################## ## ## Bind TCP sockets to all ports. @@ -1456,6 +1886,24 @@ interface(`corenet_tcp_bind_all_ports',` allow $1 self:capability net_bind_service; ') +######################################## +## +## Do not audit attepts to bind DCCP sockets to any ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:dccp_socket name_bind; +') + ######################################## ## ## Do not audit attepts to bind TCP sockets to any ports. @@ -1493,6 +1941,24 @@ interface(`corenet_udp_bind_all_ports',` allow $1 self:capability net_bind_service; ') +######################################## +## +## Connect SCTP sockets to generic ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_connect_generic_port',` + gen_require(` + type port_t, unreserved_port_t,ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; +') + ######################################## ## ## Do not audit attepts to bind UDP sockets to any ports. @@ -1511,6 +1977,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` dontaudit $1 port_type:udp_socket name_bind; ') +######################################## +## +## Connect DCCP sockets to all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:dccp_socket name_connect; +') + ######################################## ## ## Connect TCP sockets to all ports. @@ -1557,6 +2041,25 @@ interface(`corenet_tcp_connect_all_ports',` allow $1 port_type:tcp_socket name_connect; ') +######################################## +## +## Do not audit attempts to connect DCCP sockets +## to all ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:dccp_socket name_connect; +') + ######################################## ## ## Do not audit attempts to connect TCP sockets @@ -1576,6 +2079,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` dontaudit $1 port_type:tcp_socket name_connect; ') +######################################## +## +## Send and receive DCCP network traffic on generic reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; +') + ######################################## ## ## Send and receive TCP network traffic on generic reserved ports. @@ -1645,6 +2166,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` corenet_udp_receive_reserved_port($1) ') +######################################## +## +## Bind DCCP sockets to generic reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:dccp_socket name_bind; + allow $1 self:capability net_bind_service; +') + ######################################## ## ## Bind TCP sockets to generic reserved ports. @@ -1664,6 +2204,25 @@ interface(`corenet_tcp_bind_reserved_port',` allow $1 self:capability net_bind_service; ') +######################################## +## +## Bind SCTP sockets to all ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:sctp_socket name_bind; + allow $1 self:capability net_bind_service; +') + ######################################## ## ## Bind UDP sockets to generic reserved ports. @@ -1683,6 +2242,24 @@ interface(`corenet_udp_bind_reserved_port',` allow $1 self:capability net_bind_service; ') +######################################## +## +## Connect DCCP sockets to generic reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_connect_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:dccp_socket name_connect; +') + ######################################## ## ## Connect TCP sockets to generic reserved ports. @@ -1701,6 +2278,24 @@ interface(`corenet_tcp_connect_reserved_port',` allow $1 reserved_port_t:tcp_socket name_connect; ') +######################################## +## +## Send and receive DCCP network traffic on all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; +') + ######################################## ## ## Send and receive TCP network traffic on all reserved ports. @@ -1716,12 +2311,300 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` attribute reserved_port_type; ') - allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; + allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## Send UDP network traffic on all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_send_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket send_msg; +') + +######################################## +## +## Receive UDP network traffic on all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_receive_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket recv_msg; +') + +######################################## +## +## Send and receive UDP network traffic on all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_sendrecv_all_reserved_ports',` + corenet_udp_send_all_reserved_ports($1) + corenet_udp_receive_all_reserved_ports($1) +') + +######################################## +## +## Bind DCCP sockets to all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:dccp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## +## Bind TCP sockets to all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:tcp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## +## Do not audit attempts to bind DCCP sockets to all reserved ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:dccp_socket name_bind; +') + +######################################## +## +## Do not audit attempts to bind TCP sockets to all reserved ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:tcp_socket name_bind; +') + +######################################## +## +## Bind UDP sockets to all reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## +## Do not audit attempts to bind UDP sockets to all reserved ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:udp_socket name_bind; +') + +######################################## +## +## Bind DCCP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:dccp_socket name_bind; +') + +######################################## +## +## Bind TCP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:tcp_socket name_bind; +') + +######################################## +## +## Bind TCP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_bind_unreserved_ports',` + gen_require(` + attribute unreserved_port_t; + ') + + allow $1 unreserved_port_t:tcp_socket name_bind; +') + +######################################## +## +## Bind UDP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:udp_socket name_bind; +') + +######################################## +## +## Bind TCP sockets to all ports > 32768. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_bind_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; + ') + + allow $1 ephemeral_port_type:tcp_socket name_bind; +') + +######################################## +## +## Bind UDP sockets to all ports > 32768. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_udp_bind_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; + ') + + allow $1 ephemeral_port_type:udp_socket name_bind; +') + +######################################## +## +## Connect DCCP sockets to reserved ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:dccp_socket name_connect; ') ######################################## ## -## Send UDP network traffic on all reserved ports. +## Connect TCP sockets to reserved ports. ## ## ## @@ -1729,17 +2612,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` ## ## # -interface(`corenet_udp_send_all_reserved_ports',` +interface(`corenet_tcp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; ') - allow $1 reserved_port_type:udp_socket send_msg; + allow $1 reserved_port_type:tcp_socket name_connect; ') ######################################## ## -## Receive UDP network traffic on all reserved ports. +## Connect DCCP sockets to all ports > 1024. ## ## ## @@ -1747,17 +2630,35 @@ interface(`corenet_udp_send_all_reserved_ports',` ## ## # -interface(`corenet_udp_receive_all_reserved_ports',` +interface(`corenet_dccp_connect_all_unreserved_ports',` gen_require(` - attribute reserved_port_type; + attribute unreserved_port_type; ') - allow $1 reserved_port_type:udp_socket recv_msg; + allow $1 unreserved_port_type:dccp_socket name_connect; +') + +####################################### +## +## Connect TCP sockets to ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_connect_unreserved_ports',` + gen_require(` + type unreserved_port_t; + ') + + allow $1 unreserved_port_t:tcp_socket name_connect; ') ######################################## ## -## Send and receive UDP network traffic on all reserved ports. +## Connect TCP sockets to all ports > 1024. ## ## ## @@ -1765,14 +2666,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` ## ## # -interface(`corenet_udp_sendrecv_all_reserved_ports',` - corenet_udp_send_all_reserved_ports($1) - corenet_udp_receive_all_reserved_ports($1) +interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:tcp_socket name_connect; ') ######################################## ## -## Bind TCP sockets to all reserved ports. +## Connect TCP sockets to all ports > 32768. ## ## ## @@ -1780,18 +2684,18 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ## ## # -interface(`corenet_tcp_bind_all_reserved_ports',` +interface(`corenet_tcp_connect_all_ephemeral_ports',` gen_require(` - attribute reserved_port_type; + attribute ephemeral_port_type; ') - allow $1 reserved_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; + allow $1 ephemeral_port_type:tcp_socket name_connect; ') ######################################## ## -## Do not audit attempts to bind TCP sockets to all reserved ports. +## Do not audit attempts to connect DCCP sockets +## all reserved ports. ## ## ## @@ -1799,54 +2703,54 @@ interface(`corenet_tcp_bind_all_reserved_ports',` ## ## # -interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; ') - dontaudit $1 reserved_port_type:tcp_socket name_bind; + dontaudit $1 reserved_port_type:dccp_socket name_connect; ') ######################################## ## -## Bind UDP sockets to all reserved ports. +## Do not audit attempts to connect TCP sockets +## all reserved ports. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`corenet_udp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; ') - allow $1 reserved_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; + dontaudit $1 reserved_port_type:tcp_socket name_connect; ') ######################################## ## -## Do not audit attempts to bind UDP sockets to all reserved ports. +## Connect DCCP sockets to rpc ports. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +interface(`corenet_dccp_connect_all_rpc_ports',` gen_require(` - attribute reserved_port_type; + attribute rpc_port_type; ') - dontaudit $1 reserved_port_type:udp_socket name_bind; + allow $1 rpc_port_type:dccp_socket name_connect; ') ######################################## ## -## Bind TCP sockets to all ports > 1024. +## Connect TCP sockets to rpc ports. ## ## ## @@ -1854,53 +2758,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ## ## # -interface(`corenet_tcp_bind_all_unreserved_ports',` +interface(`corenet_tcp_connect_all_rpc_ports',` gen_require(` - attribute unreserved_port_type; + attribute rpc_port_type; ') - allow $1 unreserved_port_type:tcp_socket name_bind; + allow $1 rpc_port_type:tcp_socket name_connect; ') ######################################## ## -## Bind UDP sockets to all ports > 1024. +## Do not audit attempts to connect DCCP sockets +## all rpc ports. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`corenet_udp_bind_all_unreserved_ports',` +interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` gen_require(` - attribute unreserved_port_type; + attribute rpc_port_type; ') - allow $1 unreserved_port_type:udp_socket name_bind; + dontaudit $1 rpc_port_type:dccp_socket name_connect; ') ######################################## ## -## Connect TCP sockets to reserved ports. +## Do not audit attempts to connect TCP sockets +## all rpc ports. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`corenet_tcp_connect_all_reserved_ports',` +interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` gen_require(` - attribute reserved_port_type; + attribute rpc_port_type; ') - allow $1 reserved_port_type:tcp_socket name_connect; + dontaudit $1 rpc_port_type:tcp_socket name_connect; ') ######################################## ## -## Connect TCP sockets to all ports > 1024. +## Read and write the TUN/TAP virtual network device. ## ## ## @@ -1908,87 +2814,85 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ## ## # -interface(`corenet_tcp_connect_all_unreserved_ports',` +interface(`corenet_sctp_bind_reserved_port',` gen_require(` - attribute unreserved_port_type; + type reserved_port_t; ') - allow $1 unreserved_port_type:tcp_socket name_connect; + allow $1 reserved_port_t:sctp_socket name_bind; + allow $1 self:capability net_bind_service; ') ######################################## ## -## Do not audit attempts to connect TCP sockets -## all reserved ports. ## ## ## -## Domain to not audit. +## The domain allowed access. ## ## # -interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` +interface(`corenet_rw_tun_tap_dev',` gen_require(` - attribute reserved_port_type; + type tun_tap_device_t; ') - dontaudit $1 reserved_port_type:tcp_socket name_connect; + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') ######################################## ## -## Connect TCP sockets to rpc ports. +## Relabel to and from the TUN/TAP virtual network device. ## ## ## -## Domain allowed access. +## The domain allowed access. ## ## # -interface(`corenet_tcp_connect_all_rpc_ports',` +interface(`corenet_relabel_tun_tap_dev',` gen_require(` - attribute rpc_port_type; + type tun_tap_device_t; ') - allow $1 rpc_port_type:tcp_socket name_connect; + relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) ') ######################################## ## -## Do not audit attempts to connect TCP sockets -## all rpc ports. +## Read and write inherited TUN/TAP virtual network device. ## ## ## -## Domain to not audit. +## The domain allowed access. ## ## # -interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` +interface(`corenet_rw_inherited_tun_tap_dev',` gen_require(` - attribute rpc_port_type; + type tun_tap_device_t; ') - dontaudit $1 rpc_port_type:tcp_socket name_connect; + allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## ## -## Read and write the TUN/TAP virtual network device. +## Connect SCTP sockets to generic reserved ports. ## ## ## -## The domain allowed access. +## Domain allowed access. ## ## # -interface(`corenet_rw_tun_tap_dev',` +interface(`corenet_sctp_connect_reserved_port',` gen_require(` - type tun_tap_device_t; + type reserved_port_t; ') - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; + allow $1 reserved_port_t:sctp_socket name_connect; ') ######################################## @@ -2047,6 +2951,25 @@ interface(`corenet_rw_ppp_dev',` allow $1 ppp_device_t:chr_file rw_chr_file_perms; ') +######################################## +## +## Bind DCCP sockets to all RPC ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + allow $1 rpc_port_type:dccp_socket name_bind; + allow $1 self:capability net_bind_service; +') + ######################################## ## ## Bind TCP sockets to all RPC ports. @@ -2066,6 +2989,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` allow $1 self:capability net_bind_service; ') +######################################## +## +## Do not audit attempts to bind DCCP sockets to all RPC ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + dontaudit $1 rpc_port_type:dccp_socket name_bind; +') + ######################################## ## ## Do not audit attempts to bind TCP sockets to all RPC ports. @@ -2192,6 +3133,25 @@ interface(`corenet_tcp_recv_netlabel',` corenet_tcp_recvfrom_netlabel($1) ') +######################################## +## +## Receive DCCP packets from a NetLabel connection. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dccp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; + allow $1 netlabel_peer_t:dccp_socket recvfrom; +') + ######################################## ## ## Receive TCP packets from a NetLabel connection. @@ -2213,7 +3173,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## -## Receive TCP packets from an unlabled connection. +## Receive DCCP packets from an unlabled connection. ## ## ## @@ -2221,16 +3181,39 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## ## # -interface(`corenet_tcp_recvfrom_unlabeled',` - kernel_tcp_recvfrom_unlabeled($1) +interface(`corenet_dccp_recvfrom_unlabeled',` + gen_require(` + attribute corenet_unlabeled_type; + ') + + kernel_dccp_recvfrom_unlabeled($1) kernel_recvfrom_unlabeled_peer($1) + typeattribute $1 corenet_unlabeled_type; # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems kernel_sendrecv_unlabeled_association($1) ') +######################################## +## +## Do not audit attempts to bind SCTP sockets to all reserved ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:sctp_socket name_bind; +') + ######################################## ## ## Do not audit attempts to receive TCP packets from a NetLabel @@ -2247,6 +3230,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` corenet_dontaudit_tcp_recvfrom_netlabel($1) ') +######################################## +## +## Do not audit attempts to receive DCCP packets from a NetLabel +## connection. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:dccp_socket recvfrom; +') + ######################################## ## ## Do not audit attempts to receive TCP packets from a NetLabel @@ -2267,6 +3270,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; ') +######################################## +## +## Do not audit attempts to receive DCCP packets from an unlabeled +## connection. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',` + kernel_dontaudit_dccp_recvfrom_unlabeled($1) + kernel_dontaudit_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + ######################################## ## ## Do not audit attempts to receive TCP packets from an unlabeled @@ -2342,6 +3366,24 @@ interface(`corenet_udp_recvfrom_unlabeled',` kernel_sendrecv_unlabeled_association($1) ') +######################################## +## +## Bind SCTP sockets to all ports > 1024. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:sctp_socket name_bind; +') + ######################################## ## ## Do not audit attempts to receive UDP packets from a NetLabel @@ -2471,22 +3513,40 @@ interface(`corenet_dontaudit_raw_recv_netlabel',` ######################################## ## -## Do not audit attempts to receive Raw IP packets from a NetLabel -## connection. +## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_raw_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; +') + +######################################## +## +## Connect SCTP sockets to reserved ports. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`corenet_dontaudit_raw_recvfrom_netlabel',` +interface(`corenet_sctp_connect_all_reserved_ports',` gen_require(` - type netlabel_peer_t; + attribute reserved_port_type; ') - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; + allow $1 reserved_port_type:sctp_socket name_connect; ') ######################################## @@ -2533,15 +3593,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` - kernel_tcp_recvfrom_unlabeled($1) - kernel_udp_recvfrom_unlabeled($1) - kernel_raw_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) + gen_require(` + attribute corenet_unlabeled_type; + ') + typeattribute $1 corenet_unlabeled_type; ') ######################################## @@ -2567,11 +3622,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` gen_require(` - type netlabel_peer_t; + attribute netlabel_peer_type; ') - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; + typeattribute $1 netlabel_peer_type; +') + +######################################## +## +## Enable unlabeled net packets +## +## +##

+## Allow unlabeled_packet_t to be used by all domains that use the network +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_enable_unlabeled_packets',` + gen_require(` + attribute corenet_unlabeled_type; + ') + + kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) ') ######################################## @@ -2585,6 +3663,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` + kernel_dontaudit_dccp_recvfrom_unlabeled($1) kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) @@ -2596,6 +3675,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',` kernel_dontaudit_sendrecv_unlabeled_association($1) ') +######################################## +## +## Do not audit attempts to connect SCTP sockets +## all reserved ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:sctp_socket name_connect; +') + ######################################## ## ## Do not audit attempts to receive packets from a NetLabel @@ -2613,7 +3711,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; + dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +') + +######################################## +## +## Rules for receiving labeled DCCP packets. +## +## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_dccp_recvfrom_labeled',` + allow { $1 $2 } self:association sendto; + allow $1 $2:{ association dccp_socket } recvfrom; + allow $2 $1:{ association dccp_socket } recvfrom; + + allow $1 $2:peer recv; + allow $2 $1:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_dccp_recvfrom_netlabel($1) + corenet_dccp_recvfrom_netlabel($2) ') ######################################## @@ -2727,6 +3853,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` + corenet_sctp_recvfrom_labeled($1, $2) corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) @@ -2997,6 +4124,24 @@ interface(`corenet_send_all_server_packets',` allow $1 server_packet_type:packet send; ') +######################################## +## +## Receive SCTP packets from a NetLabel connection. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; +') + ######################################## ## ## Receive all server packets. @@ -3048,6 +4193,27 @@ interface(`corenet_relabelto_all_server_packets',` allow $1 server_packet_type:packet relabelto; ') +######################################## +## +## Receive SCTP packets from an unlabled connection. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_recvfrom_unlabeled',` + gen_require(` + attribute corenet_unlabeled_type; + ') + + kernel_recvfrom_unlabeled_peer($1) + + typeattribute $1 corenet_unlabeled_type; + kernel_sendrecv_unlabeled_association($1) +') + ######################################## ## ## Send all packets. @@ -3134,3 +4300,216 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') + +######################################## +## +## Dontaudit bind tcp sockets to defined ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dontaudit_tcp_bind_all_defined_ports',` + gen_require(` + attribute defined_port_type; + ') + dontaudit $1 defined_port_type:tcp_socket name_bind; +') + +######################################## +## +## Create all network named devices with the correct label +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_filetrans_all_named_dev',` + + gen_require(` + type tun_tap_device_t; + type ppp_device_t; + ') + + dev_filetrans($1, tun_tap_device_t, chr_file, "tap0") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap1") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap2") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap3") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap4") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap5") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap6") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap7") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap8") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap9") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap10") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap11") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap12") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap13") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap14") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap15") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap16") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap17") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap18") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap19") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap20") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap21") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap22") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap23") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap24") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap25") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap26") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap27") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap28") + dev_filetrans($1, tun_tap_device_t, chr_file, "tap29") + dev_filetrans($1, ppp_device_t, chr_file, "ppp") +') + +######################################## +## +## Define type to be an infiniband pkey type +## +## +##

+## Define type to be an infiniband pkey type +##

+##

+## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +##

+##
+## +## +## Type to be used for infiniband pkeys. +## +## +# +interface(`corenet_ib_pkey',` + gen_require(` + attribute ibpkey_type; + ') + + typeattribute $1 ibpkey_type; +') + +######################################## +## +## Access unlabeled infiniband pkeys. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_ib_access_unlabeled_pkeys',` + kernel_ib_access_unlabeled_pkeys($1) +') + +######################################## +## +## Access all labeled infiniband pkeys. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_ib_access_all_pkeys',` + gen_require(` + attribute ibpkey_type; + ') + + allow $1 ibpkey_type:infiniband_pkey access; +') + +######################################## +## +## Define type to be an infiniband endport +## +## +##

+## Define type to be an infiniband endport +##

+##

+## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +##

+##
+## +## +## Type to be used for infiniband endports. +## +## +# +interface(`corenet_ib_endport',` + gen_require(` + attribute ibendport_type; + ') + + typeattribute $1 ibendport_type; +') + +######################################## +## +## Manage subnets on all labeled Infiniband endports +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_ib_manage_subnet_all_endports',` + gen_require(` + attribute ibendport_type; + ') + + allow $1 ibendport_type:infiniband_endport manage_subnet; +') + +######################################## +## +## Rules for receiving labeled SCTP packets. +## +## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_sctp_recvfrom_labeled',` + allow { $1 $2 } self:association sendto; + allow $1 $2:association recvfrom; + allow $2 $1:association recvfrom; + + allow $1 $2:peer recv; + allow $2 $1:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_sctp_recvfrom_netlabel($1) + corenet_sctp_recvfrom_netlabel($2) +') + +######################################## +## +## Manage subnet on all unlabeled Infiniband endports +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_ib_manage_subnet_unlabeled_endports',` + kernel_ib_manage_subnet_unlabeled_endports($1) +') diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 index 8e0f9cd14..2fe34db47 100644 --- a/policy/modules/kernel/corenetwork.if.m4 +++ b/policy/modules/kernel/corenetwork.if.m4 @@ -629,6 +629,26 @@ interface(`corenet_udp_bind_$1_port',` $4 ') +######################################## +## +## Do not audit attempts to sbind to $1 port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_bind_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:udp_socket name_bind; + $4 +') + ######################################## ## ## Make a TCP connection to the $1 port. @@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',` allow dollarsone $1_$2:tcp_socket name_connect; ') +######################################## +## +## Do not audit attempts to make a TCP connection to $1 port. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_dontaudit_tcp_connect_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:tcp_socket name_connect; +') '') dnl end create_port_interfaces define(`create_packet_interfaces',`` @@ -776,6 +813,48 @@ interface(`corenet_relabelto_$1_packets',` ') '') dnl end create_port_interfaces +define(`create_ibpkey_interfaces',`` +######################################## +## +## Access the infiniband fabric on the $1 ibpkey. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_ib_access_$1_pkey',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:infiniband_pkey access; +') +'') dnl end create_ibpkey_interfaces + +define(`create_ibendport_interfaces',`` +######################################## +## +## Manage the subnet on $1 ibendport. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_ib_manage_subnet_$1_endport',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:infiniband_endport manage_subnet; +') +'') dnl end create_ibendport_interfaces + # # create_netif_*_interfaces(linux_interfacename) # @@ -851,3 +930,25 @@ define(`network_packet',` create_packet_interfaces($1_client) create_packet_interfaces($1_server) ') + +# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity) +# (these wrap create_port_interfaces to handle attributes and types) +define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))') + +# +# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity) +# +define(`ib_pkey',` +create_ibpkey_type_interfaces($*) +') + +# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity) +# (these wrap create_port_interfaces to handle attributes and types) +define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))') + +# +# ib_endport(name,device_name, portnum mls_sensitivity) +# +define(`ib_endport',` +create_ibendport_type_interfaces($*) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index b191055f9..c89e45e64 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) # Declarations # +attribute netlabel_peer_type; attribute client_packet_type; # This is an optimization for { port_type -port_t } attribute defined_port_type; @@ -14,12 +15,16 @@ attribute node_type; attribute packet_type; attribute port_type; attribute reserved_port_type; +attribute ephemeral_port_type; attribute rpc_port_type; attribute server_packet_type; +attribute ibpkey_type; +attribute ibendport_type; # This is an optimization for { port_type -reserved_port_type } attribute unreserved_port_type; attribute corenet_unconfined_type; +attribute corenet_unlabeled_type; type ppp_device_t; dev_node(ppp_device_t) @@ -29,12 +34,25 @@ dev_node(ppp_device_t) # type tun_tap_device_t; dev_node(tun_tap_device_t) +mls_trusted_object(tun_tap_device_t) ######################################## # # Ports and packets # +# +# client_packet_t is the default type of IPv4 and IPv6 client packets. +# +type intranet_packet_t; +corenet_packet(intranet_packet_t) + +# +# client_packet_t is the default type of IPv4 and IPv6 client packets. +# +type internet_packet_t; +corenet_packet(internet_packet_t) + # # client_packet_t is the default type of IPv4 and IPv6 client packets. # @@ -46,6 +64,7 @@ type client_packet_t, packet_type, client_packet_type; # type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +mcs_constrained(netlabel_peer_t) # # port_t is the default type of INET port numbers. @@ -58,6 +77,12 @@ sid port gen_context(system_u:object_r:port_t,s0) # type unreserved_port_t, port_type, unreserved_port_type; +# +# ephemeral_port_t is the default type of ephemeral port numbers. +# cat /proc/sys/net/ipv4/ip_local_port_range +# +type ephemeral_port_t, port_type, ephemeral_port_type; + # # reserved_port_t is the type of INET port numbers below 1024. # @@ -76,63 +101,82 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) -network_port(afs_pt, udp,7002,s0) +network_port(afs_pt, tcp,7002,s0, udp,7002,s0) network_port(afs_vl, udp,7003,s0) network_port(afs3_callback, tcp,7001,s0, udp,7001,s0) network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) -network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0) +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(apc, tcp,3052,s0, udp,3052,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) network_port(apertus_ldp, tcp,539,s0, udp,539,s0) -network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) +network_port(bacula, tcp,9103,s0, udp,9103,s0) +network_port(bctp, tcp,8999,s0, udp,8999,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) +network_port(brlp, tcp,4101,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) +network_port(collectd, udp,25826,s0) network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cma, tcp,1050,s0, udp,1050,s0) network_port(cobbler, tcp,25151,s0) -network_port(commplex_link, tcp,5001,s0, udp,5001,s0) +network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0) network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) -network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) +network_port(conman, tcp,7890,s0, udp,7890,s0) +network_port(connlcli, tcp,1358,s0, udp,1358,s0) +network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) +network_port(cyrus_imapd, tcp,2005,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) +network_port(dey_keyneg, tcp,8750,s0, udp,8750,s0) +network_port(dey_sapi, tcp,4330,s0) network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) -network_port(dns, tcp,53,s0, udp,53,s0) +network_port(dogtag, tcp,7390,s0) +network_port(dns, udp,53,s0, tcp,53,s0) +network_port(dnssec, tcp,8955,s0) +network_port(echo, tcp,7,s0, udp,7,s0) network_port(efs, tcp,520,s0) network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) network_port(epmap, tcp,135,s0, udp,135,s0) network_port(epmd, tcp,4369,s0, udp,4369,s0) +network_port(fac_restore, tcp,5582,s0, udp,5582,s0) network_port(fingerd, tcp,79,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) +network_port(freeipmi, tcp,9225,s0, udp,9225,s0) +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +network_port(gear, tcp,43273,s0, udp,43273,s0) +network_port(geneve, tcp,6080,s0) network_port(gdomap, tcp,538,s0, udp,538,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(giftd, tcp,1213,s0) network_port(git, tcp,9418,s0, udp,9418,s0) +network_port(glance, tcp,9292,s0, udp,9292,s0) network_port(glance_registry, tcp,9191,s0, udp,9191,s0) +network_port(gluster, tcp,24007-24027,s0, udp,24007-24027,s0, tcp, 38465-38469,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) @@ -140,45 +184,60 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy +network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy +network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0) +network_port(intermapper, tcp,8181,s0) network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) +network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) network_port(interwise, tcp,7778,s0, udp,7778,s0) network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -network_port(ircd, tcp,6667,s0) +network_port(ircd, tcp,6667,s0, tcp,6697,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) -network_port(isns, tcp,3205,s0, udp,3205,s0) +network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) -network_port(jabber_interserver, tcp,5269,s0) -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) -network_port(kismet, tcp,2501,s0) +network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0) +network_port(jabber_router, tcp,5347,s0) +network_port(jacorb, tcp,3528,s0, tcp,3529,s0) +network_port(jboss_debug, tcp,8787,s0, udp,8787,s0) +network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) +network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp, 35357,s0, udp, 35357,s0) +network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0) +network_port(llmnr, tcp, 5355, s0, udp, 5355,s0) +network_port(lltng, tcp, 5345, s0) +network_port(rabbitmq, tcp,25672,s0) +network_port(rlogin, tcp,543,s0, tcp,2105,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) -network_port(l2tp, tcp,1701,s0, udp,1701,s0) -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) -network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(luci, tcp,8084,s0) +network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0) network_port(lrrd) # no defined portcon +network_port(lsm_plugin, tcp,18700,s0) +network_port(l2tp, tcp,1701,s0, udp,1701,s0) network_port(mail, tcp,2000,s0, tcp,3905,s0) +network_port(mailbox, tcp,2004,s0) network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(milter) # no defined portcon +network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) network_port(mountd, tcp,20048,s0, udp,20048,s0) network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) network_port(mpd, tcp,6600,s0) -network_port(msgsrvr, tcp,8787,s0, udp,8787,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) @@ -186,101 +245,129 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) +network_port(mythtv, tcp,6543-6544,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) -network_port(nfs, tcp,2049,s0, udp,2049,s0) -network_port(nfsrdma, tcp,20049,s0, udp,20049,s0) +network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) network_port(nmbd, udp,137,s0, udp,138,s0) +network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(oa_system, tcp,8022,s0, udp,8022,s0) -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) +network_port(openflow, tcp,6633,s0, tcp,6653,s0) network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(openvswitch, tcp,6634,s0) +network_port(osapi_compute, tcp, 8774, s0) +network_port(ovsdb, tcp, 6640, s0) network_port(pdps, tcp,1314,s0, udp,1314,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) +network_port(pki_ra, tcp,12888-12889,s0) +network_port(pki_tps, tcp,7888-7889,s0) network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) -network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) +network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -network_port(postgresql, tcp,5432,s0) +network_port(postgresql, tcp,5432,s0, tcp,9898,s0) network_port(postgrey, tcp,60000,s0) network_port(pptp, tcp,1723,s0, udp,1723,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) +network_port(preupgrade, tcp, 8099, s0) network_port(printer, tcp,515,s0) +network_port(prosody, tcp,5280-5281,s0) network_port(ptal, tcp,5703,s0) -network_port(pulseaudio, tcp,4713,s0) +network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -network_port(radacct, udp,1646,s0, udp,1813,s0) -network_port(radius, udp,1645,s0, udp,1812,s0) +network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0) +network_port(nsd_control, tcp,8952,s0) +network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0) +network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) -network_port(redis, tcp,6379,s0) +network_port(time, tcp,37,s0, udp,37,s0) +network_port(redis, tcp,6379,s0, tcp,26379,s0, tcp,16379,s0) network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) -network_port(rndc, tcp,953,s0, udp,953,s0) +network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0) network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) -network_port(rtsp, tcp,554,s0, udp,554,s0) +network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0) +network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0) network_port(rwho, udp,513,s0) +network_port(salt, tcp,4505,s0, tcp,4506,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) +network_port(sge, tcp,6444,s0, tcp,6445,s0) +network_port(shellinaboxd, tcp,4200,s0) network_port(sieve, tcp,4190,s0) network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0) +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) -network_port(spamd, tcp,783,s0) +network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0) network_port(speech, tcp,8036,s0) -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -network_port(ssdp, tcp,1900,s0, udp,1900,s0) +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +network_port(ssdp, tcp,1900,s0, udp, 1900, s0) network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svrloc, tcp,427,s0, udp,427,s0) network_port(swat, tcp,901,s0) +network_port(swift, tcp,6200-6203,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) -network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0) +network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) +network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0, tcp,9150,s0) network_port(traceroute, udp,64000-64010,s0) +network_port(tram, tcp, 4567, s0) network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) +network_port(us_cli, tcp,8082,s0, udp,8082,s0, tcp,8083,s0, udp,8083,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900,s0) +network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0) network_port(wccp, udp,2048,s0) network_port(websm, tcp,9090,s0, udp,9090,s0) -network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0) +network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(winshadow, tcp,3161,s0, udp,3261,s0) +network_port(wap_wsp, tcp,9200,s0, udp,9200,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) +network_port(xinuexpansion3, tcp,2023,s0, udp,2023,s0) +network_port(xinuexpansion4, tcp,2024,s0, udp,2024,s0) network_port(xfs, tcp,7100,s0) +network_port(xodbc_connect, tcp,6632,s0) network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) @@ -288,19 +375,26 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) +network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0) network_port(zented, tcp,1229,s0, udp,1229,s0) network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. -portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) -portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) +portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) +portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) ######################################## # @@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) +allow netlabel_peer_t lo_netif_t:netif ingress; +allow netlabel_peer_type lo_netif_t:netif egress; ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') @@ -345,9 +441,35 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; +allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; +allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind; + +# Infiniband +corenet_ib_access_all_pkeys(corenet_unconfined_type) +corenet_ib_manage_subnet_all_endports(corenet_unconfined_type) +corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type) +corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type) + +# +# Rules coverning the use of unlabeled types +# +kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type) + +allow netlabel_peer_type netlabel_peer_t:peer recv; +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }; +allow netlabel_peer_t node_t:node recvfrom; + +typealias neutron_port_t alias quantum_port_t; +typealias neutron_server_packet_t alias quantum_server_packet_t; +typealias neutron_client_packet_t alias quantum_client_packet_t; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e16889..abd046c56 100644 --- a/policy/modules/kernel/corenetwork.te.m4 +++ b/policy/modules/kernel/corenetwork.te.m4 @@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;') ') +define(`add_ephemeral_attribute',`dnl +ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type; +',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl +') + # bindresvport in glibc starts searching for reserved ports at 512 define(`add_rpc_attribute',`dnl ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type; @@ -101,6 +106,7 @@ type $1_client_packet_t, packet_type, client_packet_type; type $1_server_packet_t, packet_type, server_packet_type; ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl +ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl ') @@ -111,3 +117,29 @@ define(`network_packet',` type $1_client_packet_t, packet_type, client_packet_type; type $1_server_packet_t, packet_type, server_packet_type; ') + +define(`declare_ibpkeycons',`dnl +ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4) +ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl +') + +# +# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) +# +define(`ib_pkey',` +type $1_ibpkey_t, ibpkey_type; +ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl +') + +define(`declare_ibendportcons',`dnl +ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4) +ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl +') + +# +# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]]) +# +define(`ib_endport',` +type $1_ibendport_t, ibendport_type; +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index b31c05491..9bf0f8504 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,19 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) +/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) -/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) -/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) +/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/drm_dp_aux.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) +/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -42,8 +46,15 @@ /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) +/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpio_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) +/dev/infiniband/issm[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) +/dev/infiniband/umad[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) +/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) +/dev/infiniband/issm[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) +/dev/infiniband/umad[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) @@ -61,8 +72,10 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) +/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/mei[0-9]* -c gen_context(system_u:object_r:mei_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/memory_bandwidth -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -72,7 +85,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) +/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/mpt[0-9]*ctl -c gen_context(system_u:object_r:mptctl_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) @@ -80,7 +95,10 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0) +/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) +/dev/ndctl[0-9] -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) @@ -88,11 +106,15 @@ /dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) +/dev/opal-prd -c gen_context(system_u:object_r:opal_device_t,s0) +/dev/op_panel -c gen_context(system_u:object_r:opal_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/prandom -c gen_context(system_u:object_r:random_device_t,s0) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/kfd -c gen_context(system_u:object_r:hsa_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -106,8 +128,10 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) +/dev/tpmrm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) /dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) @@ -118,7 +142,17 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) +/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) +/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) +/dev/clp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) +/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) +/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vhost-vsock -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -129,12 +163,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) +/dev/cdc-wdm[0-9] -c gen_context(system_u:object_r:modem_device_t,s0) /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) @@ -169,14 +205,21 @@ ifdef(`distro_suse', ` /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/ss[0-9]+ -c gen_context(system_u:object_r:gpfs_device_t,s0) + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0) + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0) +/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0) + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0) @@ -198,12 +241,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) -/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) - ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) +/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0) +/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0) +/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0) +/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) +/ +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') + +# +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) + +/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0) +/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 76f285ea6..39c574228 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` type device_t; ') - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) + relabel_dirs_pattern($1, device_t, device_node) + relabel_files_pattern($1, device_t, device_node) + relabel_lnk_files_pattern($1, device_t, device_node) + relabel_fifo_files_pattern($1, device_t, device_node) + relabel_sock_files_pattern($1, device_t, device_node) + relabel_blk_files_pattern($1, device_t, device_node) + relabel_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## +## Allow full relabeling (to and from) of all device files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dev_relabel_all_dev_files',` + gen_require(` + type device_t; + ') + + relabel_files_pattern($1, device_t, device_t) ') ######################################## @@ -207,6 +226,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` dontaudit $1 device_t:dir list_dir_perms; ') +######################################## +## +## Dontaudit attempts to list all device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_all_access_check',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:file_class_set audit_access; +') + ######################################## ## ## Add entries to directories in /dev. @@ -352,6 +389,24 @@ interface(`dev_read_generic_files',` read_files_pattern($1, device_t, device_t) ') +####################################### +## +## Read generic files in /dev. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_read_generic_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:file { read getattr }; +') + ######################################## ## ## Read and write generic files in /dev. @@ -460,6 +515,42 @@ interface(`dev_getattr_generic_blk_files',` getattr_blk_files_pattern($1, device_t, device_t) ') +######################################## +## +## Rename generic block device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rename_generic_blk_files',` + gen_require(` + type device_t; + ') + + rename_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## +## write generic sock files in /dev. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_write_generic_sock_files',` + gen_require(` + type device_t; + ') + + write_sock_files_pattern($1, device_t, device_t) +') + ######################################## ## ## Dontaudit getattr on generic block devices. @@ -568,6 +659,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` dontaudit $1 device_t:chr_file getattr; ') +######################################## +## +## Rename generic character device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rename_generic_chr_files',` + gen_require(` + type device_t; + ') + + rename_chr_files_pattern($1, device_t, device_t) +') + ######################################## ## ## Dontaudit setattr for generic character device files. @@ -646,7 +755,7 @@ interface(`dev_rw_generic_blk_files',` ## ## ## -## Domain to dontaudit access. +## Domain to not audit. ## ## # @@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## ## -## Read symbolic links in device directories. +## Create symbolic links in device directories. ## ## ## @@ -741,17 +850,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ## ## # -interface(`dev_read_generic_symlinks',` +interface(`dev_create_generic_symlinks',` gen_require(` type device_t; ') - allow $1 device_t:lnk_file read_lnk_file_perms; + create_lnk_files_pattern($1, device_t, device_t) ') ######################################## ## -## Create symbolic links in device directories. +## Delete symbolic links in device directories. ## ## ## @@ -759,17 +868,17 @@ interface(`dev_read_generic_symlinks',` ## ## # -interface(`dev_create_generic_symlinks',` +interface(`dev_delete_generic_symlinks',` gen_require(` type device_t; ') - create_lnk_files_pattern($1, device_t, device_t) + delete_lnk_files_pattern($1, device_t, device_t) ') ######################################## ## -## Delete symbolic links in device directories. +## Read symbolic links in device directories. ## ## ## @@ -777,12 +886,12 @@ interface(`dev_create_generic_symlinks',` ## ## # -interface(`dev_delete_generic_symlinks',` +interface(`dev_read_generic_symlinks',` gen_require(` type device_t; ') - delete_lnk_files_pattern($1, device_t, device_t) + allow $1 device_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -875,6 +984,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; ') +######################################## +## +## Read block device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_generic_blk_files',` + gen_require(` + type device_t; + ') + + read_blk_files_pattern($1, device_t, device_t) +') + ######################################## ## ## Create, delete, read, and write block device files. @@ -981,6 +1108,25 @@ interface(`dev_tmpfs_filetrans_dev',` fs_tmpfs_filetrans($1, device_t, $2, $3) ') +######################################## +## +## Allow getattr on all device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_all',` + gen_require(` + attribute device_node; + type device_t; + ') + + allow $1 { device_t device_node }:dir_file_class_set getattr; +') + ######################################## ## ## Getattr on all block file device nodes. @@ -1001,6 +1147,26 @@ interface(`dev_getattr_all_blk_files',` getattr_blk_files_pattern($1, device_t, device_node) ') +######################################## +## +## Read on all block file device nodes. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dev_read_all_blk_files',` + gen_require(` + attribute device_node; + type device_t; + ') + + read_blk_files_pattern($1, device_t, device_node) +') + ######################################## ## ## Dontaudit getattr on all block file device nodes. @@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') getattr_chr_files_pattern($1, device_t, device_node) @@ -1204,6 +1371,42 @@ interface(`dev_create_all_chr_files',` create_chr_files_pattern($1, device_t, device_node) ') +######################################## +## +## rw all inherited character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_chr_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## rw all inherited blk device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_blk_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:blk_file rw_inherited_blk_file_perms; +') + ######################################## ## ## Delete all block device files. @@ -1558,25 +1761,6 @@ interface(`dev_relabel_autofs_dev',` allow $1 autofs_device_t:chr_file relabel_chr_file_perms; ') -######################################## -## -## Read and write cachefiles character -## device nodes. -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_rw_cachefiles',` - gen_require(` - type device_t, cachefiles_device_t; - ') - - rw_chr_files_pattern($1, device_t, cachefiles_device_t) -') - ######################################## ## ## Read and write the PCMCIA card manager device. @@ -1680,6 +1864,26 @@ interface(`dev_filetrans_cardmgr',` filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2) ') +######################################## +## +## Automatic type transition to the type +## for xserver misc device nodes when +## created in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_xserver_misc',` + gen_require(` + type device_t, xserver_misc_device_t; + ') + + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file ) +') + ######################################## ## ## Get the attributes of the CPU @@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',` rw_chr_files_pattern($1, device_t, crypt_device_t) ') +######################################## +## +## Read and write the the ecrypt filesystem device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_ecryptfs',` + gen_require(` + type device_t, ecryptfs_device_t; + ') + + rw_chr_files_pattern($1, device_t, ecryptfs_device_t) +') + ####################################### ## ## Set the attributes of the dlm control devices. @@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',` ######################################## ## -## Read and write the dri devices. +## Mmap the dri devices. ## ## ## @@ -1873,35 +2095,36 @@ interface(`dev_setattr_dri_dev',` ## ## # -interface(`dev_rw_dri',` +interface(`dev_map_dri',` gen_require(` type device_t, dri_device_t; ') - rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; ') ######################################## ## -## Dontaudit read and write on the dri devices. +## Read and write the dri devices. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_rw_dri',` +interface(`dev_rw_dri',` gen_require(` - type dri_device_t; + type device_t, dri_device_t; ') - dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; + rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; ') ######################################## ## -## Create, read, write, and delete the dri devices. +## Read and write the dri devices. ## ## ## @@ -1909,26 +2132,63 @@ interface(`dev_dontaudit_rw_dri',` ## ## # -interface(`dev_manage_dri_dev',` +interface(`dev_rw_inherited_dri',` gen_require(` type device_t, dri_device_t; ') - manage_chr_files_pattern($1, device_t, dri_device_t) + allow $1 device_t:dir search_dir_perms; + allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## ## -## Automatic type transition to the type -## for DRI device nodes when created in /dev. +## Dontaudit read and write on the dri devices. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## -## -## +# +interface(`dev_dontaudit_rw_dri',` + gen_require(` + type dri_device_t; + ') + + dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## +## Create, read, write, and delete the dri devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + manage_chr_files_pattern($1, device_t, dri_device_t) +') + +######################################## +## +## Automatic type transition to the type +## for DRI device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +## +## ## The name of the object being created. ## ## @@ -2015,6 +2275,181 @@ interface(`dev_rw_input_dev',` rw_chr_files_pattern($1, device_t, event_device_t) ') +######################################## +## +## Read input event devices (/dev/input). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_inherited_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + allow $1 device_t:dir search_dir_perms; + allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## Read ipmi devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; + ') + + read_chr_files_pattern($1, device_t, ipmi_device_t) +') + +######################################## +## +## Read and write ipmi devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; + ') + + rw_chr_files_pattern($1, device_t, ipmi_device_t) +') + +######################################## +## +## Manage ipmi devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; + ') + + manage_chr_files_pattern($1, device_t, ipmi_device_t) +') + +######################################## +## +## Automatic type transition to the type +## for PCMCIA card manager device nodes when +## created in /dev. +## +## +## +## Domain allowed access. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`dev_filetrans_ipmi',` + gen_require(` + type device_t, ipmi_device_t; + ') + + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2) +') + +######################################## +## +## Read infiniband devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_infiniband_dev',` + gen_require(` + type device_t, infiniband_device_t; + ') + + read_chr_files_pattern($1, device_t, infiniband_device_t) + read_blk_files_pattern($1, device_t, infiniband_device_t) +') + +######################################## +## +## Read and write ipmi devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_infiniband_dev',` + gen_require(` + type device_t, infiniband_device_t; + ') + + rw_chr_files_pattern($1, device_t, infiniband_device_t) + rw_blk_files_pattern($1, device_t, infiniband_device_t) + allow $1 infiniband_device_t:chr_file map; +') + +######################################## +## +## Read infiniband mgmt devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_infiniband_mgmt_dev',` + gen_require(` + type device_t, infiniband_mgmt_device_t; + ') + + read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t) + read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t) +') + +######################################## +## +## Read and write ipmi devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_infiniband_mgmt_dev',` + gen_require(` + type device_t, infiniband_mgmt_device_t; + ') + + rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t) + rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t) +') + ######################################## ## ## Get the attributes of the framebuffer device node. @@ -2124,6 +2559,24 @@ interface(`dev_write_framebuffer',` write_chr_files_pattern($1, device_t, framebuf_device_t) ') +######################################## +## +## Mmap the framebuffer. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_map_framebuffer',` + gen_require(` + type framebuf_device_t; + ') + + allow $1 framebuf_device_t:file map; +') + ######################################## ## ## Read and write the framebuffer. @@ -2402,7 +2855,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## -## Get the attributes of the lvm comtrol device. +## Get the attributes of the loop comtrol device. ## ## ## @@ -2410,17 +2863,17 @@ interface(`dev_filetrans_lirc',` ## ## # -interface(`dev_getattr_lvm_control',` +interface(`dev_getattr_loop_control',` gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; ') - getattr_chr_files_pattern($1, device_t, lvm_control_t) + getattr_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## -## Read the lvm comtrol device. +## Read the loop comtrol device. ## ## ## @@ -2428,17 +2881,17 @@ interface(`dev_getattr_lvm_control',` ## ## # -interface(`dev_read_lvm_control',` +interface(`dev_read_loop_control',` gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; ') - read_chr_files_pattern($1, device_t, lvm_control_t) + read_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## -## Read and write the lvm control device. +## Read and write the loop control device. ## ## ## @@ -2446,17 +2899,17 @@ interface(`dev_read_lvm_control',` ## ## # -interface(`dev_rw_lvm_control',` +interface(`dev_rw_loop_control',` gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; ') - rw_chr_files_pattern($1, device_t, lvm_control_t) + rw_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## -## Do not audit attempts to read and write lvm control device. +## Do not audit attempts to read and write loop control device. ## ## ## @@ -2464,17 +2917,17 @@ interface(`dev_rw_lvm_control',` ## ## # -interface(`dev_dontaudit_rw_lvm_control',` +interface(`dev_dontaudit_rw_loop_control',` gen_require(` - type lvm_control_t; + type loop_control_device_t; ') - dontaudit $1 lvm_control_t:chr_file rw_file_perms; + dontaudit $1 loop_control_device_t:chr_file rw_file_perms; ') ######################################## ## -## Delete the lvm control device. +## Delete the loop control device. ## ## ## @@ -2482,35 +2935,35 @@ interface(`dev_dontaudit_rw_lvm_control',` ## ## # -interface(`dev_delete_lvm_control_dev',` +interface(`dev_delete_loop_control_dev',` gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; ') - delete_chr_files_pattern($1, device_t, lvm_control_t) + delete_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## -## dontaudit getattr raw memory devices (e.g. /dev/mem). +## Get the attributes of the loop comtrol device. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_getattr_memory_dev',` +interface(`dev_getattr_lvm_control',` gen_require(` - type memory_device_t; + type device_t, lvm_control_t; ') - dontaudit $1 memory_device_t:chr_file getattr; + getattr_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## -## Read raw memory devices (e.g. /dev/mem). +## Read the lvm comtrol device. ## ## ## @@ -2518,62 +2971,153 @@ interface(`dev_dontaudit_getattr_memory_dev',` ## ## # -interface(`dev_read_raw_memory',` +interface(`dev_read_lvm_control',` gen_require(` - type device_t, memory_device_t; - attribute memory_raw_read; + type device_t, lvm_control_t; ') - read_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; + read_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## -## Do not audit attempts to read raw memory devices -## (e.g. /dev/mem). +## Read and write the lvm control device. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_read_raw_memory',` +interface(`dev_rw_lvm_control',` gen_require(` - type memory_device_t; + type device_t, lvm_control_t; ') - dontaudit $1 memory_device_t:chr_file read_chr_file_perms; + rw_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## -## Write raw memory devices (e.g. /dev/mem). +## Do not audit attempts to read and write lvm control device. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_write_raw_memory',` +interface(`dev_dontaudit_rw_lvm_control',` gen_require(` - type device_t, memory_device_t; - attribute memory_raw_write; + type lvm_control_t; ') - write_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_write; + dontaudit $1 lvm_control_t:chr_file rw_file_perms; ') ######################################## ## -## Read and execute raw memory devices (e.g. /dev/mem). +## Delete the lvm control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_delete_lvm_control_dev',` + gen_require(` + type device_t, lvm_control_t; + ') + + delete_chr_files_pattern($1, device_t, lvm_control_t) +') + +######################################## +## +## dontaudit getattr raw memory devices (e.g. /dev/mem). +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_memory_dev',` + gen_require(` + type memory_device_t; + ') + + dontaudit $1 memory_device_t:chr_file getattr; +') + +######################################## +## +## Read raw memory devices (e.g. /dev/mem). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_raw_memory',` + gen_require(` + type device_t, memory_device_t; + attribute memory_raw_read; + ') + + read_chr_files_pattern($1, device_t, memory_device_t) + allow $1 memory_device_t:chr_file map; + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; +') + +######################################## +## +## Do not audit attempts to read raw memory devices +## (e.g. /dev/mem). +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_read_raw_memory',` + gen_require(` + type memory_device_t; + ') + + dontaudit $1 memory_device_t:chr_file read_chr_file_perms; +') + +######################################## +## +## Write raw memory devices (e.g. /dev/mem). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_raw_memory',` + gen_require(` + type device_t, memory_device_t; + attribute memory_raw_write; + ') + + write_chr_files_pattern($1, device_t, memory_device_t) + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_write; +') + +######################################## +## +## Read and execute raw memory devices (e.g. /dev/mem). ## ## ## @@ -2587,7 +3131,7 @@ interface(`dev_rx_raw_memory',` ') dev_read_raw_memory($1) - allow $1 memory_device_t:chr_file execute; + allow $1 memory_device_t:chr_file { map execute }; ') ######################################## @@ -2606,7 +3150,7 @@ interface(`dev_wx_raw_memory',` ') dev_write_raw_memory($1) - allow $1 memory_device_t:chr_file execute; + allow $1 memory_device_t:chr_file { map execute }; ') ######################################## @@ -2725,7 +3269,7 @@ interface(`dev_write_misc',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -2809,6 +3353,78 @@ interface(`dev_rw_modem',` rw_chr_files_pattern($1, device_t, modem_device_t) ') +######################################## +## +## Get the attributes of the monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_monitor_dev',` + gen_require(` + type device_t, monitor_device_t; + ') + + getattr_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## +## Set the attributes of the monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_monitor_dev',` + gen_require(` + type device_t, monitor_device_t; + ') + + setattr_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## +## Read the monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_monitor_dev',` + gen_require(` + type device_t, monitor_device_t; + ') + + read_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## +## Read and write to monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_monitor_dev',` + gen_require(` + type device_t, monitor_device_t; + ') + + rw_chr_files_pattern($1, device_t, monitor_device_t) +') + ######################################## ## ## Get the attributes of the mouse devices. @@ -2903,20 +3519,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## -## Read the memory type range +## Write the memory type range ## registers (MTRR). (Deprecated) ## ## ##

-## Read the memory type range +## Write the memory type range ## registers (MTRR). This interface has ## been deprecated, dev_rw_mtrr() should be ## used instead. ##

##

## The MTRR device ioctls can be used for -## reading and writing; thus, read access to the -## device cannot be separated from write access. +## reading and writing; thus, write access to the +## device cannot be separated from read access. ##

##
## @@ -2925,43 +3541,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # -interface(`dev_read_mtrr',` +interface(`dev_write_mtrr',` refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') dev_rw_mtrr($1) ') ######################################## ## -## Write the memory type range -## registers (MTRR). (Deprecated) +## Do not audit attempts to write the memory type +## range registers (MTRR). ## -## -##

-## Write the memory type range -## registers (MTRR). This interface has -## been deprecated, dev_rw_mtrr() should be -## used instead. -##

-##

-## The MTRR device ioctls can be used for -## reading and writing; thus, write access to the -## device cannot be separated from read access. -##

-##
## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) +interface(`dev_dontaudit_write_mtrr',` + gen_require(` + type mtrr_device_t; + ') + + dontaudit $1 mtrr_device_t:file write_file_perms; + dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ') ######################################## ## -## Do not audit attempts to write the memory type +## Do not audit attempts to read the memory type ## range registers (MTRR). ## ## @@ -2970,13 +3577,32 @@ interface(`dev_write_mtrr',` ##
## # -interface(`dev_dontaudit_write_mtrr',` +interface(`dev_dontaudit_read_mtrr',` gen_require(` type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; + dontaudit $1 mtrr_device_t:file { open read }; + dontaudit $1 mtrr_device_t:chr_file { open read }; +') + +######################################## +## +## Read the memory type range registers (MTRR). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_mtrr',` + gen_require(` + type device_t, mtrr_device_t; + ') + + read_files_pattern($1, device_t, mtrr_device_t) + read_chr_files_pattern($1, device_t, mtrr_device_t) ') ######################################## @@ -3144,44 +3770,43 @@ interface(`dev_create_null_dev',` ######################################## ## -## Do not audit attempts to get the attributes -## of the BIOS non-volatile RAM device. +## Get the status of a null device service. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_getattr_nvram_dev',` +interface(`dev_service_status_null_dev',` gen_require(` - type nvram_device_t; + type null_device_t; ') - dontaudit $1 nvram_device_t:chr_file getattr; + allow $1 null_device_t:service status; ') ######################################## ## -## Read and write BIOS non-volatile RAM. +## Configure null_device as a unit files. ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # -interface(`dev_rw_nvram',` +interface(`dev_config_null_dev_service',` gen_require(` - type nvram_device_t; + type null_device_t; ') - rw_chr_files_pattern($1, device_t, nvram_device_t) + allow $1 null_device_t:service manage_service_perms; ') ######################################## ## -## Get the attributes of the printer device nodes. +## Read Non-Volatile Memory Host Controller Interface. ## ## ## @@ -3189,17 +3814,18 @@ interface(`dev_rw_nvram',` ## ## # -interface(`dev_getattr_printer_dev',` +interface(`dev_read_nvme',` gen_require(` - type device_t, printer_device_t; + type nvme_device_t; ') - getattr_chr_files_pattern($1, device_t, printer_device_t) + read_chr_files_pattern($1, device_t, nvme_device_t) + read_blk_files_pattern($1, device_t, nvme_device_t) ') ######################################## ## -## Set the attributes of the printer device nodes. +## Read/Write Non-Volatile Memory Host Controller Interface. ## ## ## @@ -3207,36 +3833,37 @@ interface(`dev_getattr_printer_dev',` ## ## # -interface(`dev_setattr_printer_dev',` +interface(`dev_rw_nvme',` gen_require(` - type device_t, printer_device_t; + type nvme_device_t; ') - setattr_chr_files_pattern($1, device_t, printer_device_t) + rw_chr_files_pattern($1, device_t, nvme_device_t) + rw_blk_files_pattern($1, device_t, nvme_device_t) ') ######################################## ## -## Append the printer device. +## Do not audit attempts to get the attributes +## of the BIOS non-volatile RAM device. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -# cjp: added for lpd/checkpc_t -interface(`dev_append_printer',` +interface(`dev_dontaudit_getattr_nvram_dev',` gen_require(` - type device_t, printer_device_t; + type nvram_device_t; ') - append_chr_files_pattern($1, device_t, printer_device_t) + dontaudit $1 nvram_device_t:chr_file getattr; ') ######################################## ## -## Read and write the printer device. +## Read BIOS non-volatile RAM. ## ## ## @@ -3244,17 +3871,17 @@ interface(`dev_append_printer',` ## ## # -interface(`dev_rw_printer',` +interface(`dev_read_nvram',` gen_require(` - type device_t, printer_device_t; + type nvram_device_t; ') - rw_chr_files_pattern($1, device_t, printer_device_t) + read_chr_files_pattern($1, device_t, nvram_device_t) ') ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## Read and write BIOS non-volatile RAM. ## ## ## @@ -3262,18 +3889,17 @@ interface(`dev_rw_printer',` ## ## # -interface(`dev_read_printk',` +interface(`dev_rw_nvram',` gen_require(` - type device_t, printk_device_t; + type nvram_device_t; ') - read_chr_files_pattern($1, device_t, printk_device_t) + rw_chr_files_pattern($1, device_t, nvram_device_t) ') ######################################## ## -## Get the attributes of the QEMU -## microcode and id interfaces. +## Get the attributes of the printer device nodes. ## ## ## @@ -3281,9 +3907,120 @@ interface(`dev_read_printk',` ## ## # -interface(`dev_getattr_qemu_dev',` +interface(`dev_getattr_printer_dev',` gen_require(` - type device_t, qemu_device_t; + type device_t, printer_device_t; + ') + + getattr_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## +## Set the attributes of the printer device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_printer_dev',` + gen_require(` + type device_t, printer_device_t; + ') + + setattr_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## +## Append the printer device. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for lpd/checkpc_t +interface(`dev_append_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + append_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## +## Read and write the printer device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + rw_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## +## Relabel the printer device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_printer',` + gen_require(` + type printer_device_t; + ') + + allow $1 printer_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## +## Read and write the printer device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + manage_chr_files_pattern($1, device_t, printer_device_t) + dev_filetrans_printer_named_dev($1) +') + +######################################## +## +## Get the attributes of the QEMU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; ') getattr_chr_files_pattern($1, device_t, qemu_device_t) @@ -3399,7 +4136,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## -## Do not audit attempts to append to random +## Do not audit attempts to append to the random ## number generator devices (e.g., /dev/random) ## ## @@ -3413,7 +4150,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') - dontaudit $1 random_device_t:chr_file append_chr_file_perms; + dontaudit $1 random_device_t:chr_file { append }; ') ######################################## @@ -3633,6 +4370,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) + allow $1 sound_device_t:chr_file map; ') ######################################## @@ -3669,6 +4407,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) + allow $1 sound_device_t:chr_file map; ') ######################################## @@ -3855,7 +4594,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## -## Search the sysfs directories. +## Set the attributes of sysfs directories. ## ## ## @@ -3863,91 +4602,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # -interface(`dev_search_sysfs',` +interface(`dev_setattr_sysfs_dirs',` gen_require(` type sysfs_t; ') - search_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir setattr_dir_perms; ') ######################################## ## -## Do not audit attempts to search sysfs. +## Get attributes of sysfs filesystems. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_search_sysfs',` +interface(`dev_getattr_sysfs_fs',` gen_require(` type sysfs_t; ') - dontaudit $1 sysfs_t:dir search_dir_perms; + allow $1 sysfs_t:filesystem getattr; ') ######################################## ## -## List the contents of the sysfs directories. +## Mount a filesystem on /sys ## ## ## -## Domain allowed access. +## Domain allow access. ## ## # -interface(`dev_list_sysfs',` +interface(`dev_mounton_sysfs',` gen_require(` type sysfs_t; ') - list_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir mounton; ') ######################################## ## -## Write in a sysfs directories. +## Dontaudit attempts to mount a filesystem on /sys ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -# cjp: added for cpuspeed -interface(`dev_write_sysfs_dirs',` +interface(`dev_dontaudit_mounton_sysfs',` gen_require(` type sysfs_t; ') - allow $1 sysfs_t:dir write; + dontaudit $1 sysfs_t:dir mounton; ') ######################################## ## -## Do not audit attempts to write in a sysfs directory. +## Mount sysfs filesystems. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_write_sysfs_dirs',` +interface(`dev_mount_sysfs_fs',` gen_require(` type sysfs_t; ') - dontaudit $1 sysfs_t:dir write; + allow $1 sysfs_t:filesystem mount; ') ######################################## ## -## Create, read, write, and delete sysfs -## directories. +## Unmount sysfs filesystems. ## ## ## @@ -3955,68 +4692,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_unmount_sysfs_fs',` gen_require(` type sysfs_t; ') - manage_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:filesystem unmount; ') ######################################## ## -## Read hardware state information. +## Search the sysfs directories. ## -## -##

-## Allow the specified domain to read the contents of -## the sysfs filesystem. This filesystem contains -## information, parameters, and other settings on the -## hardware installed on the system. -##

-##
## ## ## Domain allowed access. ## ## -## # -interface(`dev_read_sysfs',` +interface(`dev_search_sysfs',` gen_require(` type sysfs_t; ') - read_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) + search_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## -## Allow caller to modify hardware state information. +## Do not audit attempts to search sysfs. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_rw_sysfs',` +interface(`dev_dontaudit_search_sysfs',` gen_require(` type sysfs_t; ') - rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) + dontaudit $1 sysfs_t:dir search_dir_perms; ') ######################################## ## -## Read and write the TPM device. +## List the contents of the sysfs directories. ## ## ## @@ -4024,96 +4746,73 @@ interface(`dev_rw_sysfs',` ## ## # -interface(`dev_rw_tpm',` +interface(`dev_list_sysfs',` gen_require(` - type device_t, tpm_device_t; + type sysfs_t; ') - rw_chr_files_pattern($1, device_t, tpm_device_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## -## Read from pseudo random number generator devices (e.g., /dev/urandom). +## Write in a sysfs directories. ## -## -##

-## Allow the specified domain to read from pseudo random number -## generator devices (e.g., /dev/urandom). Typically this is -## used in situations when a cryptographically secure random -## number is not necessarily needed. One example is the Stack -## Smashing Protector (SSP, formerly known as ProPolice) support -## that may be compiled into programs. -##

-##

-## Related interface: -##

-##
    -##
  • dev_read_rand()
  • -##
-##

-## Related tunable: -##

-##
    -##
  • global_ssp
  • -##
-##
## ## ## Domain allowed access. ## ## -## # -interface(`dev_read_urand',` +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` gen_require(` - type device_t, urandom_device_t; + type sysfs_t; ') - read_chr_files_pattern($1, device_t, urandom_device_t) + allow $1 sysfs_t:dir write; ') ######################################## ## -## Do not audit attempts to read from pseudo -## random devices (e.g., /dev/urandom) +## Access check for a sysfs directories. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_read_urand',` +interface(`dev_access_check_sysfs',` gen_require(` - type urandom_device_t; + type sysfs_t; ') - dontaudit $1 urandom_device_t:chr_file { getattr read }; + allow $1 sysfs_t:dir audit_access; ') ######################################## ## -## Write to the pseudo random device (e.g., /dev/urandom). This -## sets the random number generator seed. +## Do not audit attempts to write in a sysfs directory. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_write_urand',` +interface(`dev_dontaudit_write_sysfs_dirs',` gen_require(` - type device_t, urandom_device_t; + type sysfs_t; ') - write_chr_files_pattern($1, device_t, urandom_device_t) + dontaudit $1 sysfs_t:dir write; ') ######################################## ## -## Getattr generic the USB devices. +## Mmap the sysfs. ## ## ## @@ -4121,35 +4820,42 @@ interface(`dev_write_urand',` ## ## # -interface(`dev_getattr_generic_usb_dev',` +interface(`dev_map_sysfs',` gen_require(` - type usb_device_t; + type sysfs_t; ') - getattr_chr_files_pattern($1, device_t, usb_device_t) + allow $1 sysfs_t:file map; ') + ######################################## ## -## Setattr generic the USB devices. +## Read cpu online hardware state information. ## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
## ## ## Domain allowed access. ## ## # -interface(`dev_setattr_generic_usb_dev',` +interface(`dev_read_cpu_online',` gen_require(` - type usb_device_t; + type cpu_online_t; ') - setattr_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) ') ######################################## ## -## Read generic the USB devices. +## Relabel cpu online hardware state information. ## ## ## @@ -4157,35 +4863,50 @@ interface(`dev_setattr_generic_usb_dev',` ## ## # -interface(`dev_read_generic_usb_dev',` +interface(`dev_relabel_cpu_online',` gen_require(` - type usb_device_t; + type cpu_online_t; + type sysfs_t; ') - read_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; ') + ######################################## ## -## Read and write generic the USB devices. +## Read hardware state information. ## +## +##

+## Allow the specified domain to read the contents of +## the sysfs filesystem. This filesystem contains +## information, parameters, and other settings on the +## hardware installed on the system. +##

+##
## ## ## Domain allowed access. ## ## +## # -interface(`dev_rw_generic_usb_dev',` +interface(`dev_read_sysfs',` gen_require(` - type device_t, usb_device_t; + type sysfs_t; ') - rw_chr_files_pattern($1, device_t, usb_device_t) + read_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## -## Relabel generic the USB devices. +## Allow caller to modify hardware state information. ## ## ## @@ -4193,17 +4914,247 @@ interface(`dev_rw_generic_usb_dev',` ## ## # -interface(`dev_relabel_generic_usb_dev',` +interface(`dev_rw_sysfs',` + gen_require(` + type sysfs_t; + ') + + rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## +## Relabel hardware state directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + relabel_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## +## Relabel hardware state files +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_all_sysfs',` + gen_require(` + type sysfs_t; + ') + + relabel_dirs_pattern($1, sysfs_t, sysfs_t) + relabel_files_pattern($1, sysfs_t, sysfs_t) + relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## +## Allow caller to modify hardware state information. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## +## Allow caller to modify hardware state information. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_sysfs',` + gen_require(` + type sysfs_t; + ') + + manage_dirs_pattern($1, sysfs_t, sysfs_t) + manage_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## +## Read and write the TPM device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_tpm',` + gen_require(` + type device_t, tpm_device_t; + ') + + rw_chr_files_pattern($1, device_t, tpm_device_t) +') + +######################################## +## +## Read from pseudo random number generator devices (e.g., /dev/urandom). +## +## +##

+## Allow the specified domain to read from pseudo random number +## generator devices (e.g., /dev/urandom). Typically this is +## used in situations when a cryptographically secure random +## number is not necessarily needed. One example is the Stack +## Smashing Protector (SSP, formerly known as ProPolice) support +## that may be compiled into programs. +##

+##

+## Related interface: +##

+##
    +##
  • dev_read_rand()
  • +##
+##

+## Related tunable: +##

+##
    +##
  • global_ssp
  • +##
+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`dev_read_urand',` + gen_require(` + type device_t, urandom_device_t; + ') + + read_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## +## Do not audit attempts to read from pseudo +## random devices (e.g., /dev/urandom) +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_read_urand',` + gen_require(` + type urandom_device_t; + ') + + dontaudit $1 urandom_device_t:chr_file { getattr read }; +') + +######################################## +## +## Write to the pseudo random device (e.g., /dev/urandom). This +## sets the random number generator seed. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_urand',` + gen_require(` + type device_t, urandom_device_t; + ') + + write_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## +## Do not audit attempts to write to pseudo +## random devices (e.g., /dev/urandom) +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_write_urand',` + gen_require(` + type urandom_device_t; + ') + + dontaudit $1 urandom_device_t:chr_file write; +') + +######################################## +## +## Getattr generic the USB devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_generic_usb_dev',` + gen_require(` + type usb_device_t,device_t; + ') + + getattr_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## +## Setattr generic the USB devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_generic_usb_dev',` gen_require(` type usb_device_t; ') - relabel_chr_files_pattern($1, device_t, usb_device_t) + setattr_chr_files_pattern($1, device_t, usb_device_t) ') ######################################## ## -## Read USB monitor devices. +## Read generic the USB devices. ## ## ## @@ -4211,17 +5162,17 @@ interface(`dev_relabel_generic_usb_dev',` ## ## # -interface(`dev_read_usbmon_dev',` +interface(`dev_read_generic_usb_dev',` gen_require(` - type device_t, usbmon_device_t; + type usb_device_t; ') - read_chr_files_pattern($1, device_t, usbmon_device_t) + read_chr_files_pattern($1, device_t, usb_device_t) ') ######################################## ## -## Write USB monitor devices. +## Read and write generic the USB devices. ## ## ## @@ -4229,17 +5180,17 @@ interface(`dev_read_usbmon_dev',` ## ## # -interface(`dev_write_usbmon_dev',` +interface(`dev_rw_generic_usb_dev',` gen_require(` - type device_t, usbmon_device_t; + type device_t, usb_device_t; ') - write_chr_files_pattern($1, device_t, usbmon_device_t) + rw_chr_files_pattern($1, device_t, usb_device_t) ') ######################################## ## -## Mount a usbfs filesystem. +## Relabel generic the USB devices. ## ## ## @@ -4247,35 +5198,554 @@ interface(`dev_write_usbmon_dev',` ## ## # -interface(`dev_mount_usbfs',` +interface(`dev_relabel_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + relabel_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## +## Read USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + read_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## +## Mmap USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_map_usbmon_dev',` + gen_require(` + type usbmon_device_t; + ') + + allow $1 usbmon_device_t:chr_file map; +') + +######################################## +## +## Write USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + write_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## +## Mount a usbfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_usbfs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:filesystem mount; +') + +######################################## +## +## Associate a file to a usbfs filesystem. +## +## +## +## The type of the file to be associated to usbfs. +## +## +# +interface(`dev_associate_usbfs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:filesystem associate; +') + +######################################## +## +## Get the attributes of a directory in the usb filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_usbfs_dirs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:dir getattr_dir_perms; +') + +######################################## +## +## Do not audit attempts to get the attributes +## of a directory in the usb filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_usbfs_dirs',` + gen_require(` + type usbfs_t; + ') + + dontaudit $1 usbfs_t:dir getattr_dir_perms; +') + +######################################## +## +## Search the directory containing USB hardware information. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_search_usbfs',` + gen_require(` + type usbfs_t; + ') + + search_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## +## Allow caller to get a list of usb hardware. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_list_usbfs',` + gen_require(` + type usbfs_t; + ') + + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + getattr_files_pattern($1, usbfs_t, usbfs_t) + + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## +## Set the attributes of usbfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_usbfs_files',` + gen_require(` + type usbfs_t; + ') + + setattr_files_pattern($1, usbfs_t, usbfs_t) + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## +## Read USB hardware information using +## the usbfs filesystem interface. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_usbfs',` + gen_require(` + type usbfs_t; + ') + + read_files_pattern($1, usbfs_t, usbfs_t) + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## +## Allow caller to modify usb hardware configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_usbfs',` + gen_require(` + type usbfs_t; + ') + + list_dirs_pattern($1, usbfs_t, usbfs_t) + rw_files_pattern($1, usbfs_t, usbfs_t) + read_lnk_files_pattern($1, usbfs_t, usbfs_t) +') + +###################################### +## +## Read and write userio device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + rw_chr_files_pattern($1, device_t, userio_device_t) +') + +######################################## +## +## Mmap the userio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_map_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + allow $1 userio_device_t:chr_file map; +') + +######################################## +## +## Get the attributes of video4linux devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + getattr_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## +## Do not audit attempts to get the attributes +## of video4linux device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_video_dev',` + gen_require(` + type v4l_device_t; + ') + + dontaudit $1 v4l_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of video4linux device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + setattr_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## +## Do not audit attempts to set the attributes +## of video4linux device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_setattr_video_dev',` + gen_require(` + type v4l_device_t; + ') + + dontaudit $1 v4l_device_t:chr_file setattr; +') + +######################################## +## +## Read the video4linux devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + read_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## +## Mmap the video4linux devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_map_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + allow $1 v4l_device_t:chr_file map; + +') + +######################################## +## +## Write the video4linux devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + write_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## +## Get the attributes of vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + getattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Do not audit attempts to get the attributes +## of vfio device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` + type vfio_device_t; + ') + + dontaudit $1 vfio_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of vfio device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + setattr_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Do not audit attempts to set the attributes +## of vfio device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` + type vfio_device_t; + ') + + dontaudit $1 vfio_device_t:chr_file setattr; +') + +######################################## +## +## Read the vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + read_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Write the vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + write_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## +## Read and write the VFIO devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_vfio_dev',` gen_require(` - type usbfs_t; + type device_t, vfio_device_t; ') - allow $1 usbfs_t:filesystem mount; + rw_chr_files_pattern($1, device_t, vfio_device_t) ') ######################################## ## -## Associate a file to a usbfs filesystem. +## Allow read/write the vhost net device ## -## +## ## -## The type of the file to be associated to usbfs. +## Domain allowed access. ## ## # -interface(`dev_associate_usbfs',` +interface(`dev_rw_vhost',` gen_require(` - type usbfs_t; + type device_t, vhost_device_t; ') - allow $1 usbfs_t:filesystem associate; + rw_chr_files_pattern($1, device_t, vhost_device_t) ') ######################################## ## -## Get the attributes of a directory in the usb filesystem. +## Allow read/write inheretid the vhost net device ## ## ## @@ -4283,36 +5753,35 @@ interface(`dev_associate_usbfs',` ## ## # -interface(`dev_getattr_usbfs_dirs',` +interface(`dev_rw_inherited_vhost',` gen_require(` - type usbfs_t; + type device_t, vhost_device_t; ') - allow $1 usbfs_t:dir getattr_dir_perms; + allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## ## -## Do not audit attempts to get the attributes -## of a directory in the usb filesystem. +## Read and write VMWare devices. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_getattr_usbfs_dirs',` +interface(`dev_rw_vmware',` gen_require(` - type usbfs_t; + type device_t, vmware_device_t; ') - dontaudit $1 usbfs_t:dir getattr_dir_perms; + rw_chr_files_pattern($1, device_t, vmware_device_t) ') ######################################## ## -## Search the directory containing USB hardware information. +## Read, write, and mmap VMWare devices. ## ## ## @@ -4320,17 +5789,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` ## ## # -interface(`dev_search_usbfs',` +interface(`dev_rwx_vmware',` gen_require(` - type usbfs_t; + type device_t, vmware_device_t; ') - search_dirs_pattern($1, usbfs_t, usbfs_t) + dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file { map execute }; ') ######################################## ## -## Allow caller to get a list of usb hardware. +## Read from watchdog devices. ## ## ## @@ -4338,20 +5808,17 @@ interface(`dev_search_usbfs',` ## ## # -interface(`dev_list_usbfs',` +interface(`dev_read_watchdog',` gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; ') - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - getattr_files_pattern($1, usbfs_t, usbfs_t) - - list_dirs_pattern($1, usbfs_t, usbfs_t) + read_chr_files_pattern($1, device_t, watchdog_device_t) ') ######################################## ## -## Set the attributes of usbfs filesystem. +## Write to watchdog devices. ## ## ## @@ -4359,19 +5826,17 @@ interface(`dev_list_usbfs',` ## ## # -interface(`dev_setattr_usbfs_files',` +interface(`dev_write_watchdog',` gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; ') - setattr_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) + write_chr_files_pattern($1, device_t, watchdog_device_t) ') ######################################## ## -## Read USB hardware information using -## the usbfs filesystem interface. +## RW to watchdog devices. ## ## ## @@ -4379,19 +5844,17 @@ interface(`dev_setattr_usbfs_files',` ## ## # -interface(`dev_read_usbfs',` +interface(`dev_rw_watchdog',` gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; ') - read_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) + rw_chr_files_pattern($1, device_t, watchdog_device_t) ') ######################################## ## -## Allow caller to modify usb hardware configuration files. +## Read and write the the wireless device. ## ## ## @@ -4399,19 +5862,17 @@ interface(`dev_read_usbfs',` ## ## # -interface(`dev_rw_usbfs',` +interface(`dev_rw_wireless',` gen_require(` - type usbfs_t; + type device_t, wireless_device_t; ') - list_dirs_pattern($1, usbfs_t, usbfs_t) - rw_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) + rw_chr_files_pattern($1, device_t, wireless_device_t) ') ######################################## ## -## Get the attributes of video4linux devices. +## Read and write Xen devices. ## ## ## @@ -4419,17 +5880,17 @@ interface(`dev_rw_usbfs',` ## ## # -interface(`dev_getattr_video_dev',` +interface(`dev_rw_xen',` gen_require(` - type device_t, v4l_device_t; + type device_t, xen_device_t; ') - getattr_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, xen_device_t) ') -###################################### +######################################## ## -## Read and write userio device. +## Create, read, write, and delete Xen devices. ## ## ## @@ -4437,36 +5898,41 @@ interface(`dev_getattr_video_dev',` ## ## # -interface(`dev_rw_userio_dev',` +interface(`dev_manage_xen',` gen_require(` - type device_t, userio_device_t; + type device_t, xen_device_t; ') - rw_chr_files_pattern($1, device_t, userio_device_t) + manage_chr_files_pattern($1, device_t, xen_device_t) ') ######################################## ## -## Do not audit attempts to get the attributes -## of video4linux device nodes. +## Automatic type transition to the type +## for xen device nodes when created in /dev. ## ## ## -## Domain to not audit. +## Domain allowed access. +## +## +## +## +## The name of the object being created. ## ## # -interface(`dev_dontaudit_getattr_video_dev',` +interface(`dev_filetrans_xen',` gen_require(` - type v4l_device_t; + type device_t, xen_device_t; ') - dontaudit $1 v4l_device_t:chr_file getattr; + filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) ') ######################################## ## -## Set the attributes of video4linux device nodes. +## Get the attributes of X server miscellaneous devices. ## ## ## @@ -4474,36 +5940,35 @@ interface(`dev_dontaudit_getattr_video_dev',` ## ## # -interface(`dev_setattr_video_dev',` +interface(`dev_getattr_xserver_misc_dev',` gen_require(` - type device_t, v4l_device_t; + type device_t, xserver_misc_device_t; ') - setattr_chr_files_pattern($1, device_t, v4l_device_t) + getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') ######################################## ## -## Do not audit attempts to set the attributes -## of video4linux device nodes. +## Set the attributes of X server miscellaneous devices. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`dev_dontaudit_setattr_video_dev',` +interface(`dev_setattr_xserver_misc_dev',` gen_require(` - type v4l_device_t; + type device_t, xserver_misc_device_t; ') - dontaudit $1 v4l_device_t:chr_file setattr; + setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') ######################################## ## -## Read the video4linux devices. +## Read and write X server miscellaneous devices. ## ## ## @@ -4511,35 +5976,36 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # -interface(`dev_read_video_dev',` +interface(`dev_rw_xserver_misc',` gen_require(` - type device_t, v4l_device_t; + type device_t, xserver_misc_device_t; ') - read_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + allow $1 xserver_misc_device_t:chr_file map; ') ######################################## ## -## Write the video4linux devices. +## Dontaudit attempts to Read and write X server miscellaneous devices. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_write_video_dev',` +interface(`dev_dontaudit_leaked_xserver_misc',` gen_require(` - type device_t, v4l_device_t; + type xserver_misc_device_t; ') - write_chr_files_pattern($1, device_t, v4l_device_t) + dontaudit $1 xserver_misc_device_t:chr_file { read write }; ') ######################################## ## -## Allow read/write the vhost net device +## Read and write X server miscellaneous devices. ## ## ## @@ -4547,17 +6013,19 @@ interface(`dev_write_video_dev',` ## ## # -interface(`dev_rw_vhost',` +interface(`dev_manage_xserver_misc',` gen_require(` - type device_t, vhost_device_t; + type device_t, xserver_misc_device_t; ') - rw_chr_files_pattern($1, device_t, vhost_device_t) + manage_chr_files_pattern($1, device_t, xserver_misc_device_t) + + dev_filetrans_xserver_named_dev($1) ') ######################################## ## -## Read and write VMWare devices. +## Read and write to the zero device (/dev/zero). ## ## ## @@ -4565,17 +6033,17 @@ interface(`dev_rw_vhost',` ## ## # -interface(`dev_rw_vmware',` +interface(`dev_rw_zero',` gen_require(` - type device_t, vmware_device_t; + type device_t, zero_device_t; ') - rw_chr_files_pattern($1, device_t, vmware_device_t) + rw_chr_files_pattern($1, device_t, zero_device_t) ') ######################################## ## -## Read, write, and mmap VMWare devices. +## Read, write, and execute the zero device (/dev/zero). ## ## ## @@ -4583,18 +6051,18 @@ interface(`dev_rw_vmware',` ## ## # -interface(`dev_rwx_vmware',` +interface(`dev_rwx_zero',` gen_require(` - type device_t, vmware_device_t; + type zero_device_t; ') - dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; + dev_rw_zero($1) + allow $1 zero_device_t:chr_file { map execute }; ') ######################################## ## -## Read from watchdog devices. +## Execmod the zero device (/dev/zero). ## ## ## @@ -4602,17 +6070,18 @@ interface(`dev_rwx_vmware',` ## ## # -interface(`dev_read_watchdog',` +interface(`dev_execmod_zero',` gen_require(` - type device_t, watchdog_device_t; + type zero_device_t; ') - read_chr_files_pattern($1, device_t, watchdog_device_t) + dev_rw_zero($1) + allow $1 zero_device_t:chr_file execmod; ') ######################################## ## -## Write to watchdog devices. +## Create the zero device (/dev/zero). ## ## ## @@ -4620,17 +6089,17 @@ interface(`dev_read_watchdog',` ## ## # -interface(`dev_write_watchdog',` +interface(`dev_create_zero_dev',` gen_require(` - type device_t, watchdog_device_t; + type device_t, zero_device_t; ') - write_chr_files_pattern($1, device_t, watchdog_device_t) + create_chr_files_pattern($1, device_t, zero_device_t) ') ######################################## ## -## Read and write the the wireless device. +## Unconfined access to devices. ## ## ## @@ -4638,35 +6107,36 @@ interface(`dev_write_watchdog',` ## ## # -interface(`dev_rw_wireless',` +interface(`dev_unconfined',` gen_require(` - type device_t, wireless_device_t; + attribute devices_unconfined_type; ') - rw_chr_files_pattern($1, device_t, wireless_device_t) + typeattribute $1 devices_unconfined_type; ') ######################################## ## -## Read and write Xen devices. +## Dontaudit getattr on all device nodes. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dev_rw_xen',` +interface(`dev_dontaudit_getattr_all',` gen_require(` - type device_t, xen_device_t; + attribute device_node; + type device_t; ') - rw_chr_files_pattern($1, device_t, xen_device_t) + dontaudit $1 { device_t device_node }:dir_file_class_set getattr; ') ######################################## ## -## Create, read, write, and delete Xen devices. +## Get the attributes of the mei devices. ## ## ## @@ -4674,41 +6144,35 @@ interface(`dev_rw_xen',` ## ## # -interface(`dev_manage_xen',` +interface(`dev_getattr_mei',` gen_require(` - type device_t, xen_device_t; + type device_t, mei_device_t; ') - manage_chr_files_pattern($1, device_t, xen_device_t) + getattr_chr_files_pattern($1, device_t, mei_device_t) ') ######################################## ## -## Automatic type transition to the type -## for xen device nodes when created in /dev. +## Read the mei devices. ## ## ## ## Domain allowed access. ## ## -## -## -## The name of the object being created. -## -## # -interface(`dev_filetrans_xen',` +interface(`dev_read_mei',` gen_require(` - type device_t, xen_device_t; + type device_t, mei_device_t; ') - filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + read_chr_files_pattern($1, device_t, mei_device_t) ') ######################################## ## -## Get the attributes of X server miscellaneous devices. +## Read and write to mei devices. ## ## ## @@ -4716,17 +6180,17 @@ interface(`dev_filetrans_xen',` ## ## # -interface(`dev_getattr_xserver_misc_dev',` +interface(`dev_rw_mei',` gen_require(` - type device_t, xserver_misc_device_t; + type device_t, mei_device_t; ') - getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, mei_device_t) ') ######################################## ## -## Set the attributes of X server miscellaneous devices. +## Read and write uhid devices. ## ## ## @@ -4734,17 +6198,18 @@ interface(`dev_getattr_xserver_misc_dev',` ## ## # -interface(`dev_setattr_xserver_misc_dev',` +interface(`dev_rw_uhid_dev',` gen_require(` - type device_t, xserver_misc_device_t; + type device_t, uhid_device_t; ') - setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, uhid_device_t) ') + ######################################## ## -## Read and write X server miscellaneous devices. +## Allow read/write the hypervkvp device ## ## ## @@ -4752,17 +6217,17 @@ interface(`dev_setattr_xserver_misc_dev',` ## ## # -interface(`dev_rw_xserver_misc',` +interface(`dev_rw_hypervkvp',` gen_require(` - type device_t, xserver_misc_device_t; + type device_t, hypervkvp_device_t; ') - rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, hypervkvp_device_t) ') ######################################## ## -## Read and write to the zero device (/dev/zero). +## Allow read/write the hypervkvp device ## ## ## @@ -4770,17 +6235,17 @@ interface(`dev_rw_xserver_misc',` ## ## # -interface(`dev_rw_zero',` +interface(`dev_read_gpfs',` gen_require(` - type device_t, zero_device_t; + type device_t, gpfs_device_t; ') - rw_chr_files_pattern($1, device_t, zero_device_t) + read_chr_files_pattern($1, device_t, gpfs_device_t) ') ######################################## ## -## Read, write, and execute the zero device (/dev/zero). +## Allow read/write the gpiochip device ## ## ## @@ -4788,18 +6253,17 @@ interface(`dev_rw_zero',` ## ## # -interface(`dev_rwx_zero',` +interface(`dev_read_gpio',` gen_require(` - type zero_device_t; + type device_t, gpio_device_t; ') - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execute; + read_chr_files_pattern($1, device_t, gpio_device_t) ') ######################################## ## -## Execmod the zero device (/dev/zero). +## Allow read/write the hypervvssd device ## ## ## @@ -4807,47 +6271,933 @@ interface(`dev_rwx_zero',` ## ## # -interface(`dev_execmod_zero',` +interface(`dev_rw_hypervvssd',` gen_require(` - type zero_device_t; + type device_t, hypervvssd_device_t; ') - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execmod; + rw_chr_files_pattern($1, device_t, hypervvssd_device_t) ') ######################################## ## -## Create the zero device (/dev/zero). +## Create all named devices with the correct label ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # -interface(`dev_create_zero_dev',` +interface(`dev_filetrans_printer_named_dev',` + gen_require(` - type device_t, zero_device_t; - ') + type printer_device_t; - create_chr_files_pattern($1, device_t, zero_device_t) + ') + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") ') ######################################## ## -## Unconfined access to devices. +## Create all named devices with the correct label ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # -interface(`dev_unconfined',` - gen_require(` - attribute devices_unconfined_type; - ') - - typeattribute $1 devices_unconfined_type; +interface(`dev_filetrans_all_named_dev',` + +gen_require(` + type device_t; + type usb_device_t; + type uhid_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; + type autofs_device_t; + type lvm_control_t; + type crash_device_t; + type dlm_control_device_t; + type clock_device_t; + type v4l_device_t; + type vsock_device_t; + type vmci_device_t; + type vfio_device_t; + type event_device_t; + type xen_device_t; + type framebuf_device_t; + type null_device_t; + type random_device_t; + type dri_device_t; + type hsa_device_t; + type ipmi_device_t; + type memory_device_t; + type kmsg_device_t; + type qemu_device_t; + type ksm_device_t; + type kvm_device_t; + type lirc_device_t; + type cpu_device_t; + type scanner_device_t; + type modem_device_t; + type monitor_device_t; + type vhost_device_t; + type netcontrol_device_t; + type nvram_device_t; + type power_device_t; + type opal_device_t; + type wireless_device_t; + type tpm_device_t; + type userio_device_t; + type urandom_device_t; + type usbmon_device_t; + type vmware_device_t; + type watchdog_device_t; + type crypt_device_t; + type zero_device_t; + type smartcard_device_t; + type mtrr_device_t; + type ecryptfs_device_t; + type mptctl_device_t; + type hypervkvp_device_t; + type hypervvssd_device_t; + type gpfs_device_t; + type gpio_device_t; +') + + dev_filetrans_printer_named_dev($1) + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9") + filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") + filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") + filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") + filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8") + filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") + filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") + filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") + filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event3") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event4") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event5") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event6") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event7") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event8") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event9") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event10") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event11") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event12") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event13") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event14") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event15") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event16") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event17") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event22") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event23") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event24") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event25") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event26") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event27") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event28") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event29") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event30") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9") + filetrans_pattern($1, device_t, null_device_t, chr_file, "full") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "000") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "001") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "002") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "003") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "004") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "005") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "006") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "010") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "011") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "012") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "013") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "014") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "015") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "016") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "017") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "018") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "019") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "020") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "021") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "022") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "023") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "024") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "025") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "026") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "027") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "028") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "029") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet") + filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") + filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") + filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") + filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl") + filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl") + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg") + filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu") + filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm") + filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8") + filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8") + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem") + filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9") + filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost") + filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency") + filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") + filetrans_pattern($1, device_t, null_device_t, chr_file, "null") + filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9") + filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu") + filetrans_pattern($1, device_t, opal_device_t, chr_file, "op_panel") + filetrans_pattern($1, device_t, opal_device_t, chr_file, "opal-prd") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "port") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9") + filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9") + filetrans_pattern($1, device_t, random_device_t, chr_file, "random") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1") + filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9") + filetrans_pattern($1, device_t, power_device_t, chr_file, "smu") + filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm0") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm1") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm2") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm3") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm4") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm5") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm6") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm7") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm8") + filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm9") + filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8") + filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9") + filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner") + filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net") + filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vsock") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8") + filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9") + filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") + filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") + filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8") + filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9") + filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8") + filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9") + filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8") + filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8") + filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9") + filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") + filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") + filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp") + filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss") + filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0") + filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0") + filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1") + filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2") + dev_filetrans_xserver_named_dev($1) +') + +######################################## +## +## Create all named devices with the correct label +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_xserver_named_dev',` + + gen_require(` + type xserver_misc_device_t; + ') + + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") ') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 0b1a8715a..331978df5 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; # type device_t; fs_associate_tmpfs(device_t) -files_type(device_t) +files_base_file(device_t) files_mountpoint(device_t) files_associate_tmp(device_t) fs_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); +dev_node(device_t) # # Type for /dev/agpgart @@ -43,9 +44,6 @@ type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) -type cachefiles_device_t; -dev_node(cachefiles_device_t) - # # clock_device_t is the type of # /dev/rtc. @@ -65,6 +63,9 @@ dev_node(cpu_device_t) type crash_device_t; dev_node(crash_device_t) +type ecryptfs_device_t; +dev_node(ecryptfs_device_t) + # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) @@ -78,6 +79,9 @@ dev_node(dlm_control_device_t) type dri_device_t; dev_node(dri_device_t) +type hsa_device_t; +dev_node(hsa_device_t) + type event_device_t; dev_node(event_device_t) @@ -87,12 +91,45 @@ dev_node(event_device_t) type framebuf_device_t; dev_node(framebuf_device_t) +# +# Type for hyperv devices +# +type hypervkvp_device_t; +dev_node(hypervkvp_device_t) + +type hypervvssd_device_t; +dev_node(hypervvssd_device_t) + +# +# Type for /dev/ss0 +# +type gpfs_device_t; +dev_node(gpfs_device_t) + +# +# Type for /dev/gpiochip* +# +type gpio_device_t; +dev_node(gpio_device_t) + # # Type for /dev/ipmi/0 # type ipmi_device_t; dev_node(ipmi_device_t) +# +# Type for /dev/infiniband +# +type infiniband_device_t; +dev_node(infiniband_device_t) + +# +# Type for /dev/infiniband mgmt devices +# +type infiniband_mgmt_device_t; +dev_node(infiniband_mgmt_device_t) + # # Type for /dev/kmsg # @@ -111,6 +148,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) +mls_trusted_object(kvm_device_t) # # Type for /dev/lirc @@ -118,6 +156,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) +# +# Type for /dev/mapper/control +# type loop_control_device_t; dev_node(loop_control_device_t) @@ -149,12 +190,24 @@ dev_node(misc_device_t) type modem_device_t; dev_node(modem_device_t) +# +# A general type for monitor devices. +# +type monitor_device_t; +dev_node(monitor_device_t) + # # A more general type for mouse devices. # type mouse_device_t; dev_node(mouse_device_t) +# +# Type for /dev/mptctl used to check RAID status. +# +type mptctl_device_t; +dev_node(mptctl_device_t) + # # Type for /dev/cpu/mtrr and /proc/mtrr # @@ -182,6 +235,19 @@ sid devnull gen_context(system_u:object_r:null_device_t,s0) type nvram_device_t; dev_node(nvram_device_t) +# +# Type for controller device nodes +# +type nvme_device_t; +dev_node(nvme_device_t) + +# +# Type for /dev/op_panel +# Type for /dev/opal-prd +# +type opal_device_t; +dev_node(opal_device_t) + # # Type for /dev/pmu # @@ -227,6 +293,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) +type cpu_online_t; +files_type(cpu_online_t) +dev_associate_sysfs(cpu_online_t) + # # Type for /dev/tpm # @@ -266,14 +336,30 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) +# +# uhid_device_t is the type for /dev/uhid +# +type uhid_device_t; +dev_node(uhid_device_t) + +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) +type vsock_device_t; +dev_node(vsock_device_t) + +type vmci_device_t; +dev_node(vmci_device_t) + # # vhost_device_t is the type for /dev/vhost-net # type vhost_device_t; dev_node(vhost_device_t) +mls_trusted_object(vhost_device_t) # Type for vmware devices. type vmware_device_t; @@ -319,5 +405,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; -allow devices_unconfined_type mtrr_device_t:file *; +allow devices_unconfined_type device_node:{ blk_file lnk_file } *; +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d156..5fa83a2fb 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` # start with basic domain domain_base_type($1) - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) - ') - ') - - # send init a sigchld and signull - optional_policy(` - init_sigchld($1) - init_signull($1) - ') - - # these seem questionable: - - optional_policy(` - rpm_use_fds($1) - rpm_read_pipes($1) - ') - - optional_policy(` - selinux_dontaudit_getattr_fs($1) - selinux_dontaudit_read_fs($1) - ') - - optional_policy(` - seutil_dontaudit_read_config($1) - ') + # Only way to get corenet_unlabeled packets disabled to work + corenet_all_recvfrom_unlabeled($1) ') ######################################## @@ -128,7 +103,7 @@ interface(`domain_entry_file',` ') allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_file_perms ioctl lock }; + allow $1 $2:file { mmap_exec_file_perms ioctl lock }; typeattribute $2 entry_type; @@ -511,6 +486,26 @@ interface(`domain_signull_all_domains',` allow $1 domain:process signull; ') +######################################## +## +## Do not audit attempts to send +## signulls to all domains. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`domain_dontaudit_signull_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process signull; +') + ######################################## ## ## Send a stop signal to all domains. @@ -569,6 +564,25 @@ interface(`domain_kill_all_domains',` allow $1 self:capability kill; ') +######################################## +## +## Destroy all domains semaphores +## +## +## +## Domain allowed access. +## +## +## +# +interface(`domain_destroy_all_semaphores',` + gen_require(` + attribute domain; + ') + + allow $1 domain:sem destroy; +') + ######################################## ## ## Search the process state directory (/proc/pid) of all domains. @@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## -## Get the attributes of all domains of all domains. +## Get the attributes of all domains. ## ## ## @@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -1114,6 +1128,25 @@ interface(`domain_dontaudit_rw_all_key_sockets',` dontaudit $1 domain:key_socket { read write }; ') +######################################## +## +## Do not audit attempts to link +## all domains keys. +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_link_keys',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:key { link search }; +') + ######################################## ## ## Do not audit attempts to get the attributes @@ -1354,6 +1387,24 @@ interface(`domain_manage_all_entry_files',` allow $1 entry_type:file manage_file_perms; ') +######################################## +## +## Relabel from domain types on files if a user managed to mislable +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_relabelfrom',` + gen_require(` + attribute domain; + ') + + allow $1 domain:dir_file_class_set relabelfrom_file_perms; +') + ######################################## ## ## Relabel to and from all entry point @@ -1390,7 +1441,7 @@ interface(`domain_mmap_all_entry_files',` attribute entry_type; ') - allow $1 entry_type:file mmap_file_perms; + allow $1 entry_type:file mmap_exec_file_perms; ') ######################################## @@ -1421,7 +1472,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## Ability to mmap a low area of the address ## space conditionally, as configured by -## /proc/sys/kernel/mmap_min_addr. +## /proc/sys/vm/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## @@ -1448,7 +1499,7 @@ interface(`domain_mmap_low',` ## ## Ability to mmap a low area of the address ## space unconditionally, as configured -## by /proc/sys/kernel/mmap_min_addr. +## by /proc/sys/vm/mmap_min_addr. ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## @@ -1506,6 +1557,24 @@ interface(`domain_unconfined_signal',` allow $1 unconfined_domain_type:process signal; ') +######################################## +## +## Named Filetrans Domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_named_filetrans',` + gen_require(` + attribute named_filetrans_domain; + ') + + typeattribute $1 named_filetrans_domain; +') + ######################################## ## ## Unconfined access to domains. @@ -1530,4 +1599,63 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; + + mcs_process_set_categories($1) + + userdom_filetrans_home_content($1) +') + +######################################## +## +## Do not audit attempts to read or write +## all leaked sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_leaks',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:socket_class_set { read write }; +') + +######################################## +## +## Allow caller to transition to any domain +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_transition_all',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process transition; +') + +######################################## +## +## Do not audit attempts to access check /proc +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_access_check',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb509..d49f2f6da 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,56 @@ policy_module(domain, 1.11.0) # # Declarations # +## +##

+## Allow all domains to use other domains file descriptors +##

+##
+# +gen_tunable(domain_fd_use, true) + +## +##

+## Allow all domains to execute in fips_mode +##

+##
+# +gen_tunable(fips_mode, true) + +## +##

+## Allow all domains to have the kernel load modules +##

+##
+# +gen_tunable(domain_kernel_load_modules, false) ## ##

## Control the ability to mmap a low area of the address space, -## as configured by /proc/sys/kernel/mmap_min_addr. +## as configured by /proc/sys/vm/mmap_min_addr. ##

##
gen_tunable(mmap_low_allowed, false) +## +##

+## Allow all domains write to kmsg_device, +## while kernel is executed with systemd.log_target=kmsg parameter. +##

+##
+gen_tunable(domain_can_write_kmsg, false) + +## +##

+## Allow any process to mmap any file on system with attribute file_type. +##

+##
+gen_tunable(domain_can_mmap_files, true) + # Mark process types as domains attribute domain; +attribute named_filetrans_domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; @@ -86,23 +125,65 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; +allow domain self:fifo_file rw_fifo_file_perms; +allow domain self:sem create_sem_perms; +allow domain self:shm create_shm_perms; + kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) +kernel_read_vm_overcommit_sysctls(domain) + # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) +kernel_dontaudit_search_debugfs(domain) # create child processes in the domain -allow domain self:process { fork sigchld }; +allow domain self:process { getcap fork getsched signal_perms }; # Use trusted objects in /dev +dev_read_cpu_online(domain) dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) +# Allow all domains to read /dev/urandom. It is needed by all apps/services +# linked to libgcrypt. There is no harm to allow it by default. +dev_read_urand(domain) + # list the root directory files_list_root(domain) +# allow all domains to search through base_file_type directory, since users +# sometimes place labels within these directories. (samba_share_t) for example. +files_search_base_file_types(domain) + +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) +files_read_all_base_ro_files(domain) +files_dontaduit_getattr_kernel_symbol_table(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + +optional_policy(` + userdom_search_admin_dir(domain) +') + +tunable_policy(`domain_can_write_kmsg',` + dev_write_kmsg(domain) +') + +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') + +tunable_policy(`domain_can_mmap_files',` + allow domain file_type:file map; + allow domain file_type:blk_file map; + allow domain file_type:chr_file map; +') ifdef(`hide_broken_symptoms',` # This check is in the general socket @@ -120,9 +201,20 @@ tunable_policy(`global_ssp',` dev_read_urand(domain) ') +optional_policy(` + afs_rw_cache(domain) +') + optional_policy(` libs_use_ld_so(domain) libs_use_shared_libs(domain) + libs_read_lib_files(domain) +') + +optional_policy(` + miscfiles_read_localization(domain) + miscfiles_read_man_pages(domain) + miscfiles_read_fonts(domain) ') optional_policy(` @@ -133,6 +225,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) + xserver_dontaudit_xdm_rw_stream_sockets(domain) ') ######################################## @@ -147,12 +242,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +allow unconfined_domain_type domain:system all_system_perms; # Use descriptors and pipes created by any domain. allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + # Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; +tunable_policy(`deny_ptrace',`',` + allow unconfined_domain_type domain:process ptrace; +') # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; @@ -166,5 +267,385 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; +corenet_filetrans_all_named_dev(named_filetrans_domain) + +dev_filetrans_all_named_dev(named_filetrans_domain) + # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + +files_filetrans_named_content(named_filetrans_domain) +files_filetrans_system_conf_named_files(named_filetrans_domain) +files_config_all_files(unconfined_domain_type) +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` + kdump_filetrans_named_content(unconfined_domain_type) +') + +optional_policy(` + fstools_filetrans_named_content_fsadm(named_filetrans_domain) +') + +optional_policy(` + ipa_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + locallogin_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` + mandb_filetrans_named_home_content(named_filetrans_domain) +') + +optional_policy(` + ppp_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + snapper_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + seutil_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + wine_filetrans_named_content(named_filetrans_domain) +') + +storage_filetrans_all_named_dev(named_filetrans_domain) + +term_filetrans_all_named_dev(named_filetrans_domain) + +optional_policy(` + init_disable_services(unconfined_domain_type) + init_enable_services(unconfined_domain_type) + init_reload_services(unconfined_domain_type) + init_status(unconfined_domain_type) + init_reboot(unconfined_domain_type) + init_halt(unconfined_domain_type) + init_undefined(unconfined_domain_type) + init_filetrans_named_content(named_filetrans_domain) +') + +# Allow manage transient unit files +optional_policy(` + init_start_transient_unit(unconfined_domain_type) + init_stop_transient_unit(unconfined_domain_type) + init_status_transient_unit(unconfined_domain_type) + init_reload_transient_unit(unconfined_domain_type) + init_enable_transient_unit(unconfined_domain_type) + init_disable_transient_unit(unconfined_domain_type) +') + +optional_policy(` + auth_filetrans_named_content(named_filetrans_domain) + auth_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` + libs_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + logging_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + miscfiles_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + abrt_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + alsa_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + apache_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + apcupsd_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + bootloader_filetrans_config(named_filetrans_domain) +') + +optional_policy(` + clock_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + cups_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + cvs_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` + dbus_filetrans_named_content_system(named_filetrans_domain) +') + +optional_policy(` + devicekit_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + dnsmasq_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + container_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + gnome_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` + iscsi_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + iptables_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + kerberos_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + mta_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + mplayer_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` + modules_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + mysql_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + networkmanager_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + ntp_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + nx_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + plymouthd_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + postgresql_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + postfix_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + prelink_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + pulseaudio_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` + quota_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + rpcbind_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + rsync_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) + sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) +') + +optional_policy(` + systemd_login_status(unconfined_domain_type) + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) + systemd_filetrans_home_content(named_filetrans_domain) + systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) +') + +optional_policy(` + tftp_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file }) +') + +optional_policy(` + ssh_filetrans_admin_home_content(named_filetrans_domain) + ssh_filetrans_keys(unconfined_domain_type) +') + +optional_policy(` + userdom_filetrans_named_user_tmp_files(named_filetrans_domain) +') + +optional_policy(` + virt_filetrans_named_content(named_filetrans_domain) +') + +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) + +optional_policy(` + seutil_dontaudit_read_config(domain) +') + +optional_policy(` + init_sigchld(domain) + init_signull(domain) + init_read_machineid(domain) +') + +ifdef(`distro_redhat',` + files_search_mnt(domain) +') + +# these seem questionable: + +optional_policy(` + abrt_domtrans_helper(domain) + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) + abrt_append_cache(domain) + abrt_rw_fifo_file(domain) +') + +optional_policy(` + sosreport_append_tmp_files(domain) +') + +tunable_policy(`domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') + +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) + cron_rw_system_job_pipes(domain) +') + +optional_policy(` + devicekit_dbus_chat_power(domain) +') + +optional_policy(` + container_spc_stream_connect(domain) +') + +ifdef(`hide_broken_symptoms',` + dontaudit domain self:capability { net_admin }; + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; + dontaudit domain domain:socket_class_set { read write }; + dontaudit domain self:capability sys_module; +') + +optional_policy(` + ipsec_match_default_spd(domain) +') + +optional_policy(` + ifdef(`hide_broken_symptoms',` + afs_rw_udp_sockets(domain) + ') +') + +optional_policy(` + rolekit_dbus_chat(domain) +') + +optional_policy(` + ssh_rw_pipes(domain) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; +dontaudit domain self:file create; + +ifdef(`distro_redhat',` + optional_policy(` + unconfined_use_fds(domain) + ') +') + +# these seem questionable: + +optional_policy(` + puppet_rw_tmp(domain) +') + +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` + rkhunter_append_lib_files(domain) +') + +optional_policy(` + rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) + rpm_append_tmp_files(domain) + rpm_dontaudit_leaks(domain) + rpm_read_script_tmp_files(domain) + rpm_inherited_fifo(domain) + rpm_named_filetrans(named_filetrans_domain) +') + +tunable_policy(`fips_mode',` + allow domain self:fifo_file manage_fifo_file_perms; + kernel_read_kernel_sysctls(domain) +') + +optional_policy(` + tunable_policy(`fips_mode',` + prelink_exec(domain) + ') +') + +optional_policy(` + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index b876c48ad..df5b188be 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) +/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') ifdef(`distro_suse',` @@ -27,7 +28,7 @@ ifdef(`distro_suse',` # # /boot # -/boot -d gen_context(system_u:object_r:boot_t,s0) +/boot gen_context(system_u:object_r:boot_t,s0) /boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) @@ -38,27 +39,36 @@ ifdef(`distro_suse',` # # /emul # -/emul -d gen_context(system_u:object_r:usr_t,s0) +/emul gen_context(system_u:object_r:usr_t,s0) /emul/.* gen_context(system_u:object_r:usr_t,s0) # # /etc # -/etc -d gen_context(system_u:object_r:etc_t,s0) +/etc gen_context(system_u:object_r:etc_t,s0) /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) +/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) + +/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) +/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) @@ -70,7 +80,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) + ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -78,10 +91,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -ifdef(`distro_redhat',` -/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) -') - ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -92,6 +101,8 @@ ifdef(`distro_suse',` # expanded by genhomedircon # HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) +HOME_ROOT/home-inst -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) +HOME_ROOT/\-inst -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0) HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) @@ -104,7 +115,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # -# /lib(64)? +# /lib # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) @@ -125,10 +136,13 @@ ifdef(`distro_debian',` # # Mount points; do not relabel subdirectories, since # we don't want to change any removable media by default. -/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) +/media(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0) /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) +/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/var/run/media/.* <> +/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) # # /misc @@ -138,7 +152,7 @@ ifdef(`distro_debian',` # # /mnt # -/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) +/mnt(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0) /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> @@ -150,10 +164,10 @@ ifdef(`distro_debian',` # # /opt # -/opt -d gen_context(system_u:object_r:usr_t,s0) +/opt gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) -/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) +/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) # # /proc @@ -161,6 +175,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/rhev/[^/]*/.* gen_context(system_u:object_r:mnt_t,s0) +') + # # /run # @@ -169,6 +189,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) +/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0) # # /selinux # @@ -178,13 +199,14 @@ ifdef(`distro_debian',` # # /srv # -/srv -d gen_context(system_u:object_r:var_t,s0) +/srv gen_context(system_u:object_r:var_t,s0) /srv/.* gen_context(system_u:object_r:var_t,s0) # # /tmp # -/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <> /tmp/\.journal <> @@ -194,9 +216,11 @@ ifdef(`distro_debian',` # # /usr # -/usr -d gen_context(system_u:object_r:usr_t,s0) +/usr gen_context(system_u:object_r:usr_t,s0) /usr/.* gen_context(system_u:object_r:usr_t,s0) /usr/\.journal <> +/export(/.*)? gen_context(system_u:object_r:usr_t,s0) +/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -204,15 +228,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/local/\.journal <> - -/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) -/usr/local/lost\+found/.* <> - /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/lost\+found/.* <> +/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) @@ -220,8 +238,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` -/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) - /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') @@ -229,19 +245,33 @@ ifndef(`distro_redhat',` # # /var # -/var -d gen_context(system_u:object_r:var_t,s0) +/var gen_context(system_u:object_r:var_t,s0) /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) +/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0) /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) +/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/var/lib/openshift/.openshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0) +/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0) + +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) +/var/lock/.* <> /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> @@ -256,12 +286,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> +/var/run/lock/.* <> /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) +/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> @@ -271,3 +303,7 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f962f76ad..4a8ce9c4b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ ## Comains the file initial SID. ## +##################################### +## +## files stub etc_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_etc',` + gen_require(` + type etc_t; + ') +') + +##################################### +## +## files stub var_lock_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var_lock',` + gen_require(` + type var_lock_t; + ') +') + +##################################### +## +## files stub var_log_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var_log',` + gen_require(` + type var_log_t; + ') +') + +##################################### +## +## files stub var_lib_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var_lib',` + gen_require(` + type var_lib_t; + ') +') + +##################################### +## +## files stub var_run_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var_run',` + gen_require(` + type var_run_t; + ') +') + +##################################### +## +## files stub var_run_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var_spool',` + gen_require(` + type var_spool_t; + ') +') + +##################################### +## +## files stub var_run_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_var',` + gen_require(` + type var_t; + ') +') + + +##################################### +## +## files stub tmp_t interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`files_stub_tmp',` + gen_require(` + type tmp_t; + ') +') + + ######################################## ## ## Make the specified type usable for files @@ -55,6 +185,7 @@ ##
  • files_pid_file()
  • ##
  • files_security_file()
  • ##
  • files_security_mountpoint()
  • +##
  • files_spool_file()
  • ##
  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • @@ -125,44 +256,59 @@ interface(`files_security_file',` typeattribute $1 file_type, security_file_type, non_auth_file_type; ') + ######################################## ## ## Make the specified type usable for -## lock files. +## filesystem mount points. ## ## ## -## Type to be used for lock files. +## Type to be used for mount points. ## ## # -interface(`files_lock_file',` +interface(`files_mountpoint',` gen_require(` - attribute lockfile; + attribute mountpoint; ') files_type($1) - typeattribute $1 lockfile; + typeattribute $1 mountpoint; ') ######################################## ## -## Make the specified type usable for -## filesystem mount points. +## Create a private type object in mountpoint dir +## with an automatic type transition ## -## +## ## -## Type to be used for mount points. +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. ## ## # -interface(`files_mountpoint',` +interface(`files_mountpoint_filetrans',` gen_require(` attribute mountpoint; ') - files_type($1) - typeattribute $1 mountpoint; + filetrans_pattern($1, mountpoint, $2, $3, $4) ') ######################################## @@ -185,6 +331,26 @@ interface(`files_security_mountpoint',` typeattribute $1 mountpoint; ') +######################################## +## +## Make the specified type usable for +## lock files. +## +## +## +## Type to be used for lock files. +## +## +# +interface(`files_lock_file',` + gen_require(` + attribute lockfile; + ') + + files_type($1) + typeattribute $1 lockfile; +') + ######################################## ## ## Make the specified type usable for @@ -521,7 +687,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') - allow $1 non_security_file_type:dir mounton; + allow $1 non_security_file_type:dir { write setattr mounton }; allow $1 non_security_file_type:file mounton; ') @@ -543,6 +709,24 @@ interface(`files_write_non_security_dirs',` allow $1 non_security_file_type:dir write; ') +######################################## +## +## Allow attempts to setattr any directory +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir { read setattr }; +') + ######################################## ## ## Allow attempts to manage non-security directories @@ -580,6 +764,42 @@ interface(`files_getattr_all_files',` getattr_lnk_files_pattern($1, file_type, file_type) ') +######################################## +## +## Get the attributes of all chr files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_all_chr_files',` + gen_require(` + attribute file_type; + ') + + getattr_chr_files_pattern($1, file_type, file_type) +') + +######################################## +## +## Get the attributes of all blk files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_all_blk_files',` + gen_require(` + attribute file_type; + ') + + getattr_blk_files_pattern($1, file_type, file_type) +') + ######################################## ## ## Do not audit attempts to get the attributes @@ -618,6 +838,63 @@ interface(`files_dontaudit_getattr_non_security_files',` dontaudit $1 non_security_file_type:file getattr; ') +######################################## +## +## Do not audit attempts to search +## non security dirs. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_search_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to set the attributes +## of non security files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_setattr_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:file setattr; +') + +######################################## +## +## Do not audit attempts to set the attributes +## of non security directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_setattr_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:dir setattr; +') + ######################################## ## ## Read all files. @@ -683,129 +960,261 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') + list_dirs_pattern($1, non_security_file_type, non_security_file_type) read_files_pattern($1, non_security_file_type, non_security_file_type) read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## -## Read all directories on the filesystem, except -## the listed exceptions. +## Map all non-security files. ## ## ## ## Domain allowed access. ## ## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## # -interface(`files_read_all_dirs_except',` +interface(`files_map_non_security_files',` gen_require(` - attribute file_type; + attribute non_security_file_type; ') - allow $1 { file_type $2 }:dir list_dir_perms; + allow $1 non_security_file_type:file map; ') ######################################## ## -## Read all files on the filesystem, except -## the listed exceptions. +## Read/Write all inherited non-security files. ## ## ## ## Domain allowed access. ## ## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## # -interface(`files_read_all_files_except',` +interface(`files_rw_inherited_non_security_files',` gen_require(` - attribute file_type; + attribute non_security_file_type; ') - read_files_pattern($1, { file_type $2 }, { file_type $2 }) + allow $1 non_security_file_type:file { read write }; ') ######################################## ## -## Read all symbolic links on the filesystem, except -## the listed exceptions. +## Manage all non-security files. ## ## ## ## Domain allowed access. ## ## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## +## # -interface(`files_read_all_symlinks_except',` +interface(`files_manage_non_security_files',` gen_require(` - attribute file_type; + attribute non_security_file_type; ') - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + manage_files_pattern($1, non_security_file_type, non_security_file_type) + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') ######################################## ## -## Get the attributes of all symbolic links. +## Relabel all non-security files. ## ## ## ## Domain allowed access. ## ## +## # -interface(`files_getattr_all_symlinks',` +interface(`files_relabel_non_security_files',` gen_require(` - attribute file_type; + attribute non_security_file_type; ') - getattr_lnk_files_pattern($1, file_type, file_type) + relabel_files_pattern($1, non_security_file_type, non_security_file_type) + allow $1 { non_security_file_type }:dir list_dir_perms; + relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) ') ######################################## ## -## Do not audit attempts to get the attributes -## of all symbolic links. +## Search all base file dirs. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_getattr_all_symlinks',` +interface(`files_search_base_file_types',` gen_require(` - attribute file_type; + attribute base_file_type; ') - dontaudit $1 file_type:lnk_file getattr; + allow $1 base_file_type:dir search_dir_perms; ') ######################################## ## -## Do not audit attempts to read all symbolic links. +## Relabel all base file types. ## ## ## -## Domain to not audit. +## Domain allowed access. +## +## +# +interface(`files_relabel_base_file_types',` + gen_require(` + attribute base_file_type; + ') + + allow $1 base_file_type:dir list_dir_perms; + relabel_dirs_pattern($1, base_file_type , base_file_type ) + relabel_files_pattern($1, base_file_type , base_file_type ) + relabel_lnk_files_pattern($1, base_file_type , base_file_type ) + relabel_fifo_files_pattern($1, base_file_type , base_file_type ) + relabel_sock_files_pattern($1, base_file_type , base_file_type ) + relabel_blk_files_pattern($1, base_file_type , base_file_type ) + relabel_chr_files_pattern($1, base_file_type , base_file_type ) +') + +######################################## +## +## Read all directories on the filesystem, except +## the listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`files_read_all_dirs_except',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir list_dir_perms; +') + +######################################## +## +## Read all files on the filesystem, except +## the listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`files_read_all_files_except',` + gen_require(` + attribute file_type; + ') + + read_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## +## Read all symbolic links on the filesystem, except +## the listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`files_read_all_symlinks_except',` + gen_require(` + attribute file_type; + ') + + read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## +## Get the attributes of all symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_all_symlinks',` + gen_require(` + attribute file_type; + ') + + getattr_lnk_files_pattern($1, file_type, file_type) +') + +######################################## +## +## Do not audit attempts to get the attributes +## of all symbolic links. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_all_symlinks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:lnk_file getattr; +') + +######################################## +## +## Do not audit attempts to read all symbolic links. +## +## +## +## Domain to not audit. ## ## # @@ -951,6 +1360,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` dontaudit $1 non_security_file_type:fifo_file getattr; ') +######################################## +## +## Do not audit attempts to read/write +## of non security named pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_rw_inherited_pipes',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms; +') + ######################################## ## ## Get the attributes of all named sockets. @@ -989,6 +1417,44 @@ interface(`files_dontaudit_getattr_all_sockets',` dontaudit $1 file_type:sock_file getattr; ') +######################################## +## +## Do not audit attempts to read +## of all named sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_all_sockets',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:sock_file read; +') + +######################################## +## +## Do not audit attempts to read +## of all security file types. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_all_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:file read_file_perms; +') + ######################################## ## ## Do not audit attempts to get the attributes @@ -1073,10 +1539,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: seutil_relabelto_bin_policy($1) @@ -1180,24 +1644,6 @@ interface(`files_list_all',` allow $1 file_type:dir list_dir_perms; ') -######################################## -## -## Create all files as is. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_all_files_as',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:kernel_service create_files_as; -') - ######################################## ## ## Do not audit attempts to search the @@ -1443,9 +1889,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) ') ############################################# @@ -1599,6 +2042,24 @@ interface(`files_setattr_all_mountpoints',` allow $1 mountpoint:dir setattr; ') +######################################## +## +## Set the attributes of all mount points. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir relabelto; +') + ######################################## ## ## Do not audit attempts to set the attributes on all mount points. @@ -1689,6 +2150,24 @@ interface(`files_dontaudit_list_all_mountpoints',` dontaudit $1 mountpoint:dir list_dir_perms; ') +######################################## +## +## Write all mount points. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir write; +') + ######################################## ## ## Do not audit attempts to write to mount points. @@ -1703,80 +2182,172 @@ interface(`files_dontaudit_write_all_mountpoints',` gen_require(` attribute mountpoint; ') + dontaudit $1 self:capability { dac_read_search dac_override }; dontaudit $1 mountpoint:dir write; ') ######################################## ## -## List the contents of the root directory. +## Do not audit attempts to unmount all mount points. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_list_root',` +interface(`files_dontaudit_unmount_all_mountpoints',` gen_require(` - type root_t; + attribute mountpoint; ') - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + dontaudit $1 mountpoint:filesystem unmount; ') ######################################## ## -## Do not audit attempts to write to / dirs. +## Read all mountpoint symbolic links. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_write_root_dirs',` +interface(`files_read_all_mountpoint_symlinks',` gen_require(` - type root_t; + attribute mountpoint; ') - dontaudit $1 root_t:dir write; + allow $1 mountpoint:lnk_file read_lnk_file_perms; ') -################### +######################################## ## -## Do not audit attempts to write -## files in the root directory. +## Write all file type directories. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_rw_root_dir',` +interface(`files_write_all_dirs',` gen_require(` - type root_t; + attribute file_type; ') - dontaudit $1 root_t:dir rw_dir_perms; + allow $1 file_type:dir write; ') ######################################## ## -## Create an object in the root directory, with a private -## type using a type transition. +## List the contents of the root directory. ## ## ## ## Domain allowed access. ## ## -## -## -## The type of the object to be created. -## +# +interface(`files_list_root',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir list_dir_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; +') +######################################## +## +## Do not audit attempts to write to / dirs. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_write_root_dirs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir write; +') + +######################################## +## +## Do not audit attempts to write to / dirs. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_write_root_dirs',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:dir write; +') + +################### +## +## Do not audit attempts to write +## files in the root directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_rw_root_dir',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:dir rw_dir_perms; +') + +######################################## +## +## Do not audit attempts to check the +## access on root directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_access_check_root',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:dir_file_class_set audit_access; +') + + +######################################## +## +## Create an object in the root directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## ## ## ## @@ -1892,25 +2463,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## -## Associate to root file system. +## Set attributes of the root directory. ## -## +## ## -## Type of the file to associate. +## Domain allowed access. ## ## # -interface(`files_associate_rootfs',` +interface(`files_setattr_root_dirs',` gen_require(` type root_t; ') - allow $1 root_t:filesystem associate; + allow $1 root_t:dir setattr_dir_perms; ') ######################################## ## -## Relabel to and from rootfs file system. +## Relabel a rootfs filesystem. ## ## ## @@ -1923,7 +2494,7 @@ interface(`files_relabel_rootfs',` type root_t; ') - allow $1 root_t:filesystem { relabelto relabelfrom }; + allow $1 root_t:filesystem relabel_file_perms; ') ######################################## @@ -1944,6 +2515,42 @@ interface(`files_unmount_rootfs',` allow $1 root_t:filesystem unmount; ') +######################################## +## +## Mount a filesystem on the root file system +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_rootfs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir { search_dir_perms mounton }; +') + +######################################## +## +## Mount a filesystem on the root file system +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_mounton_rootfs',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:dir mounton; +') + ######################################## ## ## Get attributes of the /boot directory. @@ -2143,6 +2750,23 @@ interface(`files_read_boot_files',` read_files_pattern($1, boot_t, boot_t) ') +###################################### +## +## Map files in the /boot. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_map_boot_files',` + gen_require(` + type boot_t; + ') + allow $1 boot_t:file map; +') + ######################################## ## ## Create, read, write, and delete files @@ -2181,6 +2805,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') +######################################## +## +## Relabel to files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_boot_files',` + gen_require(` + type boot_t; + ') + + relabelto_files_pattern($1, boot_t, boot_t) +') + ###################################### ## ## Read symbolic links in the /boot directory. @@ -2555,6 +3197,24 @@ interface(`files_read_default_pipes',` allow $1 default_t:fifo_file read_fifo_file_perms; ') +######################################## +## +## Mounton directories on filesystem /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_etc',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir mounton; +') + ######################################## ## ## Search the contents of /etc directories. @@ -2645,6 +3305,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') +####################################### +## +## Dontaudit remove dir /etc directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_remove_etc_dir',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:dir rmdir; +') + ########################################## ## ## Manage generic directories in /etc @@ -2716,6 +3394,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) + files_read_etc_runtime_files($1) ') ######################################## @@ -2724,7 +3403,7 @@ interface(`files_read_etc_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -2778,6 +3457,25 @@ interface(`files_manage_etc_files',` read_lnk_files_pattern($1, etc_t, etc_t) ') +######################################## +## +## Do not audit attempts to check the +## access on etc files +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_access_check_etc',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:dir_file_class_set audit_access; +') + ######################################## ## ## Delete system configuration files in /etc. @@ -2796,6 +3494,24 @@ interface(`files_delete_etc_files',` delete_files_pattern($1, etc_t, etc_t) ') +######################################## +## +## Remove entries from the etc directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_etc_dir_entry',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir del_entry_dir_perms; +') + ######################################## ## ## Execute generic files in /etc. @@ -2961,24 +3677,6 @@ interface(`files_delete_boot_flag',` delete_files_pattern($1, root_t, etc_runtime_t) ') -######################################## -## -## Do not audit attempts to set the attributes of the etc_runtime files -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_setattr_etc_runtime_files',` - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file setattr; -') - ######################################## ## ## Read files in /etc that are dynamically @@ -3021,9 +3719,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## -## Do not audit attempts to read files -## in /etc that are dynamically -## created on boot, such as mtab. +## Do not audit attempts to set the attributes of the etc_runtime files ## ## ## @@ -3031,18 +3727,17 @@ interface(`files_read_etc_runtime_files',` ## ## # -interface(`files_dontaudit_read_etc_runtime_files',` +interface(`files_dontaudit_setattr_etc_runtime_files',` gen_require(` type etc_runtime_t; ') - dontaudit $1 etc_runtime_t:file { getattr read }; + dontaudit $1 etc_runtime_t:file setattr; ') ######################################## ## -## Do not audit attempts to write -## etc runtime files. +## Do not audit attempts to write etc_runtime files ## ## ## @@ -3058,6 +3753,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` dontaudit $1 etc_runtime_t:file write; ') +######################################## +## +## Do not audit attempts to read files +## in /etc that are dynamically +## created on boot, such as mtab. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + + dontaudit $1 etc_runtime_t:file { getattr read }; +') + ######################################## ## ## Read and write files in /etc that are dynamically @@ -3077,6 +3792,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_t) ') ######################################## @@ -3098,6 +3814,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_runtime_t) ') ######################################## @@ -3142,10 +3859,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir getattr; +') + +######################################## +## +## Getattr all file opbjects on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_isid_type',` + gen_require(` + type unlabeled_t; ') - allow $1 file_t:dir getattr; + allow $1 unlabeled_t:dir_file_class_set getattr; +') + +######################################## +## +## Setattr of directories on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_isid_type_dirs',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir setattr; ') ######################################## @@ -3161,10 +3916,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; ') - dontaudit $1 file_t:dir search_dir_perms; + dontaudit $1 unlabeled_t:dir search_dir_perms; ') ######################################## @@ -3180,10 +3935,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:dir list_dir_perms; + allow $1 unlabeled_t:dir list_dir_perms; ') ######################################## @@ -3199,10 +3954,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:dir rw_dir_perms; + allow $1 unlabeled_t:dir rw_dir_perms; ') ######################################## @@ -3218,10 +3973,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; + ') + + delete_dirs_pattern($1, unlabeled_t, unlabeled_t) +') +######################################## +## +## Execute files on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_isid_files',` + gen_require(` + type unlabeled_t; + ') + + can_exec($1, unlabeled_t) +') + +######################################## +## +## Moundon directories on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_isid',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir mounton; +') + +######################################## +## +## Relabelfrom all file opbjects on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; ') - delete_dirs_pattern($1, file_t, file_t) + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## @@ -3237,10 +4048,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:dir manage_dir_perms; + allow $1 unlabeled_t:dir manage_dir_perms; ') ######################################## @@ -3256,10 +4067,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` - type file_t; + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir { search_dir_perms mounton }; +') + +######################################## +## +## Mount a filesystem on a new chr_file +## that has not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_isid_type_chr_file',` + gen_require(` + type unlabeled_t; ') - allow $1 file_t:dir { search_dir_perms mounton }; + allow $1 unlabeled_t:chr_file mounton; ') ######################################## @@ -3275,10 +4105,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:file read_file_perms; + allow $1 unlabeled_t:file read_file_perms; ') ######################################## @@ -3294,10 +4124,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_files_pattern($1, file_t, file_t) + delete_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3313,10 +4143,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_lnk_files_pattern($1, file_t, file_t) + delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3332,10 +4162,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_fifo_files_pattern($1, file_t, file_t) + delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3351,10 +4181,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_sock_files_pattern($1, file_t, file_t) + delete_sock_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3370,10 +4200,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_blk_files_pattern($1, file_t, file_t) + delete_blk_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3389,10 +4219,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` - type file_t; + type unlabeled_t; ') - dontaudit $1 file_t:chr_file write; + dontaudit $1 unlabeled_t:chr_file write; ') ######################################## @@ -3408,10 +4238,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` - type file_t; + type unlabeled_t; ') - delete_chr_files_pattern($1, file_t, file_t) + delete_chr_files_pattern($1, unlabeled_t, unlabeled_t) ') ######################################## @@ -3427,10 +4257,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:file manage_file_perms; + allow $1 unlabeled_t:file manage_file_perms; ') ######################################## @@ -3446,10 +4276,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:lnk_file manage_lnk_file_perms; + allow $1 unlabeled_t:lnk_file manage_lnk_file_perms; ') ######################################## @@ -3465,10 +4295,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` - type file_t; + type unlabeled_t; + ') + + allow $1 unlabeled_t:blk_file rw_blk_file_perms; +') + +######################################## +## +## rw any files inherited from another process +## on new filesystems that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type unlabeled_t; ') - allow $1 file_t:blk_file rw_blk_file_perms; + allow $1 unlabeled_t:file rw_inherited_file_perms; ') ######################################## @@ -3484,10 +4333,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:blk_file manage_blk_file_perms; + allow $1 unlabeled_t:blk_file manage_blk_file_perms; ') ######################################## @@ -3503,10 +4352,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` - type file_t; + type unlabeled_t; ') - allow $1 file_t:chr_file manage_chr_file_perms; + allow $1 unlabeled_t:chr_file manage_chr_file_perms; ') ######################################## @@ -3550,6 +4399,43 @@ interface(`files_dontaudit_getattr_home_dir',` dontaudit $1 home_root_t:lnk_file getattr; ') +######################################## +## +## Do not audit attempts to check the +## access on home root directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_access_check_home_dir',` + gen_require(` + type home_root_t; + ') + + dontaudit $1 home_root_t:dir_file_class_set audit_access; +') + +######################################## +## +## Create /home directories +## +## +## +## Domain allowed access +## +## +# +interface(`files_create_home_dir',` + gen_require(` + type home_root_t; + ') + + create_dirs_pattern($1, home_root_t, home_root_t) +') + ######################################## ## ## Search home directories root (/home). @@ -3814,20 +4700,38 @@ interface(`files_list_mnt',` ###################################### ## -## Do not audit attempts to list the contents of /mnt. +## dontaudit List the contents of /mnt. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_list_mnt',` + gen_require(` + type mnt_t; + ') + + dontaudit $1 mnt_t:dir list_dir_perms; +') + +######################################## +## +## Do not audit attempts to check the +## write access on mnt files ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_dontaudit_list_mnt',` +interface(`files_dontaudit_access_check_mnt',` gen_require(` type mnt_t; ') - - dontaudit $1 mnt_t:dir list_dir_perms; + dontaudit $1 mnt_t:dir_file_class_set audit_access; ') ######################################## @@ -3921,6 +4825,45 @@ interface(`files_read_mnt_symlinks',` read_lnk_files_pattern($1, mnt_t, mnt_t) ') + +######################################## +## +## Load kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_load_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + files_read_kernel_modules($1) + allow $1 modules_object_t:system module_load; +') + +######################################## +## +## Mmap kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_map_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:file map; + +') + ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. @@ -4012,6 +4955,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) + ') ######################################## @@ -4217,174 +5161,235 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') -######################################## +####################################### ## -## Allow the specified type to associate -## to a filesystem with the type of the -## temporary directory (/tmp). +## Read manageable system configuration files in /etc ## -## -## -## Type of the file to associate. -## +## +## +## Domain allowed access. +## ## # -interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) ') -######################################## +###################################### ## -## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) ') -######################################## +##################################### ## -## Do not audit attempts to get the -## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t, usr_t; + ') - dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") + filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") + filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") + filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") ') -######################################## +###################################### ## -## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`files_search_tmp',` - gen_require(` - type tmp_t; - ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') - allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) ') -######################################## +###################################### ## -## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. ## ## -## -## Domain to not audit. -## +## +## Domain allowed access. +## ## # -interface(`files_dontaudit_search_tmp',` - gen_require(` - type tmp_t; - ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) ') -######################################## +################################### ## -## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. ## ## -## -## Domain allowed access. -## +## +## The type of the process performing this action. +## ## # -interface(`files_list_tmp',` - gen_require(` - type tmp_t; - ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) ') -######################################## +###################################### ## -## Do not audit listing of the tmp directory (/tmp). +## Manage manageable system db files in /var/lib. ## ## -## -## Domain not to audit. -## +## +## Domain allowed access. +## ## # -interface(`files_dontaudit_list_tmp',` - gen_require(` - type tmp_t; - ') +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) ') -######################################## +###################################### ## -## Remove entries from the tmp directory. +## Map manageable system db files in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_map_system_db_files',` + gen_require(` + type system_db_t; + ') + allow $1 system_db_t:file map; +') + +##################################### +## +## File name transition for system db files in /var/lib. ## ## +## +## Domain allowed access. +## +## +# +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') + + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") +') + +######################################## +## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). +## +## ## -## Domain allowed access. +## Type of the file to associate. ## ## # -interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') - allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## -## Read files in the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system ## -## +## ## -## Domain allowed access. +## Type of the file to associate. ## ## # -interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') - read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') ######################################## ## -## Manage temporary directories in /tmp. +## Get the attributes of the tmp directory (/tmp). ## ## ## @@ -4392,53 +5397,56 @@ interface(`files_read_generic_tmp_files',` ## ## # -interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') - manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## -## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') - manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## -## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') - read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## -## Read and write generic named sockets in the tmp directory (/tmp). +## Search the tmp directory (/tmp). ## ## ## @@ -4446,35 +5454,37 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # -interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` gen_require(` type tmp_t; ') - rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; ') ######################################## ## -## Set the attributes of all tmp directories. +## Do not audit attempts to search the tmp directory (/tmp). ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` gen_require(` - attribute tmpfile; + type tmp_t; ') - allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## -## List all tmp directories. +## Read the tmp directory (/tmp). ## ## ## @@ -4482,59 +5492,55 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # -interface(`files_list_all_tmp',` +interface(`files_list_tmp',` gen_require(` - attribute tmpfile; + type tmp_t; ') - allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## -## Relabel to and from all temporary -## directory types. +## Do not audit listing of the tmp directory (/tmp). ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## -## # -interface(`files_relabel_all_tmp_dirs',` +interface(`files_dontaudit_list_tmp',` gen_require(` - attribute tmpfile; - type var_t; + type tmp_t; ') - allow $1 var_t:dir search_dir_perms; - relabel_dirs_pattern($1, tmpfile, tmpfile) + dontaudit $1 tmp_t:dir list_dir_perms; ') -######################################## +####################################### ## -## Do not audit attempts to get the attributes -## of all tmp files. +## Allow read and write to the tmp directory (/tmp). ## ## -## -## Domain not to audit. -## +## +## Domain not to audit. +## ## # -interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') - dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') ######################################## ## -## Allow attempts to get the attributes -## of all tmp files. +## Remove entries from the tmp directory. ## ## ## @@ -4542,110 +5548,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # -interface(`files_getattr_all_tmp_files',` +interface(`files_delete_tmp_dir_entry',` gen_require(` - attribute tmpfile; + type tmp_t; ') - allow $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; ') ######################################## ## -## Relabel to and from all temporary -## file types. +## Read files in the tmp directory (/tmp). ## ## ## ## Domain allowed access. ## ## -## # -interface(`files_relabel_all_tmp_files',` +interface(`files_read_generic_tmp_files',` gen_require(` - attribute tmpfile; - type var_t; + type tmp_t; ') - allow $1 var_t:dir search_dir_perms; - relabel_files_pattern($1, tmpfile, tmpfile) + read_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit attempts to get the attributes -## of all tmp sock_file. +## Manage temporary directories in /tmp. ## ## ## -## Domain not to audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_getattr_all_tmp_sockets',` +interface(`files_manage_generic_tmp_dirs',` gen_require(` - attribute tmpfile; + type tmp_t; ') - dontaudit $1 tmpfile:sock_file getattr; + manage_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Read all tmp files. +## Allow shared library text relocations in tmp files. ## +## +##

    +## Allow shared library text relocations in tmp files. +##

    +##

    +## This is added to support java policy. +##

    +##
    ## ## ## Domain allowed access. ## ## # -interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` gen_require(` attribute tmpfile; ') - read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; ') ######################################## ## -## Create an object in the tmp directories, with a private -## type using a type transition. +## Manage temporary files and directories in /tmp. ## ## ## ## Domain allowed access. ## ## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## # -interface(`files_tmp_filetrans',` +interface(`files_manage_generic_tmp_files',` gen_require(` type tmp_t; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) + manage_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Delete the contents of /tmp. +## Read symbolic links in the tmp directory (/tmp). ## ## ## @@ -4653,22 +5647,17 @@ interface(`files_tmp_filetrans',` ## ## # -interface(`files_purge_tmp',` +interface(`files_read_generic_tmp_symlinks',` gen_require(` - attribute tmpfile; + type tmp_t; ') - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) - delete_files_pattern($1, tmpfile, tmpfile) - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) + read_lnk_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Set the attributes of the /usr directory. +## Read and write generic named sockets in the tmp directory (/tmp). ## ## ## @@ -4676,17 +5665,17 @@ interface(`files_purge_tmp',` ## ## # -interface(`files_setattr_usr_dirs',` +interface(`files_rw_generic_tmp_sockets',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir setattr; + rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Search the content of /usr. +## Relabel a dir from the type used in /tmp. ## ## ## @@ -4694,18 +5683,17 @@ interface(`files_setattr_usr_dirs',` ## ## # -interface(`files_search_usr',` +interface(`files_relabelfrom_tmp_dirs',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir search_dir_perms; + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## List the contents of generic -## directories in /usr. +## Relabel a file from the type used in /tmp. ## ## ## @@ -4713,35 +5701,35 @@ interface(`files_search_usr',` ## ## # -interface(`files_list_usr',` +interface(`files_relabelfrom_tmp_files',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir list_dir_perms; + relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit write of /usr dirs +## Set the attributes of all tmp directories. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_write_usr_dirs',` +interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir write; + allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## -## Add and remove entries from /usr directories. +## Allow caller to read inherited tmp files. ## ## ## @@ -4749,36 +5737,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # -interface(`files_rw_usr_dirs',` +interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file { append open read_inherited_file_perms }; ') ######################################## ## -## Do not audit attempts to add and remove -## entries from /usr directories. +## Allow caller to append inherited tmp files. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_rw_usr_dirs',` +interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## -## Delete generic directories in /usr in the caller domain. +## Allow caller to read and write inherited tmp files. ## ## ## @@ -4786,17 +5773,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # -interface(`files_delete_usr_dirs',` +interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_dirs_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Delete generic files in /usr in the caller domain. +## List all tmp directories. ## ## ## @@ -4804,73 +5791,59 @@ interface(`files_delete_usr_dirs',` ## ## # -interface(`files_delete_usr_files',` +interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Get the attributes of files in /usr. +## Relabel to and from all temporary +## directory types. ## ## ## ## Domain allowed access. ## ## +## # -interface(`files_getattr_usr_files',` +interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; + type var_t; ') - getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Read generic files in /usr. +## Do not audit attempts to get the attributes +## of all tmp files. ## -## -##

    -## Allow the specified domain to read generic -## files in /usr. These files are various program -## files that do not have more specific SELinux types. -## Some examples of these files are: -##

    -##
      -##
    • /usr/include/*
    • -##
    • /usr/share/doc/*
    • -##
    • /usr/share/info/*
    • -##
    -##

    -## Generally, it is safe for many domains to have -## this access. -##

    -##
    ## ## -## Domain allowed access. +## Domain to not audit. ## ## -## # -interface(`files_read_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Execute generic programs in /usr in the caller domain. +## Allow attempts to get the attributes +## of all tmp files. ## ## ## @@ -4878,55 +5851,58 @@ interface(`files_read_usr_files',` ## ## # -interface(`files_exec_usr_files',` +interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file getattr; ') ######################################## ## -## dontaudit write of /usr files +## Relabel to and from all temporary +## file types. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## +## # -interface(`files_dontaudit_write_usr_files',` +interface(`files_relabel_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; + type var_t; ') - dontaudit $1 usr_t:file write; + allow $1 var_t:dir search_dir_perms; + relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Create, read, write, and delete files in the /usr directory. +## Do not audit attempts to get the attributes +## of all tmp sock_file. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_manage_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` - type usr_t; + attribute tmpfile; ') - manage_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:sock_file getattr; ') ######################################## ## -## Relabel a file to the type used in /usr. +## Read all tmp files. ## ## ## @@ -4934,67 +5910,70 @@ interface(`files_manage_usr_files',` ## ## # -interface(`files_relabelto_usr_files',` +interface(`files_read_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - relabelto_files_pattern($1, usr_t, usr_t) + read_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Relabel a file from the type used in /usr. +## Do not audit attempts to read or write +## all leaked tmpfiles files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_relabelfrom_usr_files',` +interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') - relabelfrom_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Read symbolic links in /usr. +## Do allow attempts to read or write +## all leaked tmpfiles files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_read_usr_symlinks',` +interface(`files_rw_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') - read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Create objects in the /usr directory +## Create an object in the tmp directories, with a private +## type using a type transition. ## ## ## ## Domain allowed access. ## ## -## +## ## -## The type of the object to be created +## The type of the object to be created. ## ## -## +## ## -## The object class. +## The object class of the object being created. ## ## ## @@ -5003,35 +5982,50 @@ interface(`files_read_usr_symlinks',` ##
    ## # -interface(`files_usr_filetrans',` +interface(`files_tmp_filetrans',` gen_require(` - type usr_t; + type tmp_t; ') - filetrans_pattern($1, usr_t, $2, $3, $4) + filetrans_pattern($1, tmp_t, $2, $3, $4) ') ######################################## ## -## Do not audit attempts to search /usr/src. +## Delete the contents of /tmp. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_search_src',` +interface(`files_purge_tmp',` gen_require(` - type src_t; + attribute tmpfile; ') - dontaudit $1 src_t:dir search_dir_perms; + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) + delete_chr_files_pattern($1, tmpfile, tmpfile) + delete_blk_files_pattern($1, tmpfile, tmpfile) + files_list_isid_type_dirs($1) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) + files_delete_isid_type_symlinks($1) + files_delete_isid_type_fifo_files($1) + files_delete_isid_type_sock_files($1) + files_delete_isid_type_blk_files($1) + files_delete_isid_type_chr_files($1) ') ######################################## ## -## Get the attributes of files in /usr/src. +## Set the attributes of the /usr directory. ## ## ## @@ -5039,20 +6033,17 @@ interface(`files_dontaudit_search_src',` ## ## # -interface(`files_getattr_usr_src_files',` +interface(`files_setattr_usr_dirs',` gen_require(` - type usr_t, src_t; + type usr_t; ') - getattr_files_pattern($1, src_t, src_t) - - # /usr/src/linux symlink: - read_lnk_files_pattern($1, usr_t, src_t) + allow $1 usr_t:dir setattr; ') ######################################## ## -## Read files in /usr/src. +## Search the content of /usr. ## ## ## @@ -5060,20 +6051,18 @@ interface(`files_getattr_usr_src_files',` ## ## # -interface(`files_read_usr_src_files',` +interface(`files_search_usr',` gen_require(` - type usr_t, src_t; + type usr_t; ') allow $1 usr_t:dir search_dir_perms; - read_files_pattern($1, { usr_t src_t }, src_t) - read_lnk_files_pattern($1, { usr_t src_t }, src_t) - allow $1 src_t:dir list_dir_perms; ') ######################################## ## -## Execute programs in /usr/src in the caller domain. +## List the contents of generic +## directories in /usr. ## ## ## @@ -5081,38 +6070,35 @@ interface(`files_read_usr_src_files',` ## ## # -interface(`files_exec_usr_src_files',` +interface(`files_list_usr',` gen_require(` - type usr_t, src_t; + type usr_t; ') - list_dirs_pattern($1, usr_t, src_t) - exec_files_pattern($1, src_t, src_t) - read_lnk_files_pattern($1, src_t, src_t) + allow $1 usr_t:dir list_dir_perms; ') ######################################## ## -## Install a system.map into the /boot directory. +## Do not audit write of /usr dirs ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_create_kernel_symbol_table',` +interface(`files_dontaudit_write_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') - allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; - allow $1 system_map_t:file { create_file_perms rw_file_perms }; + dontaudit $1 usr_t:dir write; ') ######################################## ## -## Read system.map in the /boot directory. +## Add and remove entries from /usr directories. ## ## ## @@ -5120,37 +6106,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # -interface(`files_read_kernel_symbol_table',` +interface(`files_rw_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, system_map_t) + allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## -## Delete a system.map in the /boot directory. +## Do not audit attempts to add and remove +## entries from /usr directories. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_delete_kernel_symbol_table',` +interface(`files_dontaudit_rw_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') - allow $1 boot_t:dir list_dir_perms; - delete_files_pattern($1, boot_t, system_map_t) + dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## -## Search the contents of /var. +## Delete generic directories in /usr in the caller domain. ## ## ## @@ -5158,35 +6143,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # -interface(`files_search_var',` +interface(`files_delete_usr_dirs',` gen_require(` - type var_t; + type usr_t; ') - allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## -## Do not audit attempts to write to /var. +## Delete generic files in /usr in the caller domain. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_write_var_dirs',` +interface(`files_delete_usr_files',` gen_require(` - type var_t; + type usr_t; ') - dontaudit $1 var_t:dir write; + delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Allow attempts to write to /var.dirs +## Map files in /usr in the caller domain. ## ## ## @@ -5194,73 +6179,73 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # -interface(`files_write_var_dirs',` +interface(`files_mmap_usr_files',` gen_require(` - type var_t; + type usr_t; ') - allow $1 var_t:dir write; + allow $1 usr_t:file map; ') ######################################## ## -## Do not audit attempts to search -## the contents of /var. +## Get the attributes of files in /usr. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_search_var',` +interface(`files_getattr_usr_files',` gen_require(` - type var_t; + type usr_t; ') - dontaudit $1 var_t:dir search_dir_perms; + getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## List the contents of /var. +## Read generic files in /usr. ## +## +##

    +## Allow the specified domain to read generic +## files in /usr. These files are various program +## files that do not have more specific SELinux types. +## Some examples of these files are: +##

    +##
      +##
    • /usr/include/*
    • +##
    • /usr/share/doc/*
    • +##
    • /usr/share/info/*
    • +##
    +##

    +## Generally, it is safe for many domains to have +## this access. +##

    +##
    ## ## ## Domain allowed access. ## ## +## # -interface(`files_list_var',` +interface(`files_read_usr_files',` gen_require(` - type var_t; + type usr_t; ') - allow $1 var_t:dir list_dir_perms; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Create, read, write, and delete directories -## in the /var directory. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_manage_var_dirs',` - gen_require(` - type var_t; - ') - - allow $1 var_t:dir manage_dir_perms; -') - -######################################## -## -## Read files in the /var directory. +## Execute generic programs in /usr in the caller domain. ## ## ## @@ -5268,35 +6253,37 @@ interface(`files_manage_var_dirs',` ## ## # -interface(`files_read_var_files',` +interface(`files_exec_usr_files',` gen_require(` - type var_t; + type usr_t; ') - read_files_pattern($1, var_t, var_t) + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Append files in the /var directory. +## dontaudit write of /usr files ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_append_var_files',` +interface(`files_dontaudit_write_usr_files',` gen_require(` - type var_t; + type usr_t; ') - append_files_pattern($1, var_t, var_t) + dontaudit $1 usr_t:file write; ') ######################################## ## -## Read and write files in the /var directory. +## Create, read, write, and delete files in the /usr directory. ## ## ## @@ -5304,36 +6291,17 @@ interface(`files_append_var_files',` ## ## # -interface(`files_rw_var_files',` - gen_require(` - type var_t; - ') - - rw_files_pattern($1, var_t, var_t) -') - -######################################## -## -## Do not audit attempts to read and write -## files in the /var directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_rw_var_files',` +interface(`files_manage_usr_files',` gen_require(` - type var_t; + type usr_t; ') - dontaudit $1 var_t:file rw_file_perms; + manage_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Create, read, write, and delete files in the /var directory. +## Relabel a file to the type used in /usr. ## ## ## @@ -5341,17 +6309,17 @@ interface(`files_dontaudit_rw_var_files',` ## ## # -interface(`files_manage_var_files',` +interface(`files_relabelto_usr_files',` gen_require(` - type var_t; + type usr_t; ') - manage_files_pattern($1, var_t, var_t) + relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Read symbolic links in the /var directory. +## Relabel a file from the type used in /usr. ## ## ## @@ -5359,18 +6327,17 @@ interface(`files_manage_var_files',` ## ## # -interface(`files_read_var_symlinks',` +interface(`files_relabelfrom_usr_files',` gen_require(` - type var_t; + type usr_t; ') - read_lnk_files_pattern($1, var_t, var_t) + relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Create, read, write, and delete symbolic -## links in the /var directory. +## Read symbolic links in /usr. ## ## ## @@ -5378,17 +6345,17 @@ interface(`files_read_var_symlinks',` ## ## # -interface(`files_manage_var_symlinks',` +interface(`files_read_usr_symlinks',` gen_require(` - type var_t; + type usr_t; ') - manage_lnk_files_pattern($1, var_t, var_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## -## Create objects in the /var directory +## Create objects in the /usr directory ## ## ## @@ -5411,87 +6378,77 @@ interface(`files_manage_var_symlinks',` ## ## # -interface(`files_var_filetrans',` +interface(`files_usr_filetrans',` gen_require(` - type var_t; + type usr_t; ') - filetrans_pattern($1, var_t, $2, $3, $4) + filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## -## Get the attributes of the /var/lib directory. +## Do not audit attempts to search /usr/src. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_getattr_var_lib_dirs',` +interface(`files_dontaudit_search_src',` gen_require(` - type var_t, var_lib_t; + type src_t; ') - getattr_dirs_pattern($1, var_t, var_lib_t) + dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## -## Search the /var/lib directory. +## Get the attributes of files in /usr/src. ## -## -##

    -## Search the /var/lib directory. This is -## necessary to access files or directories under -## /var/lib that have a private type. For example, a -## domain accessing a private library file in the -## /var/lib directory: -##

    -##

    -## allow mydomain_t mylibfile_t:file read_file_perms; -## files_search_var_lib(mydomain_t) -##

    -##
    ## ## ## Domain allowed access. ## ## -## # -interface(`files_search_var_lib',` +interface(`files_getattr_usr_src_files',` gen_require(` - type var_t, var_lib_t; + type usr_t, src_t; ') - search_dirs_pattern($1, var_t, var_lib_t) + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: + read_lnk_files_pattern($1, usr_t, src_t) ') ######################################## ## -## Do not audit attempts to search the -## contents of /var/lib. +## Read files in /usr/src. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## -## # -interface(`files_dontaudit_search_var_lib',` +interface(`files_read_usr_src_files',` gen_require(` - type var_lib_t; + type usr_t, src_t; ') - dontaudit $1 var_lib_t:dir search_dir_perms; + allow $1 usr_t:dir search_dir_perms; + read_files_pattern($1, { usr_t src_t }, src_t) + read_lnk_files_pattern($1, { usr_t src_t }, src_t) + allow $1 src_t:dir list_dir_perms; ') ######################################## ## -## List the contents of the /var/lib directory. +## Execute programs in /usr/src in the caller domain. ## ## ## @@ -5499,17 +6456,19 @@ interface(`files_dontaudit_search_var_lib',` ## ## # -interface(`files_list_var_lib',` +interface(`files_exec_usr_src_files',` gen_require(` - type var_t, var_lib_t; + type usr_t, src_t; ') - list_dirs_pattern($1, var_t, var_lib_t) + list_dirs_pattern($1, usr_t, src_t) + exec_files_pattern($1, src_t, src_t) + read_lnk_files_pattern($1, src_t, src_t) ') -########################################### +######################################## ## -## Read-write /var/lib directories +## Install a system.map into the /boot directory. ## ## ## @@ -5517,51 +6476,36 @@ interface(`files_list_var_lib',` ## ## # -interface(`files_rw_var_lib_dirs',` +interface(`files_create_kernel_symbol_table',` gen_require(` - type var_lib_t; + type boot_t, system_map_t; ') - rw_dirs_pattern($1, var_lib_t, var_lib_t) + allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; + allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ## -## Create objects in the /var/lib directory +## Dontaudit getattr attempts on the system.map file ## ## ## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. +## Domain to not audit. ## ## # -interface(`files_var_lib_filetrans',` +interface(`files_dontaduit_getattr_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type system_map_t; ') - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) + dontaudit $1 system_map_t:file getattr; ') ######################################## ## -## Read generic files in /var/lib. +## Read system.map in the /boot directory. ## ## ## @@ -5569,18 +6513,18 @@ interface(`files_var_lib_filetrans',` ## ## # -interface(`files_read_var_lib_files',` +interface(`files_read_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; ') - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1, boot_t, system_map_t) ') ######################################## ## -## Read generic symbolic links in /var/lib +## Delete a system.map in the /boot directory. ## ## ## @@ -5588,21 +6532,18 @@ interface(`files_read_var_lib_files',` ## ## # -interface(`files_read_var_lib_symlinks',` +interface(`files_delete_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; ') - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + allow $1 boot_t:dir list_dir_perms; + delete_files_pattern($1, boot_t, system_map_t) ') -# cjp: the next two interfaces really need to be fixed -# in some way. They really neeed their own types. - ######################################## ## -## Create, read, write, and delete the -## pseudorandom number generator seed. +## Search the contents of /var. ## ## ## @@ -5610,38 +6551,35 @@ interface(`files_read_var_lib_symlinks',` ## ## # -interface(`files_manage_urandom_seed',` +interface(`files_search_var',` gen_require(` - type var_t, var_lib_t; + type var_t; ') allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. +## Do not audit attempts to write to /var. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_manage_mounttab',` +interface(`files_dontaudit_write_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) + dontaudit $1 var_t:dir write; ') ######################################## ## -## Set the attributes of the generic lock directories. +## Allow attempts to write to /var.dirs ## ## ## @@ -5649,76 +6587,73 @@ interface(`files_manage_mounttab',` ## ## # -interface(`files_setattr_lock_dirs',` +interface(`files_write_var_dirs',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - setattr_dirs_pattern($1, var_t, var_lock_t) + allow $1 var_t:dir write; ') ######################################## ## -## Search the locks directory (/var/lock). +## Do not audit attempts to search +## the contents of /var. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_search_locks',` +interface(`files_dontaudit_search_var',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) + dontaudit $1 var_t:dir search_dir_perms; ') ######################################## ## -## Do not audit attempts to search the -## locks directory (/var/lock). +## List the contents of /var. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_search_locks',` +interface(`files_list_var',` gen_require(` - type var_lock_t; + type var_t; ') - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; + allow $1 var_t:dir list_dir_perms; ') ######################################## ## -## List generic lock directories. +## Do not audit listing of the var directory (/var). ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_list_locks',` +interface(`files_dontaudit_list_var',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) + dontaudit $1 var_t:dir list_dir_perms; ') ######################################## ## -## Add and remove entries in the /var/lock -## directories. +## Create, read, write, and delete directories +## in the /var directory. ## ## ## @@ -5726,60 +6661,35 @@ interface(`files_list_locks',` ## ## # -interface(`files_rw_lock_dirs',` - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - rw_dirs_pattern($1, var_t, var_lock_t) -') - -######################################## -## -## Create lock directories -## -## -## -## Domain allowed access -## -## -# -interface(`files_create_lock_dirs',` +interface(`files_manage_var_dirs',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) + allow $1 var_t:dir manage_dir_perms; ') ######################################## ## -## Relabel to and from all lock directory types. +## Read files in the /var directory. ## ## ## ## Domain allowed access. ## ## -## # -interface(`files_relabel_all_lock_dirs',` +interface(`files_read_var_files',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) + read_files_pattern($1, var_t, var_t) ') ######################################## ## -## Get the attributes of generic lock files. +## Append files in the /var directory. ## ## ## @@ -5787,20 +6697,17 @@ interface(`files_relabel_all_lock_dirs',` ## ## # -interface(`files_getattr_generic_locks',` +interface(`files_append_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) + append_files_pattern($1, var_t, var_t) ') ######################################## ## -## Delete generic lock files. +## Read and write files in the /var directory. ## ## ## @@ -5808,63 +6715,54 @@ interface(`files_getattr_generic_locks',` ## ## # -interface(`files_delete_generic_locks',` +interface(`files_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) + rw_files_pattern($1, var_t, var_t) ') ######################################## ## -## Create, read, write, and delete generic -## lock files. +## Do not audit attempts to read and write +## files in the /var directory. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_manage_generic_locks',` +interface(`files_dontaudit_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - manage_dirs_pattern($1, var_lock_t, var_lock_t) - manage_files_pattern($1, var_lock_t, var_lock_t) + dontaudit $1 var_t:file rw_inherited_file_perms; ') ######################################## ## -## Delete all lock files. +## Create, read, write, and delete files in the /var directory. ## ## ## ## Domain allowed access. ## ## -## # -interface(`files_delete_all_locks',` +interface(`files_manage_var_files',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, lockfile, lockfile) + manage_files_pattern($1, var_t, var_t) ') ######################################## ## -## Read all lock files. +## Read symbolic links in the /var directory. ## ## ## @@ -5872,22 +6770,18 @@ interface(`files_delete_all_locks',` ## ## # -interface(`files_read_all_locks',` +interface(`files_read_var_symlinks',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## -## manage all lock files. +## Create, read, write, and delete symbolic +## links in the /var directory. ## ## ## @@ -5895,37 +6789,31 @@ interface(`files_read_all_locks',` ## ## # -interface(`files_manage_all_locks',` +interface(`files_manage_var_symlinks',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## -## Create an object in the locks directory, with a private -## type using a type transition. +## Create objects in the /var directory ## ## ## ## Domain allowed access. ## ## -## +## ## -## The type of the object to be created. +## The type of the object to be created ## ## -## +## ## -## The object class of the object being created. +## The object class. ## ## ## @@ -5934,39 +6822,35 @@ interface(`files_manage_all_locks',` ##
    ## # -interface(`files_lock_filetrans',` +interface(`files_var_filetrans',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_lock_t, $2, $3, $4) + filetrans_pattern($1, var_t, $2, $3, $4) ') + ######################################## ## -## Do not audit attempts to get the attributes -## of the /var/run directory. +## Relabel dirs in the /var directory. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_relabel_var_dirs',` gen_require(` - type var_run_t; + type var_t; ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir getattr; + allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## -## Set the attributes of the /var/run directory. +## Get the attributes of the /var/lib directory. ## ## ## @@ -5974,59 +6858,69 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # -interface(`files_setattr_pid_dirs',` +interface(`files_getattr_var_lib_dirs',` gen_require(` - type var_run_t; + type var_t, var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir setattr; + getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## Search the contents of runtime process -## ID directories (/var/run). +## Search the /var/lib directory. ## +## +##

    +## Search the /var/lib directory. This is +## necessary to access files or directories under +## /var/lib that have a private type. For example, a +## domain accessing a private library file in the +## /var/lib directory: +##

    +##

    +## allow mydomain_t mylibfile_t:file read_file_perms; +## files_search_var_lib(mydomain_t) +##

    +##
    ## ## ## Domain allowed access. ## ## +## # -interface(`files_search_pids',` +interface(`files_search_var_lib',` gen_require(` - type var_t, var_run_t; + type var_t, var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) + search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## Do not audit attempts to search -## the /var/run directory. +## Do not audit attempts to search the +## contents of /var/lib. ## ## ## ## Domain to not audit. ## ## +## # -interface(`files_dontaudit_search_pids',` +interface(`files_dontaudit_search_var_lib',` gen_require(` - type var_run_t; + type var_lib_t; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir search_dir_perms; + dontaudit $1 var_lib_t:dir search_dir_perms; ') ######################################## ## -## List the contents of the runtime process -## ID directories (/var/run). +## List the contents of the /var/lib directory. ## ## ## @@ -6034,18 +6928,17 @@ interface(`files_dontaudit_search_pids',` ## ## # -interface(`files_list_pids',` +interface(`files_list_var_lib',` gen_require(` - type var_t, var_run_t; + type var_t, var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) + list_dirs_pattern($1, var_t, var_lib_t) ') -######################################## +########################################### ## -## Read generic process ID files. +## Read-write /var/lib directories ## ## ## @@ -6053,19 +6946,17 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` +interface(`files_rw_var_lib_dirs',` gen_require(` - type var_t, var_run_t; + type var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## -## Write named generic process ID pipes +## Create directories in /var/lib ## ## ## @@ -6073,43 +6964,1526 @@ interface(`files_read_generic_pids',` ## ## # -interface(`files_write_generic_pid_pipes',` +interface(`files_create_var_lib_dirs',` gen_require(` - type var_run_t; + type var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; + allow $1 var_lib_t:dir { create rw_dir_perms }; ') + ######################################## ## -## Create an object in the process ID directory, with a private type. +## Create objects in the /var/lib directory ## -## -##

    -## Create an object in the process ID directory (e.g., /var/run) -## with a private type. Typically this is used for creating -## private PID files in /var/run with the private type instead -## of the general PID file type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

    -##

    -## Related interfaces: -##

    -##
      -##
    • files_pid_file()
    • -##
    -##

    -## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

    -##

    -## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_pid_filetrans(mydomain_t, mypidfile_t, file) +## +##

    +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_var_lib_filetrans',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lib_t, $2, $3, $4) +') + +######################################## +## +## Read generic files in /var/lib. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_var_lib_files',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_lib_t:dir list_dir_perms; + read_files_pattern($1, { var_t var_lib_t }, var_lib_t) +') + +######################################## +## +## Read generic symbolic links in /var/lib +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_var_lib_symlinks',` + gen_require(` + type var_t, var_lib_t; + ') + + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) +') + +######################################## +## +## manage generic symbolic links +## in the /var/lib directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_lib_symlinks',` + gen_require(` + type var_lib_t; + ') + + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) +') + +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + +######################################## +## +## Create, read, write, and delete the +## pseudorandom number generator seed. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_urandom_seed',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') + + +######################################## +## +## Relabel to dirs in the /var/lib directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_var_lib_dirs',` + gen_require(` + type var_lib_t; + ') + allow $1 var_lib_t:dir relabelto; +') + + +######################################## +## +## Relabel dirs in the /var/lib directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_var_lib_dirs',` + gen_require(` + type var_lib_t; + ') + allow $1 var_lib_t:dir relabel_dir_perms; +') + +######################################## +## +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_mounttab',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') + +######################################## +## +## List generic lock directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + list_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## +## Search the locks directory (/var/lock). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## +## Do not audit attempts to search the +## locks directory (/var/lock). +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_search_locks',` + gen_require(` + type var_lock_t; + ') + + dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; + dontaudit $1 var_lock_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to read/write inherited +## locks (/var/lock). +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_rw_inherited_locks',` + gen_require(` + type var_lock_t; + ') + + dontaudit $1 var_lock_t:file rw_inherited_file_perms; +') + +######################################## +## +## Set the attributes of the /var/lock directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_lock_dirs',` + gen_require(` + type var_lock_t; + ') + + allow $1 var_lock_t:dir setattr; +') + +######################################## +## +## Add and remove entries in the /var/lock +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## +## Create lock directories +## +## +## +## Domain allowed access +## +## +# +interface(`files_create_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + create_dirs_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## +## Relabel to and from all lock directory types. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_lock_dirs',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + relabel_dirs_pattern($1, lockfile, lockfile) +') + +######################################## +## +## Relabel to and from all lock file types. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_lock_files',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + relabel_files_pattern($1, lockfile, lockfile) +') + +######################################## +## +## Get the attributes of generic lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## +## Delete generic lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + delete_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## +## Create, read, write, and delete generic +## lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## +## Delete all lock files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_delete_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + delete_files_pattern($1, lockfile, lockfile) +') + +######################################## +## +## Read all lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## +## manage all lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## +## Create an object in the locks directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_lock_filetrans',` + gen_require(` + type var_t, var_lock_t; + ') + + files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) +') + +######################################## +## +## Do not audit attempts to get the attributes +## of the /var/run directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_pid_dirs',` + gen_require(` + type var_run_t; + ') + + dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; + dontaudit $1 var_run_t:dir getattr; +') + +######################################## +## +## Set the attributes of the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_pid_dirs',` + gen_require(` + type var_run_t; + ') + + files_search_pids($1) + allow $1 var_run_t:dir setattr; +') + +######################################## +## +## Search the contents of runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_pids',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) +') + +###################################### +## +## Add and remove entries from pid directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir rw_dir_perms; +') + +####################################### +## +## Create generic pid directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_var_run_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; +') + +######################################## +## +## Do not audit attempts to search +## the /var/run directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_search_pids',` + gen_require(` + type var_run_t; + ') + + dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; + dontaudit $1 var_run_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to search +## the all /var/run directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_search_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## +## Allow search the all /var/run directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_search_all_pids',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:dir search_dir_perms; +') + +######################################## +## +## List the contents of the runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_pids',` + gen_require(` + type var_t, var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) +') + +######################################## +## +## Read generic process ID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_generic_pids',` + gen_require(` + type var_t, var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Write named generic process ID pipes +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_generic_pid_pipes',` + gen_require(` + type var_run_t; + ') + + files_search_pids($1) + allow $1 var_run_t:fifo_file write; +') + +######################################## +## +## Create an object in the process ID directory, with a private type. +## +## +##

    +## Create an object in the process ID directory (e.g., /var/run) +## with a private type. Typically this is used for creating +## private PID files in /var/run with the private type instead +## of the general PID file type. To accomplish this goal, +## either the program must be SELinux-aware, or use this interface. +##

    +##

    +## Related interfaces: +##

    +##
      +##
    • files_pid_file()
    • +##
    +##

    +## Example usage with a domain that can create and +## write its PID file with a private PID file type in the +## /var/run directory: +##

    +##

    +## type mypidfile_t; +## files_pid_file(mypidfile_t) +## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +## files_pid_filetrans(mydomain_t, mypidfile_t, file) +##

    +##
    +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +## +# +interface(`files_pid_filetrans',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) +') + +######################################## +## +## Create a generic lock directory within the run directories +## +## +## +## Domain allowed access +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_pid_filetrans_lock_dir',` + gen_require(` + type var_lock_t; + ') + + files_pid_filetrans($1, var_lock_t, dir, $2) +') + +######################################## +## +## rw generic pid files inherited from another process +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_inherited_generic_pid_files',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## +## Read and write generic process ID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_generic_pids',` + gen_require(` + type var_t, var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Do not audit attempts to get the attributes of +## daemon runtime data files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_all_pids',` + gen_require(` + attribute pidfile; + type var_run_t; + ') + + dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; + dontaudit $1 pidfile:file getattr; +') + +######################################## +## +## Do not audit attempts to write to daemon runtime data files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_write_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; + dontaudit $1 pidfile:file write; +') + +######################################## +## +## Do not audit attempts to ioctl daemon runtime data files. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_ioctl_all_pids',` + gen_require(` + attribute pidfile; + type var_run_t; + ') + + dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; + dontaudit $1 pidfile:file ioctl; +') + +######################################## +## +## Relable all pid directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + relabel_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## +## Delete all pid sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file delete_sock_file_perms; +') + +######################################## +## +## Create all pid sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file create_sock_file_perms; +') + +######################################## +## +## Create all pid named pipes +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:fifo_file create_fifo_file_perms; +') + +######################################## +## +## Delete all pid named pipes +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:fifo_file delete_fifo_file_perms; +') + +######################################## +## +## manage all pidfile directories +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + manage_dirs_pattern($1,pidfile,pidfile) +') + + +######################################## +## +## Read all process ID files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_all_pids',` + gen_require(` + attribute pidfile; + type var_t; + ') + + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) +') + +######################################## +## +## Relable all pid files +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_pid_files',` + gen_require(` + attribute pidfile; + ') + + relabel_files_pattern($1, pidfile, pidfile) +') + +######################################## +## +## Execute generic programs in /var/run in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_generic_pid_files',` + gen_require(` + type var_run_t; + ') + + exec_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Write all sockets +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file write_sock_file_perms; +') + +######################################## +## +## manage all pidfiles +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_pids',` + gen_require(` + attribute pidfile; + ') + + manage_files_pattern($1,pidfile,pidfile) +') + +######################################## +## +## Mount filesystems on all polyinstantiation +## member directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_all_poly_members',` + gen_require(` + attribute polymember; + ') + + allow $1 polymember:dir mounton; +') + +######################################## +## +## Delete all process IDs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_delete_all_pids',` + gen_require(` + attribute pidfile; + type var_t, var_run_t; + ') + + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +') + +######################################## +## +## Delete all process ID directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; + type var_t, var_run_t; + ') + + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## +## Make the specified type a file +## used for spool files. +## +## +##

    +## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. +##

    +##

    +## Related interfaces: +##

    +##
      +##
    • files_spool_filetrans()
    • +##
    +##

    +## Example usage with a domain that can create and +## write its spool file in the system spool file +## directories (/var/spool): +##

    +##

    +## type myspoolfile_t; +## files_spool_file(myfile_spool_t) +## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; +## files_spool_filetrans(mydomain_t, myfile_spool_t, file) +##

    +##
    +## +## +## Type of the file to be used as a +## spool file. +## +## +## +# +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; + ') + + files_type($1) + typeattribute $1 spoolfile; +') + +######################################## +## +## Create all spool sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## +## Delete all spool sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## +## Relabel to and from all spool +## directory types. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_all_spool_dirs',` + gen_require(` + attribute spoolfile; + type var_t; + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) +') + +######################################## +## +## Search the contents of generic spool +## directories (/var/spool). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## +## Do not audit attempts to search generic +## spool directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_search_spool',` + gen_require(` + type var_spool_t; + ') + + dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## +## List the contents of generic spool +## (/var/spool) directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + list_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## +## Create, read, write, and delete generic +## spool directories (/var/spool). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_generic_spool_dirs',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## +## Read generic spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_generic_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## +## Create, read, write, and delete generic +## spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_generic_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## +## Create objects in the spool directory +## with a private type with a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Type to which the created node will be transitioned. +## +## +## +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3, $4) +') + +######################################## +## +## Allow access to manage all polyinstantiated +## directories on the system. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_polyinstantiate_all',` + gen_require(` + attribute polydir, polymember, polyparent; + type poly_t; + ') + + # Need to give access to /selinux/member + selinux_compute_member($1) + + # Need sys_admin capability for mounting + allow $1 self:capability { chown fsetid sys_admin fowner }; + + # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; + + # Need to give access to the polyinstantiated subdirectories + allow $1 polymember:dir search_dir_perms; + + # Need to give access to parent directories where original + # is remounted for polyinstantiation aware programs (like gdm) + allow $1 polyparent:dir { getattr mounton }; + + # Need to give permission to create directories where applicable + allow $1 self:process setfscreate; + allow $1 polymember: dir { create setattr relabelto }; + allow $1 polydir: dir { write add_name open }; + allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; + + # Default type for mountpoints + allow $1 poly_t:dir { create mounton }; + fs_unmount_xattr_fs($1) + + fs_mount_tmpfs($1) + fs_unmount_tmpfs($1) + + ifdef(`distro_redhat',` + # namespace.init + files_search_tmp($1) + files_search_home($1) + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) + ') +') + +######################################## +## +## Unconfined access to files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_unconfined',` + gen_require(` + attribute files_unconfined_type; + ') + + typeattribute $1 files_unconfined_type; +') + +######################################## +## +## Create a core files in / +## +## +##

    +## Create a core file in /, ##

    ##
    ## @@ -6117,80 +8491,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
    ## -## +## +# +interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## +## Create a default directory +## +## +##

    +## Create a default_t direcrory +##

    +##
    +## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_default_dir',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir create; +') + +######################################## +## +## Create, default_t objects with an automatic +## type transition. +## +## ## -## The type of the object to be created. +## Domain allowed access. ## ## ## ## -## The object class of the object being created. +## The class of the object being created. +## +## +# +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') + + filetrans_pattern($1, root_t, default_t, $2) +') + +######################################## +## +## Create, lib_t objects with an automatic +## type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Type of the directory to be transitioned from +## +## +## +## +## The class of the object being created. ## ## ## ## -## The name of the object being created. +## The name of the object being created. +## +## +# +interface(`files_filetrans_lib',` + gen_require(` + type lib_t, lib_t; + ') + + filetrans_pattern($1, $2, lib_t, $3, $4) +') + +######################################## +## +## manage generic symbolic links +## in the /var/run directory. +## +## +## +## Domain allowed access. ## ## -## # -interface(`files_pid_filetrans',` +interface(`files_manage_generic_pids_symlinks',` gen_require(` - type var_t, var_run_t; + type var_run_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) + manage_lnk_files_pattern($1,var_run_t,var_run_t) ') ######################################## ## -## Create a generic lock directory within the run directories +## Do not audit attempts to getattr +## all tmpfs files. ## ## -## -## Domain allowed access -## -## -## ## -## The name of the object being created. +## Domain to not audit. ## ## # -interface(`files_pid_filetrans_lock_dir',` +interface(`files_dontaudit_getattr_tmpfs_files',` gen_require(` - type var_lock_t; + attribute tmpfsfile; ') - files_pid_filetrans($1, var_lock_t, dir, $2) + allow $1 tmpfsfile:file getattr; ') ######################################## ## -## Read and write generic process ID files. +## Allow delete all tmpfs files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_rw_generic_pids',` +interface(`files_delete_tmpfs_files',` gen_require(` - type var_t, var_run_t; + attribute tmpfsfile; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) + allow $1 tmpfsfile:file delete_file_perms; ') ######################################## ## -## Do not audit attempts to get the attributes of -## daemon runtime data files. +## Allow read write all tmpfs files ## ## ## @@ -6198,19 +8649,17 @@ interface(`files_rw_generic_pids',` ## ## # -interface(`files_dontaudit_getattr_all_pids',` +interface(`files_rw_tmpfs_files',` gen_require(` - attribute pidfile; - type var_run_t; + attribute tmpfsfile; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file getattr; + allow $1 tmpfsfile:file { read write }; ') ######################################## ## -## Do not audit attempts to write to daemon runtime data files. +## Do not audit attempts to read security files ## ## ## @@ -6218,18 +8667,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # -interface(`files_dontaudit_write_all_pids',` +interface(`files_dontaudit_read_security_files',` gen_require(` - attribute pidfile; + attribute security_file_type; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file write; + dontaudit $1 security_file_type:file read_file_perms; ') ######################################## ## -## Do not audit attempts to ioctl daemon runtime data files. +## Do not audit attempts to search security files ## ## ## @@ -6237,129 +8685,118 @@ interface(`files_dontaudit_write_all_pids',` ## ## # -interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_dontaudit_search_security_files',` gen_require(` - attribute pidfile; - type var_run_t; + attribute security_file_type; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file ioctl; + dontaudit $1 security_file_type:dir search_dir_perms; ') ######################################## ## -## Read all process ID files. +## Do not audit attempts to read security dirs ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## -## # -interface(`files_read_all_pids',` +interface(`files_dontaudit_list_security_dirs',` gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute security_file_type; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) + dontaudit $1 security_file_type:dir list_dir_perms; ') ######################################## ## -## Delete all process IDs. +## rw any files inherited from another process ## ## ## ## Domain allowed access. ## ## -## +## +## +## Object type. +## +## # -interface(`files_delete_all_pids',` +interface(`files_rw_all_inherited_files',` gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute file_type; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) - delete_fifo_files_pattern($1, pidfile, pidfile) - delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; ') ######################################## ## -## Delete all process ID directories. +## Allow any file point to be the entrypoint of this domain ## ## ## ## Domain allowed access. ## ## +## # -interface(`files_delete_all_pid_dirs',` +interface(`files_entrypoint_all_files',` gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute file_type; ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) + allow $1 file_type:file entrypoint; ') ######################################## ## -## Create, read, write and delete all -## var_run (pid) content +## Do not audit attempts to rw inherited file perms +## of non security files. ## ## ## -## Domain alloed access. +## Domain to not audit. ## ## # -interface(`files_manage_all_pids',` +interface(`files_dontaudit_all_non_security_leaks',` gen_require(` - attribute pidfile; + attribute non_security_file_type; ') - manage_dirs_pattern($1, pidfile, pidfile) - manage_files_pattern($1, pidfile, pidfile) - manage_lnk_files_pattern($1, pidfile, pidfile) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') ######################################## ## -## Mount filesystems on all polyinstantiation -## member directories. +## Do not audit attempts to read or write +## all leaked files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_mounton_all_poly_members',` +interface(`files_dontaudit_leaks',` gen_require(` - attribute polymember; + attribute file_type; ') - allow $1 polymember:dir mounton; + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; ') ######################################## ## -## Search the contents of generic spool -## directories (/var/spool). +## Allow domain to create_file_ass all types ## ## ## @@ -6367,18 +8804,19 @@ interface(`files_mounton_all_poly_members',` ## ## # -interface(`files_search_spool',` +interface(`files_create_as_is_all_files',` gen_require(` - type var_t, var_spool_t; + attribute file_type; + class kernel_service create_files_as; ') - search_dirs_pattern($1, var_t, var_spool_t) + allow $1 file_type:kernel_service create_files_as; ') ######################################## ## -## Do not audit attempts to search generic -## spool directories. +## Do not audit attempts to check the +## access on all files ## ## ## @@ -6386,132 +8824,227 @@ interface(`files_search_spool',` ## ## # -interface(`files_dontaudit_search_spool',` +interface(`files_dontaudit_all_access_check',` gen_require(` - type var_spool_t; + attribute file_type; ') - dontaudit $1 var_spool_t:dir search_dir_perms; + dontaudit $1 file_type:dir_file_class_set audit_access; ') ######################################## ## -## List the contents of generic spool -## (/var/spool) directories. +## Do not audit attempts to write to all files ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_list_spool',` +interface(`files_dontaudit_write_all_files',` gen_require(` - type var_t, var_spool_t; + attribute file_type; ') - list_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set write; ') ######################################## ## -## Create, read, write, and delete generic -## spool directories (/var/spool). +## Allow domain to delete to all files ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_manage_generic_spool_dirs',` +interface(`files_delete_all_non_security_files',` gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; ') - allow $1 var_t:dir search_dir_perms; - manage_dirs_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; ') ######################################## ## -## Read generic spool files. +## Allow domain to delete to all dirs ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`files_read_generic_spool',` +interface(`files_delete_all_non_security_dirs',` gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; ') - list_dirs_pattern($1, var_t, var_spool_t) - read_files_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ') ######################################## ## -## Create, read, write, and delete generic -## spool files. +## Transition named content in the var_run_t directory ## ## ## -## Domain allowed access. +## Domain allowed access. ## ## # -interface(`files_manage_generic_spool',` +interface(`files_filetrans_named_content',` gen_require(` - type var_t, var_spool_t; + type etc_t; + type mnt_t; + type usr_t; + type tmp_t; + type var_t; + type var_run_t; + type var_lock_t; + type tmp_t; ') - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") + files_root_filetrans($1, mnt_t, dir, "afs") + files_root_filetrans($1, mnt_t, dir, "misc") + files_root_filetrans($1, mnt_t, dir, "net") + files_root_filetrans($1, usr_t, dir, "export") + files_root_filetrans($1, usr_t, dir, "opt") + files_root_filetrans($1, usr_t, dir, "ostree") + files_root_filetrans($1, usr_t, dir, "emul") + files_root_filetrans($1, var_t, dir, "srv") + files_root_filetrans($1, var_run_t, dir, "run") + files_root_filetrans($1, var_run_t, lnk_file, "run") + files_root_filetrans($1, var_lock_t, lnk_file, "lock") + files_root_filetrans($1, tmp_t, dir, "sandbox") + files_root_filetrans($1, tmp_t, dir, "tmp") + files_root_filetrans($1, var_t, dir, "nsr") + files_etc_filetrans($1, etc_t, file, "system-auth-ac") + files_etc_filetrans($1, etc_t, file, "postlogin-ac") + files_etc_filetrans($1, etc_t, file, "password-auth-ac") + files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") + files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") + files_etc_filetrans($1, etc_t, file, "hwdb.bin") + files_etc_filetrans_etc_runtime($1, file, ".updated") + files_etc_filetrans_etc_runtime($1, file, "runtime") + files_etc_filetrans_etc_runtime($1, dir, "blkid") + files_etc_filetrans_etc_runtime($1, dir, "cmtab") + files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE") + files_etc_filetrans_etc_runtime($1, file, "ioctl.save") + files_etc_filetrans_etc_runtime($1, file, "nologin") + files_etc_filetrans_etc_runtime($1, file, "securetty") + files_etc_filetrans_etc_runtime($1, file, "ifstate") + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") + files_var_filetrans($1, etc_runtime_t, file, ".updated") ') ######################################## ## -## Create objects in the spool directory -## with a private type with a type transition. +## Make the specified type a +## base file. ## -## +## +##

    +## Identify file type as base file type. Tools will use this attribute, +## to help users diagnose problems. +##

    +##
    +## ## -## Domain allowed access. +## Type to be used as a base files. ## ## -## +## +# +interface(`files_base_file',` + gen_require(` + attribute base_file_type; + ') + files_type($1) + typeattribute $1 base_file_type; +') + +######################################## +## +## Make the specified type a +## base read only file. +## +## +##

    +## Make the specified type readable for all domains. +##

    +##
    +## ## -## Type to which the created node will be transitioned. +## Type to be used as a base read only files. ## ## -## +## +# +interface(`files_ro_base_file',` + gen_require(` + attribute base_ro_file_type; + ') + files_base_file($1) + typeattribute $1 base_ro_file_type; +') + +######################################## +## +## Read all ro base files. +## +## ## -## Object class(es) (single or set including {}) for which this -## the transition will occur. +## Domain allowed access. ## ## -## +## +# +interface(`files_read_all_base_ro_files',` + gen_require(` + attribute base_ro_file_type; + ') + + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) +') + +######################################## +## +## Execute all base ro files. +## +## ## -## The name of the object being created. +## Domain allowed access. ## ## +## # -interface(`files_spool_filetrans',` +interface(`files_exec_all_base_ro_files',` gen_require(` - type var_t, var_spool_t; + attribute base_ro_file_type; ') - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3, $4) + can_exec($1, base_ro_file_type) ') ######################################## ## -## Allow access to manage all polyinstantiated -## directories on the system. +## Allow the specified domain to modify the systemd configuration of +## any file. ## ## ## @@ -6519,53 +9052,17 @@ interface(`files_spool_filetrans',` ## ## # -interface(`files_polyinstantiate_all',` +interface(`files_config_all_files',` gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; + attribute file_type; ') - # Need to give access to /selinux/member - selinux_compute_member($1) - - # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin fowner }; - - # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; - - # Need to give access to the polyinstantiated subdirectories - allow $1 polymember:dir search_dir_perms; - - # Need to give access to parent directories where original - # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; - - # Need to give permission to create directories where applicable - allow $1 self:process setfscreate; - allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; - - # Default type for mountpoints - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) - - fs_mount_tmpfs($1) - fs_unmount_tmpfs($1) - - ifdef(`distro_redhat',` - # namespace.init - files_search_tmp($1) - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) - ') + allow $1 file_type:service all_service_perms; ') ######################################## ## -## Unconfined access to files. +## Get the status of etc_t files ## ## ## @@ -6573,10 +9070,10 @@ interface(`files_polyinstantiate_all',` ## ## # -interface(`files_unconfined',` +interface(`files_status_etc',` gen_require(` - attribute files_unconfined_type; + type etc_t; ') - typeattribute $1 files_unconfined_type; + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abdd7..3221f8018 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) # Declarations # +attribute base_file_type; +attribute base_ro_file_type; attribute file_type; attribute files_unconfined_type; attribute lockfile; attribute mountpoint; attribute pidfile; +attribute spoolfile; attribute configfile; +attribute etcfile; # For labeling types that are to be polyinstantiated attribute polydir; @@ -48,47 +52,53 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) +files_ro_base_file(boot_t) # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. type default_t; files_mountpoint(default_t) +files_base_file(default_t) # # etc_t is the type of the system etc directories. # type etc_t, configfile; -files_type(etc_t) +files_ro_base_file(etc_t) + # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; +# system_conf_t is a new type of various +# files in /etc/ that can be managed and +# created by several domains. +# +type system_conf_t, configfile; +files_ro_base_file(system_conf_t) +# compatibility aliases for removed type: +typealias system_conf_t alias iptables_conf_t; + +# system_db_t is a new type of various +# db files. +type system_db_t; +files_ro_base_file(system_db_t) + # # etc_runtime_t is the type of various # files in /etc that are automatically # generated during initialization. # -type etc_runtime_t; -files_type(etc_runtime_t) -#Temporarily in policy until FC5 dissappears -typealias etc_runtime_t alias firstboot_rw_t; - -# -# file_t is the default type of a file that has not yet been -# assigned an extended attribute (EA) value (when using a filesystem -# that supports EAs). -# -type file_t; -files_mountpoint(file_t) -kernel_rootfs_mountpoint(file_t) -sid file gen_context(system_u:object_r:file_t,s0) +type etc_runtime_t, configfile; +files_ro_base_file(etc_runtime_t) # # home_root_t is the type for the directory where user home directories # are created # type home_root_t; +files_base_file(home_root_t) files_mountpoint(home_root_t) files_poly_parent(home_root_t) @@ -96,12 +106,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; -files_type(lost_found_t) +files_base_file(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t; +files_base_file(mnt_t) files_mountpoint(mnt_t) # @@ -123,6 +134,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; +files_base_file(root_t) files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) @@ -133,45 +145,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) +files_ro_base_file(src_t) # # system_map_t is for the system.map files in /boot # type system_map_t; files_type(system_map_t) +kernel_proc_type(system_map_t) genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) # # tmp_t is the type of the temporary directories # type tmp_t; +files_base_file(tmp_t) files_tmp_file(tmp_t) files_mountpoint(tmp_t) files_poly(tmp_t) files_poly_parent(tmp_t) +typealias tmp_t alias firstboot_tmp_t; # # usr_t is the type for /usr. # type usr_t; +files_ro_base_file(usr_t) files_mountpoint(usr_t) # # var_t is the type of /var # type var_t; +files_base_file(var_t) files_mountpoint(var_t) # # var_lib_t is the type of /var/lib # type var_lib_t; +files_base_file(var_lib_t) files_mountpoint(var_lib_t) +files_poly(var_lib_t) # # var_lock_t is tye type of /var/lock # type var_lock_t; +files_base_file(var_lock_t) files_lock_file(var_lock_t) files_mountpoint(var_lock_t) @@ -180,6 +201,7 @@ files_mountpoint(var_lock_t) # used for pid and other runtime files. # type var_run_t; +files_base_file(var_run_t) files_pid_file(var_run_t) files_mountpoint(var_run_t) @@ -187,7 +209,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; +files_base_file(var_spool_t) files_tmp_file(var_spool_t) +files_spool_file(var_spool_t) ######################################## # @@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:{ file chr_file } ~execmod; +allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint }; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; +allow files_unconfined_type file_type:service *; # Mount/unmount any filesystem with the context= option. -allow files_unconfined_type file_type:filesystem *; +allow files_unconfined_type file_type:filesystem all_filesystem_perms; -tunable_policy(`allow_execmod',` +tunable_policy(`selinuxuser_execmod',` allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index d7c11a0b3..f521a50f8 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,23 +1,28 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) /dev/hugepages(/.*)? <> -/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/dev/shm/.* <> -/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -/lib/udev/devices/hugepages/.* <> -/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/lib/udev/devices/shm/.* <> +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> +/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> +/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/user/[^/]*/gvfs/.* <> + +# for systemd systems: /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.* <> /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) /sys/fs/pstore/.* <> -ifdef(`distro_debian',` /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 8416beb43..b0d8399f9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -21,6 +21,25 @@ interface(`fs_type',` typeattribute $1 filesystem_type; ') + +######################################## +## +## Allow the type to associate to proc filesystems. +## +## +## +## The type of the object to be associated. +## +## +# +interface(`fs_associate_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem associate; +') + ######################################## ## ## Transform specified type into a filesystem @@ -629,6 +648,27 @@ interface(`fs_getattr_cgroup',` allow $1 cgroup_t:filesystem getattr; ') +######################################## +## +## Get attributes of cgroup files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + getattr_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + ######################################## ## ## Search cgroup directories. @@ -646,9 +686,29 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') +######################################## +## +## Relabel cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + + relabel_dirs_pattern($1, cgroup_t, cgroup_t) +') + ######################################## ## ## list cgroup directories. @@ -659,15 +719,35 @@ interface(`fs_search_cgroup_dirs',` ## ## # -interface(`fs_list_cgroup_dirs', ` +interface(`fs_list_cgroup_dirs',` gen_require(` type cgroup_t; ') list_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') +####################################### +## +## Do not audit attempts to search cgroup directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_search_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + dontaudit $1 cgroup_t:dir search_dir_perms; + dev_dontaudit_search_sysfs($1) +') + ######################################## ## ## Delete cgroup directories. @@ -684,6 +764,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -704,6 +785,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -724,6 +806,8 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) + read_lnk_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -743,6 +827,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -762,7 +847,9 @@ interface(`fs_rw_cgroup_files',` ') + read_lnk_files_pattern($1, cgroup_t, cgroup_t) rw_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -803,6 +890,8 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) + manage_lnk_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) dev_search_sysfs($1) ') @@ -824,6 +913,25 @@ interface(`fs_mounton_cgroup', ` allow $1 cgroup_t:dir mounton; ') +######################################## +## +## Read and write ceph files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_cephfs_files',` + gen_require(` + type cephfs_t; + + ') + + rw_files_pattern($1, cephfs_t, cephfs_t) +') + ######################################## ## ## Do not audit attempts to read @@ -918,6 +1026,24 @@ interface(`fs_getattr_cifs',` allow $1 cifs_t:filesystem getattr; ') +######################################## +## +## Set the attributes of cifs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_setattr_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir setattr; +') + ######################################## ## ## Search directories on a CIFS or SMB filesystem. @@ -1105,6 +1231,24 @@ interface(`fs_read_noxattr_fs_files',` read_files_pattern($1, noxattrfs, noxattrfs) ') +######################################## +## +## Read/Write all inherited noxattrfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_inherited_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:file rw_inherited_file_perms; +') + ######################################## ## ## Do not audit attempts to read all @@ -1245,7 +1389,7 @@ interface(`fs_append_cifs_files',` ######################################## ## -## dontaudit Append files +## Do not audit attempts to append files ## on a CIFS filesystem. ## ## @@ -1263,6 +1407,42 @@ interface(`fs_dontaudit_append_cifs_files',` dontaudit $1 cifs_t:file append_file_perms; ') +######################################## +## +## Read inherited files on a CIFS or SMB filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_inherited_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:file read_inherited_file_perms; +') + +######################################## +## +## Read/Write inherited files on a CIFS or SMB filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_inherited_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:file rw_inherited_file_perms; +') + ######################################## ## ## Do not audit attempts to read or @@ -1279,7 +1459,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') - dontaudit $1 cifs_t:file rw_file_perms; + dontaudit $1 cifs_t:file rw_inherited_file_perms; ') ######################################## @@ -1361,6 +1541,27 @@ interface(`fs_exec_cifs_files',` exec_files_pattern($1, cifs_t, cifs_t) ') +######################################## +## +## Mmap files on a CIFS or SMB +## network filesystem, in the caller +## domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_map_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:file map; +') + ######################################## ## ## Create, read, write, and delete directories @@ -1542,48 +1743,48 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') -####################################### +######################################## ## -## Create, read, write, and delete dirs -## on a configfs filesystem. +## Make general progams in cifs an entrypoint for +## the specified domain. ## ## ## -## Domain allowed access. +## The domain for which cifs_t is an entrypoint. ## ## # -interface(`fs_manage_configfs_dirs',` +interface(`fs_cifs_entry_type',` gen_require(` - type configfs_t; + type cifs_t; ') - manage_dirs_pattern($1, configfs_t, configfs_t) + domain_entry_file($1, cifs_t) ') -####################################### +######################################## ## -## Create, read, write, and delete files -## on a configfs filesystem. +## Make general progams in CIFS an entrypoint for +## the specified domain. ## ## ## -## Domain allowed access. +## The domain for which cifs_t is an entrypoint. ## ## # -interface(`fs_manage_configfs_files',` +interface(`fs_cifs_entrypoint',` gen_require(` - type configfs_t; + type cifs_t; ') - manage_files_pattern($1, configfs_t, configfs_t) + allow $1 cifs_t:file entrypoint; ') -######################################## +####################################### ## -## Mount a DOS filesystem, such as -## FAT32 or NTFS. +## dontaudit write dirs +## on a configfs filesystem. ## ## ## @@ -1591,19 +1792,18 @@ interface(`fs_manage_configfs_files',` ## ## # -interface(`fs_mount_dos_fs',` +interface(`fs_dontaudit_write_configfs_dirs',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:filesystem mount; + dontaudit $1 configfs_t:dir write; ') -######################################## +####################################### ## -## Remount a DOS filesystem, such as -## FAT32 or NTFS. This allows -## some mount options to be changed. +## Read dirs +## on a configfs filesystem. ## ## ## @@ -1611,18 +1811,18 @@ interface(`fs_mount_dos_fs',` ## ## # -interface(`fs_remount_dos_fs',` +interface(`fs_read_configfs_dirs',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:filesystem remount; + list_dirs_pattern($1, configfs_t, configfs_t) ') -######################################## +####################################### ## -## Unmount a DOS filesystem, such as -## FAT32 or NTFS. +## Create, read, write, and delete dirs +## on a configfs filesystem. ## ## ## @@ -1630,38 +1830,37 @@ interface(`fs_remount_dos_fs',` ## ## # -interface(`fs_unmount_dos_fs',` +interface(`fs_manage_configfs_dirs',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:filesystem unmount; + manage_dirs_pattern($1, configfs_t, configfs_t) ') -######################################## +####################################### ## -## Get the attributes of a DOS -## filesystem, such as FAT32 or NTFS. +## Read files +## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_getattr_dos_fs',` +interface(`fs_read_configfs_files',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:filesystem getattr; + read_files_pattern($1, configfs_t, configfs_t) ') -######################################## +####################################### ## -## Allow changing of the label of a -## DOS filesystem using the context= mount option. +## Create, read, write, and delete files +## on a configfs filesystem. ## ## ## @@ -1669,17 +1868,18 @@ interface(`fs_getattr_dos_fs',` ## ## # -interface(`fs_relabelfrom_dos_fs',` +interface(`fs_manage_configfs_files',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:filesystem relabelfrom; + manage_files_pattern($1, configfs_t, configfs_t) ') -######################################## +####################################### ## -## Search dosfs filesystem. +## Create, read, write, and delete files +## on a configfs filesystem. ## ## ## @@ -1687,17 +1887,17 @@ interface(`fs_relabelfrom_dos_fs',` ## ## # -interface(`fs_search_dos',` +interface(`fs_manage_configfs_lnk_files',` gen_require(` - type dosfs_t; + type configfs_t; ') - allow $1 dosfs_t:dir search_dir_perms; + manage_lnk_files_pattern($1, configfs_t, configfs_t) ') ######################################## ## -## List dirs DOS filesystem. +## Unmount a configfs filesystem ## ## ## @@ -1705,18 +1905,18 @@ interface(`fs_search_dos',` ## ## # -interface(`fs_list_dos',` +interface(`fs_unmount_configfs',` gen_require(` - type dosfs_t; + type configfs_t; ') - list_dirs_pattern($1, dosfs_t, dosfs_t) + allow $1 configfs_t:filesystem unmount; ') ######################################## ## -## Create, read, write, and delete dirs -## on a DOS filesystem. +## Mount a DOS filesystem, such as +## FAT32 or NTFS. ## ## ## @@ -1724,17 +1924,19 @@ interface(`fs_list_dos',` ## ## # -interface(`fs_manage_dos_dirs',` +interface(`fs_mount_dos_fs',` gen_require(` type dosfs_t; ') - manage_dirs_pattern($1, dosfs_t, dosfs_t) + allow $1 dosfs_t:filesystem mount; ') ######################################## ## -## Read files on a DOS filesystem. +## Remount a DOS filesystem, such as +## FAT32 or NTFS. This allows +## some mount options to be changed. ## ## ## @@ -1742,18 +1944,167 @@ interface(`fs_manage_dos_dirs',` ## ## # -interface(`fs_read_dos_files',` +interface(`fs_remount_dos_fs',` gen_require(` type dosfs_t; ') - read_files_pattern($1, dosfs_t, dosfs_t) + allow $1 dosfs_t:filesystem remount; ') ######################################## ## -## Create, read, write, and delete files -## on a DOS filesystem. +## Unmount a DOS filesystem, such as +## FAT32 or NTFS. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_unmount_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem unmount; +') + +######################################## +## +## Get the attributes of a DOS +## filesystem, such as FAT32 or NTFS. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem getattr; +') + +######################################## +## +## Allow changing of the label of a +## DOS filesystem using the context= mount option. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem relabelfrom; +') + +######################################## +## +## Search dosfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_search_dos',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:dir search_dir_perms; +') + +######################################## +## +## List dirs DOS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_dos',` + gen_require(` + type dosfs_t; + ') + + list_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## +## Create, read, write, and delete dirs +## on a DOS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_dos_dirs',` + gen_require(` + type dosfs_t; + ') + + manage_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## +## Mmap files on a DOS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_map_dos_files',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:file map; +') + +######################################## +## +## Read files on a DOS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_dos_files',` + gen_require(` + type dosfs_t; + ') + + read_files_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## +## Create, read, write, and delete files +## on a DOS filesystem. ## ## ## @@ -1771,31 +2122,517 @@ interface(`fs_manage_dos_files',` ######################################## ## -## Read eventpollfs files. +## Read eventpollfs files. +## +## +##

    +## Read eventpollfs files +##

    +##

    +## This interface has been deprecated, and will +## be removed in the future. +##

    +##
    +## +## +## Domain allowed access. +## +## +# +# eventpollfs was changed to task SID 20060628 +interface(`fs_read_eventpollfs',` + refpolicywarn(`$0($*) has been deprecated.') +') + + +####################################### +## +## Search directories +## on a ecrypt filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_search_ecryptfs',` + gen_require(` + type ecryptfs_t; + ') + + allow $1 ecryptfs_t:dir search_dir_perms; +') + +######################################## +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_ecryptfs_dirs',` + gen_require(` + type ecryptfs_t; + ') + + manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t) + allow $1 ecryptfs_t:dir manage_dir_perms; +') + +####################################### +## +## Create, read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_read_ecryptfs_files',` + gen_require(` + type ecryptfs_t; + ') + + read_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + +######################################## +## +## Create, read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_ecryptfs_files',` + gen_require(` + type ecryptfs_t; + ') + + manage_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + +######################################## +## +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_ecryptfs_files',` + gen_require(` + type ecryptfs_t; + ') + + dontaudit $1 ecryptfs_t:file manage_file_perms; +') + +######################################## +## +## Read symbolic links on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_ecryptfs_symlinks',` + gen_require(` + type ecryptfs_t; + ') + + allow $1 ecryptfs_t:dir list_dir_perms; + read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + +####################################### +## +## Dontaudit append files on ecrypt filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_append_ecryptfs_files',` + gen_require(` + type ecryptfs_t; + ') + dontaudit $1 ecryptfs_t:file append; +') + +######################################## +## +## Manage symbolic links on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_ecryptfs_symlinks',` + gen_require(` + type ecryptfs_t; + ') + + manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) +') + +######################################## +## +## Execute a file on a FUSE filesystem +## in the specified domain. +## +## +##

    +## Execute a file on a FUSE filesystem +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +##

    +##

    +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

    +##

    +## This interface was added to handle +## home directories on FUSE filesystems, +## in particular used by the ssh-agent policy. +##

    +##
    +## +## +## Domain allowed to transition. +## +## +## +## +## The type of the new process. +## +## +# +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; + ') + + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) +') + +######################################## +## +## Mount a FUSE filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:filesystem mount; +') + +######################################## +## +## Unmount a FUSE filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_unmount_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:filesystem unmount; +') + +######################################## +## +## Mounton a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir mounton; +') + +######################################## +## +## Search directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_search_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_list_fusefs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir list_dir_perms; +') + +######################################## +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## +## Read, a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_read_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + read_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## +## Execute files on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_exec_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + exec_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## +## mmap files on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_mmap_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:file map; +') + +######################################## +## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. +## +## +## +## The domain for which fusefs_t is an entrypoint. +## +## +# +interface(`fs_fusefs_entry_type',` + gen_require(` + type fusefs_t; + ') + + domain_entry_file($1, fusefs_t) +') + +######################################## +## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. +## +## +## +## The domain for which fusefs_t is an entrypoint. +## +## +# +interface(`fs_fusefs_entrypoint',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:file entrypoint; +') + +######################################## +## +## Create, read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + manage_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:file manage_file_perms; +') + +######################################## +## +## Read symbolic links on a FUSEFS filesystem. ## -## -##

    -## Read eventpollfs files -##

    -##

    -## This interface has been deprecated, and will -## be removed in the future. -##

    -##
    ## ## ## Domain allowed access. ## ## # -# eventpollfs was changed to task SID 20060628 -interface(`fs_read_eventpollfs',` - refpolicywarn(`$0($*) has been deprecated.') +interface(`fs_read_fusefs_symlinks',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir list_dir_perms; + read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Mount a FUSE filesystem. +## Manage symbolic links on a FUSEFS filesystem. ## ## ## @@ -1803,210 +2640,227 @@ interface(`fs_read_eventpollfs',` ## ## # -interface(`fs_mount_fusefs',` +interface(`fs_manage_fusefs_symlinks',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:filesystem mount; + manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Unmount a FUSE filesystem. +## Execute a file on a FUSE filesystem +## in the specified domain. ## +## +##

    +## Execute a file on a FUSE filesystem +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +##

    +##

    +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

    +##

    +## This interface was added to handle +## home directories on FUSE filesystems, +## in particular used by the ssh-agent policy. +##

    +##
    ## ## -## Domain allowed access. +## Domain allowed to transition. +## +## +## +## +## The type of the new process. ## ## # -interface(`fs_unmount_fusefs',` +interface(`fs_fusefs_domtrans',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:filesystem unmount; + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) ') ######################################## ## -## Mounton a FUSEFS filesystem. +## Get the attributes of a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## +## # -interface(`fs_mounton_fusefs',` +interface(`fs_getattr_fusefs',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:dir mounton; + allow $1 fusefs_t:filesystem getattr; ') ######################################## ## -## Search directories -## on a FUSEFS filesystem. +## Get the attributes of an hugetlbfs +## filesystem. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_search_fusefs',` +interface(`fs_getattr_hugetlbfs',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - allow $1 fusefs_t:dir search_dir_perms; + allow $1 hugetlbfs_t:filesystem getattr; ') ######################################## ## -## Do not audit attempts to list the contents -## of directories on a FUSEFS filesystem. +## List hugetlbfs. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_list_fusefs',` +interface(`fs_list_hugetlbfs',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - dontaudit $1 fusefs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:dir list_dir_perms; ') ######################################## ## -## Create, read, write, and delete directories -## on a FUSEFS filesystem. +## Manage hugetlbfs dirs. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_manage_fusefs_dirs',` +interface(`fs_manage_hugetlbfs_dirs',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - allow $1 fusefs_t:dir manage_dir_perms; + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## -## Do not audit attempts to create, read, -## write, and delete directories -## on a FUSEFS filesystem. +## Read hugetlbfs files. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_manage_fusefs_dirs',` +interface(`fs_read_hugetlbfs_files',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - dontaudit $1 fusefs_t:dir manage_dir_perms; + read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## -## Read, a FUSEFS filesystem. +## Read and write hugetlbfs files. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_read_fusefs_files',` +interface(`fs_rw_hugetlbfs_files',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - read_files_pattern($1, fusefs_t, fusefs_t) + allow $1 hugetlbfs_t:file map; + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## -## Execute files on a FUSEFS filesystem. +## Manage hugetlbfs files. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_exec_fusefs_files',` +interface(`fs_manage_hugetlbfs_files',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) + manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## -## Create, read, write, and delete files -## on a FUSEFS filesystem. +## Execute hugetlbfs files. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_manage_fusefs_files',` +interface(`fs_exec_hugetlbfs_files',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 hugetlbfs_t:dir list_dir_perms; + exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. +## Allow the type to associate to hugetlbfs filesystems. ## -## +## ## -## Domain to not audit. +## The type of the object to be associated. ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_associate_hugetlbfs',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 hugetlbfs_t:filesystem associate; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. +## List oracleasmfs. ## ## ## @@ -2014,18 +2868,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` +interface(`fs_list_oracleasmfs',` gen_require(` - type fusefs_t; + type oracleasmfs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 oracleasmfs_t:dir list_dir_perms; ') ######################################## ## -## Get the attributes of an hugetlbfs +## Get the attributes of an oracleasmfs ## filesystem. ## ## @@ -2034,17 +2887,18 @@ interface(`fs_read_fusefs_symlinks',` ##
    ## # -interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_oracleasmfs_fs',` gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; + allow $1 oracleasmfs_t:filesystem getattr; ') ######################################## ## -## List hugetlbfs. +## Get the attributes of an oracleasmfs +## filesystem. ## ## ## @@ -2052,17 +2906,18 @@ interface(`fs_getattr_hugetlbfs',` ## ## # -interface(`fs_list_hugetlbfs',` +interface(`fs_getattr_oracleasmfs',` gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 oracleasmfs_t:file getattr; ') ######################################## ## -## Manage hugetlbfs dirs. +## Get the attributes of an oracleasmfs +## filesystem. ## ## ## @@ -2070,17 +2925,18 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_setattr_oracleasmfs',` gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 oracleasmfs_t:file setattr; ') ######################################## ## -## Read and write hugetlbfs files. +## Get the attributes of an oracleasmfs +## filesystem. ## ## ## @@ -2088,30 +2944,32 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # -interface(`fs_rw_hugetlbfs_files',` +interface(`fs_setattr_oracleasmfs_dirs',` gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 oracleasmfs_t:dir setattr; ') ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. +## Read and write the oracleasm device. ## -## +## ## -## The type of the object to be associated. +## Domain allowed access. ## ## # -interface(`fs_associate_hugetlbfs',` +interface(`fs_manage_oracleasm',` gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; ') - allow $1 hugetlbfs_t:filesystem associate; + manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t) + manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t) + dev_filetrans($1, oracleasmfs_t, dir, "oracleasm") ') ######################################## @@ -2148,11 +3006,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. +## Do not audit attempts to list inotifyfs filesystem. ## ## ## @@ -2396,6 +3255,24 @@ interface(`fs_getattr_nfs',` allow $1 nfs_t:filesystem getattr; ') +######################################## +## +## Set the attributes of nfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_setattr_nfs_dirs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir setattr; +') + ######################################## ## ## Search directories on a NFS filesystem. @@ -2453,138 +3330,214 @@ interface(`fs_dontaudit_list_nfs',` ######################################## ## -## Mounton a NFS filesystem. +## Mounton a NFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir mounton; +') + +######################################## +## +## Read files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_read_nfs_files',` + gen_require(` + type nfs_t; + ') + + fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## +## Do not audit attempts to read +## files on a NFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_read_nfs_files',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:file read_file_perms; +') + +######################################## +## +## Read files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_write_nfs_files',` + gen_require(` + type nfs_t; + ') + + fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## +## Execute files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## +## # -interface(`fs_mounton_nfs',` +interface(`fs_exec_nfs_files',` gen_require(` type nfs_t; ') - allow $1 nfs_t:dir mounton; + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## -## Read files on a NFS filesystem. +## Make general progams in nfs an entrypoint for +## the specified domain. ## ## ## -## Domain allowed access. +## The domain for which nfs_t is an entrypoint. ## ## -## # -interface(`fs_read_nfs_files',` +interface(`fs_nfs_entry_type',` gen_require(` type nfs_t; ') - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) + domain_entry_file($1, nfs_t) ') ######################################## ## -## Do not audit attempts to read -## files on a NFS filesystem. +## Make general progams in NFS an entrypoint for +## the specified domain. ## ## ## -## Domain to not audit. +## The domain for which nfs_t is an entrypoint. ## ## # -interface(`fs_dontaudit_read_nfs_files',` +interface(`fs_nfs_entrypoint',` gen_require(` type nfs_t; ') - dontaudit $1 nfs_t:file read_file_perms; + allow $1 nfs_t:file entrypoint; ') ######################################## ## -## Read files on a NFS filesystem. +## Append files +## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## +## # -interface(`fs_write_nfs_files',` +interface(`fs_append_nfs_files',` gen_require(` type nfs_t; ') - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) + append_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## -## Execute files on a NFS filesystem. +## Do not audit attempts to append files +## on a NFS filesystem. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## ## # -interface(`fs_exec_nfs_files',` +interface(`fs_dontaudit_append_nfs_files',` gen_require(` type nfs_t; ') - allow $1 nfs_t:dir list_dir_perms; - exec_files_pattern($1, nfs_t, nfs_t) + dontaudit $1 nfs_t:file append_file_perms; ') ######################################## ## -## Append files -## on a NFS filesystem. +## Read inherited files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## -## # -interface(`fs_append_nfs_files',` +interface(`fs_read_inherited_nfs_files',` gen_require(` type nfs_t; ') - append_files_pattern($1, nfs_t, nfs_t) + allow $1 nfs_t:file read_inherited_file_perms; ') ######################################## ## -## dontaudit Append files -## on a NFS filesystem. +## Read/write inherited files on a NFS filesystem. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## -## # -interface(`fs_dontaudit_append_nfs_files',` +interface(`fs_rw_inherited_nfs_files',` gen_require(` type nfs_t; ') - dontaudit $1 nfs_t:file append_file_perms; + allow $1 nfs_t:file rw_inherited_file_perms; ') ######################################## @@ -2603,7 +3556,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') - dontaudit $1 nfs_t:file rw_file_perms; + dontaudit $1 nfs_t:file rw_inherited_file_perms; ') ######################################## @@ -2627,7 +3580,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## -## Dontaudit read symbolic links on a NFS filesystem. +## Do not audit attempts to read symbolic links on a NFS filesystem. ## ## ## @@ -2717,6 +3670,47 @@ interface(`fs_search_rpc',` allow $1 rpc_pipefs_t:dir search_dir_perms; ') +######################################## +## +## Do not audit attempts to list removable storage directories. +## +## +##

    +## Do not audit attempts to list removable storage directories +##

    +##

    +## This interface has been deprecated, and will +## be removed in the future. +##

    +##
    +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_pstorefs',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Do not audit attempts to list removable storage directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_list_pstore',` + gen_require(` + type pstore_t; + ') + + allow $1 pstore_t:dir list_dir_perms; +') + ######################################## ## ## Search removable storage directories. @@ -2741,7 +3735,7 @@ interface(`fs_search_removable',` ## ## ## -## Domain not to audit. +## Domain to not audit. ## ## # @@ -2771,13 +3765,33 @@ interface(`fs_read_removable_files',` read_files_pattern($1, removable_t, removable_t) ') + +######################################## +## +## mmap files on a removable files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_mmap_removable_files',` + gen_require(` + type removable_t; + ') + + allow $1 removable_t:file map; +') + ######################################## ## ## Do not audit attempts to read removable storage files. ## ## ## -## Domain not to audit. +## Domain to not audit. ## ## # @@ -2970,6 +3984,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') + fs_search_auto_mountpoints($1) allow $1 nfs_t:dir manage_dir_perms; ') @@ -3010,9 +4025,29 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') + fs_search_auto_mountpoints($1) manage_files_pattern($1, nfs_t, nfs_t) ') +######################################## +## +## mmap files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_mmap_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:file map; +') + ######################################## ## ## Do not audit attempts to create, @@ -3050,6 +4085,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') + fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -3135,6 +4171,24 @@ interface(`fs_nfs_domtrans',` domain_auto_transition_pattern($1, nfs_t, $2) ') +######################################## +## +## Mount on nfsd_fs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_nfsd_fs', ` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir mounton; +') + ######################################## ## ## Mount a NFS server pseudo filesystem. @@ -3172,28 +4226,155 @@ interface(`fs_remount_nfsd_fs',` allow $1 nfsd_fs_t:filesystem remount; ') -######################################## +######################################## +## +## Unmount a NFS server pseudo filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_unmount_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem unmount; +') + +######################################## +## +## Get the attributes of a NFS server +## pseudo filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem getattr; +') + +######################################## +## +## Search NFS server directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_search_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir search_dir_perms; +') + +######################################## +## +## List NFS server directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## +## Getattr files on an nfsd filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + +####################################### +## +## read files on an nfsd filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + +####################################### +## +## Read and write NFS server files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + + +####################################### ## -## Unmount a NFS server pseudo filesystem. +## Read nsfs inodes (e.g. /proc/pid/ns/uts) ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`fs_unmount_nfsd_fs',` +interface(`fs_read_nsfs_files',` gen_require(` - type nfsd_fs_t; - ') + type nsfs_t; + ') - allow $1 nfsd_fs_t:filesystem unmount; + allow $1 nsfs_t:file read_file_perms; ') -######################################## +####################################### ## -## Get the attributes of a NFS server -## pseudo filesystem. +## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) ## ## ## @@ -3201,17 +4382,18 @@ interface(`fs_unmount_nfsd_fs',` ## ## # -interface(`fs_getattr_nfsd_fs',` +interface(`fs_rw_nsfs_files',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') - allow $1 nfsd_fs_t:filesystem getattr; + rw_files_pattern($1, nsfs_t, nsfs_t) ') + ######################################## ## -## Search NFS server directories. +## Mount a nsfs filesystem. ## ## ## @@ -3219,17 +4401,18 @@ interface(`fs_getattr_nfsd_fs',` ## ## # -interface(`fs_search_nfsd_fs',` +interface(`fs_mount_nsfs',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') - allow $1 nfsd_fs_t:dir search_dir_perms; + allow $1 nsfs_t:filesystem mount; ') + ######################################## ## -## List NFS server directories. +## Remount a tmpfs filesystem. ## ## ## @@ -3237,17 +4420,17 @@ interface(`fs_search_nfsd_fs',` ## ## # -interface(`fs_list_nfsd_fs',` +interface(`fs_remount_nsfs',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') - allow $1 nfsd_fs_t:dir list_dir_perms; + allow $1 nsfs_t:filesystem remount; ') ######################################## ## -## Getattr files on an nfsd filesystem +## Unmount a tmpfs filesystem. ## ## ## @@ -3255,17 +4438,17 @@ interface(`fs_list_nfsd_fs',` ## ## # -interface(`fs_getattr_nfsd_files',` +interface(`fs_unmount_nsfs',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + allow $1 nsfs_t:filesystem unmount; ') ######################################## ## -## Read and write NFS server files. +## Manage NFS server files. ## ## ## @@ -3273,12 +4456,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # -interface(`fs_rw_nfsd_fs',` +interface(`fs_manage_nfsd_fs',` gen_require(` type nfsd_fs_t; ') - rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## @@ -3392,7 +4575,7 @@ interface(`fs_search_ramfs',` ######################################## ## -## Dontaudit Search directories on a ramfs +## Do not audit attempts to search directories on a ramfs ## ## ## @@ -3429,7 +4612,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## -## Dontaudit read on a ramfs files. +## Do not audit attempts to read on a ramfs files. ## ## ## @@ -3447,7 +4630,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## -## Dontaudit read on a ramfs fifo_files. +## Do not audit attempts to read on a ramfs fifo_files. ## ## ## @@ -3777,6 +4960,24 @@ interface(`fs_mount_tmpfs',` allow $1 tmpfs_t:filesystem mount; ') +######################################## +## +## Dontaudit remount a tmpfs filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_remount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:filesystem remount; +') + ######################################## ## ## Remount a tmpfs filesystem. @@ -3813,6 +5014,24 @@ interface(`fs_unmount_tmpfs',` allow $1 tmpfs_t:filesystem unmount; ') +######################################## +## +## Mount on tmpfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_tmpfs', ` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir mounton; +') + ######################################## ## ## Get the attributes of a tmpfs @@ -3908,7 +5127,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## -## Mount on tmpfs directories. +## Set the attributes of tmpfs directories. ## ## ## @@ -3916,17 +5135,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # -interface(`fs_mounton_tmpfs',` +interface(`fs_setattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir mounton; + allow $1 tmpfs_t:dir setattr; ') ######################################## ## -## Set the attributes of tmpfs directories. +## Search tmpfs directories. ## ## ## @@ -3934,17 +5153,17 @@ interface(`fs_mounton_tmpfs',` ## ## # -interface(`fs_setattr_tmpfs_dirs',` +interface(`fs_search_tmpfs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir setattr; + allow $1 tmpfs_t:dir search_dir_perms; ') ######################################## ## -## Search tmpfs directories. +## List the contents of generic tmpfs directories. ## ## ## @@ -3952,17 +5171,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # -interface(`fs_search_tmpfs',` +interface(`fs_list_tmpfs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir search_dir_perms; + allow $1 tmpfs_t:dir list_dir_perms; ') ######################################## ## -## List the contents of generic tmpfs directories. +## Do not audit attempts to list the +## contents of generic tmpfs directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:dir list_dir_perms; +') + +######################################## +## +## Relabel directory on tmpfs filesystems. ## ## ## @@ -3970,31 +5208,48 @@ interface(`fs_search_tmpfs',` ## ## # -interface(`fs_list_tmpfs',` +interface(`fs_relabel_tmpfs_dirs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; + relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Do not audit attempts to list the -## contents of generic tmpfs directories. +## Relabel fifo_file on tmpfs filesystems. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_list_tmpfs',` +interface(`fs_relabel_tmpfs_fifo_files',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir list_dir_perms; + relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## +## Relabel files on tmpfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + relabel_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## @@ -4061,38 +5316,166 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## # -interface(`fs_tmpfs_filetrans',` +interface(`fs_tmpfs_filetrans',` + gen_require(` + type tmpfs_t; + ') + + allow $2 tmpfs_t:filesystem associate; + filetrans_pattern($1, tmpfs_t, $2, $3, $4) +') + +######################################## +## +## Do not audit attempts to getattr +## generic tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_getattr_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:file getattr; +') + +######################################## +## +## Do not audit attempts to read or write +## generic tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:file rw_inherited_file_perms; +') + +######################################## +## +## Create, read, write, and delete +## auto moutpoints. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir manage_dir_perms; +') + +######################################## +## +## Read generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## +## Read and write generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + rw_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## +## Read and write generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_inherited_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file { read write }; +') + +######################################## +## +## Read tmpfs link files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_tmpfs_symlinks',` gen_require(` type tmpfs_t; ') - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, tmpfs_t, $2, $3, $4) + read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Do not audit attempts to getattr -## generic tmpfs files. +## Read and write character nodes on tmpfs filesystems. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_getattr_tmpfs_files',` +interface(`fs_rw_tmpfs_chr_files',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:file getattr; + allow $1 tmpfs_t:dir list_dir_perms; + rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Do not audit attempts to read or write -## generic tmpfs files. +## Do not audit attempts to read and write character nodes on tmpfs filesystems. ## ## ## @@ -4100,72 +5483,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # -interface(`fs_dontaudit_rw_tmpfs_files',` +interface(`fs_dontaudit_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:file rw_file_perms; + dontaudit $1 tmpfs_t:dir list_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ') ######################################## ## -## Create, read, write, and delete -## auto moutpoints. +## Do not audit attempts to create character nodes on tmpfs filesystems. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`fs_manage_auto_mountpoints',` +interface(`fs_dontaudit_create_tmpfs_chr_dev',` gen_require(` - type autofs_t; + type tmpfs_t; ') - allow $1 autofs_t:dir manage_dir_perms; + dontaudit $1 tmpfs_t:chr_file create; ') ######################################## ## -## Read generic tmpfs files. +## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`fs_read_tmpfs_files',` +interface(`fs_dontaudit_read_tmpfs_blk_dev',` gen_require(` type tmpfs_t; ') - read_files_pattern($1, tmpfs_t, tmpfs_t) + dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ') ######################################## ## -## Read and write generic tmpfs files. +## Do not audit attempts to read files on tmpfs filesystems. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`fs_rw_tmpfs_files',` +interface(`fs_dontaudit_read_tmpfs_files',` gen_require(` type tmpfs_t; ') - rw_files_pattern($1, tmpfs_t, tmpfs_t) + dontaudit $1 tmpfs_t:blk_file read; ') ######################################## ## -## Read tmpfs link files. +## Relabel character nodes on tmpfs filesystems. ## ## ## @@ -4173,17 +5556,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # -interface(`fs_read_tmpfs_symlinks',` +interface(`fs_relabel_tmpfs_chr_file',` gen_require(` type tmpfs_t; ') - read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) + allow $1 tmpfs_t:dir list_dir_perms; + relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Read and write character nodes on tmpfs filesystems. +## Read and write block nodes on tmpfs filesystems. ## ## ## @@ -4191,37 +5575,37 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # -interface(`fs_rw_tmpfs_chr_files',` +interface(`fs_rw_tmpfs_blk_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; - rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) + rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## dontaudit Read and write character nodes on tmpfs filesystems. +## Relabel block nodes on tmpfs filesystems. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`fs_dontaudit_use_tmpfs_chr_dev',` +interface(`fs_relabel_tmpfs_blk_file',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir list_dir_perms; - dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; + allow $1 tmpfs_t:dir list_dir_perms; + relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Relabel character nodes on tmpfs filesystems. +## Relabel sock nodes on tmpfs filesystems. ## ## ## @@ -4229,18 +5613,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # -interface(`fs_relabel_tmpfs_chr_file',` +interface(`fs_relabel_tmpfs_sock_file',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; - relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) + relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Read and write block nodes on tmpfs filesystems. +## Delete generic files in tmpfs directory. ## ## ## @@ -4248,18 +5632,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # -interface(`fs_rw_tmpfs_blk_files',` +interface(`fs_delete_tmpfs_files',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; - rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) + allow $1 tmpfs_t:dir del_entry_dir_perms; + allow $1 tmpfs_t:file_class_set delete_file_perms; ') ######################################## ## -## Relabel block nodes on tmpfs filesystems. +## Read and write, create and delete generic +## files on tmpfs filesystems. ## ## ## @@ -4267,32 +5652,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # -interface(`fs_relabel_tmpfs_blk_file',` +interface(`fs_manage_tmpfs_files',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; - relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) + manage_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Read and write, create and delete generic -## files on tmpfs filesystems. +## Execute files on a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## +## # -interface(`fs_manage_tmpfs_files',` +interface(`fs_exec_tmpfs_files',` gen_require(` type tmpfs_t; ') - manage_files_pattern($1, tmpfs_t, tmpfs_t) + exec_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## @@ -4407,6 +5791,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') + +######################################## +## +## Read files on a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:file read_file_perms; +') + ######################################## ## ## Create, read, write, and delete directories @@ -4503,6 +5906,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; +# Mount checks write access on the dir + allow $1 filesystem_type:dir write; ') ######################################## @@ -4549,7 +5954,7 @@ interface(`fs_unmount_all_fs',` ## ##

    ## Allow the specified domain to -## et the attributes of all filesystems. +## get the attributes of all filesystems. ## Example attributes: ##

    ##
      @@ -4594,6 +5999,26 @@ interface(`fs_dontaudit_getattr_all_fs',` dontaudit $1 filesystem_type:filesystem getattr; ') +######################################## +## +## Do not audit attempts to check the +## access on all filesystems. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_all_access_check',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:dir_file_class_set audit_access; +') + + ######################################## ## ## Get the quotas of all filesystems. @@ -4669,6 +6094,25 @@ interface(`fs_getattr_all_dirs',` allow $1 filesystem_type:dir getattr; ') +######################################## +## +## Dontaudit Get the attributes of all directories +## with a filesystem type. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_getattr_all_dirs',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:dir getattr; +') + ######################################## ## ## Search all directories with a filesystem type. @@ -4912,3 +6356,174 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked filesystems files. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_leaks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') + + +######################################## +## +## Transition named content in tmpfs_t directory +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_tmpfs_filetrans_named_content',` + gen_require(` + type cgroup_t; + ') + + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') + +####################################### +## +## Read files in efivarfs +## - contains Linux Kernel configuration options for UEFI systems +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_read_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + read_files_pattern($1, efivarfs_t, efivarfs_t) +') + +######################################## +## +## Read and write sockets of ONLOAD file system pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_onload_sockets',` + gen_require(` + type onload_fs_t; + ') + + rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) + allow $1 onload_fs_t:sock_file ioctl; +') + +######################################## +## +## Read and write tracefs_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + rw_files_pattern($1, tracefs_t, tracefs_t) +') + +######################################## +## +## Create, read, write, and delete dirs +## labeled as tracefs_t. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + manage_dirs_pattern($1, tracefs_t, tracefs_t) +') + +######################################## +## +## Mount tracefs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_tracefs', ` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:filesystem mount; +') + +######################################## +## +## Remount tracefs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_remount_tracefs', ` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:filesystem remount; +') + +######################################## +## +## Unmount tracefs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_unmount_tracefs', ` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:filesystem unmount; +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e7d173844..622029da6 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -17,6 +17,7 @@ attribute noxattrfs; type fs_t; fs_type(fs_t) sid fs gen_context(system_u:object_r:fs_t,s0) +typealias fs_t alias vxfs_t; # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. @@ -26,14 +27,22 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. @@ -43,6 +52,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); +fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0); ############################## # @@ -53,6 +63,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) +mls_trusted_object(anon_inodefs_t) type bdev_t; fs_type(bdev_t) @@ -63,12 +74,23 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) +type oracleasmfs_t; +fs_type(oracleasmfs_t) +dev_node(oracleasmfs_t) +files_mountpoint(oracleasmfs_t) +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) + type capifs_t; fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) -type cgroup_t; +type cephfs_t; +fs_type(cephfs_t) +files_mountpoint(cephfs_t) +genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0) + +type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) @@ -88,6 +110,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) +type efivarfs_t; +fs_noxattr_type(efivarfs_t) +files_mountpoint(efivarfs_t) +genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0) + type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) @@ -96,6 +123,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); +dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) @@ -118,13 +146,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) +files_mountpoint(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) +type nsfs_t; +fs_type(nsfs_t) +genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) + +type onload_fs_t; +fs_type(onload_fs_t) +files_mountpoint(onload_fs_t) +genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0) + type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) -type pstore_t; +type pstore_t alias pstorefs_t; fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) @@ -150,17 +188,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) -type squash_t; -fs_type(squash_t) -genfscon squash / gen_context(system_u:object_r:squash_t,s0) -files_mountpoint(squash_t) - type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) +type tracefs_t; +fs_type(tracefs_t) +genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0) + type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) @@ -168,11 +205,6 @@ genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) -type vxfs_t; -fs_noxattr_type(vxfs_t) -files_mountpoint(vxfs_t) -genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) - # # tmpfs_t is the type for tmpfs filesystems # @@ -182,6 +214,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) +dev_associate(tmpfs_t) +mls_trusted_object(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, @@ -261,6 +295,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) +files_type(removable_t) +dev_node(removable_t) files_mountpoint(removable_t) # @@ -280,6 +316,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon 9p / gen_context(system_u:object_r:nfs_t,s0) ######################################## # @@ -301,9 +338,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # -allow filesystem_unconfined_type filesystem_type:filesystem *; +allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. -allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; +allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint; +allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc index 7be4ddf74..9710b3336 100644 --- a/policy/modules/kernel/kernel.fc +++ b/policy/modules/kernel/kernel.fc @@ -1 +1,5 @@ -# This module currently does not have any file contexts. + +/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index e100d886b..d16dc1f1b 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -124,6 +124,24 @@ interface(`kernel_setsched',` allow $1 kernel_t:process setsched; ') +######################################## +## +## Dontaudit attempts to set the priority of kernel threads. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_dontaudit_setsched',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:process setsched; +') + ######################################## ## ## Send a SIGCHLD signal to kernel threads. @@ -178,6 +196,24 @@ interface(`kernel_signal',` allow $1 kernel_t:process signal; ') +######################################## +## +## Send signull to kernel threads. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_signull',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process signull; +') + ######################################## ## ## Allows the kernel to share state information with @@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',` type kernel_t; ') - allow $1 kernel_t:unix_dgram_socket { read write ioctl }; + allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl }; ') ######################################## @@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',` ') manage_files_pattern($1, debugfs_t, debugfs_t) + manage_dirs_pattern($1,debugfs_t, debugfs_t) read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) ') ######################################## @@ -784,6 +820,24 @@ interface(`kernel_mount_kvmfs',` allow $1 kvmfs_t:filesystem mount; ') +######################################## +## +## Mount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + ######################################## ## ## Unmount the proc filesystem. @@ -802,6 +856,24 @@ interface(`kernel_unmount_proc',` allow $1 proc_t:filesystem unmount; ') +######################################## +## +## Mounton a proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mounton_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + ######################################## ## ## Get the attributes of the proc filesystem. @@ -839,6 +911,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` dontaudit $1 proc_t:dir setattr; ') +######################################## +## +## Do not audit attempts to set the +## attributes of files in /proc. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_setattr_proc_files',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:file setattr; +') + ######################################## ## ## Search directories in /proc. @@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` - type proc_t; + attribute kernel_system_state_reader; ') - read_files_pattern($1, proc_t, proc_t) - read_lnk_files_pattern($1, proc_t, proc_t) - - list_dirs_pattern($1, proc_t, proc_t) + typeattribute $1 kernel_system_state_reader; ') ######################################## @@ -1023,6 +1111,44 @@ interface(`kernel_write_proc_files',` write_files_pattern($1, proc_t, proc_t) ') +######################################## +## +## Do not audit attempts to write the +## file in /proc. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_write_proc_files',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:file write; +') + +######################################## +## +## Do not audit attempts to check the +## access on generic proc entries. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_access_check_proc',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:dir_file_class_set audit_access; +') + ######################################## ## ## Do not audit attempts by caller to @@ -1061,6 +1187,26 @@ interface(`kernel_dontaudit_read_proc_symlinks',` dontaudit $1 proc_t:lnk_file read; ') +####################################### +## +## Allow caller to read state information for AFS. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_read_afs_state',` + gen_require(` + type proc_t, proc_afs_t; + ') + + list_dirs_pattern($1, proc_t, proc_t) + read_files_pattern($1, proc_afs_t, proc_afs_t) +') + ####################################### ## ## Allow caller to read and write state information for AFS. @@ -1206,6 +1352,24 @@ interface(`kernel_read_messages',` typeattribute $1 can_receive_kernel_messages; ') +######################################## +## +## Allow caller to mounton the kernel messages file +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mounton_messages',` + gen_require(` + type proc_kmsg_t; + ') + + allow $1 proc_kmsg_t:file mounton; +') + ######################################## ## ## Allow caller to get the attributes of kernel message @@ -1456,6 +1620,25 @@ interface(`kernel_list_all_proc',` allow $1 proc_type:file getattr; ') +######################################## +## +## Allow attempts to mounton all proc directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mounton_all_proc',` + gen_require(` + attribute proc_type; + ') + + allow $1 proc_type:dir mounton; + allow $1 proc_type:file mounton; +') + ######################################## ## ## Do not audit attempts to list all proc directories. @@ -1475,6 +1658,24 @@ interface(`kernel_dontaudit_list_all_proc',` dontaudit $1 proc_type:file getattr; ') +######################################## +## +## Allow attempts to read all proc types. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_all_proc',` + gen_require(` + attribute proc_type; + ') + + read_files_pattern($1, proc_type, proc_type) +') + ######################################## ## ## Do not audit attempts by caller to search @@ -1672,7 +1873,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - + read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') @@ -1693,7 +1894,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - + read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') @@ -1715,7 +1916,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') @@ -1750,16 +1950,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## -## # interface(`kernel_read_hotplug_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## @@ -1771,16 +1964,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## -## # interface(`kernel_rw_hotplug_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## @@ -1792,16 +1978,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## -## # interface(`kernel_read_modprobe_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## @@ -1813,16 +1992,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## -## # interface(`kernel_rw_modprobe_sysctls',` - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## @@ -2048,6 +2220,26 @@ interface(`kernel_read_rpc_sysctls',` list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') + +######################################## +## +## Read RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_rw_rpc_sysctls_dirs',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; + ') + + rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) +') + ######################################## ## ## Read and write RPC sysctls. @@ -2069,6 +2261,26 @@ interface(`kernel_rw_rpc_sysctls',` list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') +######################################## +## +## Read and write RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_create_rpc_sysctls',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; + ') + + create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + +') + ######################################## ## ## Do not audit attempts to list all sysctl directories. @@ -2085,9 +2297,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; + dontaudit $1 sysctl_type:file read_file_perms; +') + +######################################## +## +## Allow attempts to mounton all sysctl directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mounton_all_sysctls',` + gen_require(` + attribute sysctl_type; + ') + + allow $1 sysctl_type:dir mounton; ') + ######################################## ## ## Allow caller to read all sysctls. @@ -2282,7 +2513,7 @@ interface(`kernel_list_unlabeled',` ######################################## ## -## Read the process state (/proc/pid) of all unlabeled_t. +## Delete unlabeled files ## ## ## @@ -2290,12 +2521,31 @@ interface(`kernel_list_unlabeled',` ## ## # -interface(`kernel_read_unlabeled_state',` +interface(`kernel_delete_unlabeled',` gen_require(` type unlabeled_t; ') - allow $1 unlabeled_t:dir list_dir_perms; + allow $1 unlabeled_t:dir delete_dir_perms; + allow $1 unlabeled_t:dir_file_class_set delete_file_perms; +') + +######################################## +## +## Read the process state (/proc/pid) of all unlabeled_t. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_unlabeled_state',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir list_dir_perms; read_files_pattern($1, unlabeled_t, unlabeled_t) read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') @@ -2306,7 +2556,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -2486,6 +2736,24 @@ interface(`kernel_rw_unlabeled_blk_files',` allow $1 unlabeled_t:blk_file getattr; ') +######################################## +## +## Read and write unlabeled sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_unlabeled_socket',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:socket rw_socket_perms; +') + ######################################## ## ## Do not audit attempts by caller to get attributes for @@ -2523,6 +2791,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; ') +######################################## +## +## Allow caller to relabel unlabeled filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_relabelfrom_unlabeled_fs',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:filesystem relabelfrom; +') + ######################################## ## ## Allow caller to relabel unlabeled files. @@ -2665,6 +2951,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` dontaudit $1 unlabeled_t:association { sendto recvfrom }; ') +######################################## +## +## Receive DCCP packets from an unlabeled connection. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_dccp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dccp_socket recvfrom; +') + ######################################## ## ## Receive TCP packets from an unlabeled connection. @@ -2692,6 +2996,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` allow $1 unlabeled_t:tcp_socket recvfrom; ') +######################################## +## +## Do not audit attempts to receive DCCP packets from an unlabeled +## connection. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:dccp_socket recvfrom; +') + ######################################## ## ## Do not audit attempts to receive TCP packets from an unlabeled @@ -2803,6 +3126,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') +######################################## +## +## Read/Write Raw IP packets from an unlabeled connection. +## +## +##

      +## Receive Raw IP packets from an unlabeled connection. +##

      +##

      +## The corenetwork interface corenet_raw_recv_unlabeled() should +## be used instead of this one. +##

      +##
      +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_unlabeled_rawip_socket',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:rawip_socket rw_socket_perms; +') + ######################################## ## @@ -2956,6 +3306,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` allow $1 unlabeled_t:db_blob { setattr relabelfrom }; ') +######################################## +## +## Relabel to unlabeled context . +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_relabelto_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir_file_class_set relabelto; +') + ######################################## ## ## Unconfined access to kernel module resources. @@ -2972,5 +3340,683 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; - kernel_load_module($1) + kernel_load_module($1) +') + +######################################## +## +## Allow the specified domain to getattr on +## the kernel with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_stream_read',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket { read getattr }; +') + +####################################### +## +## Allow the specified domain to write on +## the kernel with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_stream_write',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket { write getattr }; +') + +####################################### +## +## Allow the specified domain to read/write on +## the kernel with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_stream_socket_perms',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket rw_socket_perms; + allow $1 kernel_t:fd use; +') + +######################################## +## +## Make the specified type usable for regular entries in proc +## +## +## +## Type to be used for /proc entries. +## +## +# +interface(`kernel_proc_type',` + gen_require(` + attribute proc_type; + ') + + typeattribute $1 proc_type; +') + +######################################## +## +## Do not audit attempts by caller to get attributes on all sysctls. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_getattr_all_sysctls',` + gen_require(` + attribute sysctl_type; + ') + + dontaudit $1 sysctl_type:file getattr; +') + +######################################## +## +## Read the process state (/proc/pid) of the kernel. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_state',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:dir search_dir_perms; + allow $1 kernel_t:file read_file_perms; + allow $1 kernel_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Dontaudit attempts to read the process state (/proc/pid) of the kernel. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_dontaudit_read_state',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:dir search_dir_perms; + dontaudit $1 kernel_t:file read_file_perms; + dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Allow searching of numa state directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_search_numa_state',` + gen_require(` + type proc_t, proc_numa_t; + ') + + search_dirs_pattern($1, proc_t, proc_numa_t) +') + +######################################## +## +## Do not audit attempts to search the numa +## state directory. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`kernel_dontaudit_search_numa_state',` + gen_require(` + type proc_numa_t; + ') + + dontaudit $1 proc_numa_t:dir search; +') + +######################################## +## +## Allow caller to read the numa state information. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_read_numa_state',` + gen_require(` + type proc_t, proc_numa_t; + ') + + read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) + read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) + + list_dirs_pattern($1, proc_t, proc_numa_t) +') + +######################################## +## +## Allow caller to read the numa state symbolic links. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_read_numa_state_symlinks',` + gen_require(` + type proc_t, proc_numa_t; + ') + + read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) + + list_dirs_pattern($1, proc_t, proc_numa_t) +') + +######################################## +## +## Allow caller to write numa state information. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_write_numa_state',` + gen_require(` + type proc_t, proc_numa_t; + ') + + write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) +') + +######################################## +## +## Allow caller to search virtual memory overcommit sysctls. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_search_vm_overcommit_sysctl',` + gen_require(` + type sysctl_vm_overcommit_t; + ') + + kernel_search_vm_sysctl($1) + search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) +') + +######################################## +## +## Allow caller to read virtual memory overcommit sysctls. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_read_vm_overcommit_sysctls',` + gen_require(` + type sysctl_vm_overcommit_t; + ') + + kernel_search_vm_sysctl($1) + read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) +') + +######################################## +## +## Read and write virtual memory overcommit sysctls. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_rw_vm_overcommit_sysctls',` + gen_require(` + type sysctl_vm_overcommit_t; + ') + + kernel_search_vm_sysctl($1) + rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) +') + +######################################## +## +## Do not audit attempts to search the security +## state directory. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`kernel_dontaudit_search_security_state',` + gen_require(` + type proc_security_t; + ') + + dontaudit $1 proc_security_t:dir search; +') + +######################################## +## +## Allow searching of security state directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_search_security_state',` + gen_require(` + type proc_security_t; + ') + + search_dirs_pattern($1, proc_t, proc_security_t) +') + +######################################## +## +## Read the security state information. +## +## +##

      +## Allow the specified domain to read the security +## state information. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +# +interface(`kernel_read_security_state',` + gen_require(` + type proc_t, proc_security_t; + attribute sysctl_type; + ') + + read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + + list_dirs_pattern($1, proc_t, proc_security_t) + allow $1 sysctl_type:dir search_dir_perms; +') + +######################################## +## +## Write the security state information. +## +## +##

      +## Allow the specified domain to write the security +## state information. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +# +interface(`kernel_write_security_state',` + gen_require(` + type proc_t, proc_security_t; + ') + + write_files_pattern($1, { proc_t proc_security_t }, proc_security_t) +') + +######################################## +## +## Allow caller to read the security state symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_security_state_symlinks',` + gen_require(` + type proc_t, proc_security_t; + ') + + read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + + list_dirs_pattern($1, proc_t, proc_security_t) +') + +######################################## +## +## Access unlabeled infiniband pkeys. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_ib_access_unlabeled_pkeys',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:infiniband_pkey access; +') + +######################################## +## +## Manage subnet on unlabeled Infiniband endports. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_ib_manage_subnet_unlabeled_endports',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:infiniband_endport manage_subnet; +') + +######################################## +## +## Allow caller to read the security state symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_security_state',` + gen_require(` + type proc_t, proc_security_t; + ') + + rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + + list_dirs_pattern($1, proc_t, proc_security_t) +') + +######################################## +## +## Do not audit attempts to search the usermodehelper +## state directory. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`kernel_dontaudit_search_usermodehelper_state',` + gen_require(` + type usermodehelper_t; + ') + + dontaudit $1 usermodehelper_t:dir search; +') + +######################################## +## +## Allow searching of usermodehelper state directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_search_usermodehelper_state',` + gen_require(` + type usermodehelper_t; + ') + + search_dirs_pattern($1, proc_t, usermodehelper_t) +') + +######################################## +## +## Read the usermodehelper state information. +## +## +##

      +## Allow the specified domain to read the usermodehelpering +## state information. This includes several pieces +## of usermodehelpering information, such as usermodehelper interface +## names, usermodehelperfilter (iptables) statistics, protocol +## information, routes, and remote procedure call (RPC) +## information. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +# +interface(`kernel_read_usermodehelper_state',` + gen_require(` + type proc_t, usermodehelper_t; + ') + + read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) + read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) + + list_dirs_pattern($1, proc_t, usermodehelper_t) +') + +######################################## +## +## Allow caller to read the usermodehelper state symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_usermodehelper_state_symlinks',` + gen_require(` + type proc_t, usermodehelper_t; + ') + + read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) + + list_dirs_pattern($1, proc_t, usermodehelper_t) +') + +######################################## +## +## Read and write usermodehelper state +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_rw_usermodehelper_state',` + gen_require(` + type proc_t, usermodehelper_t; + ') + + dev_search_sysfs($1) + rw_files_pattern($1, proc_t, usermodehelper_t) + list_dirs_pattern($1, proc_t, usermodehelper_t) +') + +######################################## +## +## Relabel to usermodehelper context . +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_relabelto_usermodehelper',` + gen_require(` + type usermodehelper_t; + ') + + allow $1 usermodehelper_t:file relabelto; +') + +######################################## +## +## Read netlink audit socket +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_netlink_audit_socket',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms; +') + +######################################## +## +## Execute an unlabeled file in the specified domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The type of the new process. +## +## +# +interface(`kernel_unlabeled_domtrans',` + gen_require(` + type unlabeled_t; + ') + + read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) + domain_transition_pattern($1, unlabeled_t, $2) + type_transition $1 unlabeled_t:process $2; +') + +######################################## +## +## Make general progams without labeles an entrypoint for +## the specified domain. +## +## +## +## The domain for which unlabeled_t is an entrypoint. +## +## +# +interface(`kernel_unlabeled_entry_type',` + gen_require(` + type unlabeled_t; + ') + + domain_entry_file($1, unlabeled_t) +') + +######################################## +## +## Allow view the kernel key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_view_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key view; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 8dbab4c5e..36a42c060 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; # regular entries in proc attribute proc_type; +# attribute for domains which read proc_t +attribute kernel_system_state_reader; + # sysctls attribute sysctl_type; @@ -48,6 +51,7 @@ ifdef(`enable_mls',` type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) +mls_trusted_object(kernel_t) role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) type debugfs_t; files_mountpoint(debugfs_t) fs_type(debugfs_t) +dev_associate_sysfs(debugfs_t) + allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) +type proc_numa_t, proc_type; +genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0) +mls_trusted_object(proc_numa_t) + type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) +type proc_security_t, proc_type; +genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/fs/suid_dumpable gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/kernel/dmesg_restrict gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/kernel/kptr_restrict gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0) + +type usermodehelper_t, proc_type, sysctl_type; +typealias usermodehelper_t alias sysctl_hotplug_t; +typealias usermodehelper_t alias sysctl_modprobe_t; +dev_associate_sysfs(usermodehelper_t) +genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/poweroff_cmd gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/usermodehelper gen_context(system_u:object_r:usermodehelper_t,s0) + type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) @@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) # /proc/irq directory and files type sysctl_irq_t, sysctl_type; +fs_associate_proc(sysctl_irq_t) genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; +fs_associate_proc(sysctl_rpc_t) genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) # /proc/sys/crypto directory and files @@ -131,16 +162,9 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) # /proc/sys/kernel directory and files type sysctl_kernel_t, sysctl_type; +fs_associate(sysctl_kernel_t) genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) -# /proc/sys/kernel/modprobe file -type sysctl_modprobe_t, sysctl_type; -genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) - -# /proc/sys/kernel/hotplug file -type sysctl_hotplug_t, sysctl_type; -genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) - # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) @@ -153,6 +177,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) +# /proc/sys/vm/overcommit_memory +type sysctl_vm_overcommit_t, sysctl_type; +genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) + # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) @@ -165,6 +193,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +allow unlabeled_t self:filesystem associate; + +# Need the following because we are type alias of file_t. +files_mountpoint(unlabeled_t) +files_base_file(unlabeled_t) +kernel_rootfs_mountpoint(unlabeled_t) +sid file gen_context(system_u:object_r:unlabeled_t,s0) +typealias unlabeled_t alias file_t; # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -189,6 +225,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # +allow kernel_t self:capability2 mac_admin; allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; @@ -233,7 +270,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) -corenet_all_recvfrom_unlabeled(kernel_t) corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) @@ -244,17 +280,26 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) +corenet_filetrans_all_named_dev(kernel_t) + +corenet_ib_access_all_pkeys(kernel_t) +corenet_ib_access_unlabeled_pkeys(kernel_t) +corenet_ib_manage_subnet_all_endports(kernel_t) +corenet_ib_manage_subnet_unlabeled_endports(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # devtmpfs handling: dev_create_generic_dirs(kernel_t) dev_delete_generic_dirs(kernel_t) -dev_create_generic_blk_files(kernel_t) -dev_delete_generic_blk_files(kernel_t) -dev_create_generic_chr_files(kernel_t) -dev_delete_generic_chr_files(kernel_t) +dev_create_all_blk_files(kernel_t) +dev_delete_all_blk_files(kernel_t) +dev_create_all_chr_files(kernel_t) +dev_delete_all_chr_files(kernel_t) dev_mounton(kernel_t) +dev_filetrans_all_named_dev(kernel_t) +storage_filetrans_all_named_dev(kernel_t) +term_filetrans_all_named_dev(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem @@ -263,7 +308,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) -term_use_console(kernel_t) +term_use_all_terms(kernel_t) +term_use_ptmx(kernel_t) corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) @@ -277,25 +323,54 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) +files_manage_mounttab(kernel_t) +files_manage_generic_spool_dirs(kernel_t) mcs_process_set_categories(kernel_t) +mcs_file_read_all(kernel_t) +mcs_file_write_all(kernel_t) +mcs_socket_write_all_levels(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) +mls_file_downgrade(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) +mls_fd_use_all_levels(kernel_t) +mls_process_set_level(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') + +optional_policy(` + abrt_filetrans_named_content(kernel_t) + abrt_dump_oops_domtrans(kernel_t) +') + +optional_policy(` + apache_filetrans_home_content(kernel_t) +') + +optional_policy(` + gnome_filetrans_home_content(kernel_t) +') + +optional_policy(` + kerberos_filetrans_home_content(kernel_t) +') + optional_policy(` hotplug_search_config(kernel_t) ') optional_policy(` init_sigchld(kernel_t) + init_dyntrans(kernel_t) ') optional_policy(` @@ -305,12 +380,30 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) + logging_manage_generic_logs(kernel_t) +') + +optional_policy(` + mta_filetrans_home_content(kernel_t) +') + +optional_policy(` + ssh_filetrans_home_content(kernel_t) +') + +optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) ') optional_policy(` nis_use_ypbind(kernel_t) ') +optional_policy(` + plymouthd_create_log(kernel_t) + plymouthd_filetrans_named_content(kernel_t) +') + optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. @@ -332,9 +425,6 @@ optional_policy(` sysnet_read_config(kernel_t) - rpc_manage_nfs_ro_content(kernel_t) - rpc_manage_nfs_rw_content(kernel_t) - rpc_tcp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` @@ -343,9 +433,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) - files_list_non_auth_dirs(kernel_t) - files_read_non_auth_files(kernel_t) - files_read_non_auth_symlinks(kernel_t) + files_read_non_security_files(kernel_t) ') tunable_policy(`nfs_export_all_rw',` @@ -354,7 +442,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) - files_manage_non_auth_files(kernel_t) + files_manage_non_security_files(kernel_t) ') ') @@ -367,6 +455,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') +optional_policy(` + virt_filetrans_home_content(kernel_t) +') + +optional_policy(` + xserver_xdm_manage_spool(kernel_t) + xserver_filetrans_home_content(kernel_t) +') + ######################################## # # Unlabeled process local policy @@ -388,6 +485,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; + files_load_kernel_modules(can_load_kernmodule) + # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; @@ -399,14 +498,39 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # -allow kern_unconfined proc_type:{ dir file lnk_file } *; +allow kern_unconfined proc_type:{ file } ~entrypoint; +allow kern_unconfined proc_type:{ dir lnk_file } *; -allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined sysctl_type:{ file } ~entrypoint; +allow kern_unconfined sysctl_type:{ dir } *; allow kern_unconfined kernel_t:system *; -allow kern_unconfined unlabeled_t:dir_file_class_set *; +allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; +allow kern_unconfined unlabeled_t:file ~entrypoint; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; -allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; +allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; + +gen_require(` + bool secure_mode_insmod; +') + +if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; + allow can_load_kernmodule self:capability2 compromise_kernel; + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; + kernel_setsched(can_load_kernmodule) +} + +####################################### +# +# Kernel system state reader policy +# + +read_files_pattern(kernel_system_state_reader, proc_t, proc_t) +read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t) +list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index b08a6e849..43d504b88 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',` typeattribute $1 mcssetcats; ') + +######################################## +## +## Make specified domain MCS trusted +## for writing to sockets at any level. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mcs_socket_write_all_levels',` + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 2da98c257..31bed0a7c 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -11,3 +11,4 @@ attribute mcssetcats; attribute mcswriteall; attribute mcsreadall; attribute mcs_constrained_type; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index d178478da..42bf05bcd 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -97,6 +97,26 @@ interface(`mls_file_write_to_clearance',` typeattribute $1 mlsfilewritetoclr; ') +######################################## +## +## Make specified domain MLS trusted +## for relabelto to files up to its clearance. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_file_relabel_to_clearance',` + gen_require(` + attribute mlsfilerelabeltoclr; + ') + + typeattribute $1 mlsfilerelabeltoclr; +') + ######################################## ## ## Make specified domain MLS trusted diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index 8c7bd90d2..66ee5b9a1 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -12,6 +12,7 @@ attribute mlsfilewritetoclr; attribute mlsfilewriteinrange; attribute mlsfileupgrade; attribute mlsfiledowngrade; +attribute mlsfilerelabeltoclr; attribute mlsnetread; attribute mlsnetreadtoclr; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc index 7be4ddf74..4d4c577ad 100644 --- a/policy/modules/kernel/selinux.fc +++ b/policy/modules/kernel/selinux.fc @@ -1 +1 @@ -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 6d0811da3..c10081b23 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` # because of this statement, any module which # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) +# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ') ######################################## @@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',` type security_t; ') + allow $1 security_t:lnk_file read_lnk_file_perms; + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs @@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',` # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:filesystem getattr; # read /proc/filesystems to see if selinuxfs is supported @@ -109,6 +113,9 @@ interface(`selinux_mount_fs',` type security_t; ') + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem mount; ') @@ -128,6 +135,9 @@ interface(`selinux_remount_fs',` type security_t; ') + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem remount; ') @@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',` type security_t; ') + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem unmount; ') @@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',` type security_t; ') + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:filesystem getattr; ') @@ -221,7 +235,12 @@ interface(`selinux_search_fs',` ') dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir search_dir_perms; + + optional_policy(` + seutil_search_config($1) + ') ') ######################################## @@ -242,6 +261,28 @@ interface(`selinux_dontaudit_search_fs',` dontaudit $1 security_t:dir search_dir_perms; ') +######################################## +## +## Mount on selinuxfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_mounton_fs',` + gen_require(` + type security_t; + ') + + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir mounton; +') + + ######################################## ## ## Do not audit attempts to read @@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') + selinux_dontaudit_getattr_fs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') @@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',` ') dev_search_sysfs($1) + selinux_get_fs_mount($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; - bool secure_mode_policyload; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; - - if(!secure_mode_policyload) { - allow $1 security_t:security setenforce; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setenforce; - ') - } ') ######################################## @@ -342,22 +376,13 @@ interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; - bool secure_mode_policyload; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; typeattribute $1 can_load_policy; - - if(!secure_mode_policyload) { - allow $1 security_t:security load_policy; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security load_policy; - ') - } ') ######################################## @@ -378,6 +403,7 @@ interface(`selinux_read_policy',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:security read_policy; ') @@ -438,19 +464,15 @@ interface(`selinux_set_boolean',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; + attribute can_setbool; ') + typeattribute $1 can_setbool; dev_search_sysfs($1) - + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setbool; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setbool; - ') ') ######################################## @@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; - bool secure_mode_policyload; + attribute can_setbool; ') + typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) - + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; - - allow $1 security_t:security setbool; - - ifdef(`distro_rhel4',` - # needed for systems without audit support - auditallow $1 security_t:security setbool; - ') - - if(!secure_mode_policyload) { - allow $1 secure_mode_policyload_t:file write_file_perms; - } + allow $1 boolean_type:dir list_dir_perms; + allow $1 boolean_type:file rw_file_perms; ') ######################################## @@ -528,7 +541,9 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; @@ -552,9 +567,11 @@ interface(`selinux_validate_context',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file { map rw_file_perms }; allow $1 security_t:security check_context; ') @@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; @@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; @@ -639,7 +660,9 @@ interface(`selinux_compute_member',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; @@ -669,12 +692,37 @@ interface(`selinux_compute_relabel_context',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; ') +######################################## +## +## Allows caller to setcheckreqprot +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_setcheckreqprot',` + gen_require(` + type security_t; + ') + + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security setcheckreqprot; +') + ######################################## ## ## Allows caller to compute possible contexts for a user. @@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',` type security_t; ') + dev_getattr_sysfs_fs($1) dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; @@ -712,4 +762,28 @@ interface(`selinux_unconfined',` ') typeattribute $1 selinux_unconfined_type; + selinux_set_all_booleans($1) + selinux_load_policy($1) + selinux_set_parameters($1) + selinux_set_enforce_mode($1) +') + +######################################## +## +## Generate a file context for a boolean type +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_genbool',` + gen_require(` + attribute boolean_type; + ') + + type $1, boolean_type; + fs_type($1) + mls_trusted_object($1) ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index e0a973ba1..7d3e431ee 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false) attribute boolean_type; attribute can_load_policy; attribute can_setenforce; +attribute can_setbool; attribute can_setsecparam; attribute selinux_unconfined_type; @@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) -neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; -neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; -neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; +neverallow ~{ can_load_policy } security_t:security load_policy; +neverallow ~{ can_setenforce } security_t:security setenforce; +neverallow ~{ can_setsecparam } security_t:security setsecparam; ######################################## # @@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; # Access the security API. -allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; +allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; ifdef(`distro_rhel4',` # needed for systems without audit support @@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` ') if(!secure_mode_policyload) { - allow selinux_unconfined_type security_t:security { load_policy setenforce }; - allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; + allow can_setenforce security_t:security setenforce; + dev_getattr_sysfs_fs(can_setenforce) + dev_search_sysfs(can_setenforce) + allow can_setenforce security_t:dir list_dir_perms; + allow can_setenforce security_t:file rw_file_perms; ifdef(`distro_rhel4',` # needed for systems without audit support - auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; + auditallow can_setenforce security_t:security setenforce; + ') + + allow can_load_policy security_t:security load_policy; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow can_load_policy security_t:security load_policy; + ') + + allow can_setbool boolean_type:security setbool; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow can_setbool boolean_type:security setbool; ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 54f182702..a45a1f8df 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -7,6 +7,7 @@ /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/bcache[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) @@ -28,10 +29,12 @@ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) -/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/mtd.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) @@ -42,6 +45,7 @@ /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/rb.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ifdef(`distro_redhat', ` /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ') @@ -51,7 +55,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) -/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0) +/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -81,3 +86,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) + +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 64c4cd01c..962b6858f 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -20,6 +20,26 @@ interface(`storage_getattr_fixed_disk_dev',` allow $1 fixed_disk_device_t:blk_file getattr; ') +######################################## +## +## Allow the caller to read/write inherited fixed disk +## device nodes. +## +## +## +## The domain allowed access. +## +## +# +interface(`storage_rw_inherited_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + allow $1 fixed_disk_device_t:chr_file { read write }; + allow $1 fixed_disk_device_t:blk_file { read write }; +') + ######################################## ## ## Do not audit attempts made by the caller to get @@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',` dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + #577012 + allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; typeattribute $1 fixed_disk_raw_read; ') @@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` interface(`storage_raw_rw_fixed_disk',` storage_raw_read_fixed_disk($1) storage_raw_write_fixed_disk($1) + dev_rw_generic_blk_files($1) ') ######################################## @@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; dev_add_entry_generic_dirs($1) ') @@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file, $2) ') +####################################### +## +## Create block devices in /dev with the fixed disk type +## via an automatic type transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_dev_filetrans_named_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") + dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") + dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") +') + ######################################## ## ## Create block devices in on a tmpfs filesystem with the @@ -293,6 +359,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) ') +######################################## +## +## Create block devices in on a tmp filesystem with the +## fixed disk type via an automatic type transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_tmp_filetrans_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + files_tmp_filetrans($1, fixed_disk_device_t, blk_file) +') + ######################################## ## ## Relabel fixed disk device nodes. @@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') +####################################### +## +## Alow read and write inherited removable devices. +## +## +## +## Domain to not audit. +## +## +# +interface(`storage_rw_inherited_removable_device',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file { read write }; +') + ######################################## ## ## Allow the caller to directly read @@ -813,3 +916,462 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') + +######################################## +## +## Create all named devices with the correct label +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_filetrans_all_named_dev',` + + gen_require(` + type tape_device_t; + type fixed_disk_device_t; + type removable_device_t; + type scsi_generic_device_t; + type fuse_device_t; + ') + + dev_filetrans($1, tape_device_t, chr_file, "ht00") + dev_filetrans($1, tape_device_t, chr_file, "ht01") + dev_filetrans($1, tape_device_t, chr_file, "ht02") + dev_filetrans($1, tape_device_t, chr_file, "ht03") + dev_filetrans($1, tape_device_t, chr_file, "ht04") + dev_filetrans($1, tape_device_t, chr_file, "ht05") + dev_filetrans($1, tape_device_t, chr_file, "ht06") + dev_filetrans($1, tape_device_t, chr_file, "ht07") + dev_filetrans($1, tape_device_t, chr_file, "ht08") + dev_filetrans($1, tape_device_t, chr_file, "ht09") + dev_filetrans($1, tape_device_t, chr_file, "st00") + dev_filetrans($1, tape_device_t, chr_file, "st01") + dev_filetrans($1, tape_device_t, chr_file, "st02") + dev_filetrans($1, tape_device_t, chr_file, "st03") + dev_filetrans($1, tape_device_t, chr_file, "st04") + dev_filetrans($1, tape_device_t, chr_file, "st05") + dev_filetrans($1, tape_device_t, chr_file, "st06") + dev_filetrans($1, tape_device_t, chr_file, "st07") + dev_filetrans($1, tape_device_t, chr_file, "st08") + dev_filetrans($1, tape_device_t, chr_file, "st09") + dev_filetrans($1, tape_device_t, chr_file, "qft0") + dev_filetrans($1, tape_device_t, chr_file, "qft1") + dev_filetrans($1, tape_device_t, chr_file, "qft2") + dev_filetrans($1, tape_device_t, chr_file, "qft3") + dev_filetrans($1, tape_device_t, chr_file, "osst00") + dev_filetrans($1, tape_device_t, chr_file, "osst01") + dev_filetrans($1, tape_device_t, chr_file, "osst02") + dev_filetrans($1, tape_device_t, chr_file, "osst03") + dev_filetrans($1, tape_device_t, chr_file, "osst04") + dev_filetrans($1, tape_device_t, chr_file, "osst05") + dev_filetrans($1, tape_device_t, chr_file, "osst06") + dev_filetrans($1, tape_device_t, chr_file, "osst07") + dev_filetrans($1, tape_device_t, chr_file, "osst08") + dev_filetrans($1, tape_device_t, chr_file, "osst09") + dev_filetrans($1, tape_device_t, chr_file, "pt0") + dev_filetrans($1, tape_device_t, chr_file, "pt1") + dev_filetrans($1, tape_device_t, chr_file, "pt2") + dev_filetrans($1, tape_device_t, chr_file, "pt3") + dev_filetrans($1, tape_device_t, chr_file, "pt4") + dev_filetrans($1, tape_device_t, chr_file, "pt5") + dev_filetrans($1, tape_device_t, chr_file, "pt6") + dev_filetrans($1, tape_device_t, chr_file, "pt7") + dev_filetrans($1, tape_device_t, chr_file, "pt8") + dev_filetrans($1, tape_device_t, chr_file, "pt9") + dev_filetrans($1, tape_device_t, chr_file, "tpqic0") + dev_filetrans($1, tape_device_t, chr_file, "tpqic1") + dev_filetrans($1, tape_device_t, chr_file, "tpqic2") + dev_filetrans($1, tape_device_t, chr_file, "tpqic3") + dev_filetrans($1, tape_device_t, chr_file, "tpqic4") + dev_filetrans($1, tape_device_t, chr_file, "tpqic5") + dev_filetrans($1, tape_device_t, chr_file, "tpqic6") + dev_filetrans($1, tape_device_t, chr_file, "tpqic7") + dev_filetrans($1, tape_device_t, chr_file, "tpqic8") + dev_filetrans($1, tape_device_t, chr_file, "tpqic9") + dev_filetrans($1, removable_device_t, blk_file, "aztcd") + dev_filetrans($1, removable_device_t, blk_file, "bpcd") + dev_filetrans($1, removable_device_t, blk_file, "cdu0") + dev_filetrans($1, removable_device_t, blk_file, "cdu1") + dev_filetrans($1, removable_device_t, blk_file, "cdu2") + dev_filetrans($1, removable_device_t, blk_file, "cdu3") + dev_filetrans($1, removable_device_t, blk_file, "cdu4") + dev_filetrans($1, removable_device_t, blk_file, "cdu5") + dev_filetrans($1, removable_device_t, blk_file, "cdu6") + dev_filetrans($1, removable_device_t, blk_file, "cdu7") + dev_filetrans($1, removable_device_t, blk_file, "cdu8") + dev_filetrans($1, removable_device_t, blk_file, "cdu9") + dev_filetrans($1, removable_device_t, blk_file, "cm200") + dev_filetrans($1, removable_device_t, blk_file, "cm201") + dev_filetrans($1, removable_device_t, blk_file, "cm202") + dev_filetrans($1, removable_device_t, blk_file, "cm203") + dev_filetrans($1, removable_device_t, blk_file, "cm204") + dev_filetrans($1, removable_device_t, blk_file, "cm205") + dev_filetrans($1, removable_device_t, blk_file, "cm206") + dev_filetrans($1, removable_device_t, blk_file, "cm207") + dev_filetrans($1, removable_device_t, blk_file, "cm208") + dev_filetrans($1, removable_device_t, blk_file, "cm209") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9") + dev_filetrans($1, removable_device_t, blk_file, "gscd") + dev_filetrans($1, removable_device_t, blk_file, "hitcd") + dev_filetrans($1, tape_device_t, blk_file, "ht0") + dev_filetrans($1, tape_device_t, blk_file, "ht1") + dev_filetrans($1, removable_device_t, blk_file, "hwcdrom") + dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd") + dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd") + dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9") + dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") + dev_filetrans($1, removable_device_t, blk_file, "mcd") + dev_filetrans($1, removable_device_t, blk_file, "mcdx") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk0") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk1") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk2") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk3") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk4") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk5") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk6") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk7") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk8") + dev_filetrans($1, removable_device_t, blk_file, "mmcblk9") + dev_filetrans($1, removable_device_t, blk_file, "mspblk0") + dev_filetrans($1, removable_device_t, blk_file, "mspblk1") + dev_filetrans($1, removable_device_t, blk_file, "mspblk2") + dev_filetrans($1, removable_device_t, blk_file, "mspblk3") + dev_filetrans($1, removable_device_t, blk_file, "mspblk4") + dev_filetrans($1, removable_device_t, blk_file, "mspblk5") + dev_filetrans($1, removable_device_t, blk_file, "mspblk6") + dev_filetrans($1, removable_device_t, blk_file, "mspblk7") + dev_filetrans($1, removable_device_t, blk_file, "mspblk8") + dev_filetrans($1, removable_device_t, blk_file, "mspblk9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd9") + dev_filetrans($1, removable_device_t, blk_file, "optcd") + dev_filetrans($1, removable_device_t, blk_file, "pf0") + dev_filetrans($1, removable_device_t, blk_file, "pf1") + dev_filetrans($1, removable_device_t, blk_file, "pf2") + dev_filetrans($1, removable_device_t, blk_file, "pf3") + dev_filetrans($1, removable_device_t, blk_file, "pg0") + dev_filetrans($1, removable_device_t, blk_file, "pg1") + dev_filetrans($1, removable_device_t, blk_file, "pg2") + dev_filetrans($1, removable_device_t, blk_file, "pg3") + dev_filetrans($1, removable_device_t, blk_file, "pcd0") + dev_filetrans($1, removable_device_t, blk_file, "pcd1") + dev_filetrans($1, removable_device_t, blk_file, "pcd2") + dev_filetrans($1, removable_device_t, blk_file, "pcd3") + dev_filetrans($1, removable_device_t, chr_file, "pg0") + dev_filetrans($1, removable_device_t, chr_file, "pg1") + dev_filetrans($1, removable_device_t, chr_file, "pg2") + dev_filetrans($1, removable_device_t, chr_file, "pg3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14") + dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8") + dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "root") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd0") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd1") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd2") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd3") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd4") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd5") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd6") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd7") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd8") + dev_filetrans($1, removable_device_t, blk_file, "sbpcd9") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50") + dev_filetrans($1, removable_device_t, blk_file, "sr0") + dev_filetrans($1, removable_device_t, blk_file, "sr1") + dev_filetrans($1, removable_device_t, blk_file, "sr2") + dev_filetrans($1, removable_device_t, blk_file, "sr3") + dev_filetrans($1, removable_device_t, blk_file, "sr4") + dev_filetrans($1, removable_device_t, blk_file, "sr5") + dev_filetrans($1, removable_device_t, blk_file, "sr6") + dev_filetrans($1, removable_device_t, blk_file, "sr7") + dev_filetrans($1, removable_device_t, blk_file, "sr8") + dev_filetrans($1, removable_device_t, blk_file, "sr9") + dev_filetrans($1, removable_device_t, blk_file, "sjcd") + dev_filetrans($1, removable_device_t, blk_file, "sonycd") + dev_filetrans($1, tape_device_t, chr_file, "tape0") + dev_filetrans($1, tape_device_t, chr_file, "tape1") + dev_filetrans($1, tape_device_t, chr_file, "tape2") + dev_filetrans($1, tape_device_t, chr_file, "tape3") + dev_filetrans($1, tape_device_t, chr_file, "tape4") + dev_filetrans($1, tape_device_t, chr_file, "tape5") + dev_filetrans($1, tape_device_t, chr_file, "tape6") + dev_filetrans($1, tape_device_t, chr_file, "tape7") + dev_filetrans($1, tape_device_t, chr_file, "tape8") + dev_filetrans($1, tape_device_t, chr_file, "tape9") + dev_filetrans($1, fuse_device_t, chr_file, "fuse") + dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") + dev_filetrans($1, removable_device_t, chr_file, "rio500") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18") + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19") + +') diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 156c33310..02f5a3c91 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -57,3 +57,9 @@ dev_node(tape_device_t) allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; + +# Since block devices are some times used before being labeled correctly +ifdef(`hide_broken_symptoms',` + dev_read_generic_blk_files(fixed_disk_raw_read) + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index 0ea25b653..37069ae93 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -14,12 +14,13 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) -/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) @@ -42,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index cbb729b66..f118b2a3b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,13 +124,32 @@ interface(`term_user_tty',` type_change $1 ttynode:chr_file $2; ') - tunable_policy(`console_login',` + tunable_policy(`login_console_enabled',` # When user logs in from /dev/console, relabel it # to user tty type as well. type_change $1 console_device_t:chr_file $2; ') ') +######################################## +## +## Create the /dev/pts directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_create_pty_dir',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir create_dir_perms; + dev_filetrans($1, devpts_t, dir, "devpts") +') + ######################################## ## ## Create a pty in the /dev/pts directory. @@ -206,6 +225,27 @@ interface(`term_use_all_terms',` allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ') +######################################## +## +## Read and write the inherited console, all inherited +## ttys and ptys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_use_all_inherited_terms',` + gen_require(` + attribute ttynode, ptynode; + type console_device_t, devpts_t, tty_device_t; + ') + + allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms; +') + ######################################## ## ## Write to the console. @@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',` ## Domain allowed access. ## ## -## # interface(`term_use_console',` gen_require(` @@ -299,9 +338,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; + type tty_device_t; ') - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## @@ -382,6 +424,42 @@ interface(`term_getattr_pty_fs',` allow $1 devpts_t:filesystem getattr; ') +######################################## +## +## Mount a pty filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`term_mount_pty_fs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem mount; +') + +######################################## +## +## Unmount a pty filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`term_unmount_pty_fs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem unmount; +') + ######################################## ## ## Relabel from and to pty filesystem. @@ -479,6 +557,24 @@ interface(`term_list_ptys',` allow $1 devpts_t:dir list_dir_perms; ') +######################################## +## +## Relabel the /dev/pts directory +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabel_ptys_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir relabel_dir_perms; +') + ######################################## ## ## Do not audit attempts to read the @@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',` ######################################## ## -## Dot not audit attempts to read and +## Do not audit attempts to read and ## write the generic pty type. This is ## generally only used in the targeted policy. ## @@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') + init_dontaudit_use_fds($1) dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') @@ -877,6 +974,26 @@ interface(`term_use_all_ptys',` allow $1 ptynode:chr_file { rw_term_perms lock append }; ') +######################################## +## +## Read and write all inherited ptys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_use_all_inherited_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + allow $1 ptynode:chr_file { rw_inherited_term_perms lock }; +') + ######################################## ## ## Do not audit attempts to read or write any ptys. @@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') - dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; + dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; ') ######################################## @@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) - relabel_chr_files_pattern($1, devpts_t, ptynode) + relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } ) ') ######################################## @@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -1065,6 +1182,28 @@ interface(`term_getattr_unallocated_ttys',` allow $1 tty_device_t:chr_file getattr; ') +######################################## +## +## Allow open access for all unallocated +## tty device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_open_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file open; +') + + + ######################################## ## ## Do not audit attempts to get the attributes @@ -1163,6 +1302,25 @@ interface(`term_relabel_unallocated_ttys',` allow $1 tty_device_t:chr_file relabel_chr_file_perms; ') +######################################## +## +## Mounton unallocated tty device nodes. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_mounton_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + allow $1 tty_device_t:chr_file mounton; +') + ######################################## ## ## Relabel from all user tty types to @@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + init_dontaudit_use_fds($1) + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## Read and write USB tty character +## device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_use_usb_ttys',` + gen_require(` + type usbtty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 usbtty_device_t:chr_file rw_chr_file_perms; +') + +####################################### +## +## Setattr on USB tty character +## device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_setattr_usb_ttys',` + gen_require(` + type usbtty_device_t; + ') + + allow $1 usbtty_device_t:chr_file setattr; ') ######################################## @@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` + type tty_device_t; attribute ttynode; ') dev_list_all_dev_nodes($1) allow $1 ttynode:chr_file getattr; + allow $1 tty_device_t:chr_file getattr; ') ######################################## @@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; + type tty_device_t; ') dev_list_all_dev_nodes($1) dontaudit $1 ttynode:chr_file getattr; + dontaudit $1 tty_device_t:chr_file getattr; ') ######################################## @@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file rw_chr_file_perms; + allow $1 ttynode:chr_file rw_term_perms; +') + +######################################## +## +## Read and write all inherited ttys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_use_all_inherited_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file rw_inherited_term_perms; ') ######################################## @@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') - dontaudit $1 ttynode:chr_file rw_chr_file_perms; + dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; ') ######################################## @@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',` term_dontaudit_use_all_ttys($1) ') +#################################### +## +## Getattr on the virtio console. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_getattr_virtio_console',` + gen_require(` + type virtio_device_t; + ') + + allow $1 virtio_device_t:chr_file getattr_chr_file_perms; +') + ##################################### ## -## Read from and write virtio console. +## Read from and write to the virtio console. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`term_use_virtio_console',` - gen_require(` - type virtio_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 virtio_device_t:chr_file rw_term_perms; + gen_require(` + type virtio_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 virtio_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## +## Create all named term devices with the correct label +## +## +## +## Domain allowed access. +## +## +# +interface(`term_filetrans_all_named_dev',` + + gen_require(` + type tty_device_t; + type bsdpty_device_t; + type console_device_t; + type ptmx_t; + type devtty_t; + type virtio_device_t; + type devpts_t; + type usbtty_device_t; + ') + + dev_filetrans($1, devtty_t, chr_file, "tty") + dev_filetrans($1, tty_device_t, chr_file, "tty0") + dev_filetrans($1, tty_device_t, chr_file, "tty1") + dev_filetrans($1, tty_device_t, chr_file, "tty2") + dev_filetrans($1, tty_device_t, chr_file, "tty3") + dev_filetrans($1, tty_device_t, chr_file, "tty4") + dev_filetrans($1, tty_device_t, chr_file, "tty5") + dev_filetrans($1, tty_device_t, chr_file, "tty6") + dev_filetrans($1, tty_device_t, chr_file, "tty7") + dev_filetrans($1, tty_device_t, chr_file, "tty8") + dev_filetrans($1, tty_device_t, chr_file, "tty9") + dev_filetrans($1, tty_device_t, chr_file, "tty10") + dev_filetrans($1, tty_device_t, chr_file, "tty11") + dev_filetrans($1, tty_device_t, chr_file, "tty12") + dev_filetrans($1, tty_device_t, chr_file, "tty13") + dev_filetrans($1, tty_device_t, chr_file, "tty14") + dev_filetrans($1, tty_device_t, chr_file, "tty15") + dev_filetrans($1, tty_device_t, chr_file, "tty16") + dev_filetrans($1, tty_device_t, chr_file, "tty17") + dev_filetrans($1, tty_device_t, chr_file, "tty18") + dev_filetrans($1, tty_device_t, chr_file, "tty19") + dev_filetrans($1, tty_device_t, chr_file, "tty20") + dev_filetrans($1, tty_device_t, chr_file, "tty21") + dev_filetrans($1, tty_device_t, chr_file, "tty22") + dev_filetrans($1, tty_device_t, chr_file, "tty23") + dev_filetrans($1, tty_device_t, chr_file, "tty24") + dev_filetrans($1, tty_device_t, chr_file, "tty25") + dev_filetrans($1, tty_device_t, chr_file, "tty26") + dev_filetrans($1, tty_device_t, chr_file, "tty27") + dev_filetrans($1, tty_device_t, chr_file, "tty28") + dev_filetrans($1, tty_device_t, chr_file, "tty29") + dev_filetrans($1, tty_device_t, chr_file, "tty30") + dev_filetrans($1, tty_device_t, chr_file, "tty31") + dev_filetrans($1, tty_device_t, chr_file, "tty32") + dev_filetrans($1, tty_device_t, chr_file, "tty33") + dev_filetrans($1, tty_device_t, chr_file, "tty34") + dev_filetrans($1, tty_device_t, chr_file, "tty35") + dev_filetrans($1, tty_device_t, chr_file, "tty36") + dev_filetrans($1, tty_device_t, chr_file, "tty37") + dev_filetrans($1, tty_device_t, chr_file, "tty38") + dev_filetrans($1, tty_device_t, chr_file, "tty39") + dev_filetrans($1, tty_device_t, chr_file, "tty40") + dev_filetrans($1, tty_device_t, chr_file, "tty41") + dev_filetrans($1, tty_device_t, chr_file, "tty42") + dev_filetrans($1, tty_device_t, chr_file, "tty43") + dev_filetrans($1, tty_device_t, chr_file, "tty44") + dev_filetrans($1, tty_device_t, chr_file, "tty45") + dev_filetrans($1, tty_device_t, chr_file, "tty46") + dev_filetrans($1, tty_device_t, chr_file, "tty47") + dev_filetrans($1, tty_device_t, chr_file, "tty48") + dev_filetrans($1, tty_device_t, chr_file, "tty49") + dev_filetrans($1, tty_device_t, chr_file, "tty50") + dev_filetrans($1, tty_device_t, chr_file, "tty51") + dev_filetrans($1, tty_device_t, chr_file, "tty52") + dev_filetrans($1, tty_device_t, chr_file, "tty53") + dev_filetrans($1, tty_device_t, chr_file, "tty54") + dev_filetrans($1, tty_device_t, chr_file, "tty55") + dev_filetrans($1, tty_device_t, chr_file, "tty56") + dev_filetrans($1, tty_device_t, chr_file, "tty57") + dev_filetrans($1, tty_device_t, chr_file, "tty58") + dev_filetrans($1, tty_device_t, chr_file, "tty59") + dev_filetrans($1, tty_device_t, chr_file, "tty60") + dev_filetrans($1, tty_device_t, chr_file, "tty61") + dev_filetrans($1, tty_device_t, chr_file, "tty62") + dev_filetrans($1, tty_device_t, chr_file, "tty63") + dev_filetrans($1, tty_device_t, chr_file, "tty64") + dev_filetrans($1, tty_device_t, chr_file, "tty65") + dev_filetrans($1, tty_device_t, chr_file, "tty66") + dev_filetrans($1, tty_device_t, chr_file, "tty67") + dev_filetrans($1, tty_device_t, chr_file, "tty68") + dev_filetrans($1, tty_device_t, chr_file, "tty69") + dev_filetrans($1, tty_device_t, chr_file, "tty70") + dev_filetrans($1, tty_device_t, chr_file, "tty71") + dev_filetrans($1, tty_device_t, chr_file, "tty72") + dev_filetrans($1, tty_device_t, chr_file, "tty73") + dev_filetrans($1, tty_device_t, chr_file, "tty74") + dev_filetrans($1, tty_device_t, chr_file, "tty75") + dev_filetrans($1, tty_device_t, chr_file, "tty76") + dev_filetrans($1, tty_device_t, chr_file, "tty77") + dev_filetrans($1, tty_device_t, chr_file, "tty78") + dev_filetrans($1, tty_device_t, chr_file, "tty79") + dev_filetrans($1, tty_device_t, chr_file, "tty80") + dev_filetrans($1, tty_device_t, chr_file, "tty81") + dev_filetrans($1, tty_device_t, chr_file, "tty82") + dev_filetrans($1, tty_device_t, chr_file, "tty83") + dev_filetrans($1, tty_device_t, chr_file, "tty84") + dev_filetrans($1, tty_device_t, chr_file, "tty85") + dev_filetrans($1, tty_device_t, chr_file, "tty86") + dev_filetrans($1, tty_device_t, chr_file, "tty87") + dev_filetrans($1, tty_device_t, chr_file, "tty88") + dev_filetrans($1, tty_device_t, chr_file, "tty89") + dev_filetrans($1, tty_device_t, chr_file, "tty90") + dev_filetrans($1, tty_device_t, chr_file, "tty91") + dev_filetrans($1, tty_device_t, chr_file, "tty92") + dev_filetrans($1, tty_device_t, chr_file, "tty93") + dev_filetrans($1, tty_device_t, chr_file, "tty94") + dev_filetrans($1, tty_device_t, chr_file, "tty95") + dev_filetrans($1, tty_device_t, chr_file, "tty96") + dev_filetrans($1, tty_device_t, chr_file, "tty97") + dev_filetrans($1, tty_device_t, chr_file, "tty98") + dev_filetrans($1, tty_device_t, chr_file, "tty99") + dev_filetrans($1, tty_device_t, chr_file, "pty") + dev_filetrans($1, tty_device_t, chr_file, "pty0") + dev_filetrans($1, tty_device_t, chr_file, "pty1") + dev_filetrans($1, tty_device_t, chr_file, "pty2") + dev_filetrans($1, tty_device_t, chr_file, "pty3") + dev_filetrans($1, tty_device_t, chr_file, "pty4") + dev_filetrans($1, tty_device_t, chr_file, "pty5") + dev_filetrans($1, tty_device_t, chr_file, "pty6") + dev_filetrans($1, tty_device_t, chr_file, "pty7") + dev_filetrans($1, tty_device_t, chr_file, "pty8") + dev_filetrans($1, tty_device_t, chr_file, "pty9") + dev_filetrans($1, tty_device_t, chr_file, "pty10") + dev_filetrans($1, tty_device_t, chr_file, "pty11") + dev_filetrans($1, tty_device_t, chr_file, "pty12") + dev_filetrans($1, tty_device_t, chr_file, "pty13") + dev_filetrans($1, tty_device_t, chr_file, "pty14") + dev_filetrans($1, tty_device_t, chr_file, "pty15") + dev_filetrans($1, tty_device_t, chr_file, "pty16") + dev_filetrans($1, tty_device_t, chr_file, "pty17") + dev_filetrans($1, tty_device_t, chr_file, "pty18") + dev_filetrans($1, tty_device_t, chr_file, "pty19") + dev_filetrans($1, tty_device_t, chr_file, "pty20") + dev_filetrans($1, tty_device_t, chr_file, "pty21") + dev_filetrans($1, tty_device_t, chr_file, "pty22") + dev_filetrans($1, tty_device_t, chr_file, "pty23") + dev_filetrans($1, tty_device_t, chr_file, "pty24") + dev_filetrans($1, tty_device_t, chr_file, "pty25") + dev_filetrans($1, tty_device_t, chr_file, "pty26") + dev_filetrans($1, tty_device_t, chr_file, "pty27") + dev_filetrans($1, tty_device_t, chr_file, "pty28") + dev_filetrans($1, tty_device_t, chr_file, "pty29") + dev_filetrans($1, tty_device_t, chr_file, "pty30") + dev_filetrans($1, tty_device_t, chr_file, "pty31") + dev_filetrans($1, tty_device_t, chr_file, "pty32") + dev_filetrans($1, tty_device_t, chr_file, "pty33") + dev_filetrans($1, tty_device_t, chr_file, "pty34") + dev_filetrans($1, tty_device_t, chr_file, "pty35") + dev_filetrans($1, tty_device_t, chr_file, "pty36") + dev_filetrans($1, tty_device_t, chr_file, "pty37") + dev_filetrans($1, tty_device_t, chr_file, "pty38") + dev_filetrans($1, tty_device_t, chr_file, "pty39") + dev_filetrans($1, tty_device_t, chr_file, "pty40") + dev_filetrans($1, tty_device_t, chr_file, "pty41") + dev_filetrans($1, tty_device_t, chr_file, "pty42") + dev_filetrans($1, tty_device_t, chr_file, "pty43") + dev_filetrans($1, tty_device_t, chr_file, "pty44") + dev_filetrans($1, tty_device_t, chr_file, "pty45") + dev_filetrans($1, tty_device_t, chr_file, "pty46") + dev_filetrans($1, tty_device_t, chr_file, "pty47") + dev_filetrans($1, tty_device_t, chr_file, "pty48") + dev_filetrans($1, tty_device_t, chr_file, "pty49") + dev_filetrans($1, tty_device_t, chr_file, "pty50") + dev_filetrans($1, tty_device_t, chr_file, "pty51") + dev_filetrans($1, tty_device_t, chr_file, "pty52") + dev_filetrans($1, tty_device_t, chr_file, "pty53") + dev_filetrans($1, tty_device_t, chr_file, "pty54") + dev_filetrans($1, tty_device_t, chr_file, "pty55") + dev_filetrans($1, tty_device_t, chr_file, "pty56") + dev_filetrans($1, tty_device_t, chr_file, "pty57") + dev_filetrans($1, tty_device_t, chr_file, "pty58") + dev_filetrans($1, tty_device_t, chr_file, "pty59") + dev_filetrans($1, tty_device_t, chr_file, "pty60") + dev_filetrans($1, tty_device_t, chr_file, "pty61") + dev_filetrans($1, tty_device_t, chr_file, "pty62") + dev_filetrans($1, tty_device_t, chr_file, "pty63") + dev_filetrans($1, tty_device_t, chr_file, "pty64") + dev_filetrans($1, tty_device_t, chr_file, "pty65") + dev_filetrans($1, tty_device_t, chr_file, "pty66") + dev_filetrans($1, tty_device_t, chr_file, "pty67") + dev_filetrans($1, tty_device_t, chr_file, "pty68") + dev_filetrans($1, tty_device_t, chr_file, "pty69") + dev_filetrans($1, tty_device_t, chr_file, "pty70") + dev_filetrans($1, tty_device_t, chr_file, "pty71") + dev_filetrans($1, tty_device_t, chr_file, "pty72") + dev_filetrans($1, tty_device_t, chr_file, "pty73") + dev_filetrans($1, tty_device_t, chr_file, "pty74") + dev_filetrans($1, tty_device_t, chr_file, "pty75") + dev_filetrans($1, tty_device_t, chr_file, "pty76") + dev_filetrans($1, tty_device_t, chr_file, "pty77") + dev_filetrans($1, tty_device_t, chr_file, "pty78") + dev_filetrans($1, tty_device_t, chr_file, "pty79") + dev_filetrans($1, tty_device_t, chr_file, "pty80") + dev_filetrans($1, tty_device_t, chr_file, "pty81") + dev_filetrans($1, tty_device_t, chr_file, "pty82") + dev_filetrans($1, tty_device_t, chr_file, "pty83") + dev_filetrans($1, tty_device_t, chr_file, "pty84") + dev_filetrans($1, tty_device_t, chr_file, "pty85") + dev_filetrans($1, tty_device_t, chr_file, "pty86") + dev_filetrans($1, tty_device_t, chr_file, "pty87") + dev_filetrans($1, tty_device_t, chr_file, "pty88") + dev_filetrans($1, tty_device_t, chr_file, "pty89") + dev_filetrans($1, tty_device_t, chr_file, "pty90") + dev_filetrans($1, tty_device_t, chr_file, "pty91") + dev_filetrans($1, tty_device_t, chr_file, "pty92") + dev_filetrans($1, tty_device_t, chr_file, "pty93") + dev_filetrans($1, tty_device_t, chr_file, "pty94") + dev_filetrans($1, tty_device_t, chr_file, "pty95") + dev_filetrans($1, tty_device_t, chr_file, "pty96") + dev_filetrans($1, tty_device_t, chr_file, "pty97") + dev_filetrans($1, tty_device_t, chr_file, "pty98") + dev_filetrans($1, tty_device_t, chr_file, "pty99") + dev_filetrans($1, tty_device_t, chr_file, "adb0") + dev_filetrans($1, tty_device_t, chr_file, "adb1") + dev_filetrans($1, tty_device_t, chr_file, "adb2") + dev_filetrans($1, tty_device_t, chr_file, "adb3") + dev_filetrans($1, tty_device_t, chr_file, "adb4") + dev_filetrans($1, tty_device_t, chr_file, "adb5") + dev_filetrans($1, tty_device_t, chr_file, "adb6") + dev_filetrans($1, tty_device_t, chr_file, "adb7") + dev_filetrans($1, tty_device_t, chr_file, "adb8") + dev_filetrans($1, tty_device_t, chr_file, "adb9") + dev_filetrans($1, tty_device_t, chr_file, "capi0") + dev_filetrans($1, tty_device_t, chr_file, "capi1") + dev_filetrans($1, tty_device_t, chr_file, "capi2") + dev_filetrans($1, tty_device_t, chr_file, "capi3") + dev_filetrans($1, tty_device_t, chr_file, "capi4") + dev_filetrans($1, tty_device_t, chr_file, "capi5") + dev_filetrans($1, tty_device_t, chr_file, "capi6") + dev_filetrans($1, tty_device_t, chr_file, "capi7") + dev_filetrans($1, tty_device_t, chr_file, "capi8") + dev_filetrans($1, tty_device_t, chr_file, "capi9") + dev_filetrans($1, console_device_t, chr_file, "console") + dev_filetrans($1, tty_device_t, chr_file, "cu0") + dev_filetrans($1, tty_device_t, chr_file, "cu1") + dev_filetrans($1, tty_device_t, chr_file, "cu2") + dev_filetrans($1, tty_device_t, chr_file, "cu3") + dev_filetrans($1, tty_device_t, chr_file, "cu4") + dev_filetrans($1, tty_device_t, chr_file, "cu5") + dev_filetrans($1, tty_device_t, chr_file, "cu6") + dev_filetrans($1, tty_device_t, chr_file, "cu7") + dev_filetrans($1, tty_device_t, chr_file, "cu8") + dev_filetrans($1, tty_device_t, chr_file, "cu9") + dev_filetrans($1, tty_device_t, chr_file, "dcbri0") + dev_filetrans($1, tty_device_t, chr_file, "dcbri1") + dev_filetrans($1, tty_device_t, chr_file, "dcbri2") + dev_filetrans($1, tty_device_t, chr_file, "dcbri3") + dev_filetrans($1, tty_device_t, chr_file, "dcbri4") + dev_filetrans($1, tty_device_t, chr_file, "dcbri5") + dev_filetrans($1, tty_device_t, chr_file, "dcbri6") + dev_filetrans($1, tty_device_t, chr_file, "dcbri7") + dev_filetrans($1, tty_device_t, chr_file, "dcbri8") + dev_filetrans($1, tty_device_t, chr_file, "dcbri9") + dev_filetrans($1, tty_device_t, chr_file, "vcsa") + dev_filetrans($1, tty_device_t, chr_file, "vcsb") + dev_filetrans($1, tty_device_t, chr_file, "vcsc") + dev_filetrans($1, tty_device_t, chr_file, "vcsd") + dev_filetrans($1, tty_device_t, chr_file, "vcse") + dev_filetrans($1, tty_device_t, chr_file, "hvc0") + dev_filetrans($1, tty_device_t, chr_file, "hvc1") + dev_filetrans($1, tty_device_t, chr_file, "hvc2") + dev_filetrans($1, tty_device_t, chr_file, "hvc3") + dev_filetrans($1, tty_device_t, chr_file, "hvc4") + dev_filetrans($1, tty_device_t, chr_file, "hvc5") + dev_filetrans($1, tty_device_t, chr_file, "hvc6") + dev_filetrans($1, tty_device_t, chr_file, "hvc7") + dev_filetrans($1, tty_device_t, chr_file, "hvc8") + dev_filetrans($1, tty_device_t, chr_file, "hvc9") + dev_filetrans($1, tty_device_t, chr_file, "hvsi0") + dev_filetrans($1, tty_device_t, chr_file, "hvsi1") + dev_filetrans($1, tty_device_t, chr_file, "hvsi2") + dev_filetrans($1, tty_device_t, chr_file, "hvsi3") + dev_filetrans($1, tty_device_t, chr_file, "hvsi4") + dev_filetrans($1, tty_device_t, chr_file, "hvsi5") + dev_filetrans($1, tty_device_t, chr_file, "hvsi6") + dev_filetrans($1, tty_device_t, chr_file, "hvsi7") + dev_filetrans($1, tty_device_t, chr_file, "hvsi8") + dev_filetrans($1, tty_device_t, chr_file, "hvsi9") + dev_filetrans($1, tty_device_t, chr_file, "ircomm0") + dev_filetrans($1, tty_device_t, chr_file, "ircomm1") + dev_filetrans($1, tty_device_t, chr_file, "ircomm2") + dev_filetrans($1, tty_device_t, chr_file, "ircomm3") + dev_filetrans($1, tty_device_t, chr_file, "ircomm4") + dev_filetrans($1, tty_device_t, chr_file, "ircomm5") + dev_filetrans($1, tty_device_t, chr_file, "ircomm6") + dev_filetrans($1, tty_device_t, chr_file, "ircomm7") + dev_filetrans($1, tty_device_t, chr_file, "ircomm8") + dev_filetrans($1, tty_device_t, chr_file, "ircomm9") + dev_filetrans($1, tty_device_t, chr_file, "isdn0") + dev_filetrans($1, tty_device_t, chr_file, "isdn1") + dev_filetrans($1, tty_device_t, chr_file, "isdn2") + dev_filetrans($1, tty_device_t, chr_file, "isdn3") + dev_filetrans($1, tty_device_t, chr_file, "isdn4") + dev_filetrans($1, tty_device_t, chr_file, "isdn5") + dev_filetrans($1, tty_device_t, chr_file, "isdn6") + dev_filetrans($1, tty_device_t, chr_file, "isdn7") + dev_filetrans($1, tty_device_t, chr_file, "isdn8") + dev_filetrans($1, tty_device_t, chr_file, "isdn9") + filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx") + dev_filetrans($1, ptmx_t, chr_file, "ptmx") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm0") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm1") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm2") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm3") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm4") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm5") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm6") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm7") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm8") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm9") + dev_filetrans($1, tty_device_t, chr_file, "slamr0") + dev_filetrans($1, tty_device_t, chr_file, "slamr1") + dev_filetrans($1, tty_device_t, chr_file, "slamr2") + dev_filetrans($1, tty_device_t, chr_file, "slamr3") + dev_filetrans($1, tty_device_t, chr_file, "slamr4") + dev_filetrans($1, tty_device_t, chr_file, "slamr5") + dev_filetrans($1, tty_device_t, chr_file, "slamr6") + dev_filetrans($1, tty_device_t, chr_file, "slamr7") + dev_filetrans($1, tty_device_t, chr_file, "slamr8") + dev_filetrans($1, tty_device_t, chr_file, "slamr9") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM0") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM1") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM2") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM3") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM4") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM5") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM6") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM7") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM8") + dev_filetrans($1, tty_device_t, chr_file, "ttyACM9") + dev_filetrans($1, tty_device_t, chr_file, "ttyS0") + dev_filetrans($1, tty_device_t, chr_file, "ttyS1") + dev_filetrans($1, tty_device_t, chr_file, "ttyS2") + dev_filetrans($1, tty_device_t, chr_file, "ttyS3") + dev_filetrans($1, tty_device_t, chr_file, "ttyS4") + dev_filetrans($1, tty_device_t, chr_file, "ttyS5") + dev_filetrans($1, tty_device_t, chr_file, "ttyS6") + dev_filetrans($1, tty_device_t, chr_file, "ttyS7") + dev_filetrans($1, tty_device_t, chr_file, "ttyS8") + dev_filetrans($1, tty_device_t, chr_file, "ttyS9") + dev_filetrans($1, tty_device_t, chr_file, "ttySG0") + dev_filetrans($1, tty_device_t, chr_file, "ttySG1") + dev_filetrans($1, tty_device_t, chr_file, "ttySG2") + dev_filetrans($1, tty_device_t, chr_file, "ttySG3") + dev_filetrans($1, tty_device_t, chr_file, "ttySG4") + dev_filetrans($1, tty_device_t, chr_file, "ttySG5") + dev_filetrans($1, tty_device_t, chr_file, "ttySG6") + dev_filetrans($1, tty_device_t, chr_file, "ttySG7") + dev_filetrans($1, tty_device_t, chr_file, "ttySG8") + dev_filetrans($1, tty_device_t, chr_file, "ttySG9") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p0") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p1") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p2") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p3") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p4") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p5") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p6") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p7") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p8") + dev_filetrans($1, virtio_device_t, chr_file, "vport0p9") + dev_filetrans($1, devpts_t, dir, "pts") + dev_filetrans($1, tty_device_t, chr_file, "xvc0") + dev_filetrans($1, tty_device_t, chr_file, "xvc1") + dev_filetrans($1, tty_device_t, chr_file, "xvc2") + dev_filetrans($1, tty_device_t, chr_file, "xvc3") + dev_filetrans($1, tty_device_t, chr_file, "xvc4") + dev_filetrans($1, tty_device_t, chr_file, "xvc5") + dev_filetrans($1, tty_device_t, chr_file, "xvc6") + dev_filetrans($1, tty_device_t, chr_file, "xvc7") + dev_filetrans($1, tty_device_t, chr_file, "xvc8") + dev_filetrans($1, tty_device_t, chr_file, "xvc9") ') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 66e116a3f..a0a5d90fe 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) fs_associate_tmpfs(devpts_t) fs_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); +dev_associate(devpts_t) # # devtty_t is the type of /dev/tty. @@ -57,5 +58,8 @@ dev_node(tty_device_t) type usbtty_device_t, serial_device; dev_node(usbtty_device_t) +# +# virtio_device_t is the type of /dev/vport[0-9]p[0-9] +# type virtio_device_t, serial_device; dev_node(virtio_device_t) diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc new file mode 100644 index 000000000..f310b9d55 --- /dev/null +++ b/policy/modules/kernel/unlabelednet.fc @@ -0,0 +1 @@ +# No unlabelednet file contexts. diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if new file mode 100644 index 000000000..0ce04703a --- /dev/null +++ b/policy/modules/kernel/unlabelednet.if @@ -0,0 +1 @@ +## Policy for allowing confined domains to use unlabeled_t packets diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te new file mode 100644 index 000000000..48caabc7e --- /dev/null +++ b/policy/modules/kernel/unlabelednet.te @@ -0,0 +1,12 @@ +policy_module(unlabelednet, 1.0.0) + +corenet_enable_unlabeled_packets() + +gen_require(` + type unlabeled_t; + attribute domain; +') + +# temporary hack until labeling on packets is supported +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index 834a065de..ff9369756 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) role auditadm_r; role system_r; -userdom_unpriv_user_template(auditadm) +userdom_confined_admin_template(auditadm) ######################################## # @@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) +mls_file_read_all_levels(auditadm_t) + +selinux_read_policy(auditadm_t) + logging_send_syslog_msg(auditadm_t) logging_read_generic_logs(auditadm_t) logging_manage_audit_log(auditadm_t) logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t, auditadm_r) logging_run_auditd(auditadm_t, auditadm_r) +logging_stream_connect_syslog(auditadm_t) seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) +userdom_dontaudit_search_admin_dir(auditadm_t) + optional_policy(` consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te index 3a45a3ef0..7499f24b5 100644 --- a/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te @@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) role logadm_r; -userdom_base_user_template(logadm) +userdom_confined_admin_template(logadm) ######################################## # # logadmin local policy # -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index da111206f..21ab89b20 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) role secadm_r; -userdom_unpriv_user_template(secadm) -userdom_security_admin_template(secadm_t, secadm_r) +userdom_confined_admin_template(secadm) +userdom_security_admin(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) +userdom_manage_tmp_role(secadm_r, secadm_t) ######################################## # @@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) allow secadm_t self:capability { dac_read_search dac_override }; +kernel_read_system_state(secadm_t) + corecmd_exec_shell(secadm_t) dev_relabel_all_dev_nodes(secadm_t) +dev_read_urand(secadm_t) domain_obj_id_change_exemption(secadm_t) @@ -30,14 +36,15 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) -files_relabel_non_auth_files(secadm_t) -auth_relabel_shadow(secadm_t) +files_relabel_all_files(secadm_t) init_exec(secadm_t) logging_read_audit_log(secadm_t) logging_read_generic_logs(secadm_t) logging_read_audit_config(secadm_t) +logging_map_audit_config(secadm_t) +logging_map_audit_log(secadm_t) optional_policy(` aide_run(secadm_t, secadm_r) diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if index 234a940f9..d340f20b9 100644 --- a/policy/modules/roles/staff.if +++ b/policy/modules/roles/staff.if @@ -1,4 +1,4 @@ -## Administrator's unprivileged user role +## Administrator's unprivileged user ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 0fef1fca2..c03a52c04 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,11 +8,74 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) + +## +##

      +## allow staff user to create and transition to svirt domains. +##

      +##
      +gen_tunable(staff_use_svirt, false) ######################################## # # Local policy # +corenet_ib_access_unlabeled_pkeys(staff_t) + +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) +kernel_read_fs_sysctls(staff_t) +kernel_read_numa_state(staff_t) +kernel_write_numa_state(staff_t) + +fs_read_hugetlbfs_files(staff_t) +files_dontaudit_read_all_symlinks(staff_t) + +dev_read_cpuid(staff_t) +dev_read_kmsg(staff_t) +dev_map_video_dev(staff_t) + +domain_read_all_domains_state(staff_t) +domain_getcap_all_domains(staff_t) +domain_getsched_all_domains(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) + +files_read_kernel_modules(staff_t) + +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) +seutil_dbus_chat_semanage(staff_t) +seutil_read_login_config(staff_t) + +storage_read_scsi_generic(staff_t) +storage_write_scsi_generic(staff_t) + +term_use_unallocated_ttys(staff_t) + +auth_domtrans_pam_console(staff_t) + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) +init_status(staff_t) + +miscfiles_read_hwdata(staff_t) +miscfiles_map_generic_certs(staff_t) + +ifndef(`enable_mls',` + selinux_read_policy(staff_t) +') + +optional_policy(` + abrt_read_cache(staff_t) +') + +optional_policy(` + accountsd_read_lib_files(staff_t) +') optional_policy(` apache_role(staff_r, staff_t) @@ -22,33 +85,205 @@ optional_policy(` auditadm_role_change(staff_r) ') +optional_policy(` + blueman_dbus_chat(staff_t) +') + +optional_policy(` + kdumpgui_dbus_chat(staff_t) +') + +optional_policy(` + bluetooth_role(staff_r, staff_t) +') + +optional_policy(` + chrome_role(staff_r, staff_t) +') + +optional_policy(` + colord_dbus_chat(staff_t) +') + optional_policy(` dbadm_role_change(staff_r) ') optional_policy(` - git_role(staff_r, staff_t) + dnsmasq_read_pid_files(staff_t) +') + +optional_policy(` + dmesg_exec(staff_t) +') + +optional_policy(` + dirsrv_stream_connect(staff_t) + dirsrv_manage_log(staff_t) + dirsrv_manage_var_lib(staff_t) + dirsrv_manage_var_run(staff_t) + dirsrv_manage_config(staff_t) +') + + + +optional_policy(` + container_stream_connect(staff_t) + container_runtime_exec(staff_t) +') + +optional_policy(` + firewalld_dbus_chat(staff_t) +') + +optional_policy(` + firewallgui_dbus_chat(staff_t) +') + +optional_policy(` + freqset_run(staff_t, staff_r) +') + +optional_policy(` + irc_role(staff_r, staff_t) +') + +optional_policy(` + journalctl_role(staff_r, staff_t) +') + +optional_policy(` + kerneloops_dbus_chat(staff_t) +') + +optional_policy(` + logadm_role_change(staff_r) +') + +optional_policy(` + lpd_list_spool(staff_t) +') + +optional_policy(` + mandb_map_cache_files(staff_t) +') + +optional_policy(` + mock_role(staff_r, staff_t) +') + +optional_policy(` + mozilla_run_plugin(staff_t, staff_r) +') + +optional_policy(` + modutils_read_module_config(staff_t) + modutils_read_module_deps(staff_t) +') + +optional_policy(` + netutils_run_ping(staff_t, staff_r) + netutils_run_traceroute(staff_t, staff_r) + netutils_signal_ping(staff_t) + netutils_kill_ping(staff_t) +') + +optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) +') + +optional_policy(` + mta_role(staff_r, staff_t) +') + +optional_policy(` + mysql_exec(staff_t) +') + +optional_policy(` + polipo_role(staff_r, staff_t) + polipo_named_filetrans_cache_home_dirs(staff_t) + polipo_named_filetrans_config_home_files(staff_t) +') + +optional_policy(` + openvpn_exec(staff_t) ') optional_policy(` postgresql_role(staff_r, staff_t) ') +optional_policy(` + rtkit_scheduled(staff_t) +') + +optional_policy(` + rpm_dbus_chat(staff_t) +') + +optional_policy(` + rwho_read_spool_files(staff_t) +') + optional_policy(` secadm_role_change(staff_r) ') optional_policy(` - ssh_role_template(staff, staff_r, staff_t) + sandbox_transition(staff_t, staff_r) ') optional_policy(` - sudo_role_template(staff, staff_r, staff_t) + sandbox_x_transition(staff_t, staff_r) +') + +optional_policy(` + screen_role_template(staff, staff_r, staff_t) ') optional_policy(` sysadm_role_change(staff_r) userdom_dontaudit_use_user_terminals(staff_t) + userdom_dontaudit_read_admin_home_files(staff_t) +') + +optional_policy(` + systemd_read_unit_files(staff_t) + systemd_exec_systemctl(staff_t) +') + +optional_policy(` + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) + setroubleshoot_dbus_chat_fixit(staff_t) +') + +optional_policy(` + ssh_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + sudo_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + unconfined_role_change(staff_r) +') + +optional_policy(` + usbmuxd_stream_connect(staff_t) +') + +optional_policy(` + virt_getattr_exec(staff_t) + virt_search_images(staff_t) + virt_stream_connect(staff_t) ') optional_policy(` @@ -56,7 +291,24 @@ optional_policy(` ') optional_policy(` - xserver_role(staff_r, staff_t) + vmtools_run_helper(staff_t, staff_r) +') + +optional_policy(` + vnstatd_read_lib_files(staff_t) +') + +optional_policy(` + webadm_role_change(staff_r) +') + +optional_policy(` + wireshark_role(staff_r, staff_t) +') + +optional_policy(` + xserver_read_log(staff_t) + xserver_run(staff_t, staff_r) ') ifndef(`distro_redhat',` @@ -64,10 +316,6 @@ ifndef(`distro_redhat',` auth_role(staff_r, staff_t) ') - optional_policy(` - bluetooth_role(staff_r, staff_t) - ') - optional_policy(` cdrecord_role(staff_r, staff_t) ') @@ -78,10 +326,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) - - optional_policy(` - gnome_role_template(staff, staff_r, staff_t) - ') ') optional_policy(` @@ -100,10 +344,6 @@ ifndef(`distro_redhat',` gpg_role(staff_r, staff_t) ') - optional_policy(` - irc_role(staff_r, staff_t) - ') - optional_policy(` java_role(staff_r, staff_t) ') @@ -124,10 +364,6 @@ ifndef(`distro_redhat',` mplayer_role(staff_r, staff_t) ') - optional_policy(` - mta_role(staff_r, staff_t) - ') - optional_policy(` pyzor_role(staff_r, staff_t) ') @@ -140,10 +376,6 @@ ifndef(`distro_redhat',` rssh_role(staff_r, staff_t) ') - optional_policy(` - screen_role_template(staff, staff_r, staff_t) - ') - optional_policy(` spamassassin_role(staff_r, staff_t) ') @@ -176,3 +408,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') + +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(staff_t) +') + +optional_policy(` + virt_transition_svirt(staff_t, staff_r) + virt_filetrans_home_content(staff_t) +') + +optional_policy(` + tunable_policy(`staff_use_svirt',` + allow staff_t self:fifo_file relabelfrom; + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) + virt_stream_connect_svirt(staff_t) + virt_systemctl(staff_t) + virt_rw_stream_sockets_svirt(staff_t) + virt_exec(staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if index ff9243078..36740eab3 100644 --- a/policy/modules/roles/sysadm.if +++ b/policy/modules/roles/sysadm.if @@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` allow sysadm_t $1:process sigchld; ') +####################################### +## +## sysadm stub interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`sysadm_stub',` + gen_require(` + type sysadm_t; + role sysadm_r; + ') +') + ######################################## ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 2522ca6c0..aaa5a272d 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,112 @@ policy_module(sysadm, 2.6.1) # Declarations # -## -##

      -## Allow sysadm to debug or ptrace all processes. -##

      -##
      -gen_tunable(allow_ptrace, false) - role sysadm_r; userdom_admin_user_template(sysadm) +allow sysadm_t self:socket { accept listen }; +allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow sysadm_t self:tipc_socket create_socket_perms; +allow sysadm_t self:netlink_generic_socket create_socket_perms; +allow sysadm_t self:sctp_socket create_socket_perms; +allow sysadm_t self:rawip_socket create_socket_perms; -ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -') ######################################## # # Local policy # +kernel_read_fs_sysctls(sysadm_t) +kernel_read_all_proc(sysadm_t) corecmd_exec_shell(sysadm_t) +dev_filetrans_all_named_dev(sysadm_t) + +domain_dontaudit_read_all_domains_state(sysadm_t) + +files_read_kernel_modules(sysadm_t) +files_filetrans_named_content(sysadm_t) +files_status_etc(sysadm_t) + +fs_mount_fusefs(sysadm_t) + +storage_filetrans_all_named_dev(sysadm_t) + +term_filetrans_all_named_dev(sysadm_t) + mls_process_read_up(sysadm_t) +mls_file_read_all_levels(sysadm_t) +mls_file_write_all_levels(sysadm_t) +mls_file_read_to_clearance(sysadm_t) +mls_process_write_to_clearance(sysadm_t) + +storage_setattr_fixed_disk_dev(sysadm_t) ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) +application_exec(sysadm_t) + +init_filetrans_named_content(sysadm_t) +init_disable_services(sysadm_t) +init_enable_services(sysadm_t) +init_reload_services(sysadm_t) init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) +init_script_role_transition(sysadm_r) +init_status(sysadm_t) +init_reboot(sysadm_t) +init_halt(sysadm_t) +init_undefined(sysadm_t) +init_ioctl_stream_sockets(sysadm_t) + +logging_filetrans_named_content(sysadm_t) +logging_map_audit_config(sysadm_t) +logging_map_audit_log(sysadm_t) + +miscfiles_filetrans_named_content(sysadm_t) +miscfiles_read_hwdata(sysadm_t) +miscfiles_map_generic_certs(sysadm_t) + +sysnet_filetrans_named_content(sysadm_t) # Add/remove user home directories +userdom_manage_user_tmp_chr_files(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_tmp_role(sysadm_r, sysadm_t) +userdom_exec_admin_home_files(sysadm_t) +userdom_manage_admin_files(sysadm_t) +userdom_manage_admin_dirs(sysadm_t) + +corenet_ib_access_unlabeled_pkeys(sysadm_t) +corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) + +optional_policy(` + abrt_filetrans_named_content(sysadm_t) +') + +optional_policy(` + alsa_filetrans_named_content(sysadm_t) +') + +optional_policy(` + dirsrv_domtrans(sysadm_t) + dirsrv_stream_connect(sysadm_t) + dirsrv_manage_log(sysadm_t) + dirsrv_manage_var_lib(sysadm_t) + dirsrv_manage_var_run(sysadm_t) + dirsrv_manage_config(sysadm_t) + dirsrv_run(sysadm_t, sysadm_r) +') + +optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) + ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` @@ -55,13 +128,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') -ifndef(`enable_mls',` - logging_manage_audit_log(sysadm_t) - logging_manage_audit_config(sysadm_t) - logging_run_auditctl(sysadm_t, sysadm_r) -') - -tunable_policy(`allow_ptrace',` +tunable_policy(`deny_ptrace',`',` domain_ptrace_all_domains(sysadm_t) ') @@ -71,9 +138,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) + apache_filetrans_named_content(sysadm_t) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -87,6 +154,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) + asterisk_exec(sysadm_t) ') optional_policy(` @@ -109,12 +177,18 @@ optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') +optional_policy(` + certmonger_dbus_chat(sysadm_t) +') + optional_policy(` certwatch_run(sysadm_t, sysadm_r) ') optional_policy(` clock_run(sysadm_t, sysadm_r) + clock_manage_adjtime(sysadm_t) + clock_filetrans_named_content(sysadm_t) ') optional_policy(` @@ -122,11 +196,31 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) +') + +optional_policy(` + consoletype_exec(sysadm_t) +') + +optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + +optional_policy(` + gen_require(` + type sysadm_dbusd_t; + ') + + dontaudit sysadm_dbusd_t self:capability net_admin; + ') optional_policy(` - cvs_exec(sysadm_t) + systemd_dbus_chat_timedated(sysadm_t) + systemd_dbus_chat_hostnamed(sysadm_t) + systemd_dbus_chat_localed(sysadm_t) + systemd_hwdb_mmap_config(sysadm_t) ') optional_policy(` @@ -139,6 +233,10 @@ optional_policy(` ddcprobe_run(sysadm_t, sysadm_r) ') +optional_policy(` + devicekit_filetrans_named_content(sysadm_t) +') + optional_policy(` dmesg_exec(sysadm_t) ') @@ -155,6 +253,10 @@ optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') +optional_policy(` + firewalld_dbus_chat(sysadm_t) +') + optional_policy(` fstools_run(sysadm_t, sysadm_r) ') @@ -163,6 +265,11 @@ optional_policy(` hostname_run(sysadm_t, sysadm_r) ') +optional_policy(` + hwloc_admin(sysadm_t) + hwloc_run_dhwd(sysadm_t, sysadm_r) +') + optional_policy(` hadoop_role(sysadm_r, sysadm_t) ') @@ -175,10 +282,27 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) + ipsec_run_setkey(sysadm_t, sysadm_r) + ipsec_run_racoon(sysadm_t, sysadm_r) + ipsec_stream_connect_racoon(sysadm_t) + + optional_policy(` + ipsec_mgmt_dbus_chat(sysadm_t) + ') ') optional_policy(` iptables_run(sysadm_t, sysadm_r) + iptables_filetrans_named_content(sysadm_t) +') + +optional_policy(` + irc_role(sysadm_r, sysadm_t) +') + +optional_policy(` + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ') optional_policy(` @@ -190,11 +314,12 @@ optional_policy(` ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) + logrotate_run(sysadm_t, sysadm_r) ') optional_policy(` - logrotate_run(sysadm_t, sysadm_r) + corenet_tcp_bind_ldap_port(sysadm_t) + ldap_admin(sysadm_t, sysadm_r) ') optional_policy(` @@ -210,22 +335,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) + modutils_read_module_deps(sysadm_t) + modules_filetrans_named_content(sysadm_t) ') optional_policy(` mount_run(sysadm_t, sysadm_r) -') - -optional_policy(` - mozilla_role(sysadm_r, sysadm_t) -') - -optional_policy(` - mplayer_role(sysadm_r, sysadm_t) + mount_run_showmount(sysadm_t, sysadm_r) ') optional_policy(` mta_role(sysadm_r, sysadm_t) + # this is defined in userdom_common_user_template + #mta_filetrans_home_content(sysadm_t) + mta_filetrans_admin_home_content(sysadm_t) + mta_rw_aliases(sysadm_t) ') optional_policy(` @@ -236,25 +360,53 @@ optional_policy(` mysql_stream_connect(sysadm_t) ') +optional_policy(` + ncftool_run(sysadm_t, sysadm_r) +') + optional_policy(` netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) ') +optional_policy(` + networkmanager_filetrans_named_content(sysadm_t) + networkmanager_stream_connect(sysadm_t) +') + optional_policy(` ntp_stub() corenet_udp_bind_ntp_port(sysadm_t) + ntp_admin(sysadm_t, sysadm_r) +') + +optional_policy(` + nx_filetrans_named_content(sysadm_t) +') + +optional_policy(` + oddjob_dbus_chat(sysadm_t) ') optional_policy(` oav_run_update(sysadm_t, sysadm_r) ') +optional_policy(` + openvpn_run(sysadm_t, sysadm_r) +') + optional_policy(` pcmcia_run_cardctl(sysadm_t, sysadm_r) ') +optional_policy(` + polipo_role(sysadm_r, sysadm_t) + polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) + polipo_named_filetrans_admin_config_home_files(sysadm_t) +') + optional_policy(` portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) @@ -266,35 +418,47 @@ optional_policy(` ') optional_policy(` - pyzor_role(sysadm_r, sysadm_t) + postfix_admin(sysadm_t, sysadm_r) ') optional_policy(` - quota_run(sysadm_t, sysadm_r) + postgresql_admin(sysadm_t, sysadm_r) + postgresql_run(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) + journalctl_role(sysadm_r, sysadm_t) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) + prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - rpc_domtrans_nfsd(sysadm_t) + puppet_run_puppetca(sysadm_t, sysadm_r) + puppet_run(sysadm_t, sysadm_r) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) + quota_filetrans_named_content(sysadm_t) ') optional_policy(` - rssh_role(sysadm_r, sysadm_t) + raid_run_mdadm(sysadm_r,sysadm_t) +') + +optional_policy(` + rpc_domtrans_nfsd(sysadm_t) +') + +optional_policy(` + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') optional_policy(` rsync_exec(sysadm_t) + rsync_filetrans_named_content(sysadm_t) ') optional_policy(` @@ -308,19 +472,28 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) + allow sysadm_screen_t self:capability { dac_read_search dac_override }; ') optional_policy(` secadm_role_change(sysadm_r) ') +optional_policy(` + setroubleshoot_stream_connect(sysadm_t) + setroubleshoot_dbus_chat(sysadm_t) + setroubleshoot_dbus_chat_fixit(sysadm_t) +') + optional_policy(` seutil_run_setfiles(sysadm_t, sysadm_r) seutil_run_runinit(sysadm_t, sysadm_r) + seutil_dbus_chat_semanage(sysadm_t) + seutil_read_login_config(sysadm_t) ') optional_policy(` - spamassassin_role(sysadm_r, sysadm_t) + shutdown_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -345,30 +518,38 @@ optional_policy(` ') optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) + systemd_passwd_agent_run(sysadm_t, sysadm_r) + systemd_config_all_services(sysadm_t) + systemd_manage_all_unit_files(sysadm_t) + systemd_manage_all_unit_lnk_files(sysadm_t) + systemd_login_status(sysadm_t) + systemd_login_reboot(sysadm_t) + systemd_login_halt(sysadm_t) + systemd_login_undefined(sysadm_t) + systemd_tmpfiles_run(sysadm_t, sysadm_r) ') optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) - tripwire_run_twadmin(sysadm_t, sysadm_r) - tripwire_run_twprint(sysadm_t, sysadm_r) + systemd_exec_sysctl(sysadm_t) ') optional_policy(` - tvtime_role(sysadm_r, sysadm_t) + tftp_filetrans_named_content(sysadm_t) ') optional_policy(` - tzdata_domtrans(sysadm_t) + tripwire_run_siggen(sysadm_t, sysadm_r) + tripwire_run_tripwire(sysadm_t, sysadm_r) + tripwire_run_twadmin(sysadm_t, sysadm_r) + tripwire_run_twprint(sysadm_t, sysadm_r) ') optional_policy(` - uml_role(sysadm_r, sysadm_t) + tzdata_domtrans(sysadm_t) ') optional_policy(` - unconfined_domtrans(sysadm_t) + udev_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -379,10 +560,6 @@ optional_policy(` usbmodules_run(sysadm_t, sysadm_r) ') -optional_policy(` - userhelper_role_template(sysadm, sysadm_r, sysadm_t) -') - optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) @@ -391,6 +568,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) + virt_filetrans_home_content(sysadm_t) + virt_manage_pid_dirs(sysadm_t) + virt_transition_svirt_sandbox(sysadm_t, sysadm_r) ') optional_policy(` @@ -398,19 +578,19 @@ optional_policy(` ') optional_policy(` - vpn_run(sysadm_t, sysadm_r) + vlock_run(sysadm_t, sysadm_r) ') optional_policy(` - webalizer_run(sysadm_t, sysadm_r) + vpn_run(sysadm_t, sysadm_r) ') optional_policy(` - wireshark_role(sysadm_r, sysadm_t) + webalizer_run(sysadm_t, sysadm_r) ') optional_policy(` - vlock_run(sysadm_t, sysadm_r) + wireshark_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -421,53 +601,11 @@ optional_policy(` yam_run(sysadm_t, sysadm_r) ') -ifndef(`distro_redhat',` - optional_policy(` - auth_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) - - optional_policy(` - gnome_role_template(sysadm, sysadm_r, sysadm_t) - ') - ') - - optional_policy(` - evolution_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - games_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - gift_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - gpg_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - irc_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - java_role(sysadm_r, sysadm_t) - ') +optional_policy(` + zebra_stream_connect(sysadm_t) ') +optional_policy(` + gnome_role_template(sysadm, sysadm_r, sysadm_t) + gnome_filetrans_admin_home_content(sysadm_t) +') diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc new file mode 100644 index 000000000..ae3b6db92 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.fc @@ -0,0 +1 @@ +# No context diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if new file mode 100644 index 000000000..bd83148e1 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.if @@ -0,0 +1 @@ +## No Interfaces diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te new file mode 100644 index 000000000..63bc79792 --- /dev/null +++ b/policy/modules/roles/sysadm_secadm.te @@ -0,0 +1,25 @@ +policy_module(sysadm_secadm, 1.0.0) + +######################################## +# +# Declarations +# + +gen_require(` + type sysadm_t; + role sysadm_r; +') + +userdom_security_admin_template(sysadm_t, sysadm_r) + +####################################### +# +# Local policy +# + +mls_file_write_all_levels(sysadm_t) + +logging_manage_audit_log(sysadm_t) +logging_manage_audit_config(sysadm_t) +logging_run_auditctl(sysadm_t, sysadm_r) +logging_stream_connect_syslog(sysadm_t) diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc new file mode 100644 index 000000000..d9efb902a --- /dev/null +++ b/policy/modules/roles/unconfineduser.fc @@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +#/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) + +#/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 index 000000000..623345242 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if @@ -0,0 +1,708 @@ +## Unconfined user role + +######################################## +## +## Change from the unconfineduser role. +## +## +##

      +## Change from the unconfineduser role to +## the specified role. +##

      +##

      +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

      +##
      +## +## +## Role allowed access. +## +## +## +# +interface(`unconfined_role_change_to',` + gen_require(` + role unconfined_r; + ') + + allow unconfined_r $1; +') + +######################################## +## +## Transition to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_domtrans',` + gen_require(` + type unconfined_t, unconfined_exec_t; + ') + + domtrans_pattern($1,unconfined_exec_t,unconfined_t) +') + +######################################## +## +## Execute specified programs in the unconfined domain. +## +## +## +## The type of the process performing this action. +## +## +## +## +## The role to allow the unconfined domain. +## +## +# +interface(`unconfined_run',` + gen_require(` + type unconfined_t; + ') + + unconfined_domtrans($1) + role $2 types unconfined_t; +') + +######################################## +## +## Transition to the unconfined domain by executing a shell. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_shell_domtrans',` + gen_require(` + attribute unconfined_login_domain; + ') + typeattribute $1 unconfined_login_domain; +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. +## +## +##

      +## Allow unconfined to execute the specified program in +## the specified domain. +##

      +##

      +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

      +##
      +## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_domtrans_to',` + gen_require(` + type unconfined_t; + ') + + domtrans_pattern(unconfined_t,$2,$1) +') + +######################################## +## +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +## +## +##

      +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +##

      +##

      +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

      +##
      +## +## +## Domain to execute in. +## +## +## +## +## Domain entry point file. +## +## +# +interface(`unconfined_run_to',` + gen_require(` + type unconfined_t; + role unconfined_r; + ') + + domtrans_pattern(unconfined_t,$2,$1) + role unconfined_r types $1; + userdom_use_user_terminals($1) +') + +###################################### +## +## Stub unconfined role. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_stub_role',` + gen_require(` + role unconfined_r; + ') +') + +######################################## +## +## Inherit file descriptors from the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_use_fds',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fd use; +') + +######################################## +## +## Send a SIGCHLD signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_sigchld',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process sigchld; +') + +######################################## +## +## Send a SIGNULL signal to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_signull',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signull; +') + +######################################## +## +## Send generic signals to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_signal',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signal; +') + +######################################## +## +## Send generic signals to the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_setsched',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process setsched; +') + +######################################## +## +## Read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file read_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dontaudit_read_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file read; +') + +######################################## +## +## Read and write unconfined domain unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file rw_file_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Connect to the unconfined domain using +## a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_stream_connect',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket connectto; +') + +######################################## +## +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +## +## +##

      +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +##

      +##

      +## This interface was added due to a broken +## symptom in ldconfig. +##

      +##
      +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_tcp_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:tcp_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read or write +## unconfined domain packet sockets. +## +## +##

      +## Do not audit attempts to read or write +## unconfined domain packet sockets. +##

      +##

      +## This interface was added due to a broken +## symptom. +##

      +##
      +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_packet_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:packet_socket { read write }; +') + +######################################## +## +## Create keys for the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_create_keys',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:key create; +') + +######################################## +## +## Dontaudit write process information for unconfined process. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dontaudit_write_state',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:file write; +') + +######################################## +## +## Write keys for the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_write_keys',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:key write; +') + +######################################## +## +## Send messages to the unconfined domain over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_send',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## unconfined_t over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_chat',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; + allow unconfined_t $1:dbus send_msg; +') + +######################################## +## +## Connect to the the unconfined DBUS +## for service (acquire_svc). +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; + class dbus acquire_svc; + ') + + allow $1 unconfined_t:dbus acquire_svc; +') + +######################################## +## +## Allow ptrace of unconfined domain +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process ptrace; +') + +######################################## +## +## Read and write to unconfined shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`unconfined_rw_shm',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:shm rw_shm_perms; +') + +######################################## +## +## Allow apps to set rlimits on unconfined user +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_set_rlimitnh',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## +## Get the process group of unconfined. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_getpgid',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process getpgid; +') + +######################################## +## +## Change to the unconfined role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`unconfined_role_change',` + gen_require(` + role unconfined_r; + ') + + allow $1 unconfined_r; +') + +######################################## +## +## Allow domain to attach to TUN devices created by unconfined_t users. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_attach_tun_iface',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## +## Allow domain to transition to unconfined_t user +## +## +## +## Domain allowed access. +## +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_transition',` + gen_require(` + type unconfined_t; + ') + + domtrans_pattern($1,$2,unconfined_t) + allow unconfined_t $2:file entrypoint; + allow $1 unconfined_t:process signal_perms; +') + +######################################## +## +## unconfined_t domain typebounds calling domain. +## +## +## +## Domain to be typebound. +## +## +# +interface(`unconfined_typebounds',` + gen_require(` + type unconfined_t; + ') + + typebounds unconfined_t $1; +') + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 index 000000000..d280802ba --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,361 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## +# +# Declarations +# +attribute unconfined_login_domain; + +## +##

      +## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +##

      +##
      +gen_tunable(unconfined_chrome_sandbox_transition, false) + +## +##

      +## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +##

      +##
      +gen_tunable(unconfined_mozilla_plugin_transition, false) + +## +##

      +## Allow a user to login as an unconfined domain +##

      +##
      +gen_tunable(unconfined_login, true) + +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types +userdom_base_user_template(unconfined) +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_unpriv_type(unconfined_t) + +type unconfined_exec_t; +application_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) +role system_r types unconfined_t; +typealias unconfined_t alias unconfined_crontab_t; + +######################################## +# +# Local policy +# + +dontaudit unconfined_t self:dir write; +dontaudit unconfined_t self:file setattr; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + +allow unconfined_t file_type:system module_load; + +allow unconfined_t self:cap_userns all_cap_userns_perms; + +kernel_rw_unlabeled_socket(unconfined_t) +kernel_rw_unlabeled_rawip_socket(unconfined_t) + +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + +logging_send_syslog_msg(unconfined_t) + +systemd_config_all_services(unconfined_t) + +unconfined_domain_noaudit(unconfined_t) +domain_named_filetrans(unconfined_t) +domain_transition_all(unconfined_t) + +usermanage_run_passwd(unconfined_t, unconfined_r) + +tunable_policy(`deny_execmem',`',` + allow unconfined_t self:process execmem; +') + +tunable_policy(`selinuxuser_execstack',` + allow unconfined_t self:process execstack; +') + +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(unconfined_t) +') + +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; + allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; + allow unconfined_t unconfined_login_domain:process sigchld; +') + +optional_policy(` + gen_require(` + type unconfined_t; + ') + + optional_policy(` + abrt_dbus_chat(unconfined_t) + abrt_run_helper(unconfined_t, unconfined_r) + ') + + optional_policy(` + avahi_dbus_chat(unconfined_t) + ') + + optional_policy(` + blueman_dbus_chat(unconfined_t) + ') + + optional_policy(` + certmonger_dbus_chat(unconfined_t) + ') + + optional_policy(` + devicekit_dbus_chat(unconfined_t) + devicekit_dbus_chat_disk(unconfined_t) + devicekit_dbus_chat_power(unconfined_t) + ') + + optional_policy(` + hal_dbus_chat(unconfined_t) + ') + + optional_policy(` + networkmanager_dbus_chat(unconfined_t) + ') + + optional_policy(` + rtkit_scheduled(unconfined_t) + ') + + # Might remove later if this proves to be problematic, but would like to gather AVCs + optional_policy(` + thumb_role(unconfined_r, unconfined_t) + ') + + optional_policy(` + setroubleshoot_dbus_chat(unconfined_t) + setroubleshoot_dbus_chat_fixit(unconfined_t) + ') + + optional_policy(` + sandbox_transition(unconfined_t, unconfined_r) + ') + + optional_policy(` + sandbox_x_transition(unconfined_t, unconfined_r) + ') + + optional_policy(` + vmtools_run_helper(unconfined_t, unconfined_r) + ') + + optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + + xserver_rw_session(unconfined_t, user_tmpfs_t) + xserver_dbus_chat_xdm(unconfined_t) + ') +') + +ifdef(`distro_gentoo',` + seutil_run_runinit(unconfined_t, unconfined_r) + seutil_init_script_run_runinit(unconfined_t, unconfined_r) +') + +optional_policy(` + accountsd_dbus_chat(unconfined_t) +') + +optional_policy(` + cron_unconfined_role(unconfined_r, unconfined_t) +') + +optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_t) + + tunable_policy(`unconfined_chrome_sandbox_transition',` + chrome_domtrans_sandbox(unconfined_t) + ') +') + +optional_policy(` + container_entrypoint(unconfined_t) +') + +optional_policy(` + oddjob_mkhomedir_entrypoint(unconfined_t) +') + +optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_dbusd_t; + + optional_policy(` + unconfined_domain_noaudit(unconfined_dbusd_t) + + optional_policy(` + xserver_rw_shm(unconfined_dbusd_t) + ') + ') + + init_dbus_chat(unconfined_t) + init_dbus_chat_script(unconfined_t) + + dbus_stub(unconfined_t) + + optional_policy(` + bluetooth_dbus_chat(unconfined_t) + ') + + optional_policy(` + consolekit_dbus_chat(unconfined_t) + ') + + optional_policy(` + cups_dbus_chat_config(unconfined_t) + ') + + optional_policy(` + fprintd_dbus_chat(unconfined_t) + ') + + optional_policy(` + systemd_dbus_chat_timedated(unconfined_t) + gnome_dbus_chat_gconfdefault(unconfined_t) + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + + optional_policy(` + ipsec_mgmt_dbus_chat(unconfined_t) + ') + + optional_policy(` + kerneloops_dbus_chat(unconfined_t) + ') + + optional_policy(` + telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) + ') + + optional_policy(` + oddjob_dbus_chat(unconfined_t) + ') + + optional_policy(` + vpn_dbus_chat(unconfined_t) + ') + + optional_policy(` + firewalld_dbus_chat(unconfined_t) + ') + + optional_policy(` + firewallgui_dbus_chat(unconfined_t) + ') +') + +optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + +optional_policy(` + fsadm_manage_pid(unconfined_t) +') + +optional_policy(` + gpsd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + anaconda_run_install(unconfined_t, unconfined_r) +') + +optional_policy(` + java_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + +#optional_policy(` +# mock_role(unconfined_r, unconfined_t) +#') + +optional_policy(` + mozilla_role_plugin(unconfined_r) + + tunable_policy(`unconfined_mozilla_plugin_transition', ` + mozilla_domtrans_plugin(unconfined_t) + ') +') + +optional_policy(` + ipa_run_helper(unconfined_t, unconfined_r) +') + +optional_policy(` + chronyd_run_chronyc(unconfined_t, unconfined_r) +') + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) + oddjob_run(unconfined_t, unconfined_r) +') + +optional_policy(` + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t, unconfined_r) + rpm_dbus_chat(unconfined_t) +') + +optional_policy(` + optional_policy(` + samba_run_unconfined_net(unconfined_t, unconfined_r) + ') + + samba_role_notrans(unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + +optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) +') + +optional_policy(` + openshift_run(unconfined_usertype, unconfined_r) +') + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) + virt_transition_svirt_sandbox(unconfined_t, unconfined_r) + virt_sandbox_entrypoint(unconfined_t) +') + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) + xserver_manage_home_fonts(unconfined_t) + xserver_xsession_entry_type(unconfined_t) +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if index 383559646..fbca2be81 100644 --- a/policy/modules/roles/unprivuser.if +++ b/policy/modules/roles/unprivuser.if @@ -1,4 +1,4 @@ -## Generic unprivileged user role +## Generic unprivileged user ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 6d77e81c5..5fc3b0b4e 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ policy_module(unprivuser, 2.4.0) +## +##

      +## Allow unprivileged user to create and transition to svirt domains. +##

      +##
      +gen_tunable(unprivuser_use_svirt, false) + # this module should be named user, but that is # a compile error since user is a keyword. @@ -12,12 +19,102 @@ role user_r; userdom_unpriv_user_template(user) +kernel_read_numa_state(user_t) +kernel_write_numa_state(user_t) + +fs_exec_noxattr(user_t) +fs_read_hugetlbfs_files(user_t) + +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + +seutil_read_module_store(user_t) + +init_dbus_chat(user_t) +init_status(user_t) + +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(user_t) +') + +optional_policy(` + abrt_read_cache(user_t) +') + optional_policy(` apache_role(user_r, user_t) ') optional_policy(` - git_role(user_r, user_t) + blueman_dbus_chat(user_t) +') + +optional_policy(` + bluetooth_role(user_r, user_t) +') + +optional_policy(` + colord_dbus_chat(user_t) +') + +optional_policy(` + chrome_role(user_r, user_t) +') + +optional_policy(` + dirsrv_stream_connect(user_t) +') + +optional_policy(` + journalctl_role(user_r, user_t) +') + +optional_policy(` + irc_role(user_r, user_t) +') + +optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) +') + +optional_policy(` + mozilla_run_plugin(user_t, user_r) +') + +optional_policy(` + mta_role(user_r, user_t) +') + +optional_policy(` + netutils_run_ping_cond(user_t, user_r) + netutils_run_traceroute_cond(user_t, user_r) +') + +optional_policy(` + polipo_role(user_r, user_t) + polipo_named_filetrans_cache_home_dirs(user_t) + polipo_named_filetrans_config_home_files(user_t) +') + +optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') + +optional_policy(` + rtkit_scheduled(user_t) +') + +optional_policy(` + sandbox_transition(user_t, user_r) +') + +optional_policy(` + sandbox_x_transition(user_t, user_r) +') + +optional_policy(` + ssh_role_template(user, user_r, user_t) ') optional_policy(` @@ -25,11 +122,19 @@ optional_policy(` ') optional_policy(` - vlock_run(user_t, user_r) + setroubleshoot_dontaudit_stream_connect(user_t) ') +#optional_policy(` +# telepathy_dbus_session_role(user_r, user_t) +#') + optional_policy(` - xserver_role(user_r, user_t) + usbmuxd_stream_connect(user_t) +') + +optional_policy(` + vlock_run(user_t, user_r) ') ifndef(`distro_redhat',` @@ -101,10 +206,6 @@ ifndef(`distro_redhat',` mplayer_role(user_r, user_t) ') - optional_policy(` - mta_role(user_r, user_t) - ') - optional_policy(` postgresql_role(user_r, user_t) ') @@ -128,7 +229,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') - optional_policy(` su_role_template(user, user_r, user_t) ') @@ -160,4 +260,24 @@ ifndef(`distro_redhat',` optional_policy(` wireshark_role(user_r, user_t) ') + + optional_policy(` + xserver_run(user_t, user_r) + ') +') + +optional_policy(` + vmtools_run_helper(user_t, user_r) +') + + +optional_policy(` + virt_transition_svirt(user_t, user_r) + virt_filetrans_home_content(user_t) +') + +optional_policy(` + tunable_policy(`unprivuser_use_svirt',` + virt_manage_images(user_t) + ') ') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc index a26f84f40..d52bc2e3c 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -10,6 +10,10 @@ # /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/postgresql-check-db-dir -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) @@ -28,9 +32,10 @@ ifdef(`distro_redhat', ` # /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) @@ -45,4 +50,4 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 9d2f31168..df0970c02 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,90 +10,46 @@ ##
      ## ## -## +## ## The type of the user domain. ## ## # interface(`postgresql_role',` gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; - class db_sequence all_db_sequence_perms; - class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; - class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type, sepgsql_database_type; - attribute sepgsql_schema_type, sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; - type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; - type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; - type user_sepgsql_schema_t, user_sepgsql_seq_t; - type user_sepgsql_sysobj_t, user_sepgsql_table_t; - type user_sepgsql_view_t; - type sepgsql_temp_object_t; + attribute sepgsql_client_type; + type sepgsql_trusted_proc_t; + type sepgsql_ranged_proc_t; ') - ######################################## - # - # Declarations - # - typeattribute $2 sepgsql_client_type; role $1 types sepgsql_trusted_proc_t; role $1 types sepgsql_ranged_proc_t; +') - ############################## - # - # Client local policy - # - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; - allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +######################################## +## +## Execute the postgresql program in the postgresql domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the postgresql domain. +## +## +## +# +interface(`postgresql_run',` + gen_require(` + type postgresql_t; ') - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - - allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; - type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; - - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - - allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; - type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; - - allow $2 user_sepgsql_view_t:db_view { getattr expand }; - type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; - - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; - - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; - - allow $2 sepgsql_ranged_proc_t:process transition; - type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; - allow sepgsql_ranged_proc_t $2:process dyntransition; - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + postgresql_domtrans($1) + role $2 types postgresql_t; ') ######################################## @@ -312,7 +268,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') - allow $1 postgresql_db_t:dir search; + allow $1 postgresql_db_t:dir search_dir_perms; ') ######################################## @@ -324,14 +280,16 @@ interface(`postgresql_search_db',` ## Domain allowed access. ## ## +# interface(`postgresql_manage_db',` gen_require(` type postgresql_db_t; ') - allow $1 postgresql_db_t:dir rw_dir_perms; - allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; + files_search_var_lib($1) + manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t) + manage_files_pattern($1, postgresql_db_t, postgresql_db_t) + manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t) ') ######################################## @@ -352,6 +310,24 @@ interface(`postgresql_domtrans',` domtrans_pattern($1, postgresql_exec_t, postgresql_t) ') +###################################### +## +## Execute Postgresql in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`postgresql_exec',` + gen_require(` + type postgresql_exec_t; + ') + + can_exec($1, postgresql_exec_t) +') + ###################################### ## ## Allow domain to signal postgresql @@ -369,6 +345,23 @@ interface(`postgresql_signal',` allow $1 postgresql_t:process signal; ') +###################################### +## +## Allow domain to signull postgresql +## +## +## +## Domain allowed access. +## +## +# +interface(`postgresql_signull',` + gen_require(` + type postgresql_t; + ') + allow $1 postgresql_t:process signull; +') + ######################################## ## ## Allow the specified domain to read postgresql's etc. @@ -421,7 +414,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## -## # interface(`postgresql_stream_connect',` gen_require(` @@ -432,6 +424,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) files_search_tmp($1) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## @@ -447,83 +440,10 @@ interface(`postgresql_stream_connect',` # interface(`postgresql_unpriv_client',` gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; - class db_sequence all_db_sequence_perms; - class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; - class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - attribute sepgsql_client_type; - attribute sepgsql_database_type, sepgsql_schema_type; - attribute sepgsql_sysobj_table_type; - - type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; - type sepgsql_temp_object_t; - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; - type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; - type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; - type unpriv_sepgsql_view_t; ') - ######################################## - # - # Declarations - # - typeattribute $1 sepgsql_client_type; - - ######################################## - # - # Client local policy - # - - type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; - allow $1 sepgsql_ranged_proc_t:process transition; - allow sepgsql_ranged_proc_t $1:process dyntransition; - - type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - allow $1 sepgsql_trusted_proc_t:process transition; - - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; - - allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; - type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; - type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - - allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; - type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; - - allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; - type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; - - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; - - allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; - type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; - - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; - allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') ') ######################################## @@ -545,6 +465,29 @@ interface(`postgresql_unconfined',` typeattribute $1 sepgsql_unconfined_type; ') +######################################## +## +## Transition to postgresql named content +## +## +## +## Domain allowed access. +## +## +# +interface(`postgresql_filetrans_named_content',` + gen_require(` + type postgresql_db_t; + type postgresql_log_t; + ') + + files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql") + files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres") + files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql") + filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile") + filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log") +') + ######################################## ## ## All of the rules required to administrate an postgresql environment @@ -563,35 +506,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` - attribute sepgsql_admin_type; - attribute sepgsql_client_type; - - type postgresql_t, postgresql_var_run_t; - type postgresql_tmp_t, postgresql_db_t; - type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t; + attribute sepgsql_admin_type, sepgsql_client_type; + type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; + type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; + type postgresql_etc_t; ') typeattribute $1 sepgsql_admin_type; - allow $1 postgresql_t:process { ptrace signal_perms }; + allow $1 postgresql_t:process signal_perms; ps_process_pattern($1, postgresql_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postgresql_t:process ptrace; + ') init_labeled_script_domtrans($1, postgresql_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 postgresql_initrc_exec_t system_r; allow $2 system_r; + files_list_pids($1) admin_pattern($1, postgresql_var_run_t) + files_list_var_lib($1) admin_pattern($1, postgresql_db_t) + files_list_etc($1) admin_pattern($1, postgresql_etc_t) + logging_list_logs($1) admin_pattern($1, postgresql_log_t) + files_list_tmp($1) admin_pattern($1, postgresql_tmp_t) postgresql_tcp_connect($1) postgresql_stream_connect($1) + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 03061349c..9997e093c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` # ## -##

      -## Allow unprived users to execute DDL statement -##

      +##

      +## Allow postgresql to use ssh and rsync for point-in-time recovery +##

      +##
      +gen_tunable(postgresql_can_rsync, false) + +## +##

      +## Allow unprivileged users to execute DDL statement +##

      ##
      -gen_tunable(sepgsql_enable_users_ddl, false) +gen_tunable(postgresql_selinux_users_ddl, true) ## ##

      ## Allow transmit client label to foreign database ##

      ##
      -gen_tunable(sepgsql_transmit_client_label, false) +gen_tunable(postgresql_selinux_transmit_client_label, false) ## ##

      ## Allow database admins to execute DML statement ##

      ##
      -gen_tunable(sepgsql_unconfined_dbadm, false) +gen_tunable(postgresql_selinux_unconfined_dbadm, true) type postgresql_t; type postgresql_exec_t; @@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow postgresql_t self:netlink_selinux_socket create_socket_perms; -tunable_policy(`sepgsql_transmit_client_label',` + +tunable_policy(`postgresql_selinux_transmit_client_label',` allow postgresql_t self:process { setsockcreate }; ') @@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) +postgresql_filetrans_named_content(postgresql_t) allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) -allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; +allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; files_lock_filetrans(postgresql_t, postgresql_lock_t, file) +manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) @@ -291,6 +300,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) +allow postgresql_t postgresql_tmp_t:file map; fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) @@ -299,12 +309,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) kernel_read_kernel_sysctls(postgresql_t) +kernel_read_network_state(postgresql_t) kernel_read_system_state(postgresql_t) kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) -corenet_all_recvfrom_unlabeled(postgresql_t) corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) @@ -342,8 +352,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) -files_manage_etc_files(postgresql_t) -files_search_etc(postgresql_t) +files_read_etc_files(postgresql_t) files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) @@ -354,20 +363,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) -miscfiles_read_localization(postgresql_t) - seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) +sysnet_use_ldap(postgresql_t) + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) +optional_policy(` + ccs_read_config(postgresql_t) +') + optional_policy(` mta_getattr_spool(postgresql_t) ') -tunable_policy(`allow_execmem',` +optional_policy(` + rhcs_manage_cluster_pid_files(postgresql_t) +') + +tunable_policy(`deny_execmem',`',` allow postgresql_t self:process execmem; ') @@ -485,10 +502,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; -# Note that permission of creation/deletion are eventually controlled by -# create or drop permission of individual objects within shared schemas. -# So, it just allows to create/drop user specific types. -tunable_policy(`sepgsql_enable_users_ddl',` +############################## +# +# Client local policy +# +allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; +type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t; +type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; + +allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert }; +allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete }; +type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t; + +allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select }; +type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; + +allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; +type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t; + +allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand }; +type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t; + +allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute }; +type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; + +allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; +type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t; + +allow sepgsql_client_type sepgsql_ranged_proc_t:process transition; +type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; +allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition; + +allow sepgsql_client_type sepgsql_trusted_proc_t:process transition; +type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + +tunable_policy(`postgresql_selinux_users_ddl',` + allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr }; + allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr }; + allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr }; + allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; + allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr }; + allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + # Note that permission of creation/deletion are eventually controlled by + # create or drop permission of individual objects within shared schemas. + # So, it just allows to create/drop user specific types. allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') @@ -536,7 +595,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) -tunable_policy(`sepgsql_unconfined_dbadm',` +tunable_policy(`postgresql_selinux_unconfined_dbadm',` allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; @@ -589,3 +648,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) + +optional_policy(` + tunable_policy(`postgresql_can_rsync',` + rsync_exec(postgresql_t) + ') +') + +optional_policy(` + tunable_policy(`postgresql_can_rsync',` + ssh_exec(postgresql_t) + ssh_read_user_home_files(postgresql_t) + corenet_tcp_connect_ssh_port(postgresql_t) + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 76d9f66ec..5c271ce01 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,16 +1,41 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) -/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/one/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) + +/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0) /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) +/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0) +/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) +/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index fe0c68272..68d48b722 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ ## # template(`ssh_basic_client_template',` - gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type ssh_keysign_exec_t, ssh_keysign_t; + type ssh_home_t; ') ############################## @@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; - type $1_ssh_home_t; - files_type($1_ssh_home_t) - typealias $1_ssh_home_t alias $1_home_ssh_t; - ############################## # # Client local policy @@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` # or "regular" (not special like sshd_extern_t) servers allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; + # derived domain can execute ssh-keysign + domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t) + role $3 types ssh_keysign_t; + # allow ps to show ssh ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config - manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($2, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config - allow ssh_server $1_ssh_home_t:dir list_dir_perms; - read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) + allow ssh_server ssh_home_t:dir list_dir_perms; + read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) - corenet_all_recvfrom_unlabeled($1_ssh_t) corenet_all_recvfrom_netlabel($1_ssh_t) corenet_tcp_sendrecv_generic_if($1_ssh_t) corenet_tcp_sendrecv_generic_node($1_ssh_t) corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) dev_read_urand($1_ssh_t) @@ -139,7 +141,6 @@ template(`ssh_basic_client_template',` logging_send_syslog_msg($1_ssh_t) logging_read_generic_logs($1_ssh_t) - miscfiles_read_localization($1_ssh_t) seutil_read_config($1_ssh_t) @@ -148,6 +149,29 @@ template(`ssh_basic_client_template',` ') ') +###################################### +## +## The template to define a domain to which sshd dyntransition. +## +## +## +## The prefix of the dyntransition domain +## +## +# +template(`ssh_dyntransition_domain_template',` + gen_require(` + attribute ssh_dyntransition_domain; + ') + + type $1, ssh_dyntransition_domain; + domain_type($1) + role system_r types $1; + + optional_policy(` + ssh_dyntransition_to($1) + ') +') ####################################### ## ## The template to define a ssh server. @@ -168,7 +192,7 @@ template(`ssh_basic_client_template',` ## ## # -template(`ssh_server_template', ` +template(`ssh_server_template',` type $1_t, ssh_server; auth_login_pgm_domain($1_t) @@ -181,20 +205,23 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; + allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; + allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto }; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:shm create_shm_perms; - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; term_create_pty($1_t, $1_devpts_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + userdom_manage_tmp_role(system_r, sshd_t) allow $1_t $1_var_run_t:file manage_file_perms; files_pid_filetrans($1_t, $1_var_run_t, file) @@ -206,6 +233,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) + kernel_request_load_module($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) @@ -220,10 +248,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) - fs_dontaudit_getattr_all_fs($1_t) + fs_getattr_all_fs($1_t) auth_rw_login_records($1_t) auth_rw_faillog($1_t) @@ -233,7 +264,10 @@ template(`ssh_server_template', ` # for sshd subsystems, such as sftp-server. corecmd_getattr_bin_files($1_t) + dev_rw_crypto($1_t) + domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -241,35 +275,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) - miscfiles_read_localization($1_t) - - userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) # Allow checking users mail at login optional_policy(` mta_getattr_spool($1_t) ') - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) - fs_read_nfs_symlinks($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files($1_t) - ') + userdom_home_manager($1_t) optional_policy(` kerberos_use($1_t) - kerberos_manage_host_rcache($1_t) + #kerberos_manage_host_rcache($1_t) ') optional_policy(` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') + + optional_policy(` + rlogin_read_home_content($1_t) + ') + + optional_policy(` + shutdown_getattr_exec_files($1_t) + ') ') ######################################## @@ -292,14 +324,15 @@ template(`ssh_server_template', ` ## User domain for the role ##
      ## +## # template(`ssh_role_template',` gen_require(` attribute ssh_server, ssh_agent_type; - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; + type cache_home_t; ') ############################## @@ -328,103 +361,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process signal; + allow $3 ssh_t:process signal_perms; # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; + allow $3 ssh_t:key { write search read view }; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) + userdom_manage_tmp_role($2, ssh_t) ############################## # # SSH agent local policy # - allow $1_ssh_agent_t self:process setrlimit; - allow $1_ssh_agent_t self:capability setgid; - allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) - # for ssh-add stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; + allow $3 $1_ssh_agent_t:process signal_perms; # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) - kernel_read_kernel_sysctls($1_ssh_agent_t) - - dev_read_urand($1_ssh_agent_t) - dev_read_rand($1_ssh_agent_t) - - fs_search_auto_mountpoints($1_ssh_agent_t) + kernel_read_system_state($1_ssh_agent_t) # transition back to normal privs upon exec corecmd_shell_domtrans($1_ssh_agent_t, $3) corecmd_bin_domtrans($1_ssh_agent_t, $3) - domain_use_interactive_fds($1_ssh_agent_t) - - files_read_etc_files($1_ssh_agent_t) - files_read_etc_runtime_files($1_ssh_agent_t) - files_search_home($1_ssh_agent_t) - - libs_read_lib_files($1_ssh_agent_t) + auth_use_nsswitch($1_ssh_agent_t) logging_send_syslog_msg($1_ssh_agent_t) - miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_generic_certs($1_ssh_agent_t) - - seutil_dontaudit_read_config($1_ssh_agent_t) - - # Write to the user domain tty. - userdom_use_user_terminals($1_ssh_agent_t) - - # for the transition back to normal privs upon exec - userdom_search_user_home_content($1_ssh_agent_t) userdom_user_home_domtrans($1_ssh_agent_t, $3) - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_nfs_domtrans($1_ssh_agent_t, $3) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') - - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') + userdom_home_manager($1_ssh_agent_t) - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) - ') + ssh_exec_keygen($3) ') ######################################## @@ -496,8 +482,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; +') + +###################################### +## +## Read and write ssh server unix dgram sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_rw_dgram_sockets',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; ') + ######################################## ## ## Read and write a ssh server unnamed pipe. @@ -513,7 +518,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { write read getattr ioctl }; + allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -603,6 +608,24 @@ interface(`ssh_domtrans',` domtrans_pattern($1, sshd_exec_t, sshd_t) ') +######################################## +## +## Execute sshd server in the sshd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_initrc_domtrans',` + gen_require(` + type sshd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sshd_initrc_exec_t) +') + ######################################## ## ## Execute the ssh client in the caller domain. @@ -637,7 +660,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') - allow $1 sshd_key_t:file setattr; + allow $1 sshd_key_t:file setattr_file_perms; files_search_pids($1) ') @@ -660,6 +683,42 @@ interface(`ssh_agent_exec',` can_exec($1, ssh_agent_exec_t) ') +######################################## +## +## Getattr ssh home directory +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_getattr_user_home_dir',` + gen_require(` + type ssh_home_t; + ') + + allow $1 ssh_home_t:dir getattr; +') + +######################################## +## +## Dontaudit search ssh home directory +## +## +## +## Domain to not audit. +## +## +# +interface(`ssh_dontaudit_search_user_home_dir',` + gen_require(` + type ssh_home_t; + ') + + dontaudit $1 ssh_home_t:dir search_dir_perms; +') + ######################################## ## ## Read ssh home directory content @@ -697,6 +756,69 @@ interface(`ssh_domtrans_keygen',` ') domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) + allow $1 ssh_keygen_exec_t:file map; +') + +######################################## +## +## Execute the ssh key generator in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ssh_exec_keygen',` + gen_require(` + type ssh_keygen_exec_t; + ') + + can_exec($1, ssh_keygen_exec_t) +') + +####################################### +## +## Execute ssh-keygen in the iptables domain, and +## allow the specified role the ssh-keygen domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`ssh_run_keygen',` + gen_require(` + type ssh_keygen_t; + ') + + role $2 types ssh_keygen_t; + ssh_domtrans_keygen($1) +') + +######################################## +## +## Getattr ssh server keys +## +## +## +## Domain to not audit. +## +## +# +interface(`ssh_getattr_server_keys',` + gen_require(` + type sshd_key_t; + ') + + allow $1 sshd_key_t:file getattr_file_perms; ') ######################################## @@ -714,7 +836,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') - dontaudit $1 sshd_key_t:file { getattr read }; + dontaudit $1 sshd_key_t:file read_file_perms; +') + +###################################### +## +## Append ssh home directory content +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_append_home_files',` + gen_require(` + type ssh_home_t; + ') + + append_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) ') ###################################### @@ -754,3 +895,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +##################################### +## +## Allow domain dyntransition to chroot_user_t domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_dyntransition_to',` + gen_require(` + type sshd_t; + ') + + allow sshd_t $1:process dyntransition; + allow $1 sshd_t:process sigchld; + allow sshd_t $1:process { getattr sigkill sigstop signull signal }; +') + +######################################## +## +## Create .ssh directory in the /root directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_filetrans_admin_home_content',` + gen_require(` + type ssh_home_t; + ') + + userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh") + userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') + +######################################## +## +## Create .ssh directory in the user home directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_filetrans_home_content',` + + gen_require(` + type ssh_home_t; + ') + + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh") + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") + files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh") +') + +######################################## +## +## Create .ssh directory in the user home directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_filetrans_keys',` + + gen_require(` + type sshd_key_t; + ') + + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key") + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key") + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key") + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub") + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub") + files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub") +') + +######################################## +## +## Do not audit attempts to read and +## write the sshd pty type. +## +## +## +## Domain to not audit. +## +## +# +interface(`ssh_dontaudit_use_ptys',` + gen_require(` + type sshd_devpts_t; + ') + + dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl }; +') + +######################################## +## +## Read and write inherited sshd pty type. +## +## +## +## Domain to not audit. +## +## +# +interface(`ssh_use_ptys',` + gen_require(` + type sshd_devpts_t; + ') + + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## Execute sshd server in the sshd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ssh_systemctl',` + gen_require(` + type sshd_t; + type sshd_unit_file_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 sshd_unit_file_t:file manage_file_perms; + allow $1 sshd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index cc877c7b0..f2da060bf 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) # ## -##

      -## allow host key based authentication -##

      +##

      +## allow host key based authentication +##

      +##
      +gen_tunable(ssh_keysign, false) + +## +##

      +## Allow ssh logins as sysadm_r:sysadm_t +##

      ##
      -gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) ## ##

      -## Allow ssh logins as sysadm_r:sysadm_t +## Allow ssh with chroot env to read and write files +## in the user home directories ##

      ##
      -gen_tunable(ssh_sysadm_login, false) +gen_tunable(ssh_chroot_rw_homedirs, false) +attribute ssh_dyntransition_domain; attribute ssh_server; attribute ssh_agent_type; +ssh_dyntransition_domain_template(chroot_user_t) +ssh_dyntransition_domain_template(sshd_sandbox_t) +ssh_dyntransition_domain_template(sshd_net_t) + type ssh_keygen_t; type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) -role system_r types ssh_keygen_t; + +type ssh_keygen_tmp_t; +files_tmp_file(ssh_keygen_tmp_t) + +type sshd_keygen_t; +type sshd_keygen_exec_t; +init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) + +type sshd_keygen_unit_file_t; +systemd_unit_file(sshd_keygen_unit_file_t) type sshd_exec_t; corecmd_executable_file(sshd_exec_t) ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) +mls_process_write_all_levels(sshd_t) +mls_dbus_send_all_levels(sshd_t) + +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) + +type sshd_unit_file_t; +systemd_unit_file(sshd_unit_file_t) type sshd_key_t; files_type(sshd_key_t) -type sshd_tmp_t; -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) - -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -') +type sshd_keytab_t; +files_type(sshd_keytab_t) type ssh_t; type ssh_exec_t; @@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; -userdom_user_tmpfs_file(ssh_tmpfs_t) +userdom_user_tmp_file(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) +files_poly_parent(ssh_home_t) -type sshd_keytab_t; -files_type(sshd_keytab_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') ############################## # @@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; @@ -93,50 +122,55 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; +can_exec(ssh_t, ssh_exec_t) # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; -# Access the ssh temporary files. -allow ssh_t sshd_tmp_t:dir manage_dir_perms; -allow ssh_t sshd_tmp_t:file manage_file_perms; -files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir }) - manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) +userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file) +userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file) +userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh") +userdom_read_all_users_keys(ssh_t) +userdom_stream_connect(ssh_t) +userdom_search_admin_dir(sshd_t) # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) allow ssh_t sshd_t:unix_stream_socket connectto; +allow ssh_t sshd_t:peer recv; # ssh client can manage the keys and config manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config -allow ssh_server ssh_home_t:dir list_dir_perms; -read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) corenet_tcp_sendrecv_generic_if(ssh_t) corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) +corenet_tcp_connect_all_unreserved_ports(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +#corenet_tcp_bind_all_unreserved_ports(ssh_t) +corenet_rw_tun_tap_dev(ssh_t) +dev_read_rand(ssh_t) dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) @@ -157,40 +191,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) +term_use_ptmx(ssh_t) + auth_use_nsswitch(ssh_t) -miscfiles_read_localization(ssh_t) +miscfiles_read_generic_certs(ssh_t) seutil_read_config(ssh_t) userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) +userdom_search_admin_dir(ssh_t) # Write to the user domain tty. -userdom_use_user_terminals(ssh_t) -# needs to read krb tgt +userdom_use_inherited_user_terminals(ssh_t) +# needs to read krb/write tgt userdom_read_user_tmp_files(ssh_t) - -tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - allow ssh_keysign_t ssh_t:fd use; - allow ssh_keysign_t ssh_t:process sigchld; - allow ssh_keysign_t ssh_t:fifo_file rw_file_perms; +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) +userdom_rw_inherited_user_home_content_files(ssh_t) +userdom_read_home_certs(ssh_t) +userdom_home_manager(ssh_t) + +tunable_policy(`ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(ssh_t) - fs_manage_nfs_files(ssh_t) +# for port forwarding +tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) + corenet_tcp_bind_generic_node(ssh_t) + corenet_tcp_bind_all_unreserved_ports(ssh_t) ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) +ifdef(`enable_mcs',` + optional_policy(` + condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh) + ') ') -# for port forwarding -tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port(ssh_t) - corenet_tcp_bind_generic_node(ssh_t) +optional_policy(` + gnome_stream_connect_gkeyringd(ssh_t) ') optional_policy(` @@ -198,6 +238,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') + ############################## # # ssh_keysign_t local policy @@ -205,10 +246,16 @@ optional_policy(` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +allow ssh_keysign_t self:udp_socket create_socket_perms; + +allow ssh_keysign_t sshd_key_t:file { getattr open read }; + +kernel_read_network_state(ssh_keysign_t) -allow ssh_keysign_t sshd_key_t:file { getattr read }; +auth_read_passwd(ssh_keysign_t) dev_read_urand(ssh_keysign_t) +dev_read_rand(ssh_keysign_t) files_read_etc_files(ssh_keysign_t) @@ -216,6 +263,14 @@ optional_policy(` nscd_use(ssh_keysign_t) ') +optional_policy(` + sssd_read_public_files(ssh_keysign_t) +') + +optional_policy(` + sge_rw_tcp_sockets(ssh_keysign_t) +') + ################################# # # sshd local policy @@ -226,45 +281,79 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; +allow sshd_t self:process setcurrent; allow sshd_t sshd_keytab_t:file read_file_perms; -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) - kernel_search_key(sshd_t) kernel_link_key(sshd_t) +kernel_read_net_sysctls(sshd_t) + +files_search_all(sshd_t) +files_create_home_dir(sshd_t) + +fs_search_cgroup_dirs(sshd_t) +fs_rw_cgroup_files(sshd_t) term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) term_relabelto_all_ptys(sshd_t) +term_use_ptmx(sshd_t) # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) +corenet_tcp_bind_vnc_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) -ifdef(`distro_debian',` - allow sshd_t self:process { getcap setcap }; -') +auth_exec_login_program(sshd_t) +auth_signal_chk_passwd(sshd_t) + +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +#userdom_manage_tmp_role(system_r, sshd_t) +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) +userdom_dyntransition_unpriv_users(sshd_t) +userdom_map_tmp_files(sshd_t) tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to # display the tty. # some versions of sshd on the new SE Linux require setattr - userdom_spec_domtrans_all_users(sshd_t) userdom_signal_all_users(sshd_t) -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) + userdom_spec_domtrans_all_users(sshd_t) + userdom_dyntransition_admin_users(sshd_t) +') + +optional_policy(` + amanda_search_var_lib(sshd_t) +') + +optional_policy(` + condor_rw_lib_files(sshd_t) + condor_rw_tcp_sockets_startd(sshd_t) + condor_rw_tcp_sockets_schedd(sshd_t) ') optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') +optional_policy(` + ftp_dyntrans_sftpd(sshd_t) + ftp_dyntrans_anon_sftpd(sshd_t) +') + +optional_policy(` + gitosis_manage_lib_files(sshd_t) +') + +optional_policy(` + gnome_exec_keyringd(sshd_t) +') + optional_policy(` inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') @@ -274,10 +363,26 @@ optional_policy(` kerberos_use(sshd_t) ') +optional_policy(` + lvm_domtrans(sshd_t) +') + +optional_policy(` + munin_read_var_lib_files(sshd_t) +') + +optional_policy(` + nx_read_home_files(sshd_t) +') + optional_policy(` oddjob_domtrans_mkhomedir(sshd_t) ') +optional_policy(` + rpc_rw_gssd_keys(sshd_t) +') + optional_policy(` rpm_use_script_fds(sshd_t) ') @@ -288,12 +393,101 @@ optional_policy(` rssh_read_ro_content(sshd_t) ') +optional_policy(` + rsync_read_data(sshd_t) +') + +optional_policy(` + systemd_exec_systemctl(sshd_t) +') + +optional_policy(` + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') + +optional_policy(` + openshift_dyntransition(sshd_t) + openshift_transition(sshd_t) + openshift_manage_tmp_files(sshd_t) + openshift_manage_tmp_sockets(sshd_t) + openshift_mounton_tmp(sshd_t) + openshift_read_lib_files(sshd_t) +') + +optional_policy(` + postgresql_search_db(sshd_t) +') + optional_policy(` unconfined_shell_domtrans(sshd_t) ') +optional_policy(` + sge_rw_tcp_sockets(sshd_t) +') + +optional_policy(` + kernel_write_proc_files(sshd_t) + virt_transition_svirt_sandbox(sshd_t, system_r) + virt_stream_connect_sandbox(sshd_t) + virt_stream_connect(sshd_t) +') + optional_policy(` xserver_domtrans_xauth(sshd_t) + xserver_xdm_signull(sshd_t) +') + +ifdef(`TODO',` + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; + + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, userdomain) + ') + ',` + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + ') + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; + ') +') dnl endif TODO + +######################################## +# +# sshd-keygen local policy +# + +allow sshd_keygen_t self:capability { chown fsetid }; +allow sshd_keygen_t self:fifo_file rw_fifo_file_perms; +allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow sshd_keygen_t sshd_key_t:file manage_file_perms; + +kernel_read_system_state(sshd_keygen_t) + +corecmd_exec_bin(sshd_keygen_t) + +auth_use_nsswitch(sshd_keygen_t) + +files_rw_etc_dirs(sshd_keygen_t) + +#run restorecon +seutil_domtrans_setfiles(sshd_keygen_t) + +ssh_domtrans_keygen(sshd_keygen_t) + +optional_policy(` + plymouthd_exec_plymouth(sshd_keygen_t) ') ######################################## @@ -304,19 +498,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t +allow ssh_keygen_t self:capability { dac_read_search dac_override }; dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + +manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) +manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) +files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir }) + +kernel_read_system_state(ssh_keygen_t) kernel_read_kernel_sysctls(ssh_keygen_t) +corecmd_exec_shell(ssh_keygen_t) +corecmd_exec_bin(ssh_keygen_t) + fs_search_auto_mountpoints(ssh_keygen_t) dev_read_sysfs(ssh_keygen_t) +dev_read_rand(ssh_keygen_t) dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) @@ -332,7 +540,13 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) +userdom_home_manager(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) + +optional_policy(` + glusterd_manage_lib_files(ssh_keygen_t) +') optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) @@ -341,3 +555,150 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') + +#################################### +# +# ssh_dyntransition domain local policy +# + +allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; +allow ssh_dyntransition_domain self:unix_dgram_socket create_socket_perms; + +allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; +allow ssh_dyntransition_domain sshd_t:fd use; + +optional_policy(` + ssh_rw_stream_sockets(ssh_dyntransition_domain) + ssh_rw_tcp_sockets(ssh_dyntransition_domain) +') + +##################################### +# +# ssh_sandbox local policy +# + +allow sshd_t sshd_sandbox_t:process signal; + +init_ioctl_stream_sockets(sshd_sandbox_t) + +logging_send_audit_msgs(sshd_sandbox_t) + +##################################### +# +# sshd [net] child local policy +# + +allow sshd_t sshd_net_t:process signal; + +allow sshd_net_t self:process setrlimit; + +dev_rw_crypto(sshd_net_t) + +init_ioctl_stream_sockets(sshd_net_t) +init_rw_tcp_sockets(sshd_net_t) + +logging_send_audit_msgs(sshd_net_t) + + +###################################### +# +# chroot_user_t local policy +# +allow chroot_user_t self:fifo_file rw_fifo_file_perms; +allow chroot_user_t self:unix_dgram_socket create_socket_perms; + +corecmd_exec_shell(chroot_user_t) + +domain_subj_id_change_exemption(chroot_user_t) +domain_role_change_exemption(chroot_user_t) + +term_search_ptys(chroot_user_t) +term_use_ptmx(chroot_user_t) + +fs_getattr_all_fs(chroot_user_t) + +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) +userdom_read_user_home_content_symlinks(chroot_user_t) +userdom_exec_user_home_content_files(chroot_user_t) +userdom_use_inherited_user_ptys(chroot_user_t) + +tunable_policy(`ssh_chroot_rw_homedirs',` + files_list_home(chroot_user_t) + userdom_manage_user_home_content_files(chroot_user_t) + userdom_manage_user_home_content_symlinks(chroot_user_t) + userdom_manage_user_home_content_pipes(chroot_user_t) + userdom_manage_user_home_content_sockets(chroot_user_t) + userdom_manage_user_home_content_dirs(chroot_user_t) +') + +tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(chroot_user_t) + fs_manage_nfs_files(chroot_user_t) + fs_manage_nfs_symlinks(chroot_user_t) +') + +tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(chroot_user_t) + fs_manage_cifs_files(chroot_user_t) + fs_manage_cifs_symlinks(chroot_user_t) +') + +tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(chroot_user_t) + fs_manage_fusefs_files(chroot_user_t) + fs_manage_fusefs_symlinks(chroot_user_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(chroot_user_t) + fs_read_cifs_symlinks(chroot_user_t) +') + +userdom_home_manager(chroot_user_t) + +optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) +') + +optional_policy(` + unconfined_shell_domtrans(chroot_user_t) +') + +###################################### +# +# ssh_agent_type common policy local policy +# +allow ssh_agent_type self:process setrlimit; +allow ssh_agent_type self:capability setgid; + +manage_dirs_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t) +manage_sock_files_pattern(ssh_agent_type, ssh_agent_tmp_t, ssh_agent_tmp_t) +files_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, { dir sock_file }) + +kernel_read_kernel_sysctls(ssh_agent_type) + +dev_read_urand(ssh_agent_type) +dev_read_rand(ssh_agent_type) + +fs_search_auto_mountpoints(ssh_agent_type) + +domain_use_interactive_fds(ssh_agent_type) + +files_read_etc_files(ssh_agent_type) +files_read_etc_runtime_files(ssh_agent_type) + +libs_read_lib_files(ssh_agent_type) + +miscfiles_read_generic_certs(ssh_agent_type) + +# Write to the user domain tty. +userdom_use_inherited_user_terminals(ssh_agent_type) + +# for the transition back to normal privs upon exec +userdom_search_user_home_content(ssh_agent_type) + +optional_policy(` + xserver_use_xdm_fds(ssh_agent_type) + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 8274418c6..29bbc5976 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,36 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) + +/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +/root/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) +/root/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +/root/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +/root/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +/root/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +/root/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +/root/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) # # /dev @@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0) +/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) +/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) +/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) +/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) +/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) + /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) -/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) +/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) +/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -46,26 +77,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # -/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix/.* -s <> -/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) -/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix/.* -s <> +/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) # # /usr # +/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + +/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) + +/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -91,19 +131,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + +/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + +/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) /var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -111,7 +166,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') + +/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 6bf0ecc2d..28048bf64 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ # interface(`xserver_restricted_role',` gen_require(` - type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; + type xauth_t, iceauth_t; + attribute dridomain, x_userdomain; ') - role $1 types { xserver_t xauth_t iceauth_t }; - - # Xserver read/write client shm - allow xserver_t $2:fd use; - allow xserver_t $2:shm rw_shm_perms; - - allow xserver_t $2:process signal; - - allow xserver_t $2:shm rw_shm_perms; - - allow $2 user_fonts_t:dir list_dir_perms; - allow $2 user_fonts_t:file read_file_perms; - - allow $2 user_fonts_config_t:dir list_dir_perms; - allow $2 user_fonts_config_t:file read_file_perms; - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - files_search_tmp($2) - - # Communicate via System V shared memory. - allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # allow ps to show iceauth - ps_process_pattern($2, iceauth_t) - - domtrans_pattern($2, iceauth_exec_t, iceauth_t) - - allow $2 iceauth_home_t:file read_file_perms; - - domtrans_pattern($2, xauth_exec_t, xauth_t) - - allow $2 xauth_t:process signal; - - # allow ps to show xauth - ps_process_pattern($2, xauth_t) - allow $2 xserver_t:process signal; - - allow $2 xauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; - - dev_rw_xserver_misc($2) - dev_rw_power_management($2) - dev_read_input($2) - dev_read_misc($2) - dev_write_misc($2) - # open office is looking for the following - dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) - # GNOME checks for usb and other devices: - dev_rw_usbfs($2) - - miscfiles_read_fonts($2) + role $1 types { xauth_t iceauth_t }; + typeattribute $2 x_userdomain, dridomain; - xserver_common_x_domain_template(user, $2) - xserver_domtrans($2) - xserver_unconfined($2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) + xserver_common_x_domain_template(user,$2) xserver_stream_connect_xdm($2) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($2) - # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($2) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) + xserver_xdm_append_log($2) - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; + xserver_dri_domain($2) +') + +######################################## +## +## Domain wants to use direct io devices +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dri_domain',` + gen_require(` + attribute dridomain; ') + + typeattribute $1 dridomain; ') ######################################## @@ -143,13 +79,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; + allow $2 iceauth_home_t:file relabel_file_perms; allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; + allow $2 xauth_home_t:file relabel_file_perms; + mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) + allow $2 user_fonts_t:lnk_file read_lnk_file_perms; relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) @@ -162,7 +100,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### @@ -197,7 +134,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; + allow $1 xserver_tmp_t:file read_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; @@ -227,7 +164,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') - xserver_ro_session($1,$2) + xserver_ro_session($1, $2) allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') @@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; - allow $1 xdm_var_run_t:dir search; + allow $1 xdm_var_run_t:dir search_dir_perms; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; @@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',` interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') @@ -291,14 +228,14 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file - allow $1 xauth_home_t:file { getattr read }; - allow $1 iceauth_home_t:file { getattr read }; + allow $1 xauth_home_t:file read_file_perms; + allow $1 iceauth_home_t:file read_file_perms; # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; - allow $1 xdm_tmp_t:dir search; - allow $1 xdm_tmp_t:sock_file { read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; + userdom_search_user_tmp_dirs($1) + userdom_rw_user_tmp_sock_files($1) dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. @@ -316,7 +253,7 @@ interface(`xserver_user_client',` xserver_read_xdm_tmp_files($1) # Client write xserver shm - tunable_policy(`allow_write_xshm',` + tunable_policy(`xserver_clients_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') @@ -342,19 +279,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` - type root_xdrawable_t; + type root_xdrawable_t, xdm_t, xserver_t; type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; - attribute x_domain; + attribute x_domain, input_xevent_type; attribute xdrawable_type, xcolormap_type; - attribute input_xevent_type; class x_drawable all_x_drawable_perms; class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; + class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor }; + class x_pointer { get_property set_property manage }; + class x_keyboard { read manage freeze }; ') ############################## @@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',` allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; # can receive default events allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 xevent_t:{ x_event x_synthetic_event } receive; + allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; + + allow $2 xdm_t:x_drawable { hide read add_child manage }; + allow $2 xdm_t:x_client destroy; + + allow $2 root_xdrawable_t:x_drawable write; + allow $2 xserver_t:x_server manage; + allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show }; + allow $2 xserver_t:x_pointer { get_property set_property manage }; + allow $2 xserver_t:x_keyboard { read manage freeze }; ') ####################################### @@ -444,8 +394,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + type xdm_t, xserver_tmpfs_t; + type xdm_home_t; + type xauth_home_t, iceauth_home_t, xserver_t; ') allow $2 self:shm create_shm_perms; @@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; + xserver_filetrans_home_content($2) + # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + userdom_search_user_tmp_dirs($2) + userdom_rw_user_tmp_sock_files($2) dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. @@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) - xserver_ro_session($2,$3) + xserver_ro_session($2, $3) xserver_use_user_fonts($2) - xserver_read_xdm_tmp_files($2) + userdom_read_user_tmp_files($2) + xserver_read_xdm_pid($2) + xserver_xdm_append_log($2) # X object manager xserver_object_types_template($1) - xserver_common_x_domain_template($1,$2) + xserver_common_x_domain_template($1, $2) # Client write xserver shm - tunable_policy(`allow_write_xshm',` + tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') + + tunable_policy(`selinuxuser_direct_dri_enabled',` + dev_rw_dri($2) + ') ') ######################################## @@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; + allow $1 user_fonts_t:lnk_file read_lnk_file_perms; # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) @@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') +###################################### +## +## Allow exec of Xauthority program.. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`xserver_exec_xauth',` + gen_require(` + type xauth_t, xauth_exec_t; + ') + + can_exec($1, xauth_exec_t) +') + +######################################## +## +## Dontaudit exec of Xauthority program. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_exec_xauth',` + gen_require(` + type xauth_exec_t; + ') + + dontaudit $1 xauth_exec_t:file execute; +') + ######################################## ## ## Create a Xauthority file in the user home directory. @@ -565,6 +561,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') +######################################## +## +## Create a Xauthority file in the admin home directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_admin_home_dir_filetrans_xauth',` + gen_require(` + type xauth_home_t; + ') + + userdom_admin_home_dir_filetrans($1, xauth_home_t, file) +') + ######################################## ## ## Read all users fonts, user font configurations, @@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) + xserver_read_xdm_pid($1) +') + +######################################## +## +## Manage all users .Xauthority. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_user_xauth',` + gen_require(` + type xauth_home_t; + ') + + allow $1 xauth_home_t:file manage_file_perms; ') ######################################## @@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file setattr; + allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; ') ######################################## @@ -636,6 +669,25 @@ interface(`xserver_rw_console',` allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') +######################################## +## +## Read XDM state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_state_xdm',` + gen_require(` + type xdm_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, xdm_t) +') + ######################################## ## ## Use file descriptors for xdm. @@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') - allow $1 xdm_t:fd use; + allow $1 xdm_t:fd use; ') ######################################## @@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') - dontaudit $1 xdm_t:fd use; + dontaudit $1 xdm_t:fd use; ') ######################################## @@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') - allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` - gen_require(` type xdm_t; ') - dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; + dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -765,16 +816,19 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t, xdm_var_run_t; ') files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) + stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) + userdom_stream_connect($1) ') ######################################## ## -## Read xdm-writable configuration files. +## Allow domain to append XDM unix domain +## stream socket. ## ## ## @@ -782,18 +836,18 @@ interface(`xserver_stream_connect_xdm',` ## ## # -interface(`xserver_read_xdm_rw_config',` + +interface(`xserver_append_xdm_stream_socket',` gen_require(` - type xdm_rw_etc_t; + type xdm_t; ') - files_search_etc($1) - allow $1 xdm_rw_etc_t:file read_file_perms; + allow $1 xdm_t:unix_stream_socket append; ') ######################################## ## -## Set the attributes of XDM temporary directories. +## Read XDM files in user home directories. ## ## ## @@ -801,18 +855,18 @@ interface(`xserver_read_xdm_rw_config',` ## ## # -interface(`xserver_setattr_xdm_tmp_dirs',` +interface(`xserver_read_xdm_home_files',` gen_require(` - type xdm_tmp_t; + type xdm_home_t; ') - allow $1 xdm_tmp_t:dir setattr; + userdom_search_user_home_dirs($1) + allow $1 xdm_home_t:file read_file_perms; ') ######################################## ## -## Create a named socket in a XDM -## temporary directory. +## Read xserver configuration files. ## ## ## @@ -820,19 +874,19 @@ interface(`xserver_setattr_xdm_tmp_dirs',` ## ## # -interface(`xserver_create_xdm_tmp_sockets',` +interface(`xserver_read_config',` gen_require(` - type xdm_tmp_t; + type xserver_etc_t; ') - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + files_search_etc($1) + read_files_pattern($1, xserver_etc_t, xserver_etc_t) + read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## ## -## Read XDM pid files. +## Manage xserver configuration files. ## ## ## @@ -840,18 +894,19 @@ interface(`xserver_create_xdm_tmp_sockets',` ## ## # -interface(`xserver_read_xdm_pid',` +interface(`xserver_manage_config',` gen_require(` - type xdm_var_run_t; + type xserver_etc_t; ') - files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + files_search_etc($1) + manage_files_pattern($1, xserver_etc_t, xserver_etc_t) + manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## ## -## Read XDM var lib files. +## Read xdm-writable configuration files. ## ## ## @@ -859,110 +914,79 @@ interface(`xserver_read_xdm_pid',` ## ## # -interface(`xserver_read_xdm_lib_files',` +interface(`xserver_read_xdm_rw_config',` gen_require(` - type xdm_var_lib_t; + type xdm_rw_etc_t; ') - allow $1 xdm_var_lib_t:file read_file_perms; + files_search_etc($1) + allow $1 xdm_rw_etc_t:file read_file_perms; ') ######################################## ## -## Make an X session script an entrypoint for the specified domain. +## Search XDM temporary directories. ## ## ## -## The domain for which the shell is an entrypoint. +## Domain allowed access. ## ## # -interface(`xserver_xsession_entry_type',` - gen_require(` - type xsession_exec_t; - ') - - domain_entry_file($1, xsession_exec_t) +interface(`xserver_search_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') + userdom_search_user_tmp_dirs($1) ') ######################################## ## -## Execute an X session in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). +## Set the attributes of XDM temporary directories. ## -## -##

      -## Execute an Xsession in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -##

      -##

      -## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

      -##
      ## ## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. +## Domain allowed access. ## ## # -interface(`xserver_xsession_spec_domtrans',` - gen_require(` - type xsession_exec_t; - ') - - domain_trans($1, xsession_exec_t, $2) +interface(`xserver_setattr_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') ######################################## ## -## Get the attributes of X server logs. +## Dont audit attempts to set the attributes of XDM temporary directories. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`xserver_getattr_log',` - gen_require(` - type xserver_log_t; - ') - - logging_search_logs($1) - allow $1 xserver_log_t:file getattr; +interface(`xserver_dontaudit_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') ######################################## ## -## Do not audit attempts to write the X server -## log files. +## Create a named socket in a XDM +## temporary directory. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`xserver_dontaudit_write_log',` - gen_require(` - type xserver_log_t; - ') - - dontaudit $1 xserver_log_t:file { append write }; +interface(`xserver_create_xdm_tmp_sockets',` + refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') + userdom_create_user_tmp_sockets($1) ') ######################################## ## -## Delete X server log files. +## Read XDM pid files. ## ## ## @@ -970,20 +994,18 @@ interface(`xserver_dontaudit_write_log',` ## ## # -interface(`xserver_delete_log',` +interface(`xserver_read_xdm_pid',` gen_require(` - type xserver_log_t; + type xdm_var_run_t; ') - logging_search_logs($1) - allow $1 xserver_log_t:dir list_dir_perms; - delete_files_pattern($1, xserver_log_t, xserver_log_t) - delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) + files_search_pids($1) + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') ######################################## ## -## Read X keyboard extension libraries. +## Mmap XDM pid files. ## ## ## @@ -991,39 +1013,544 @@ interface(`xserver_delete_log',` ## ## # -interface(`xserver_read_xkb_libs',` +interface(`xserver_map_xdm_pid',` gen_require(` - type xkb_var_lib_t; + type xdm_var_run_t; ') - files_search_var_lib($1) - allow $1 xkb_var_lib_t:dir list_dir_perms; - read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + allow $1 xdm_var_run_t:file map; ') -######################################## +###################################### ## -## Read xdm temporary files. +## Dontaudit Read XDM pid files. ## ## -## -## Domain allowed access. -## +## +## Domain to not audit. +## ## # -interface(`xserver_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') +interface(`xserver_dontaudit_read_xdm_pid',` + gen_require(` + type xdm_var_run_t; + ') - files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + dontaudit $1 xdm_var_run_t:dir search_dir_perms; + dontaudit $1 xdm_var_run_t:file read_file_perms; ') ######################################## ## -## Do not audit attempts to read xdm temporary files. +## Read XDM var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_xdm_lib_files',` + gen_require(` + type xdm_var_lib_t; + ') + + read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) + read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) +') + +######################################## +## +## Read inherited XDM var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_inherited_xdm_lib_files',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:file { read_inherited_file_perms map }; +') + +######################################## +## +## Make an X session script an entrypoint for the specified domain. +## +## +## +## The domain for which the shell is an entrypoint. +## +## +# +interface(`xserver_xsession_entry_type',` + gen_require(` + type xsession_exec_t; + ') + + domain_entry_file($1, xsession_exec_t) +') + +######################################## +## +## Execute an X session in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## +## +##

      +## Execute an Xsession in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +##

      +##

      +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

      +##
      +## +## +## Domain allowed to transition. +## +## +## +## +## The type of the shell process. +## +## +# +interface(`xserver_xsession_spec_domtrans',` + gen_require(` + type xsession_exec_t; + ') + + domain_trans($1, xsession_exec_t, $2) +') + +######################################## +## +## Get the attributes of X server logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_getattr_log',` + gen_require(` + type xserver_log_t; + ') + + logging_search_logs($1) + allow $1 xserver_log_t:file getattr_file_perms; +') + +####################################### +## +## Allow domain to read X server logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_log',` + gen_require(` + type xserver_log_t; + ') + + logging_search_logs($1) + allow $1 xserver_log_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to write the X server +## log files. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_write_log',` + gen_require(` + type xserver_log_t; + ') + + dontaudit $1 xserver_log_t:file rw_inherited_file_perms; +') + +######################################## +## +## Delete X server log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_delete_log',` + gen_require(` + type xserver_log_t; + ') + + logging_search_logs($1) + allow $1 xserver_log_t:dir list_dir_perms; + delete_files_pattern($1, xserver_log_t, xserver_log_t) + delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) +') + +######################################## +## +## Read X keyboard extension libraries. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_xkb_libs',` + gen_require(` + type xkb_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 xkb_var_lib_t:dir list_dir_perms; + read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) +') + +######################################## +## +## Manage X keyboard extension libraries. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xkb_libs',` + gen_require(` + type xkb_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 xkb_var_lib_t:dir list_dir_perms; + manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) +') + +######################################## +## +## dontaudit access checks X keyboard extension libraries. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dontaudit_xkb_libs_access',` + gen_require(` + type xkb_var_lib_t; + ') + + dontaudit $1 xkb_var_lib_t:dir audit_access; + dontaudit $1 xkb_var_lib_t:file audit_access; +') + +######################################## +## +## Read xdm config files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_read_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) + read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## +## Manage xdm config files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_manage_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## +## Read xdm temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.') + userdom_read_user_tmpfs_files($1) +') + +######################################## +## +## Do not audit attempts to read xdm temporary files. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_read_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.') + userdom_dontaudit_read_user_tmp_files($1) +') + +######################################## +## +## Read write xdm temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') + userdom_rw_user_tmpfs_files($1) +') + +######################################## +## +## Create, read, write, and delete xdm temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') + userdom_manage_user_tmp_files($1) +') + +######################################## +## +## Create, read, write, and delete xdm temporary dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_relabel_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') + userdom_relabel_user_tmp_dirs($1) +') + +######################################## +## +## Create, read, write, and delete xdm temporary dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') + userdom_manage_user_tmp_dirs($1) +') + +######################################## +## +## Do not audit attempts to get the attributes of +## xdm temporary named sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.') + usedom_dontaudit_user_getattr_tmp_sockets($1) +') + +######################################## +## +## Execute the X server in the X server domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`xserver_domtrans',` + gen_require(` + type xserver_t, xserver_exec_t; + ') + + allow $1 xserver_t:process siginh; + domtrans_pattern($1, xserver_exec_t, xserver_t) + + allow xserver_t $1:process getpgid; +') + +######################################## +## +## Signal X servers +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_signal',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:process signal; +') + +######################################## +## +## Send a null signal to xdm processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_signull',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:process signull; +') + +######################################## +## +## Kill X servers +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_kill',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:process sigkill; +') + +######################################## +## +## Read and write X server Sys V Shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_shm',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:shm rw_shm_perms; +') + +######################################## +## +## Do not audit attempts to read and write to +## X server sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_rw_tcp_sockets',` + gen_require(` + type xserver_t; + ') + + dontaudit $1 xserver_t:tcp_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read and write X server +## unix domain stream sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_rw_stream_sockets',` + gen_require(` + type xserver_t; + ') + + dontaudit $1 xserver_t:unix_stream_socket { read write }; +') + +######################################## +## +## Do not audit attempts to read and write xdm +## unix domain stream sockets. ## ## ## @@ -1031,18 +1558,245 @@ interface(`xserver_read_xdm_tmp_files',` ## ## # -interface(`xserver_dontaudit_read_xdm_tmp_files',` +interface(`xserver_dontaudit_xdm_rw_stream_sockets',` + gen_require(` + type xdm_t; + ') + + dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write }; +') + +######################################## +## +## Connect to the X server over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_stream_connect',` + gen_require(` + type xserver_t, xserver_tmp_t; + ') + + files_search_tmp($1) + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow xserver_t $1:shm rw_shm_perms; +') + +###################################### +## +## Dontaudit attempts to connect to xserver +## over a unix stream socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_stream_connect',` + gen_require(` + type xserver_t, xserver_tmp_t; + ') + + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) +') + +######################################## +## +## Read X server temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_tmp_files',` + gen_require(` + type xserver_tmp_t; + ') + + allow $1 xserver_tmp_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain permission to read the +## virtual core keyboard and virtual core pointer devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_manage_core_devices',` + gen_require(` + type xserver_t, root_xdrawable_t, xevent_t; + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + attribute x_domain; + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; + class x_synthetic_event all_x_synthetic_event_perms; + class x_cursor all_x_cursor_perms; + ') + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + + allow $1 x_domain:x_cursor all_x_cursor_perms; + allow $1 x_domain:x_drawable all_x_drawable_perms; + allow $1 x_domain:x_resource all_x_resource_perms; + allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; + allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; +') + +######################################## +## +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain complete control over the +## display. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_unconfined',` + gen_require(` + attribute x_domain, xserver_unconfined_type; + ') + + typeattribute $1 x_domain; + typeattribute $1 xserver_unconfined_type; +') + +######################################## +## +## Dontaudit append to .xsession-errors file +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` + type xdm_home_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files($1) + ') +') + +######################################## +## +## append to .xsession-errors file +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_append_xdm_home_files',` + gen_require(` + type xdm_home_t, xserver_tmp_t; + ') + + allow $1 xdm_home_t:file append_file_perms; + allow $1 xserver_tmp_t:file append_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') +') + +####################################### +## +## Allow search the xdm_spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_search_spool',` + gen_require(` + type xdm_spool_t; + ') + + files_search_spool($1) + search_dirs_pattern($1, xdm_spool_t, xdm_spool_t) +') + +###################################### +## +## Allow read the xdm_spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_read_spool',` + gen_require(` + type xdm_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, xdm_spool_t, xdm_spool_t) +') + +######################################## +## +## Manage the xdm_spool files +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_manage_spool',` gen_require(` - type xdm_tmp_t; + type xdm_spool_t; ') - dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file read_file_perms; + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## -## Read write xdm temporary files. +## Send and receive messages from +## xdm over dbus. ## ## ## @@ -1050,18 +1804,20 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',` ## ## # -interface(`xserver_rw_xdm_tmp_files',` +interface(`xserver_dbus_chat_xdm',` gen_require(` - type xdm_tmp_t; + type xdm_t; + class dbus send_msg; ') - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:file rw_file_perms; + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; ') ######################################## ## -## Create, read, write, and delete xdm temporary files. +## Send and receive messages from +## xdm over dbus. ## ## ## @@ -1069,55 +1825,57 @@ interface(`xserver_rw_xdm_tmp_files',` ## ## # -interface(`xserver_manage_xdm_tmp_files',` +interface(`xserver_dbus_chat',` gen_require(` - type xdm_tmp_t; + type xserver_t; + class dbus send_msg; ') - manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + allow $1 xserver_t:dbus send_msg; + allow xserver_t $1:dbus send_msg; ') ######################################## ## -## Do not audit attempts to get the attributes of -## xdm temporary named sockets. +## Read xserver files created in /var/run ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +interface(`xserver_read_pid',` gen_require(` - type xdm_tmp_t; + type xserver_var_run_t; ') - dontaudit $1 xdm_tmp_t:sock_file getattr; + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## -## Execute the X server in the X server domain. +## Execute xserver files created in /var/run ## ## ## -## Domain allowed to transition. +## Domain allowed access. ## ## # -interface(`xserver_domtrans',` +interface(`xserver_exec_pid',` gen_require(` - type xserver_t, xserver_exec_t; + type xserver_var_run_t; ') - allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t) + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## -## Signal X servers +## Write xserver files created in /var/run ## ## ## @@ -1125,17 +1883,73 @@ interface(`xserver_domtrans',` ## ## # -interface(`xserver_signal',` +interface(`xserver_write_pid',` gen_require(` - type xserver_t; + type xserver_var_run_t; ') - allow $1 xserver_t:process signal; + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## -## Kill X servers +## Allow append the xdm +## log files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_xdm_append_log',` + gen_require(` + type xdm_log_t; + attribute xdmhomewriter; + ') + + typeattribute $1 xdmhomewriter; + allow $1 xdm_log_t:file append_inherited_file_perms; +') + +######################################## +## +## Allow ioctl the xdm log files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_xdm_ioctl_log',` + gen_require(` + type xdm_log_t; + ') + + allow $1 xdm_log_t:file ioctl; +') + +######################################## +## +## Allow append the xdm +## tmp files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_append_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.') + userdom_append_user_tmp_files($1) +') + +######################################## +## +## Read a user Iceauthority domain. ## ## ## @@ -1143,18 +1957,18 @@ interface(`xserver_signal',` ## ## # -interface(`xserver_kill',` +interface(`xserver_read_user_iceauth',` gen_require(` - type xserver_t; + type iceauth_home_t; ') - allow $1 xserver_t:process sigkill; + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; ') ######################################## ## -## Read and write X server Sys V Shared -## memory segments. +## Read/write inherited user homedir fonts. ## ## ## @@ -1162,132 +1976,360 @@ interface(`xserver_kill',` ## ## # -interface(`xserver_rw_shm',` +interface(`xserver_rw_inherited_user_fonts',` gen_require(` - type xserver_t; + type user_fonts_t, user_fonts_config_t; ') - allow $1 xserver_t:shm rw_shm_perms; + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; ') ######################################## ## -## Do not audit attempts to read and write to -## X server sockets. +## Search XDM var lib dirs. ## ## ## -## Domain to not audit. +## Domain allowed access. ## ## # -interface(`xserver_dontaudit_rw_tcp_sockets',` +interface(`xserver_search_xdm_lib',` gen_require(` - type xserver_t; + type xdm_var_lib_t; ') - dontaudit $1 xserver_t:tcp_socket { read write }; + allow $1 xdm_var_lib_t:dir search_dir_perms; ') ######################################## ## -## Do not audit attempts to read and write X server -## unix domain stream sockets. +## Make an X executable an entrypoint for the specified domain. ## ## ## -## Domain to not audit. +## The domain for which the shell is an entrypoint. ## ## # -interface(`xserver_dontaudit_rw_stream_sockets',` +interface(`xserver_entry_type',` + gen_require(` + type xserver_exec_t; + ') + + domain_entry_file($1, xserver_exec_t) +') + +######################################## +## +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the xserver domain. +## +## +## +# +interface(`xserver_run',` gen_require(` type xserver_t; ') - dontaudit $1 xserver_t:unix_stream_socket { read write }; + xserver_domtrans($1) + role $2 types xserver_t; ') ######################################## ## -## Connect to the X server over a unix domain -## stream socket. +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. ## ## ## ## Domain allowed access. ## ## +## +## +## The role to be allowed the xserver domain. +## +## +## # -interface(`xserver_stream_connect',` +interface(`xserver_run_xauth',` gen_require(` - type xserver_t, xserver_tmp_t; + type xauth_t; ') - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + xserver_domtrans_xauth($1) + role $2 types xauth_t; ') ######################################## ## -## Read X server temporary files. +## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## +## # -interface(`xserver_read_tmp_files',` +interface(`xserver_read_home_fonts',` gen_require(` - type xserver_tmp_t; + type user_fonts_t, user_fonts_config_t; ') - allow $1 xserver_tmp_t:file read_file_perms; - files_search_tmp($1) + list_dirs_pattern($1, user_fonts_t, user_fonts_t) + read_files_pattern($1, user_fonts_t, user_fonts_t) + read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ') ######################################## ## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain permission to read the -## virtual core keyboard and virtual core pointer devices. +## Manage user fonts dir. ## ## ## ## Domain allowed access. ## ## +## # -interface(`xserver_manage_core_devices',` +interface(`xserver_manage_user_fonts_dir',` gen_require(` - type xserver_t; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; + type user_fonts_t; ') - allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ') ######################################## ## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain complete control over the -## display. +## Manage user homedir fonts. ## ## ## ## Domain allowed access. ## ## +## # -interface(`xserver_unconfined',` +interface(`xserver_manage_home_fonts',` gen_require(` - attribute x_domain; - attribute xserver_unconfined_type; + type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; ') - typeattribute $1 x_domain; - typeattribute $1 xserver_unconfined_type; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) + +# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d") +# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") +# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') + +####################################### +## +## Transition to xserver .fontconfig named content +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_filetrans_fonts_cache_home_content',` + gen_require(` + type user_fonts_cache_t; + ') + + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') + +######################################## +## +## Transition to xserver named content +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_filetrans_home_content',` + gen_require(` + type xdm_home_t, xauth_home_t, iceauth_home_t; + type user_home_t, user_fonts_t, user_fonts_cache_t; + type user_fonts_config_t; + ') + + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") + optional_policy(` + gnome_data_filetrans($1, user_fonts_t, dir, "fonts") + ') + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") + filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto") + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") +') + +######################################## +## +## Create xserver content in admin home +## directory with a named file transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_filetrans_admin_home_content',` + gen_require(` + type xdm_home_t, xauth_home_t, iceauth_home_t; + type user_home_t, user_fonts_t, user_fonts_cache_t; + type user_fonts_config_t; + ') + + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") + + optional_policy(` + gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") + ') +') + +######################################## +## +## Create objects in a xdm temporary directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`xserver_xdm_tmp_filetrans',` + refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.') + userdom_user_tmp_filetrans($1,$2, $3, $4) +') + +######################################## +## +## Dontaudit search ssh home directory +## +## +## +## Domain to not audit. +## +## +# +interface(`xserver_dontaudit_search_log',` + gen_require(` + type xserver_log_t; + ') + + dontaudit $1 xserver_log_t:dir search_dir_perms; ') + +######################################## +## +## Manage keys for xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xdm_keys',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:key { read write setattr }; +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 8b403774f..87dcb5ec7 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` # ## -##

      -## Allows clients to write to the X server shared -## memory segments. -##

      +##

      +## Allows clients to write to the X server shared +## memory segments. +##

      +##
      +gen_tunable(xserver_clients_write_xshm, false) + +## +##

      +## Allows XServer to execute writable memory +##

      ##
      -gen_tunable(allow_write_xshm, false) +gen_tunable(xserver_execmem, false) ## ##

      -## Allow xdm logins as sysadm +## Allow the graphical login program to execute bootloader ##

      ##
      +gen_tunable(xdm_exec_bootloader, false) + +## +##

      +## Allow the graphical login program to login directly as sysadm_r:sysadm_t +##

      +##
      gen_tunable(xdm_sysadm_login, false) ## -##

      -## Support X userspace object manager -##

      +##

      +## Allow the graphical login program to create files in HOME dirs as xdm_home_t. +##

      +##
      +gen_tunable(xdm_write_home, false) + +## +##

      +## Allows xdm_t to bind on vnc_port_t(5910) +##

      +##
      +gen_tunable(xdm_bind_vnc_tcp_port, false) + +## +##

      +## Support X userspace object manager +##

      ##
      gen_tunable(xserver_object_manager, false) +## +##

      +## Allow regular users direct dri device access +##

      +##
      +gen_tunable(selinuxuser_direct_dri_enabled, false) + +attribute xdmhomewriter; +attribute x_userdomain; attribute x_domain; +attribute dridomain; # X Events attribute xevent_type; @@ -107,44 +145,54 @@ xserver_object_types_template(remote) xserver_common_x_domain_template(remote, remote_t) type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; +typealias user_fonts_t alias xfs_tmp_t; userdom_user_home_content(user_fonts_t) +files_tmp_file(user_fonts_t) type user_fonts_cache_t; typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) type iceauth_t; type iceauth_exec_t; typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { xguest_iceauth_t }; typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; userdom_user_application_domain(iceauth_t, iceauth_exec_t) type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { xguest_iceauth_home_t }; userdom_user_home_content(iceauth_home_t) type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; userdom_user_application_domain(xauth_t, xauth_exec_t) type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; userdom_user_home_content(xauth_home_t) type xauth_tmp_t; typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) @@ -155,19 +203,28 @@ dev_associate(xconsole_device_t) fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) -type xdm_t; +type xdm_unconfined_exec_t; +application_executable_file(xdm_unconfined_exec_t) + +type xdm_t alias xdm_dbusd_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) -init_daemon_domain(xdm_t, xdm_exec_t) +init_system_domain(xdm_t, xdm_exec_t) xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm, xdm_t) type xdm_lock_t; files_lock_file(xdm_lock_t) +type xdm_etc_t; +files_config_file(xdm_etc_t) + type xdm_rw_etc_t; -files_type(xdm_rw_etc_t) +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; +files_spool_file(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -175,13 +232,21 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) -type xdm_tmp_t; -files_tmp_file(xdm_tmp_t) -typealias xdm_tmp_t alias ice_tmp_t; +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + +type xdm_log_t; +logging_log_file(xdm_log_t) + # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) @@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) -type xserver_tmp_t; -typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -userdom_user_tmp_file(xserver_tmp_t) +type xserver_etc_t; +files_config_file(xserver_etc_t) type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; -userdom_user_tmpfs_file(xserver_tmpfs_t) +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; +userdom_user_tmp_file(xserver_tmpfs_t) type xsession_exec_t; corecmd_executable_file(xsession_exec_t) @@ -226,21 +289,35 @@ optional_policy(` # allow iceauth_t iceauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) allow xdm_t iceauth_home_t:file read_file_perms; +dev_read_rand(iceauth_t) + fs_search_auto_mountpoints(iceauth_t) -userdom_use_user_terminals(iceauth_t) +userdom_use_inherited_user_terminals(iceauth_t) userdom_read_user_tmp_files(iceauth_t) +userdom_read_all_users_state(iceauth_t) +userdom_home_manager(iceauth_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(iceauth_t) -') +xserver_filetrans_home_content(iceauth_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(iceauth_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + + userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_tmp_files(iceauth_t) + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(iceauth_t) + ') ') ######################################## @@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # +allow xauth_t self:capability { dac_read_search dac_override }; allow xauth_t self:process signal; +allow xauth_t self:shm create_shm_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms; +allow xauth_t self:unix_dgram_socket create_socket_perms; + +allow xauth_t xdm_t:process sigchld; +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) allow xauth_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +kernel_read_network_state(xauth_t) +kernel_read_system_state(xauth_t) kernel_request_load_module(xauth_t) +dev_read_rand(xauth_t) +dev_read_urand(xauth_t) + domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) files_read_etc_files(xauth_t) +files_read_usr_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) -fs_getattr_xattr_fs(xauth_t) +fs_dontaudit_leaks(xauth_t) +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) -# cjp: why? -term_use_ptmx(xauth_t) +# Probably a leak +term_dontaudit_use_ptmx(xauth_t) +term_dontaudit_use_console(xauth_t) auth_use_nsswitch(xauth_t) -userdom_use_user_terminals(xauth_t) +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) +userdom_search_user_home_dirs(xauth_t) +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") xserver_rw_xdm_tmp_files(xauth_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(xauth_t) +ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(xauth_t) + fs_dontaudit_list_inotifyfs(xauth_t) + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(xauth_t) +userdom_home_manager(xauth_t) + +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) +') + +optional_policy(` + nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) @@ -300,64 +420,105 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; +dontaudit xdm_t self:capability sys_admin; +tunable_policy(`deny_ptrace',`',` + allow xdm_t self:process ptrace; +') + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate transition }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow xdm_t self:unix_dgram_socket create_socket_perms; +allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; +allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow xdm_t self:netlink_selinux_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +allow xdm_t self:dbus { send_msg acquire_svc }; + +allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) +xserver_filetrans_admin_home_content(xdm_t) + +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) +userdom_dontaudit_read_admin_home_lnk_files(xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) +can_exec(xdm_t, xsession_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) +read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) -manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +userdom_manage_all_user_tmp_content(xdm_t) +userdom_exec_user_tmp_files(xdm_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + +files_search_spool(xdm_t) +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) +exec_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +exec_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) + +ps_process_pattern(xserver_t, xdm_t) allow xserver_t xdm_t:process signal; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xserver_t, xserver_t) # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -366,20 +527,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) +files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm") kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) +kernel_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) +corecmd_dontaudit_access_all_executables(xdm_t) -corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) @@ -389,38 +561,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) +corenet_udp_bind_ipp_port(xdm_t) +corenet_udp_bind_xdmcp_port(xdm_t) corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t corenet_dontaudit_tcp_bind_all_ports(xdm_t) +dev_rwx_zero(xdm_t) dev_read_rand(xdm_t) -dev_read_sysfs(xdm_t) +dev_rw_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) dev_setattr_framebuffer_dev(xdm_t) dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) +dev_rw_input_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) +dev_rw_wireless(xdm_t) dev_getattr_xserver_misc_dev(xdm_t) dev_setattr_xserver_misc_dev(xdm_t) +dev_rw_xserver_misc(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) -dev_getattr_video_dev(xdm_t) +dev_read_video_dev(xdm_t) +dev_write_video_dev(xdm_t) dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -dev_getattr_sound_dev(xdm_t) -dev_setattr_sound_dev(xdm_t) +dev_read_sound(xdm_t) +dev_write_sound(xdm_t) dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) +dev_getattr_loop_control(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) +domain_dontaudit_getattr_all_entry_files(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) @@ -431,9 +615,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) +files_dontaudit_write_usr_files(xdm_t) +files_dontaudit_access_check_etc(xdm_t) +files_dontaudit_getattr_all_dirs(xdm_t) +files_dontaudit_getattr_all_symlinks(xdm_t) +files_dontaudit_getattr_all_tmp_sockets(xdm_t) +files_dontaudit_all_access_check(xdm_t) +files_dontaudit_list_non_security(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) +fs_search_all(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) +fs_mounton_fusefs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_dontaudit_list_noxattr_fs(xdm_t) +fs_dontaudit_read_noxattr_fs_files(xdm_t) +fs_manage_cgroup_dirs(xdm_t) +fs_manage_cgroup_files(xdm_t) +mount_read_pid_files(xdm_t) + +mls_socket_write_to_clearance(xdm_t) +mls_trusted_object(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) @@ -442,28 +647,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) -term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +term_use_all_terms(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) +term_getattr_virtio_console(xdm_t) auth_domtrans_pam_console(xdm_t) -auth_manage_pam_pid(xdm_t) +#auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) +auth_signal_pam(xdm_t) auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) # Run telinit->init to shutdown. init_telinit(xdm_t) +init_dbus_chat(xdm_t) +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x") +init_status(xdm_t) + +application_exec(xdm_t) libs_exec_lib_files(xdm_t) +libs_exec_ldconfig(xdm_t) logging_read_generic_logs(xdm_t) -miscfiles_read_localization(xdm_t) +miscfiles_search_man_pages(xdm_t) miscfiles_read_fonts(xdm_t) - -sysnet_read_config(xdm_t) +miscfiles_manage_fonts_cache(xdm_t) +miscfiles_manage_localization(xdm_t) +miscfiles_read_hwdata(xdm_t) +miscfiles_map_generic_certs(xdm_t) +miscfiles_read_certs(xdm_t) + +systemd_write_inhibit_pipes(xdm_t) +systemd_dbus_chat_localed(xdm_t) +systemd_dbus_chat_hostnamed(xdm_t) +systemd_start_power_services(xdm_t) +systemd_status_power_services(xdm_t) +systemd_hwdb_mmap_config(xdm_t) +systemd_hwdb_read_config(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -472,24 +699,167 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) +userdom_stream_connect(xdm_t) +userdom_manage_user_tmp_dirs(xdm_t) +userdom_manage_user_tmp_files(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmp_role(system_r, xdm_t) + +#userdom_home_manager(xdm_t) +tunable_policy(`xdm_write_home',` + userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) + userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) +',` + userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file }) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(xdm_t) + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) + fs_manage_nfs_symlinks(xdm_t) + fs_append_nfs_files(xdm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xdm_t) + fs_manage_cifs_files(xdm_t) + fs_manage_cifs_symlinks(xdm_t) + fs_append_cifs_files(xdm_t) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(xdm_t) + fs_manage_fusefs_files(xdm_t) + fs_manage_fusefs_symlinks(xdm_t) +') + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_dirs(xdm_t) + fs_manage_ecryptfs_files(xdm_t) +') + +### filename transitions ### +userdom_filetrans_generic_home_content(xdm_t) + +optional_policy(` + dbus_stream_connect_session_bus(xdm_t) +') + +optional_policy(` + cups_stream_connect(xdm_t) +') + +optional_policy(` + colord_read_lib_files(xdm_t) +') + +optional_policy(` + gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") +') + +optional_policy(` + apache_filetrans_home_content(xdm_t) +') + +optional_policy(` + auth_filetrans_home_content(xdm_t) +') + +optional_policy(` + geoclue_dbus_chat(xdm_t) +') + +optional_policy(` + gnome_filetrans_home_content(xdm_t) +') + +optional_policy(` + gpg_filetrans_home_content(xdm_t) +') + +optional_policy(` + irc_filetrans_home_content(xdm_t) +') + +optional_policy(` + kerberos_filetrans_home_content(xdm_t) +') + +optional_policy(` + mozilla_filetrans_home_content(xdm_t) +') + +optional_policy(` + mta_filetrans_home_content(xdm_t) +') + +optional_policy(` + pulseaudio_filetrans_home_content(xdm_t) +') + +optional_policy(` + remotelogin_signull(xdm_t) +') + +optional_policy(` + spamassassin_filetrans_home_content(xdm_t) + spamassassin_filetrans_admin_home_content(xdm_t) +') + +optional_policy(` + ssh_filetrans_admin_home_content(xdm_t) + ssh_filetrans_home_content(xdm_t) +') + +optional_policy(` + telepathy_filetrans_home_content(xdm_t) +') + +optional_policy(` + thumb_filetrans_home_content(xdm_t) +') + +optional_policy(` + tvtime_filetrans_home_content(xdm_t) +') + +optional_policy(` + virt_filetrans_home_content(xdm_t) +') + +### end of filename transitions ### + +application_signal(xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) +xserver_domtrans_xauth(xdm_t) + +ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; +') + +ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; +') tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_t) - fs_manage_nfs_files(xdm_t) - fs_manage_nfs_symlinks(xdm_t) fs_exec_nfs_files(xdm_t) ') tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xdm_t) - fs_manage_cifs_files(xdm_t) - fs_manage_cifs_symlinks(xdm_t) fs_exec_cifs_files(xdm_t) ') +optional_policy(` + tunable_policy(`xdm_exec_bootloader',` + bootloader_exec(xdm_t) + files_read_boot_files(xdm_t) + files_read_boot_symlinks(xdm_t) + ') +') + tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: @@ -502,12 +872,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') +tunable_policy(`xdm_bind_vnc_tcp_port',` + corenet_tcp_bind_vnc_port(xdm_t) +') + +optional_policy(` + accountsd_read_lib_files(xdm_t) + accountsd_dbus_chat(xdm_t) +') + +optional_policy(` + acct_dontaudit_list_data(xdm_t) +') + +optional_policy(` + boinc_dontaudit_getattr_lib(xdm_t) +') + optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') optional_policy(` consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) ') optional_policy(` @@ -517,9 +906,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) + + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') + + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + cpufreqselector_dbus_chat(xdm_t) + ') + + optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') optional_policy(` - accountsd_dbus_chat(xdm_t) + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + gnomeclock_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) ') ') @@ -529,6 +943,20 @@ optional_policy(` gpm_setattr_gpmctl(xdm_t) ') +optional_policy(` + gnome_stream_connect_gkeyringd(xdm_t) + gnome_exec_gstreamer_home_files(xdm_t) + gnome_exec_keyringd(xdm_t) + gnome_delete_gkeyringd_tmp_content(xdm_t) + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_read_usr_config(xdm_t) + gnome_read_gconf_config(xdm_t) + gnome_transition_gkeyringd(xdm_t) + gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") +') + optional_policy(` hostname_exec(xdm_t) ') @@ -546,29 +974,79 @@ optional_policy(` mta_dontaudit_getattr_spool_files(xdm_t) ') +optional_policy(` + policykit_dbus_chat(xdm_t) + policykit_domtrans_auth(xdm_t) + policykit_read_lib(xdm_t) + policykit_read_reload(xdm_t) + policykit_signal_auth(xdm_t) +') + +optional_policy(` + pcscd_stream_connect(xdm_t) +') + +optional_policy(` + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) + plymouthd_stream_connect(xdm_t) + plymouthd_read_log(xdm_t) +') + +optional_policy(` + pulseaudio_exec(xdm_t) + pulseaudio_dbus_chat(xdm_t) + pulseaudio_stream_connect(xdm_t) + pulseaudio_read_state(xserver_t) +') + optional_policy(` resmgr_stream_connect(xdm_t) ') +optional_policy(` + rhev_stream_connect_agentd(xdm_t) + rhev_read_pid_files_agentd(xdm_t) +') + +# On crash gdm execs gdb to dump stack +optional_policy(` + rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) + rpm_dontaudit_dbus_chat(xdm_t) +') + +optional_policy(` + rtkit_scheduled(xdm_t) +') + optional_policy(` seutil_sigchld_newrole(xdm_t) ') optional_policy(` - udev_read_db(xdm_t) + ssh_signull(xdm_t) ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) + shutdown_domtrans(xdm_t) +') - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` + telepathy_exec(xdm_t) +') - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` + udev_read_db(xdm_t) +') + +optional_policy(` + unconfined_signal(xdm_t) +') + +optional_policy(` + usbmuxd_stream_connect(xdm_t) ') optional_policy(` @@ -579,6 +1057,14 @@ optional_policy(` usermanage_read_crack_db(xdm_t) ') +optional_policy(` + vdagent_stream_connect(xdm_t) +') + +optional_policy(` + wm_exec(xdm_t) +') + optional_policy(` xfs_stream_connect(xdm_t) ') @@ -594,7 +1080,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; -allow xserver_t input_xevent_t:x_event send; +allow xserver_t xevent_type:x_event send; # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer @@ -604,8 +1090,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; +allow xserver_t self:capability2 compromise_kernel; + allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; @@ -618,8 +1107,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) + +allow xserver_t xauth_home_t:file read_file_perms; + manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) @@ -627,36 +1123,48 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) +allow xserver_t xserver_etc_t:dir list_dir_perms; +read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t) +read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t) + manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +allow xserver_t xserver_tmpfs_t:file map; manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) -allow xserver_t xauth_home_t:file read_file_perms; +manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + +manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -kernel_read_modprobe_sysctls(xserver_t) +kernel_read_usermodehelper_state(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) +kernel_request_load_module(xserver_t) # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) corecmd_exec_shell(xserver_t) -corenet_all_recvfrom_unlabeled(xserver_t) corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) @@ -677,23 +1185,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) -dev_filetrans_dri(xserver_t) +dev_map_dri(xserver_t) dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer dev_read_raw_memory(xserver_t) dev_wx_raw_memory(xserver_t) +dev_read_urand(xserver_t) # for other device nodes such as the NVidia binary-only driver -dev_rw_xserver_misc(xserver_t) +dev_manage_xserver_misc(xserver_t) +dev_filetrans_xserver_misc(xserver_t) + # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) +dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) -domain_dontaudit_search_all_domains_state(xserver_t) +domain_dontaudit_read_all_domains_state(xserver_t) +domain_signal_all_domains(xserver_t) files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) +files_rw_tmpfs_files(xserver_t) # brought on by rhgb files_search_mnt(xserver_t) @@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) +mls_file_upgrade(xserver_t) +mls_process_write_to_clearance(xserver_t) +mls_socket_read_to_clearance(xserver_t) +mls_sysvipc_read_to_clearance(xserver_t) +mls_sysvipc_write_to_clearance(xserver_t) +mls_trusted_object(xserver_t) mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) @@ -718,28 +1240,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) -getty_use_fds(xserver_t) - locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) logging_send_audit_msgs(xserver_t) -miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) - -modutils_domtrans_insmod(xserver_t) +miscfiles_read_hwdata(xserver_t) # read x_contexts seutil_read_default_contexts(xserver_t) +seutil_read_config(xserver_t) +seutil_read_file_contexts(xserver_t) userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) - -xserver_use_user_fonts(xserver_t) +userdom_map_tmp_files(xserver_t) ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; @@ -784,24 +1303,65 @@ optional_policy(` auth_search_pam_console_data(xserver_t) ') +optional_policy(` + consolekit_read_state(xserver_t) +') + +optional_policy(` + devicekit_signal_power(xserver_t) +') + +optional_policy(` + getty_use_fds(xserver_t) +') + +optional_policy(` + modutils_domtrans_insmod(xserver_t) +') + optional_policy(` rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') +optional_policy(` + setrans_translate_context(xserver_t) +') + +optional_policy(` + sandbox_rw_xserver_tmpfs_files(xserver_t) +') + +optional_policy(` + tcpd_wrapped_domain(xserver_t, xserver_exec_t) +') + +optional_policy(` + mozilla_plugin_read_state(xserver_t) + mozilla_plugin_rw_tmp_files(xserver_t) + mozilla_plugin_rw_tmpfs_files(xserver_t) +') + +optional_policy(` + policykit_dbus_chat(xserver_t) +') + optional_policy(` udev_read_db(xserver_t) ') optional_policy(` - unconfined_domain_noaudit(xserver_t) - unconfined_domtrans(xserver_t) + unconfined_domain(xserver_t) ') optional_policy(` userhelper_search_config(xserver_t) ') +optional_policy(` + wine_rw_shm(xserver_t) +') + optional_policy(` xfs_stream_connect(xserver_t) ') @@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file { getattr read }; -dontaudit xserver_t xdm_var_lib_t:dir search; +allow xserver_t xdm_var_lib_t:file read_file_perms; +dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. -manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +userdom_manage_user_tmp_files(xserver_t) +userdom_manage_user_tmp_sockets(xserver_t) # Run xkbcomp. -allow xserver_t xkb_var_lib_t:lnk_file read; +allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server @@ -842,26 +1401,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) +userdom_home_manager(xserver_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xserver_t) - fs_manage_nfs_files(xserver_t) - fs_manage_nfs_symlinks(xserver_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xserver_t) - fs_manage_cifs_files(xserver_t) - fs_manage_cifs_symlinks(xserver_t) -') +xserver_use_user_fonts(xserver_t) optional_policy(` dbus_system_bus_client(xserver_t) - hal_dbus_chat(xserver_t) + + optional_policy(` + hal_dbus_chat(xserver_t) + ') ') optional_policy(` - resmgr_stream_connect(xdm_t) + mono_rw_shm(xserver_t) ') optional_policy(` @@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; -allow x_domain self:x_drawable { blend }; +allow x_domain self:x_drawable blend; # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; @@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; +# Device rules +allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +allow x_domain xserver_t:x_screen getattr; + ######################################## # # Rules for unconfined access to this module # +allow xserver_unconfined_type xserver_t:x_server *; +allow xserver_unconfined_type xdrawable_type:x_drawable *; +allow xserver_unconfined_type xserver_t:x_screen *; +allow xserver_unconfined_type x_domain:x_gc *; +allow xserver_unconfined_type xcolormap_type:x_colormap *; +allow xserver_unconfined_type xproperty_type:x_property *; +allow xserver_unconfined_type xselection_type:x_selection *; +allow xserver_unconfined_type x_domain:x_cursor *; +allow xserver_unconfined_type x_domain:x_client *; +allow xserver_unconfined_type { x_domain xserver_t }:x_device *; +allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; +allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +allow xserver_unconfined_type xextension_type:x_extension *; +allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; + tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals @@ -992,18 +1566,149 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') -allow xserver_unconfined_type xserver_t:x_server *; -allow xserver_unconfined_type xdrawable_type:x_drawable *; -allow xserver_unconfined_type xserver_t:x_screen *; -allow xserver_unconfined_type x_domain:x_gc *; -allow xserver_unconfined_type xcolormap_type:x_colormap *; -allow xserver_unconfined_type xproperty_type:x_property *; -allow xserver_unconfined_type xselection_type:x_selection *; -allow xserver_unconfined_type x_domain:x_cursor *; -allow xserver_unconfined_type x_domain:x_client *; -allow xserver_unconfined_type { x_domain xserver_t }:x_device *; -allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; -allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; -allow xserver_unconfined_type xextension_type:x_extension *; -allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; -allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; +tunable_policy(`xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + +# Hack to handle the problem of using the nvidia blobs +tunable_policy(`deny_execmem',`',` + allow xdm_t self:process execmem; +') + +tunable_policy(`selinuxuser_execstack',` + allow xdm_t self:process { execstack execmem }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files(xdmhomewriter) +') + +optional_policy(` + unconfined_rw_shm(xserver_t) + + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) +') + +allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms; +can_exec(xdm_t, xdm_unconfined_exec_t) + +optional_policy(` + type xdm_unconfined_t; + domain_type(xdm_unconfined_t) + domain_entry_file(xdm_unconfined_t, xdm_unconfined_exec_t) + role system_r types xdm_unconfined_t; + + domtrans_pattern(xdm_t, xdm_unconfined_exec_t, xdm_unconfined_t) + unconfined_domain(xdm_unconfined_t) +') + +# X Userdomain +# Xserver read/write client shm +allow xserver_t x_userdomain:fd use; +allow xserver_t x_userdomain:shm rw_shm_perms; + +allow xserver_t x_userdomain:process { getpgid signal }; + +allow xserver_t x_userdomain:shm rw_shm_perms; + +allow x_userdomain user_fonts_t:dir list_dir_perms; +allow x_userdomain user_fonts_t:file read_file_perms; +allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms; + +allow x_userdomain user_fonts_config_t:dir list_dir_perms; +allow x_userdomain user_fonts_config_t:file read_file_perms; + +manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) +manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) + +stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t) +allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms; +files_search_tmp(x_userdomain) + +# Communicate via System V shared memory. +allow x_userdomain xserver_t:shm r_shm_perms; +allow x_userdomain xserver_tmpfs_t:file read_file_perms; + +# allow ps to show iceauth +ps_process_pattern(x_userdomain, iceauth_t) + +domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t) + +allow x_userdomain iceauth_home_t:file read_file_perms; + +domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t) + +allow x_userdomain xauth_t:process signal; + +# allow ps to show xauth +ps_process_pattern(x_userdomain, xauth_t) +allow x_userdomain xserver_t:process signal; + +allow x_userdomain xauth_home_t:file read_file_perms; + +# for when /tmp/.X11-unix is created by the system +allow x_userdomain xdm_t:fd use; +allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms; +userdom_search_user_tmp_dirs(x_userdomain) +userdom_rw_user_tmp_sock_files(x_userdomain) +dontaudit x_userdomain xdm_t:tcp_socket { read write }; + +allow x_userdomain xdm_t:dbus send_msg; +allow xdm_t x_userdomain:dbus send_msg; + +# Client read xserver shm +allow x_userdomain xserver_t:fd use; +allow x_userdomain xserver_tmpfs_t:file read_file_perms; + +# Read /tmp/.X0-lock +allow x_userdomain xserver_tmp_t:file read_inherited_file_perms; + +dev_rw_xserver_misc(x_userdomain) +dev_rw_power_management(x_userdomain) +dev_read_input(x_userdomain) +dev_read_misc(x_userdomain) +dev_write_misc(x_userdomain) +# open office is looking for the following +dev_getattr_agp_dev(x_userdomain) + +# GNOME checks for usb and other devices: +dev_rw_usbfs(x_userdomain) + +miscfiles_read_fonts(x_userdomain) +miscfiles_setattr_fonts_cache_dirs(x_userdomain) +miscfiles_read_hwdata(x_userdomain) + +#xserver_common_x_domain_template(user, x_userdomain) +#xserver_domtrans(x_userdomain) +#xserver_unconfined(x_userdomain) +#xserver_xsession_entry_type(x_userdomain) +xserver_dontaudit_write_log(x_userdomain) +#xserver_stream_connect_xdm(x_userdomain) +# certain apps want to read xdm.pid file +xserver_read_xdm_pid(x_userdomain) +# gnome-session creates socket under /tmp/.ICE-unix/ +xserver_create_xdm_tmp_sockets(x_userdomain) +# Needed for escd, remove if we get escd policy +xserver_manage_xdm_tmp_files(x_userdomain) +xserver_read_xdm_etc_files(x_userdomain) +#xserver_xdm_append_log(x_userdomain) + +term_use_virtio_console(x_userdomain) +# Client write xserver shm +tunable_policy(`xserver_clients_write_xshm',` + allow x_userdomain xserver_t:shm rw_shm_perms; + allow x_userdomain xserver_tmpfs_t:file rw_file_perms; +') + +optional_policy(` + gnome_read_gconf_config(x_userdomain) +') + +tunable_policy(`selinuxuser_direct_dri_enabled',` + dev_rw_dri(dridomain) +',` + dev_dontaudit_rw_dri(dridomain) +') + diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index 1b6619e64..be02b9618 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -43,6 +43,27 @@ interface(`application_executable_file',` corecmd_executable_file($1) ') +####################################### +## +## Make the specified type usable for files +## that are exectuables, such as binary programs. +## This does not include shared libraries. +## +## +## +## Type to be used for files. +## +## +# +interface(`application_executable_ioctl',` + gen_require(` + attribute application_exec_type; + ') + + allow $1 application_exec_type:file ioctl; + +') + ######################################## ## ## Execute application executables in the caller domain. @@ -76,11 +97,28 @@ interface(`application_exec_all',` corecmd_dontaudit_exec_all_executables($1) corecmd_exec_bin($1) corecmd_exec_shell($1) - corecmd_exec_chroot($1) application_exec($1) ') +######################################## +## +## Dontaudit execute all executable files. +## +## +## +## Domain to not audit. +## +## +# +interface(`application_dontaudit_exec',` + gen_require(` + attribute application_exec_type; + ') + + dontaudit $1 application_exec_type:file execute; +') + ######################################## ## ## Create a domain for applications. @@ -187,6 +225,24 @@ interface(`application_dontaudit_signal',` dontaudit $1 application_domain_type:process signal; ') +######################################## +## +## Send kill signals to all application domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`application_sigkill',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process sigkill; +') + ######################################## ## ## Do not audit attempts to send kill signals @@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') + +####################################### +## +## Getattr all application sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`application_getattr_socket',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te index c6fdab72d..82aea98a1 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te @@ -6,15 +6,41 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; +domain_use_interactive_fds(application_domain_type) + +userdom_inherit_append_user_home_content_files(application_domain_type) +userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) +userdom_rw_inherited_user_tmp_files(application_domain_type) +userdom_mmap_rw_inherited_user_tmp_files(application_domain_type) +userdom_rw_inherited_user_pipes(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) + +files_dontaudit_search_non_security_dirs(application_domain_type) + +auth_login_pgm_sigchld(application_domain_type) + +optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') + optional_policy(` + cfengine_append_inherited_log(application_domain_type) +') + +optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) cron_sigchld(application_domain_type) ') optional_policy(` - ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') +optional_policy(` + screen_sigchld(application_domain_type) +') + optional_policy(` sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 247958765..890e1e293 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ +HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) +/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) -/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -16,13 +30,25 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') +/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) + /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) -/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) +/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_gentoo', ` /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') +/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + +/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) @@ -30,21 +56,25 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) -/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) +/var/log/faillog.* -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/lastlog.* -- gen_context(system_u:object_r:lastlog_t,s0) /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) -/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) +/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 3efd5b669..1bfc72041 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` role $1 types chkpwd_t; # Transition from the user domain to this domain. - domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) + auth_domtrans_chkpwd($2) ps_process_pattern($2, chkpwd_t) dontaudit $2 shadow_t:file read_file_perms; + + logging_send_syslog_msg($2) + logging_send_audit_msgs($2) + + usermanage_read_crack_db($2) + ') ######################################## @@ -53,13 +59,18 @@ interface(`auth_use_pam',` auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) - auth_rw_faillog($1) + auth_create_lastlog($1) + auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) + init_rw_stream_sockets($1) + logging_send_audit_msgs($1) logging_send_syslog_msg($1) + userdom_search_user_tmp_dirs($1) + optional_policy(` dbus_system_bus_client($1) @@ -77,9 +88,20 @@ interface(`auth_use_pam',` kerberos_read_config($1) ') + optional_policy(` + locallogin_getattr_home_content($1) + ') + optional_policy(` nis_authenticate($1) ') + + optional_policy(` + systemd_dbus_chat_logind($1) + systemd_use_fds_logind($1) + systemd_write_inherited_logind_sessions_pipes($1) + systemd_read_logind_sessions_files($1) + ') ') ######################################## @@ -95,69 +117,67 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; + attribute polydomain; + attribute login_pgm; ') domain_type($1) + typeattribute $1 polydomain; + typeattribute $1 login_pgm; + domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) role system_r types $1; - # Needed for pam_selinux_permit to cleanup properly - domain_read_all_domains_state($1) - domain_kill_all_domains($1) - - # pam_keyring - allow $1 self:capability ipc_lock; - allow $1 self:process setkeycreate; - allow $1 self:key manage_key_perms; - - files_list_var_lib($1) - manage_files_pattern($1, var_auth_t, var_auth_t) - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) - manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) - files_var_filetrans($1, auth_cache_t, dir) - - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_rw_afs_state($1) - - # for fingerprint readers - dev_rw_input_dev($1) - dev_rw_generic_usb_dev($1) - - files_read_etc_files($1) - - fs_list_auto_mountpoints($1) - selinux_get_fs_mount($1) - selinux_validate_context($1) - selinux_compute_access_vector($1) - selinux_compute_create_context($1) - selinux_compute_relabel_context($1) - selinux_compute_user_contexts($1) mls_file_read_all_levels($1) mls_file_write_all_levels($1) mls_file_upgrade($1) mls_file_downgrade($1) mls_process_set_level($1) + mls_process_write_to_clearance($1) mls_fd_share_all_levels($1) auth_use_pam($1) +') - init_rw_utmp($1) - - logging_set_loginuid($1) - logging_set_tty_audit($1) +######################################## +## +## Read authlogin state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`authlogin_read_state',` + gen_require(` + attribute polydomain; + ') - seutil_read_config($1) - seutil_read_default_contexts($1) + kernel_search_proc($1) + ps_process_pattern($1, polydomain) +') - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) +######################################## +## +## Read and write a authlogin unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -227,6 +247,26 @@ interface(`auth_domtrans_login_program',` corecmd_search_bin($1) domtrans_pattern($1, login_exec_t, $2) + allow $1 login_exec_t:file map; +') + +######################################## +## +## Execute a login_program in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`auth_exec_login_program',` + gen_require(` + type login_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, login_exec_t) ') ######################################## @@ -320,6 +360,24 @@ interface(`auth_rw_cache',` rw_files_pattern($1, auth_cache_t, auth_cache_t) ') +######################################## +## +## Create authentication cache +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_create_cache',` + gen_require(` + type auth_cache_t; + ') + + create_files_pattern($1, auth_cache_t, auth_cache_t) +') + ######################################## ## ## Manage authentication cache @@ -337,6 +395,7 @@ interface(`auth_manage_cache',` manage_dirs_pattern($1, auth_cache_t, auth_cache_t) manage_files_pattern($1, auth_cache_t, auth_cache_t) + allow $1 auth_cache_t:file map; ') ####################################### @@ -377,6 +436,7 @@ interface(`auth_domtrans_chk_passwd',` corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + allow $1 chkpwd_exec_t:file map; dontaudit $1 shadow_t:file read_file_perms; @@ -402,6 +462,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') + + auth_domtrans_upd_passwd($1) ') ######################################## @@ -426,6 +488,24 @@ interface(`auth_domtrans_chkpwd',` auth_domtrans_upd_passwd($1) ') +######################################## +## +## Execute chkpwd in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`auth_exec_chkpwd',` + gen_require(` + type chkpwd_exec_t; + ') + + allow $1 chkpwd_exec_t:file execute; +') + ######################################## ## ## Execute chkpwd programs in the chkpwd domain. @@ -448,6 +528,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) +') + +######################################## +## +## Send generic signals to chkpwd processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_signal_chk_passwd',` + gen_require(` + type chkpwd_t; + ') + + allow $1 chkpwd_t:process signal; ') ######################################## @@ -467,7 +566,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) - ') ######################################## @@ -532,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',` dontaudit $1 shadow_t:file getattr; ') +######################################## +## +## Mmap the shadow passwords file. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_map_shadow',` + gen_require(` + type shadow_t; + ') + + allow $1 shadow_t:file map; +') + ######################################## ## ## Read the shadow passwords file (/etc/shadow) @@ -664,6 +780,11 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") + files_etc_filetrans($1, shadow_t, file, "nshadow") + files_etc_filetrans($1, shadow_t, file, "opasswd") ') ####################################### @@ -763,7 +884,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) - allow $1 faillog_t:file rw_file_perms; + rw_files_pattern($1, faillog_t, faillog_t) +') + +######################################## +## +## Relabel the login failure log. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_relabel_faillog',` + gen_require(` + type faillog_t; + ') + + allow $1 faillog_t:dir relabel_dir_perms; + allow $1 faillog_t:file relabel_file_perms; +') + +######################################## +## +## Manage the login failure log. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_faillog',` + gen_require(` + type faillog_t; + ') + + logging_search_logs($1) + files_search_pids($1) + allow $1 faillog_t:dir manage_dir_perms; + allow $1 faillog_t:file manage_file_perms; + logging_log_named_filetrans($1, faillog_t, file, "tallylog") + logging_log_named_filetrans($1, faillog_t, file, "faillog") + logging_log_named_filetrans($1, faillog_t, file, "btmp") ') ####################################### @@ -824,9 +988,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') +####################################### +## +## Manage create logins log. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_create_lastlog',` + gen_require(` + type lastlog_t; + ') + + logging_search_logs($1) + allow $1 lastlog_t:file create; + logging_log_named_filetrans($1, lastlog_t, file, "lastlog") +') + ######################################## ## -## Execute pam programs in the pam domain. +## Execute pam timestamp programs in the pam timestamp domain. ## ## ## @@ -834,12 +1018,27 @@ interface(`auth_rw_lastlog',` ## ## # -interface(`auth_domtrans_pam',` +interface(`auth_domtrans_pam_timestamp',` gen_require(` - type pam_t, pam_exec_t; + type pam_timestamp_t, pam_timestamp_exec_t; ') - domtrans_pattern($1, pam_exec_t, pam_t) + domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t) +') + +######################################## +## +## Execute pam timestamp programs in the pam timestamp domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`auth_domtrans_pam',` + auth_domtrans_pam_timestamp($1) + refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.') ') ######################################## @@ -854,15 +1053,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` - type pam_t; + type pam_timestamp_t; ') - allow $1 pam_t:process signal; + allow $1 pam_timestamp_t:process signal; ') ######################################## ## -## Execute pam programs in the PAM domain. +## Execute pam_timestamp programs in the PAM timestamp domain. ## ## ## @@ -875,13 +1074,33 @@ interface(`auth_signal_pam',` ## ## # -interface(`auth_run_pam',` +interface(`auth_run_pam_timestamp',` gen_require(` - type pam_t; + type pam_timestamp_t; ') - auth_domtrans_pam($1) - role $2 types pam_t; + auth_domtrans_pam_timestamp($1) + role $2 types pam_timestamp_t; +') + +######################################## +## +## Execute pam_timestamp programs in the PAM timestamp domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`auth_run_pam',` + auth_run_pam_timestamp($1, $2) + refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.') ') ######################################## @@ -959,9 +1178,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) - allow $1 var_auth_t:dir manage_dir_perms; - allow $1 var_auth_t:file rw_file_perms; - allow $1 var_auth_t:lnk_file rw_lnk_file_perms; + + manage_dirs_pattern($1, var_auth_t, var_auth_t) + manage_files_pattern($1, var_auth_t, var_auth_t) + manage_lnk_files_pattern($1, var_auth_t, var_auth_t) +') + +######################################## +## +## Relabel all var auth files. Used by various other applications +## and pam applets etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_relabel_var_auth_dirs',` + gen_require(` + type var_auth_t; + ') + + files_search_var($1) + relabel_dirs_pattern($1, var_auth_t, var_auth_t) ') ######################################## @@ -1040,6 +1280,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; + files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") + files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") + files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") + files_pid_filetrans($1, pam_var_run_t, dir, "sudo") ') ######################################## @@ -1176,6 +1420,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) + files_pid_filetrans($1, pam_var_console_t, dir, "console") ') ####################################### @@ -1574,6 +1819,25 @@ interface(`auth_setattr_login_records',` logging_search_logs($1) ') +######################################## +## +## Relabel login record files. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_relabel_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file relabel_file_perms; +') + + ######################################## ## ## Read login records files (/var/log/wtmp). @@ -1726,24 +1990,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; -') - -######################################## -## -## Relabel login record files. -## -## -## -## Domain allowed access. -## -## -# -interface(`auth_relabel_login_records',` - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file relabel_file_perms; + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ') ######################################## @@ -1767,11 +2014,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` - gen_require(` - attribute nsswitch_domain; - ') + gen_require(` + attribute nsswitch_domain; + ') typeattribute $1 nsswitch_domain; + + corenet_all_recvfrom_netlabel($1) ') ######################################## @@ -1805,3 +2054,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') + +######################################## +## +## Transition to authlogin named content +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_filetrans_named_content',` + gen_require(` + type shadow_t; + type passwd_file_t; + type faillog_t; + type lastlog_t; + type wtmp_t; + type pam_var_console_t; + type pam_var_run_t; + type auth_cache_t; + ') + + files_etc_filetrans($1, passwd_file_t, file, "group") + files_etc_filetrans($1, passwd_file_t, file, "group-") + #files_etc_filetrans($1, passwd_file_t, file, "group+") + files_etc_filetrans($1, passwd_file_t, file, "passwd") + files_etc_filetrans($1, passwd_file_t, file, "passwd-") + #files_etc_filetrans($1, passwd_file_t, file, "passwd+") + files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD") + files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") + files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") + files_etc_filetrans($1, passwd_file_t, file, "group.lock") + files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct") + files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") + files_etc_filetrans($1, shadow_t, file, "shadow") + files_etc_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") + files_etc_filetrans($1, shadow_t, file, "opasswd") + logging_log_named_filetrans($1, lastlog_t, file, "lastlog") + logging_log_named_filetrans($1, faillog_t, file, "tallylog") + logging_log_named_filetrans($1, faillog_t, file, "faillog") + logging_log_named_filetrans($1, faillog_t, file, "btmp") + files_pid_filetrans($1, faillog_t, file, "faillog") + files_pid_filetrans($1, faillog_t, dir, "faillock") + files_pid_filetrans($1, pam_var_console_t, dir, "console") + files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") + files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") + files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") + files_pid_filetrans($1, pam_var_run_t, dir, "sudo") + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") + files_var_filetrans($1, auth_cache_t, dir, "coolkey") +') + +######################################## +## +## Get the attributes of the passwd passwords file. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_getattr_passwd',` + gen_require(` + type passwd_file_t; + ') + + files_search_etc($1) + allow $1 passwd_file_t:file getattr; +') + +######################################## +## +## Do not audit attempts to get the attributes +## of the passwd passwords file. +## +## +## +## Domain to not audit. +## +## +# +interface(`auth_dontaudit_getattr_passwd',` + gen_require(` + type passwd_file_t; + ') + + dontaudit $1 passwd_file_t:file getattr; +') + +######################################## +## +## Read the passwd passwords file (/etc/passwd) +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_read_passwd',` + gen_require(` + type passwd_file_t; + ') + + allow $1 passwd_file_t:file read_file_perms; +') + +######################################## +## +## Mmap the passwd passwords file (/etc/passwd) +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_map_passwd',` + gen_require(` + type passwd_file_t; + ') + + allow $1 passwd_file_t:file map; +') + +######################################## +## +## Do not audit attempts to read the passwd +## password file (/etc/passwd). +## +## +## +## Domain to not audit. +## +## +# +interface(`auth_dontaudit_read_passwd',` + gen_require(` + type passwd_file_t; + ') + + dontaudit $1 passwd_file_t:file read_file_perms; +') + +######################################## +## +## Create, read, write, and delete the passwd +## password file. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_passwd',` + gen_require(` + type passwd_file_t; + ') + + files_rw_etc_dirs($1) + allow $1 passwd_file_t:file manage_file_perms; + files_etc_filetrans($1, passwd_file_t, file, "passwd") + files_etc_filetrans($1, passwd_file_t, file, "passwd-") + files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") + files_etc_filetrans($1, passwd_file_t, file, "group") + files_etc_filetrans($1, passwd_file_t, file, "group-") + files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") + files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") + files_etc_filetrans($1, passwd_file_t, file, "group.lock") +') + +######################################## +## +## Create auth directory in the /root directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_filetrans_admin_home_content',` + gen_require(` + type auth_home_t; + ') + + userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") + userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") + userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico") +') + + +######################################## +## +## Read the authorization data in the user home directory +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_read_home_content',` + + gen_require(` + type auth_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, auth_home_t, auth_home_t) +') + +######################################## +## +## Read the authorization data in the user home directory +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_manage_home_content',` + + gen_require(` + type auth_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, auth_home_t, auth_home_t) + manage_dirs_pattern($1, auth_home_t, auth_home_t) +') + +######################################## +## +## Create auth directory in the user home directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_filetrans_home_content',` + + gen_require(` + type auth_home_t; + ') + + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") + userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico") +') + +######################################## +## +## Send a SIGCHLD signal to login programs. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_login_pgm_sigchld',` + gen_require(` + attribute login_pgm; + ') + + allow $1 login_pgm:process sigchld; +') + +######################################## +## +## Manage the keyrings of all login programs +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_login_manage_key',` + gen_require(` + attribute login_pgm; + ') + + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 09b791dcc..073241e05 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) # Declarations # +## +##

      +## Allow users to login using a radius server +##

      +##
      +gen_tunable(authlogin_radius, false) + +## +##

      +## Allow users to login using a yubikey OTP server or challenge response mode +##

      +##
      +gen_tunable(authlogin_yubikey, false) ## ##

      @@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false) attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; +attribute polydomain; attribute nsswitch_domain; +attribute login_pgm; type auth_cache_t; logging_log_file(auth_cache_t) +type auth_home_t; +userdom_user_home_content(auth_home_t) + type chkpwd_t, can_read_shadow_passwords; type chkpwd_exec_t; typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; -typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; +typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t }; application_domain(chkpwd_t, chkpwd_exec_t) role system_r types chkpwd_t; type faillog_t; logging_log_file(faillog_t) +mls_trusted_object(faillog_t) type lastlog_t; logging_log_file(lastlog_t) @@ -42,15 +61,15 @@ type pam_console_exec_t; init_system_domain(pam_console_t, pam_console_exec_t) role system_r types pam_console_t; -type pam_t; -domain_type(pam_t) -role system_r types pam_t; +type pam_timestamp_t alias pam_t; +domain_type(pam_timestamp_t) +role system_r types pam_timestamp_t; -type pam_exec_t; -domain_entry_file(pam_t, pam_exec_t) +type pam_timestamp_exec_t alias pam_exec_t; +domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t) -type pam_tmp_t; -files_tmp_file(pam_tmp_t) +type pam_timestamp_tmp_t; +files_tmp_file(pam_timestamp_tmp_t) type pam_var_console_t; files_pid_file(pam_var_console_t) @@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; +type passwd_file_t; +files_type(passwd_file_t) + type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) @@ -90,11 +112,11 @@ logging_log_file(wtmp_t) # Check password local policy # -allow chkpwd_t self:capability { dac_override setuid }; +allow chkpwd_t self:capability { dac_read_search dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; allow chkpwd_t self:process { getattr signal }; -allow chkpwd_t shadow_t:file read_file_perms; +allow chkpwd_t shadow_t:file { read_file_perms map }; files_list_etc(chkpwd_t) kernel_read_crypto_sysctls(chkpwd_t) @@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd files_dontaudit_search_var(chkpwd_t) +files_read_usr_symlinks(chkpwd_t) +files_list_tmp(chkpwd_t) +files_map_system_db_files(chkpwd_t) fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -122,12 +147,11 @@ auth_use_nsswitch(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) -miscfiles_read_localization(chkpwd_t) seutil_read_config(chkpwd_t) seutil_dontaudit_use_newrole_fds(chkpwd_t) -userdom_use_user_terminals(chkpwd_t) +userdom_dontaudit_use_user_ttys(chkpwd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -140,6 +164,10 @@ optional_policy(` apache_dontaudit_rw_tcp_sockets(chkpwd_t) ') +optional_policy(` + dbus_system_bus_client(chkpwd_t) +') + optional_policy(` kerberos_use(chkpwd_t) ') @@ -153,53 +181,52 @@ optional_policy(` # PAM local policy # -allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -dontaudit pam_t self:capability sys_tty_config; +allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +dontaudit pam_timestamp_t self:capability sys_tty_config; -allow pam_t self:fd use; -allow pam_t self:fifo_file rw_file_perms; -allow pam_t self:unix_dgram_socket create_socket_perms; -allow pam_t self:unix_stream_socket rw_stream_socket_perms; -allow pam_t self:unix_dgram_socket sendto; -allow pam_t self:unix_stream_socket connectto; -allow pam_t self:shm create_shm_perms; -allow pam_t self:sem create_sem_perms; -allow pam_t self:msgq create_msgq_perms; -allow pam_t self:msg { send receive }; +allow pam_timestamp_t self:fd use; +allow pam_timestamp_t self:fifo_file rw_file_perms; +allow pam_timestamp_t self:unix_dgram_socket create_socket_perms; +allow pam_timestamp_t self:unix_stream_socket rw_stream_socket_perms; +allow pam_timestamp_t self:unix_dgram_socket sendto; +allow pam_timestamp_t self:unix_stream_socket connectto; +allow pam_timestamp_t self:shm create_shm_perms; +allow pam_timestamp_t self:sem create_sem_perms; +allow pam_timestamp_t self:msgq create_msgq_perms; +allow pam_timestamp_t self:msg { send receive }; -delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -files_list_pids(pam_t) +delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) +read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) +files_list_pids(pam_timestamp_t) -allow pam_t pam_tmp_t:dir manage_dir_perms; -allow pam_t pam_tmp_t:file manage_file_perms; -files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) +allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms; +allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms; +files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir }) -auth_use_nsswitch(pam_t) +auth_use_nsswitch(pam_timestamp_t) -kernel_read_system_state(pam_t) +kernel_read_system_state(pam_timestamp_t) -files_read_etc_files(pam_t) +files_read_etc_files(pam_timestamp_t) -fs_search_auto_mountpoints(pam_t) +fs_search_auto_mountpoints(pam_timestamp_t) -miscfiles_read_localization(pam_t) -term_use_all_ttys(pam_t) -term_use_all_ptys(pam_t) +term_use_all_ttys(pam_timestamp_t) +term_use_all_ptys(pam_timestamp_t) -init_dontaudit_rw_utmp(pam_t) +init_dontaudit_rw_utmp(pam_timestamp_t) -logging_send_syslog_msg(pam_t) +logging_send_syslog_msg(pam_timestamp_t) ifdef(`distro_ubuntu',` optional_policy(` - unconfined_domain(pam_t) + unconfined_domain(pam_timestamp_t) ') ') optional_policy(` - locallogin_use_fds(pam_t) + locallogin_use_fds(pam_timestamp_t) ') ######################################## @@ -289,7 +316,6 @@ init_use_script_ptys(pam_console_t) logging_send_syslog_msg(pam_console_t) -miscfiles_read_localization(pam_console_t) miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) @@ -330,7 +356,7 @@ optional_policy(` # updpwd local policy # -allow updpwd_t self:capability { chown dac_override }; +allow updpwd_t self:capability { chown dac_read_search dac_override }; allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; @@ -341,18 +367,22 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) +mls_file_downgrade(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) auth_manage_shadow(updpwd_t) +auth_etc_filetrans_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) -miscfiles_read_localization(updpwd_t) - -userdom_use_user_terminals(updpwd_t) +userdom_use_inherited_user_terminals(updpwd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -380,13 +410,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) +auth_use_nsswitch(utempter_t) + init_rw_utmp(utempter_t) domain_use_interactive_fds(utempter_t) logging_search_logs(utempter_t) -userdom_use_user_terminals(utempter_t) +userdom_use_inherited_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) @@ -397,19 +429,30 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - nscd_use(utempter_t) + xserver_use_xdm_fds(utempter_t) + xserver_rw_xdm_pipes(utempter_t) +') + +tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(polydomain) ') optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) + tunable_policy(`polyinstantiation_enabled',` + namespace_init_domtrans(polydomain) + ') ') -####################################### +###################################### # # nsswitch_domain local policy # +allow nsswitch_domain self:key manage_key_perms; + +auth_read_passwd(nsswitch_domain) +auth_map_passwd(nsswitch_domain) + files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf @@ -417,15 +460,42 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) +systemd_hostnamed_read_config(nsswitch_domain) + + +tunable_policy(`authlogin_nsswitch_use_ldap',` + allow nsswitch_domain self:tcp_socket create_socket_perms; +') + +tunable_policy(`authlogin_nsswitch_use_ldap',` + corenet_tcp_sendrecv_generic_if(nsswitch_domain) + corenet_tcp_sendrecv_generic_node(nsswitch_domain) + corenet_tcp_sendrecv_ldap_port(nsswitch_domain) + corenet_tcp_connect_ldap_port(nsswitch_domain) + corenet_sendrecv_ldap_client_packets(nsswitch_domain) +') + tunable_policy(`authlogin_nsswitch_use_ldap',` - files_list_var_lib(nsswitch_domain) + # Support for LDAPS + dev_read_rand(nsswitch_domain) + # LDAP Configuration using encrypted requires + dev_read_urand(nsswitch_domain) + sysnet_read_config(nsswitch_domain) +') +tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) ') optional_policy(` tunable_policy(`authlogin_nsswitch_use_ldap',` + dirsrv_stream_connect(nsswitch_domain) + ') +') + +optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` + ldap_read_certs(nsswitch_domain) ldap_stream_connect(nsswitch_domain) ') ') @@ -438,6 +508,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') +# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. optional_policy(` kerberos_use(nsswitch_domain) ') @@ -456,10 +527,161 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) + sssd_read_public_files(nsswitch_domain) + sssd_read_lib_files(nsswitch_domain) +') + +#1134389 +userdom_manage_all_users_keys(nsswitch_domain) +optional_policy(` + sssd_manage_keys(nsswitch_domain) +') + +optional_policy(` + rolekit_manage_keys(nsswitch_domain) ') optional_policy(` samba_stream_connect_winbind(nsswitch_domain) + samba_stream_connect_nmbd(nsswitch_domain) samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') + +optional_policy(` + virt_read_lib_files(nsswitch_domain) +') + +####################################### +# +# Login Program local policy +# + +domain_read_all_domains_state(login_pgm) +corecmd_getattr_all_executables(login_pgm) +domain_kill_all_domains(login_pgm) + +allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; +allow login_pgm self:capability ipc_lock; +dontaudit login_pgm self:capability net_admin; +allow login_pgm self:process setkeycreate; +allow login_pgm self:key manage_key_perms; +userdom_manage_all_users_keys(login_pgm) +allow login_pgm nsswitch_domain:key manage_key_perms; + +files_list_var_lib(login_pgm) +manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t) +manage_files_pattern(login_pgm, var_auth_t, var_auth_t) +manage_sock_files_pattern(login_pgm, var_auth_t, var_auth_t) + +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") +allow login_pgm auth_cache_t:file map; + +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t) +auth_filetrans_admin_home_content(login_pgm) +auth_filetrans_home_content(login_pgm) + +# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 +kernel_search_network_sysctl(login_pgm) +kernel_rw_afs_state(login_pgm) + +tunable_policy(`authlogin_radius',` + corenet_udp_bind_all_unreserved_ports(login_pgm) +') + +tunable_policy(`authlogin_yubikey',` + corenet_tcp_connect_http_port(login_pgm) +') + +corenet_tcp_connect_pki_ca_port(login_pgm) + +# for fingerprint readers +dev_rw_input_dev(login_pgm) +dev_rw_generic_usb_dev(login_pgm) + +files_read_config_files(login_pgm) + +fs_list_auto_mountpoints(login_pgm) +fs_manage_cgroup_dirs(login_pgm) +fs_manage_cgroup_files(login_pgm) +fs_read_ecryptfs_symlinks(login_pgm) +fs_read_ecryptfs_files(login_pgm) + +selinux_validate_context(login_pgm) +selinux_compute_access_vector(login_pgm) +selinux_compute_create_context(login_pgm) +selinux_compute_relabel_context(login_pgm) +selinux_compute_user_contexts(login_pgm) + +auth_manage_faillog(login_pgm) +auth_manage_pam_pid(login_pgm) + +init_rw_utmp(login_pgm) + +logging_set_loginuid(login_pgm) +logging_set_tty_audit(login_pgm) + +miscfiles_dontaudit_write_generic_cert_files(login_pgm) +miscfiles_filetrans_named_content(login_pgm) + +seutil_read_config(login_pgm) +seutil_read_login_config(login_pgm) +seutil_read_default_contexts(login_pgm) +systemd_login_read_pid_files(login_pgm) + +userdom_set_rlimitnh(login_pgm) +userdom_read_user_home_content_symlinks(login_pgm) +userdom_delete_user_tmp_files(login_pgm) +userdom_search_admin_dir(login_pgm) +userdom_stream_connect(login_pgm) +userdom_manage_user_tmp_dirs(login_pgm) +userdom_manage_user_tmp_files(login_pgm) + +optional_policy(` + afs_read_config(login_pgm) + afs_rw_udp_sockets(login_pgm) +') + +optional_policy(` + kerberos_read_config(login_pgm) +') + +optional_policy(` + oddjob_dbus_chat(login_pgm) + oddjob_domtrans_mkhomedir(login_pgm) +') + +optional_policy(` + openct_stream_connect(login_pgm) + openct_signull(login_pgm) + openct_read_pid_files(login_pgm) +') + +optional_policy(` + corecmd_exec_bin(login_pgm) + storage_getattr_fixed_disk_dev(login_pgm) + mount_domtrans(login_pgm) + mount_domtrans_ecryptmount(login_pgm) +') + +optional_policy(` + fprintd_dbus_chat(login_pgm) +') + +optional_policy(` + realmd_dbus_chat(login_pgm) +') + +optional_policy(` + # allow execute tmux + screen_exec(login_pgm) +') + +optional_policy(` + ssh_agent_exec(login_pgm) + ssh_read_user_home_files(login_pgm) +') diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc index c5e05ca70..c9ddbeeca 100644 --- a/policy/modules/system/clock.fc +++ b/policy/modules/system/clock.fc @@ -3,3 +3,5 @@ /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if index d475c2deb..55305d5f3 100644 --- a/policy/modules/system/clock.if +++ b/policy/modules/system/clock.if @@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` allow $1 adjtime_t:file rw_file_perms; files_list_etc($1) ') + +######################################## +##

      +## Manage clock drift adjustments. +## +## +## +## Domain allowed access. +## +## +# +interface(`clock_manage_adjtime',` + gen_require(` + type adjtime_t; + ') + + allow $1 adjtime_t:file manage_file_perms; + files_list_etc($1) +') + +######################################## +## +## Transition to systemd clock content +## +## +## +## Domain allowed access. +## +## +# +interface(`clock_filetrans_named_content',` + gen_require(` + type adjtime_t; + ') + + files_etc_filetrans($1, adjtime_t, file, "adjtime" ) +') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index edece47dc..2e7b81176 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -20,7 +20,7 @@ role system_r types hwclock_t; # Give hwclock the capabilities it requires. dac_override is a surprise, # but hwclock does require it. -allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; +allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config }; dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t self:process signal_perms; allow hwclock_t self:fifo_file rw_fifo_file_perms; @@ -46,28 +46,25 @@ fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) term_use_unallocated_ttys(hwclock_t) -term_use_all_ttys(hwclock_t) -term_use_all_ptys(hwclock_t) +term_use_all_inherited_ttys(hwclock_t) +term_use_all_inherited_ptys(hwclock_t) domain_use_interactive_fds(hwclock_t) +auth_use_nsswitch(hwclock_t) + init_use_fds(hwclock_t) init_use_script_ptys(hwclock_t) logging_send_audit_msgs(hwclock_t) logging_send_syslog_msg(hwclock_t) -miscfiles_read_localization(hwclock_t) optional_policy(` apm_append_log(hwclock_t) apm_rw_stream_sockets(hwclock_t) ') -optional_policy(` - nscd_use(hwclock_t) -') - optional_policy(` seutil_sigchld_newrole(hwclock_t) ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index 948ce2a32..8cab8aef2 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -23,7 +22,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -36,14 +34,55 @@ /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index 016a770b9..3fce820a5 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -154,3 +154,42 @@ interface(`fstools_getattr_swap_files',` allow $1 swapfile_t:file getattr; ') + +######################################## +## +## Create, read, write, and delete the FSADM pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fsadm_manage_pid',` + gen_require(` + type fsadm_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t) + manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t) + fstools_filetrans_named_content_fsadm($1) +') + +######################################## +## +## Transition to systemd content +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_filetrans_named_content_fsadm',` + gen_require(` + type fsadm_var_run_t; + ') + + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 3f48d300a..2169fc1e0 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,9 +13,15 @@ role system_r types fsadm_t; type fsadm_log_t; logging_log_file(fsadm_log_t) +type fsadm_var_run_t; +files_pid_file(fsadm_var_run_t) + type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) +type fsadm_tmpfs_t; +files_tmpfs_file(fsadm_tmpfs_t) + type swapfile_t; # customizable files_type(swapfile_t) @@ -26,6 +32,7 @@ files_type(swapfile_t) # ipc_lock is for losetup allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; +dontaudit fsadm_t self:capability net_admin; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_fifo_file_perms; @@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive }; can_exec(fsadm_t, fsadm_exec_t) -allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; -allow fsadm_t fsadm_tmp_t:file manage_file_perms; +manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) +manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) +files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file }) + +manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t) +manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t) files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) +manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t) +manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t) +fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir }) + +files_create_boot_flag(fsadm_t) +files_setattr_root_dirs(fsadm_t) + # log files allow fsadm_t fsadm_log_t:dir setattr; manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) @@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) # Enable swapping to files allow fsadm_t swapfile_t:file { rw_file_perms swapon }; +kernel_get_sysvipc_info(fsadm_t) kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) kernel_request_load_module(fsadm_t) @@ -101,6 +120,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) +# /etc/mtab is a link +files_read_etc_runtime_files(fsadm_t) # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) @@ -112,7 +133,6 @@ files_read_isid_type_files(fsadm_t) fs_search_auto_mountpoints(fsadm_t) fs_getattr_xattr_fs(fsadm_t) fs_rw_ramfs_pipes(fsadm_t) -fs_rw_tmpfs_files(fsadm_t) # remount file system to apply changes fs_remount_xattr_fs(fsadm_t) # for /dev/shm @@ -120,6 +140,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) +fs_manage_nfs_files(fsadm_t) +fs_manage_cifs_files(fsadm_t) +fs_rw_hugetlbfs_files(fsadm_t) # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs @@ -133,21 +156,28 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) +storage_rw_fuse(fsadm_t) storage_swapon_fixed_disk(fsadm_t) term_use_console(fsadm_t) +auth_read_passwd(fsadm_t) + +init_read_state(fsadm_t) init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) +init_stream_connect(fsadm_t) logging_send_syslog_msg(fsadm_t) - -miscfiles_read_localization(fsadm_t) +logging_send_audit_msgs(fsadm_t) +logging_stream_connect_syslog(fsadm_t) seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) +term_use_all_inherited_terms(fsadm_t) + +userdom_rw_inherited_user_tmp_pipes(fsadm_t) ifdef(`distro_redhat',` optional_policy(` @@ -165,10 +195,19 @@ optional_policy(` cron_system_entry(fsadm_t, fsadm_exec_t) ') +optional_policy(` + devicekit_dontaudit_read_pid_files(fsadm_t) + devicekit_dontaudit_rw_log(fsadm_t) +') + optional_policy(` hal_dontaudit_write_log(fsadm_t) ') +optional_policy(` + kdump_rw_inherited_kdumpctl_tmp_pipes(fsadm_t) +') + optional_policy(` livecd_rw_tmp_files(fsadm_t) ') @@ -178,6 +217,10 @@ optional_policy(` modutils_read_module_deps(fsadm_t) ') +optional_policy(` + mount_read_pid_files(fsadm_t) +') + optional_policy(` nis_use_ypbind(fsadm_t) ') @@ -191,6 +234,10 @@ optional_policy(` udev_read_db(fsadm_t) ') +optional_policy(` + virt_read_blk_images(fsadm_t) +') + optional_policy(` xen_append_log(fsadm_t) xen_rw_image_files(fsadm_t) diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc index e1a1848a2..492763873 100644 --- a/policy/modules/system/getty.fc +++ b/policy/modules/system/getty.fc @@ -3,8 +3,12 @@ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) -/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) -/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) +/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0) + +/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) +/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if index e4376aa98..2c98c5647 100644 --- a/policy/modules/system/getty.if +++ b/policy/modules/system/getty.if @@ -96,3 +96,45 @@ interface(`getty_rw_config',` files_search_etc($1) allow $1 getty_etc_t:file rw_file_perms; ') + +######################################## +## +## Execute getty server in the getty domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`getty_systemctl',` + gen_require(` + type getty_unit_file_t; + type getty_t; + ') + + systemd_exec_systemctl($1) + allow $1 getty_unit_file_t:file read_file_perms; + allow $1 getty_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, getty_t) +') + +######################################## +## +## Start getty unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`getty_start_services',` + gen_require(` + type getty_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index f6743ea19..d99a10c07 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) type getty_var_run_t; files_pid_file(getty_var_run_t) +type getty_unit_file_t; +systemd_unit_file(getty_unit_file_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mls_systemhigh) +') + ######################################## # # Getty local policy # # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; @@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t) term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) +term_use_console(getty_t) +term_use_usb_ttys(getty_t) auth_rw_login_records(getty_t) +auth_use_nsswitch(getty_t) init_rw_utmp(getty_t) init_use_script_ptys(getty_t) @@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) logging_send_syslog_msg(getty_t) -miscfiles_read_localization(getty_t) ifdef(`distro_gentoo',` # Gentoo default /etc/issue makes agetty @@ -113,19 +126,27 @@ ifdef(`distro_ubuntu',` ') ') -tunable_policy(`console_login',` +tunable_policy(`login_console_enabled',` # Support logging in from /dev/console term_use_console(getty_t) ',` term_dontaudit_use_console(getty_t) ') +optional_policy(` + hostname_exec(getty_t) +') + +optional_policy(` + lockdev_manage_files(getty_t) +') + optional_policy(` mta_send_mail(getty_t) ') optional_policy(` - nscd_use(getty_t) + plymouthd_exec_plymouth(getty_t) ') optional_policy(` diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc index 9dfecf77c..6d00f5c13 100644 --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc @@ -1,2 +1,4 @@ /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if index 187f04f83..cf0af0991 100644 --- a/policy/modules/system/hostname.if +++ b/policy/modules/system/hostname.if @@ -53,7 +53,6 @@ interface(`hostname_run',` ## Domain allowed access. ##
      ## -## # interface(`hostname_exec',` gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index 24a78897a..a3d8f1af3 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -23,39 +23,50 @@ dontaudit hostname_t self:capability sys_tty_config; kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) +kernel_read_network_state(hostname_t) dev_read_sysfs(hostname_t) # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(hostname_t) +domain_dontaudit_leaks(hostname_t) domain_use_interactive_fds(hostname_t) files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hostname_t) fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -term_use_all_ttys(hostname_t) -term_use_all_ptys(hostname_t) +term_use_all_inherited_terms(hostname_t) init_use_fds(hostname_t) init_use_script_fds(hostname_t) init_use_script_ptys(hostname_t) +init_rw_inherited_script_tmp_files(hostname_t) logging_send_syslog_msg(hostname_t) -miscfiles_read_localization(hostname_t) sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) +optional_policy(` + kdump_dontaudit_inherited_kdumpctl_tmp_pipes(hostname_t) +') + +optional_policy(` + mock_dontaudit_write_lib_chr_files(hostname_t) +') + optional_policy(` nis_use_ypbind(hostname_t) ') diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc index caf736b3b..91c4c6f23 100644 --- a/policy/modules/system/hotplug.fc +++ b/policy/modules/system/hotplug.fc @@ -7,5 +7,8 @@ /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) +/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) +/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) + /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if index 40eb10c60..2a0a32c2d 100644 --- a/policy/modules/system/hotplug.if +++ b/policy/modules/system/hotplug.if @@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` # interface(`hotplug_exec',` gen_require(` - type hotplug_t; + type hotplug_exec_t; ') corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index b2097e743..0a49e14ba 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) # allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; @@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) files_read_kernel_modules(hotplug_t) -corenet_all_recvfrom_unlabeled(hotplug_t) corenet_all_recvfrom_netlabel(hotplug_t) corenet_tcp_sendrecv_generic_if(hotplug_t) corenet_udp_sendrecv_generic_if(hotplug_t) @@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t) # kernel threads inherit from shared descriptor table used by init init_dontaudit_rw_initctl(hotplug_t) +auth_use_nsswitch(hotplug_t) + logging_send_syslog_msg(hotplug_t) logging_search_logs(hotplug_t) @@ -103,9 +104,6 @@ logging_search_logs(hotplug_t) libs_read_lib_files(hotplug_t) miscfiles_read_hwdata(hotplug_t) -miscfiles_read_localization(hotplug_t) - -seutil_dontaudit_search_config(hotplug_t) sysnet_read_config(hotplug_t) @@ -163,14 +161,6 @@ optional_policy(` mta_send_mail(hotplug_t) ') -optional_policy(` - nis_use_ypbind(hotplug_t) -') - -optional_policy(` - nscd_use(hotplug_t) -') - optional_policy(` seutil_sigchld_newrole(hotplug_t) ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index bc0ffc84e..605c85da2 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -1,6 +1,9 @@ # # /etc # +/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0) + /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -26,6 +29,11 @@ ifdef(`distro_gentoo', ` /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) ') +# +# /sbin +# +/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + # # /sbin # @@ -42,20 +50,36 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +# because nowadays, /sbin/init is often a symlink to /sbin/upstart +/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/lib/systemd/rhel[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) # # /var # +/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0) +/var/run/systemd/initctl/fifo -p gen_context(system_u:object_r:initctl_t,s0) /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0) +/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,s0) ifdef(`distro_debian',` /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) @@ -74,3 +98,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 79a45f62e..95bdd43e6 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ ## System initialization programs (init and init scripts). +###################################### +## +## initrc stub interface. No access allowed. +## +## +## +## Domain allowed access +## +## +# +interface(`init_stub_initrc',` + gen_require(` + type initrc_t; + ') +') + ######################################## ## ## Create a file type used for init scripts. @@ -106,7 +122,11 @@ interface(`init_domain',` role system_r types $1; domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:process2 { nnp_transition nosuid_transition }; + ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray # fds open from the initrd @@ -115,6 +135,25 @@ interface(`init_domain',` ') ') ') +######################################## +## +## Allow SELinux Domain trasition from sytemd +## into confined domain with NoNewPrivileges +## Systemd Security feature. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_nnp_daemon_domain',` + gen_require(` + type init_t; + ') + + allow init_t $1:process2 { nnp_transition nosuid_transition }; +') ######################################## ## @@ -192,50 +231,43 @@ interface(`init_ranged_domain',` interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; - type initrc_t; + type init_t; role system_r; attribute daemon; + attribute initrc_transition_domain; + attribute initrc_domain; ') typeattribute $1 daemon; + typeattribute $2 direct_init_entry; domain_type($1) domain_entry_file($1, $2) - role system_r types $1; - - domtrans_pattern(initrc_t, $2, $1) - - # daemons started from init will - # inherit fds from init for the console - init_dontaudit_use_fds($1) - term_dontaudit_use_console($1) - - # init script ptys are the stdin/out/err - # when using run_init - init_use_script_ptys($1) + type_transition initrc_domain $2:process $1; ifdef(`direct_sysadm_daemon',` - domtrans_pattern(direct_run_init, $2, $1) - allow direct_run_init $1:process { noatsecure siginh rlimitinh }; - + type_transition direct_run_init $2:process $1; typeattribute $1 direct_init; - typeattribute $2 direct_init_entry; - - userdom_dontaudit_use_user_terminals($1) ') +') - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') - ') +####################################### +## +## Create initrc domain. +## +## +## +## Type to be used as a initrc daemon domain. +## +## +# +interface(`init_initrc_domain',` + gen_require(` + attribute initrc_domain; + ') - optional_policy(` - nscd_use($1) - ') + typeattribute $1 initrc_domain; ') ######################################## @@ -283,17 +315,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; + type init_t; ') - init_daemon_domain($1, $2) +# init_daemon_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; ') ifdef(`enable_mls',` range_transition initrc_t $2:process $3; mls_rangetrans_target($1) + range_transition init_t $2:process $3; ') ') @@ -336,23 +371,19 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` - type initrc_t; + type init_t; role system_r; + attribute initrc_transition_domain; + attribute systemprocess, systemprocess_entry; + attribute initrc_domain; ') + typeattribute $1 systemprocess; application_domain($1, $2) - role system_r types $1; + typeattribute $2 systemprocess_entry; - domtrans_pattern(initrc_t, $2, $1) - - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') - ') + type_transition initrc_domain $2:process $1; ') ######################################## @@ -401,20 +432,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; + type init_t; ') init_system_domain($1, $2) ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; ') ifdef(`enable_mls',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; mls_rangetrans_target($1) ') ') +###################################### +## +## Allow domain dyntransition to init_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`init_dyntrans',` + gen_require(` + type init_t; + ') + + dyntrans_pattern($1, init_t) +') + ######################################## ## ## Mark the file type as a daemon run dir, allowing initrc_t @@ -458,6 +510,7 @@ interface(`init_domtrans',` ') domtrans_pattern($1, init_exec_t, init_t) + allow $1 init_exec_t:file map; ') ######################################## @@ -469,7 +522,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## -## # interface(`init_exec',` gen_require(` @@ -478,6 +530,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) + + optional_policy(` + systemd_exec_systemctl($1) + ') +') + +####################################### +## +## Check access to the init/systemd executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_access_check',` + gen_require(` + type init_exec_t; + ') + + corecmd_search_bin($1) + allow $1 init_exec_t:file { getattr_file_perms execute }; +') + +####################################### +## +## Dontaudit getattr on the init program. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_dontaudit_getattr_exec',` + gen_require(` + type init_exec_t; + ') + + dontaudit $1 init_exec_t:file getattr; ') ######################################## @@ -564,6 +658,58 @@ interface(`init_sigchld',` allow $1 init_t:process sigchld; ') +######################################## +## +## Send generic signals to init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_signal',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signal; +') + +######################################## +## +## Create objects in the init_var_lib_t directories +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_var_lib_filetrans',` + gen_require(` + type init_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, init_var_lib_t, $2, $3, $4) +') + ######################################## ## ## Connect to init with a unix socket. @@ -576,10 +722,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` - type init_t; + type init_t, init_var_run_t; ') - allow $1 init_t:unix_stream_socket connectto; + files_search_pids($1) + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + allow $1 init_t:unix_stream_socket getattr; +') + +####################################### +## +## Dontaudit Connect to init with a unix socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_stream_connect',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:unix_stream_socket connectto; +') + +###################################### +## +## Dontaudit getattr to init with a unix socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_getattr_stream_socket',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:unix_stream_socket getattr; +') + +###################################### +## +## Dontaudit read and write to init with a unix socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_rw_stream_socket',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl }; ') ######################################## @@ -743,22 +945,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; + type init_t; ') + corecmd_exec_bin($1) + dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; init_exec($1) - tunable_policy(`init_upstart',` - gen_require(` - type init_t; - ') - - # upstart uses a datagram socket instead of initctl pipe - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - ') + ps_process_pattern($1, init_t) + allow $1 init_t:process signal; + dontaudit $1 self:capability net_admin; + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + #576913 + allow $1 init_t:unix_stream_socket connectto; ') ######################################## @@ -787,7 +991,7 @@ interface(`init_rw_initctl',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -830,11 +1034,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; ') files_list_etc($1) - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) + spec_domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`distro_gentoo',` gen_require(` @@ -845,11 +1050,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ') ') @@ -865,19 +1070,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) + domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') +') + +######################################## +## +## Execute a file in a bin directory +## in the initrc_t domain +## +## +## +## Domain allowed access. +## +## +# +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; ') + + corecmd_bin_domtrans($1, initrc_t) ') ######################################## @@ -933,9 +1160,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; + # service script searches all filesystems via mountpoint + fs_search_all($1) domtrans_pattern($1, $2, initrc_t) + allow $1 $2:file ioctl; files_search_etc($1) ') @@ -1010,6 +1242,62 @@ interface(`init_read_state',` allow $1 init_t:lnk_file read_lnk_file_perms; ') +######################################## +## +## Dontaudit read the process state (/proc/pid) of init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dontaudit_read_state',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:dir search_dir_perms; + dontaudit $1 init_t:file read_file_perms; + dontaudit $1 init_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Read the process keyring of init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_key',` + gen_require(` + type init_t; + ') + + allow $1 init_t:key read; +') + +######################################## +## +## Write the process keyring of init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_write_key',` + gen_require(` + type init_t; + ') + + allow $1 init_t:key read; +') + ######################################## ## ## Ptrace init @@ -1026,7 +1314,9 @@ interface(`init_ptrace',` type init_t; ') - allow $1 init_t:process ptrace; + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') ######################################## @@ -1123,6 +1413,25 @@ interface(`init_getattr_all_script_files',` allow $1 init_script_file_type:file getattr; ') +######################################## +## +## Allow the specified domain to modify the systemd configuration of +## all init scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_config_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + allow $1 init_script_file_type:service all_service_perms; +') + ######################################## ## ## Read all init script files. @@ -1144,7 +1453,7 @@ interface(`init_read_all_script_files',` ####################################### ## -## Dontaudit read all init script files. +## Dontaudit getattr all init script files. ## ## ## @@ -1152,7 +1461,25 @@ interface(`init_read_all_script_files',` ## ## # -interface(`init_dontaudit_read_all_script_files',` +interface(`init_dontaudit_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + dontaudit $1 init_script_file_type:file getattr; +') + +####################################### +## +## Dontaudit read all init script files. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_read_all_script_files',` gen_require(` attribute init_script_file_type; ') @@ -1195,12 +1522,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) - read_files_pattern($1, initrc_t, initrc_t) - read_lnk_files_pattern($1, initrc_t, initrc_t) - list_dirs_pattern($1, initrc_t, initrc_t) - - # should move this to separate interface - allow $1 initrc_t:process getattr; + ps_process_pattern($1, initrc_t) ') ######################################## @@ -1312,6 +1634,24 @@ interface(`init_signal_script',` allow $1 initrc_t:process signal; ') +######################################## +## +## Send kill signals to init scripts. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_sigkill_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process sigkill; +') + ######################################## ## ## Send null signals to init scripts. @@ -1437,6 +1777,27 @@ interface(`init_dbus_send_script',` allow $1 initrc_t:dbus send_msg; ') +######################################## +## +## Send and receive messages from +## init over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_chat',` + gen_require(` + type init_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') + ######################################## ## ## Send and receive messages from @@ -1545,6 +1906,25 @@ interface(`init_getattr_script_status_files',` getattr_files_pattern($1, initrc_state_t, initrc_state_t) ') +######################################## +## +## Manage init script +## status files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_manage_script_status_files',` + gen_require(` + type initrc_state_t; + ') + + manage_files_pattern($1, initrc_state_t, initrc_state_t) +') + ######################################## ## ## Do not audit attempts to read init script @@ -1603,6 +1983,24 @@ interface(`init_rw_script_tmp_files',` rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ') +######################################## +## +## Read and write init script inherited temporary data. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_inherited_script_tmp_files',` + gen_require(` + type initrc_tmp_t; + ') + + allow $1 initrc_tmp_t:file rw_inherited_file_perms; +') + ######################################## ## ## Create files in a init script @@ -1675,6 +2073,43 @@ interface(`init_read_utmp',` allow $1 initrc_var_run_t:file read_file_perms; ') +######################################## +## +## Read utmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_machineid',` + gen_require(` + type machineid_t; + ') + + files_search_etc($1) + allow $1 machineid_t:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to read utmp. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_read_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + dontaudit $1 initrc_var_run_t:file read_file_perms; +') + ######################################## ## ## Do not audit attempts to write utmp. @@ -1765,7 +2200,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') - dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; + dontaudit $1 initrc_var_run_t:file rw_file_perms; ') ######################################## @@ -1806,6 +2241,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +###################################### +## +## Allow search directory in the /run/systemd directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_search_pid_dirs',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir search_dir_perms; +') + +###################################### +## +## Allow listing of the /run/systemd directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_list_pid_dirs',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir list_dir_perms; +') + +####################################### +## +## Create a directory in the /run/systemd directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_create_pid_dirs',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir list_dir_perms; + create_dirs_pattern($1, init_var_run_t, init_var_run_t) +') + +####################################### +## +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + +####################################### +## +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_named_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket @@ -1840,3 +2402,548 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') + +######################################## +## +## Transition to system_r when execute an init script +## +## +##

      +## Execute a init script in a specified role +##

      +##

      +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

      +##
      +## +## +## Role to transition from. +## +## +# +interface(`init_script_role_transition',` + gen_require(` + attribute init_script_file_type; + ') + + role_transition $1 init_script_file_type system_r; +') + +######################################## +## +## dontaudit read and write an leaked init scrip file descriptors +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_script_leaks',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:socket_class_set { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; + init_dontaudit_use_script_ptys($1) + init_dontaudit_use_script_fds($1) +') + +####################################### +## +## Allow the specified domain to ioctl an +## init with a unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_ioctl_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket ioctl; +') + +######################################## +## +## Allow the specified domain to read/write to +## init with a unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') + +####################################### +## +## Allow the specified domain to write to +## init sock file. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_write_pid_socket',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:sock_file write; +') + +######################################## +## +## Send a message to init over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dgram_send',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_dgram_socket sendto; +') + +######################################## +## +## Send a message to init over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stream_send',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket sendto; +') + +######################################## +## +## Create a file type used for init socket files. +## +## +##

      +## This defines a type that init can create sock_file within for +## impersonation purposes +##

      +##
      +## +## +## Type to be used for a sock file. +## +## +## +# +interface(`init_sock_file',` + gen_require(` + attribute init_sock_file_type; + ') + + typeattribute $1 init_sock_file_type; + +') + +######################################## +## +## Read init unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_pipes',` + gen_require(` + type init_var_run_t; + ') + + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') + +######################################## +## +## Read/Write init unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_pipes',` + gen_require(` + type init_var_run_t; + ') + + rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') + +####################################### +## +## Read and write init TCP sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_tcp_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:tcp_socket { read write getattr getopt setopt }; +') + +######################################## +## +## Get the system status information from init +## +## +## +## Domain allowed access. +## +## +# +interface(`init_status',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system status; + allow $1 init_t:service status; +') + +######################################## +## +## Tell init to reboot the system. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reboot',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reboot; + systemd_config_power_services($1) +') + +######################################## +## +## Tell init to enable the services. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_enable_services',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system enable; +') + +######################################## +## +## Tell init to disable the services. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_disable_services',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system disable; +') + +######################################## +## +## Tell init to reload the services. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload_services',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reload; +') + +######################################## +## +## Tell init to halt the system. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_halt',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system halt; + systemd_config_power_services($1) +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_undefined',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system undefined; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_start_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service start; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_enable_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service enable; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_disable_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service disable; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stop_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service stop; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service reload; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_status_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service status; +') + +######################################## +## +## Tell init to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_manage_transient_unit',` + gen_require(` + type init_t; + ') + + allow $1 init_t:service manage_service_perms; +') + +######################################## +## +## Transition to init named content +## +## +## +## Domain allowed access. +## +## +# +interface(`init_filetrans_named_content',` + gen_require(` + type init_var_run_t; + type initrc_var_run_t; + type machineid_t; + type initctl_t; + type systemd_unit_file_t; + ') + + files_pid_filetrans($1, initrc_var_run_t, file, "utmp") + files_pid_filetrans($1, init_var_run_t, file, "random-seed") + files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) + init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") + init_pid_filetrans($1, systemd_unit_file_t, dir, "system") +') + +######################################## +## +## Read systemd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_var_lib_files',` + gen_require(` + type init_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, init_var_lib_t, init_var_lib_t) +') + +######################################## +## +## Connect to init with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stream_connectto',` + gen_require(` + type init_t; + ') + + files_search_pids($1) + allow $1 init_t:unix_stream_socket connectto; +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda2480..2514c372a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` ## ##

      -## Enable support for upstart as the init program. +## Allow all daemons to use tcp wrappers. ##

      ##
      -gen_tunable(init_upstart, false) +gen_tunable(daemons_use_tcp_wrapper, false) + +## +##

      +## Allow all daemons the ability to read/write terminals +##

      +##
      +gen_tunable(daemons_use_tty, false) + +## +##

      +## Allow all daemons to write corefiles to / +##

      +##
      +gen_tunable(daemons_dump_core, false) + +## +##

      +## Enable cluster mode for daemons. +##

      +##
      +gen_tunable(daemons_enable_cluster_mode, false) # used for direct running of init scripts # by admin domains @@ -25,9 +46,17 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; +attribute initrc_transition_domain; +# Attribute used for systemd so domains can allow systemd to create sock_files +attribute init_sock_file_type; # Mark process types as daemons attribute daemon; +attribute systemprocess; +attribute systemprocess_entry; + +# Mark process types as initrc domain +attribute initrc_domain; # Mark file type as a daemon run directory attribute daemonrundir; @@ -35,12 +64,20 @@ attribute daemonrundir; # # init_t is the domain of the init process. # -type init_t; +type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) +domain_role_change_exemption(init_t) kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +init_initrc_domain(init_t) + +# +# init_tmp_t is the type for content in /tmp directory +# +type init_tmp_t; +files_tmp_file(init_tmp_t) # # init_var_run_t is the type for /var/run/shutdown.pid. @@ -48,6 +85,15 @@ role system_r types init_t; type init_var_run_t; files_pid_file(init_var_run_t) +# +# init_var_lib_t is the type for /var/lib/systemd +# +type init_var_lib_t; +files_type(init_var_lib_t) + +type machineid_t; +files_config_file(machineid_t) + # # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used @@ -57,7 +103,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) -type initrc_t, init_script_domain_type, init_run_all_scripts_domain; +type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain; type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) @@ -66,6 +112,7 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) +corecmd_bin_entry_type(initrc_t) type initrc_devpts_t; term_pty(initrc_devpts_t) @@ -98,7 +145,11 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability2 ~{ mac_admin mac_override }; +allow init_t self:tcp_socket { listen accept }; +allow init_t self:packet_socket create_socket_perms; +allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; +allow init_t self:service manage_service_perms; + # Re-exec itself can_exec(init_t, init_exec_t) - -allow init_t initrc_t:unix_stream_socket connectto; - -# For /var/run/shutdown.pid. -allow init_t init_var_run_t:file manage_file_perms; -files_pid_filetrans(init_t, init_var_run_t, file) +# executing content in /run/initramfs +manage_files_pattern(init_t, initrc_state_t, initrc_state_t) +can_exec(init_t, initrc_state_t) + +allow daemon initrc_t:unix_dgram_socket sendto; +allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; + +manage_files_pattern(init_t, init_tmp_t, init_tmp_t) +manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t) +manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t) +files_tmp_filetrans(init_t, init_tmp_t, { file }) + +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +files_var_lib_filetrans(init_t, init_var_lib_t, { dir file }) + +manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) +manage_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t) +files_pid_filetrans(init_t, init_var_run_t, { dir file }) +allow init_t init_var_run_t:dir mounton; +allow init_t init_var_run_t:sock_file relabelto; + +allow init_t machineid_t:file manage_file_perms; +files_pid_filetrans(init_t, machineid_t, file, "machine-id") +files_etc_filetrans(init_t, machineid_t, file, "machine-id") +allow init_t machineid_t:file mounton; allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) @@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) +kernel_stream_connect(init_t) corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) -dev_read_sysfs(init_t) +corenet_all_recvfrom_netlabel(init_t) +corenet_tcp_bind_all_ports(init_t) +corenet_udp_bind_all_ports(init_t) + +dev_create_all_chr_files(init_t) +dev_rw_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) +dev_filetrans_all_named_dev(init_t) +dev_write_watchdog(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -139,14 +229,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) -files_read_etc_files(init_t) +files_read_config_files(init_t) +files_read_all_pids(init_t) +files_read_system_conf_files(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) +files_read_isid_type_files(init_t) +files_read_etc_runtime_files(init_t) +files_manage_all_locks(init_t) files_manage_etc_runtime_files(init_t) +files_manage_etc_symlinks(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: files_exec_etc_files(init_t) +files_read_usr_files(init_t) +files_write_root_dirs(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) @@ -156,28 +256,54 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) -mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) -mls_process_write_down(init_t) +mls_file_downgrade(init_t) +mls_file_upgrade(init_t) mls_fd_use_all_levels(init_t) +mls_fd_share_all_levels(init_t) +mls_process_set_level(init_t) +mls_process_write_down(init_t) +mls_socket_read_all_levels(init_t) +mls_socket_write_all_levels(init_t) +mls_rangetrans_source(init_t) selinux_set_all_booleans(init_t) +selinux_load_policy(init_t) +selinux_mounton_fs(init_t) +allow init_t security_t:security load_policy; -term_use_all_terms(init_t) +term_create_pty_dir(init_t) +term_use_unallocated_ttys(init_t) +term_use_console(init_t) +term_use_all_inherited_terms(init_t) +term_use_generic_ptys(init_t) +term_use_virtio_console(init_t) # Run init scripts. init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) +logging_create_devlog_dev(init_t) logging_send_syslog_msg(init_t) +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) +logging_manage_audit_config(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) + +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -miscfiles_read_localization(init_t) +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; @@ -186,37 +312,301 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` + fs_manage_tmpfs_files(init_t) + fs_manage_tmpfs_symlinks(init_t) + fs_manage_tmpfs_sockets(init_t) + fs_manage_tmpfs_chr_files(init_t) + fs_exec_tmpfs_files(init_t) fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + fs_tmpfs_filetrans_named_content(init_t) + + logging_stream_connect_syslog(init_t) + logging_relabel_syslog_pid_socket(init_t) ') -tunable_policy(`init_upstart',` - corecmd_shell_domtrans(init_t, initrc_t) -',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - sysadm_shell_domtrans(init_t) +corecmd_shell_domtrans(init_t, initrc_t) + +storage_raw_rw_fixed_disk(init_t) + +sysnet_read_dhcpc_state(init_t) + +optional_policy(` + chronyd_read_keys(init_t) +') + +optional_policy(` + journalctl_exec(init_t) +') + +optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) +') + +optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) + gnome_manage_config(init_t) +') + +optional_policy(` + gssproxy_noatsecure(init_t) +') + +optional_policy(` + rpc_gssd_noatsecure(init_t) +') + +optional_policy(` + anaconda_domtrans_install(init_t) +') + +optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') + +optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) +') + +optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) +') + +allow init_t self:system all_system_perms; +allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +allow init_t self:process { setsockcreate setfscreate setrlimit setexec }; +allow init_t self:process { getcap setcap }; +allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +allow init_t self:netlink_selinux_socket create_socket_perms; +allow init_t self:unix_dgram_socket lock; +# Until systemd is fixed +allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; +allow init_t self:udp_socket create_socket_perms; +allow init_t self:netlink_route_socket create_netlink_socket_perms; + +allow init_t initrc_t:unix_dgram_socket create_socket_perms; + +kernel_list_unlabeled(init_t) +kernel_read_network_state(init_t) +kernel_rw_all_sysctls(init_t) +kernel_rw_security_state(init_t) +kernel_rw_usermodehelper_state(init_t) +kernel_read_software_raid_state(init_t) +kernel_unmount_debugfs(init_t) +kernel_setsched(init_t) + +dev_write_kmsg(init_t) +dev_write_urand(init_t) +dev_rw_lvm_control(init_t) +dev_rw_autofs(init_t) +dev_manage_generic_symlinks(init_t) +dev_manage_generic_dirs(init_t) +dev_manage_generic_files(init_t) +dev_read_generic_chr_files(init_t) +dev_relabel_generic_dev_dirs(init_t) +dev_relabel_all_dev_nodes(init_t) +dev_relabel_all_dev_files(init_t) +dev_manage_sysfs_dirs(init_t) +dev_relabel_sysfs_dirs(init_t) + +files_search_all(init_t) +files_mounton_all_mountpoints(init_t) +files_mounton_etc(init_t) +files_unmount_all_file_type_fs(init_t) +files_manage_all_pid_dirs(init_t) +files_manage_etc_dirs(init_t) +files_manage_generic_tmp_dirs(init_t) +files_relabel_all_pid_dirs(init_t) +files_relabel_all_pid_files(init_t) +files_create_all_pid_sockets(init_t) +files_delete_all_pids(init_t) +files_exec_generic_pid_files(init_t) +files_create_all_pid_pipes(init_t) +files_create_all_spool_sockets(init_t) +files_delete_all_spool_sockets(init_t) +files_manage_urandom_seed(init_t) +files_list_locks(init_t) +files_list_spool(init_t) +files_list_var(init_t) +files_list_boot(init_t) +files_list_home(init_t) +files_create_lock_dirs(init_t) +files_relabel_all_lock_dirs(init_t) +files_relabel_var_dirs(init_t) +files_relabel_var_lib_dirs(init_t) +files_read_kernel_modules(init_t) +files_map_kernel_modules(init_t) +fs_getattr_all_fs(init_t) +fs_manage_cgroup_dirs(init_t) +fs_manage_cgroup_files(init_t) +fs_manage_hugetlbfs_dirs(init_t) +fs_manage_tmpfs_dirs(init_t) +fs_relabel_tmpfs_dirs(init_t) +fs_relabel_tmpfs_files(init_t) +fs_relabel_tmpfs_fifo_files(init_t) +fs_mount_all_fs(init_t) +fs_unmount_all_fs(init_t) +fs_remount_all_fs(init_t) +fs_list_all(init_t) +fs_list_auto_mountpoints(init_t) +fs_register_binary_executable_type(init_t) +fs_relabel_tmpfs_sock_file(init_t) +fs_rw_tmpfs_files(init_t) +fs_relabel_cgroup_dirs(init_t) +fs_search_cgroup_dirs(init_t) +# for network namespaces +fs_read_nsfs_files(init_t) + +selinux_compute_access_vector(init_t) +selinux_compute_create_context(init_t) +selinux_validate_context(init_t) +selinux_unmount_fs(init_t) + +storage_getattr_removable_dev(init_t) + +term_relabel_ptys_dirs(init_t) + +auth_relabel_login_records(init_t) +auth_relabel_pam_console_data_dirs(init_t) + +clock_read_adjtime(init_t) + +init_read_script_state(init_t) + +modutils_read_module_config(init_t) + +seutil_read_file_contexts(init_t) + +systemd_exec_systemctl(init_t) +systemd_manage_home_content(init_t) +systemd_manage_unit_dirs(init_t) +systemd_manage_random_seed(init_t) +systemd_manage_all_unit_files(init_t) +systemd_logger_stream_connect(init_t) +systemd_config_all_services(init_t) +systemd_relabelto_fifo_file_passwd_run(init_t) +systemd_relabel_unit_dirs(init_t) +systemd_relabel_unit_files(init_t) +systemd_manage_unit_dirs(initrc_t) +systemd_manage_unit_symlinks(initrc_t) +systemd_config_all_services(initrc_t) +systemd_read_unit_files(initrc_t) +systemd_login_status(init_t) +systemd_map_networkd_exec_files(init_t) + +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) +auth_domtrans_chk_passwd(init_t) + +ifdef(`distro_redhat',` + # it comes from setupr scripts used in systemd unit files + # has been covered by initrc_t + optional_policy(` + bind_manage_config_dirs(init_t) + bind_manage_config(init_t) + bind_write_config(init_t) + bind_setattr_zone_dirs(init_t) + ') + + optional_policy(` + ipsec_read_config(init_t) + ipsec_manage_pid(init_t) + ipsec_stream_connect(init_t) + ') + + optional_policy(` + rpc_manage_nfs_state_data(init_t) + ') + + optional_policy(` + sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_setattr_dhcp_state(init_t) + ') +') + +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) + lvm_map_config(init_t) ') optional_policy(` - auth_rw_login_records(init_t) + consolekit_manage_log(init_t) ') optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) + + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') ') optional_policy(` - nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) +') + +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') + +optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) +') + +optional_policy(` + ssh_getattr_server_keys(init_t) ') optional_policy(` sssd_stream_connect(init_t) ') +optional_policy(` + rpcbind_filetrans_named_content(init_t) + rpcbind_relabel_sock_file(init_t) +') + +optional_policy(` + systemd_filetrans_named_content(init_t) +') + +optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) + udev_create_kobject_uevent_socket(init_t) + udev_relabel_pid_sockfile(init_t) +') + +optional_policy(` + xserver_relabel_xdm_tmp_dirs(init_t) + xserver_manage_xdm_tmp_dirs(init_t) + xserver_read_xdm_lib_files(init_t) +') + optional_policy(` unconfined_domain(init_t) + domain_named_filetrans(init_t) + unconfined_server_domtrans(init_t) ') ######################################## @@ -225,9 +615,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; allow initrc_t self:capability2 block_suspend; -dontaudit initrc_t self:capability sys_module; # sysctl is triggering this +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; @@ -258,12 +648,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) +files_create_var_run_dirs(initrc_t) +files_relabelfrom_isid_type(initrc_t) can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) +allow initrc_t initrc_tmp_t:dir relabelfrom; manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) @@ -279,23 +673,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) +kernel_request_load_module(initrc_t) kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) +kernel_stream_connect(initrc_t) +files_read_kernel_modules(initrc_t) +files_read_config_files(initrc_t) +files_read_var_lib_symlinks(initrc_t) +files_setattr_pid_dirs(initrc_t) files_create_lock_dirs(initrc_t) files_pid_filetrans_lock_dir(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) -files_setattr_lock_dirs(initrc_t) +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) +files_manage_system_conf_files(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) +fs_manage_tmpfs_symlinks(initrc_t) +fs_delete_tmpfs_files(initrc_t) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) +fs_read_nfsd_files(initrc_t) corecmd_exec_all_executables(initrc_t) -corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -corenet_tcp_sendrecv_all_if(initrc_t) -corenet_udp_sendrecv_all_if(initrc_t) -corenet_tcp_sendrecv_all_nodes(initrc_t) -corenet_udp_sendrecv_all_nodes(initrc_t) +corenet_tcp_sendrecv_generic_if(initrc_t) +corenet_udp_sendrecv_generic_if(initrc_t) +corenet_tcp_sendrecv_generic_node(initrc_t) +corenet_udp_sendrecv_generic_node(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) @@ -303,9 +710,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) +dev_dontaudit_read_kmsg(initrc_t) dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) +dev_write_watchdog(initrc_t) dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -313,8 +722,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) +dev_setattr_generic_dirs(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) +dev_rw_generic_chr_files(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) @@ -322,8 +733,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) @@ -332,7 +742,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -domain_dontaudit_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: @@ -340,6 +749,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) +domain_obj_id_change_exemption(initrc_t) files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) @@ -347,14 +757,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) -files_delete_all_locks(initrc_t) +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) +files_delete_root_files(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) files_manage_etc_runtime_files(initrc_t) files_etc_filetrans_etc_runtime(initrc_t, file) -files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) @@ -364,8 +775,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) -fs_write_cgroup_files(initrc_t) +fs_delete_cgroup_dirs(initrc_t) +fs_list_cgroup_dirs(initrc_t) +fs_rw_cgroup_files(initrc_t) fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs @@ -375,10 +790,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) +fs_dontaudit_create_tmpfs_chr_dev(initrc_t) # initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) @@ -387,8 +803,11 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) selinux_get_enforce_mode(initrc_t) +selinux_set_enforce_mode(initrc_t) +selinux_setcheckreqprot(initrc_t) storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) @@ -398,6 +817,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) +auth_manage_faillog(initrc_t) auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) @@ -416,20 +836,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) -miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_generic_certs(initrc_t) +miscfiles_manage_generic_cert_files(initrc_t) -modutils_read_module_config(initrc_t) -modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) +userdom_read_admin_home_files(initrc_t) userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. -userdom_use_user_terminals(initrc_t) +userdom_use_inherited_user_terminals(initrc_t) ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) @@ -451,7 +869,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) - dev_create_generic_dirs(initrc_t) term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks @@ -485,6 +902,10 @@ ifdef(`distro_gentoo',` sysnet_write_config(initrc_t) sysnet_setattr_config(initrc_t) + optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + optional_policy(` alsa_read_lib(initrc_t) ') @@ -506,7 +927,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd - kernel_dontaudit_use_fds(initrc_t) + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd @@ -521,6 +942,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) + # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) @@ -541,6 +963,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) + miscfiles_filetrans_named_content(initrc_t) miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) @@ -549,9 +972,45 @@ ifdef(`distro_redhat',` alsa_manage_rw_config(initrc_t) ') + optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + optional_policy(` bind_manage_config_dirs(initrc_t) + bind_manage_config(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) + ') + + optional_policy(` + cyrus_write_data(initrc_t) + ') + + optional_policy(` + devicekit_append_inherited_log_files(initrc_t) + devicekit_dbus_chat_power(initrc_t) + ') + + optional_policy(` + dirsrvadmin_read_config(initrc_t) + dirsrv_manage_var_run(initrc_t) + ') + + optional_policy(` + gnome_manage_gconf_config(initrc_t) + ') + + optional_policy(` + ldap_read_db_files(initrc_t) + ') + + optional_policy(` + ntp_filetrans_named_content(initrc_t) + ') + + optional_policy(` + pulseaudio_stream_connect(initrc_t) ') optional_policy(` @@ -559,14 +1018,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') + optional_policy(` + rpcbind_stream_connect(initrc_t) + ') optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) + sysnet_manage_dhcpc_state(initrc_t) + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) + #sysnet_filetrans_named_content(initrc_t) + ') + + optional_policy(` + tgtd_stream_connect(initrc_t) + ') + + optional_policy(` + wdmd_manage_pid_files(initrc_t) ') optional_policy(` xserver_delete_log(initrc_t) + xserver_manage_user_fonts_dir(initrc_t) ') ') @@ -577,6 +1053,39 @@ ifdef(`distro_suse',` ') ') +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) + +tunable_policy(`daemons_use_tcp_wrapper',` + corenet_tcp_connect_auth_port(daemon) +') + +tunable_policy(`daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_ttys(daemon) + term_use_all_ptys(daemon) +',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_ttys(daemon) + term_dontaudit_use_all_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`daemons_dump_core',` + files_manage_root_files(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + unconfined_dontaudit_rw_stream(daemon) + userdom_dontaudit_read_user_tmp_files(daemon) + userdom_dontaudit_write_user_tmp_files(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -589,6 +1098,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) + # webmin seems to cause this. + apache_search_sys_content(daemon) ') optional_policy(` @@ -610,6 +1121,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) + domain_setpriority_all_domains(initrc_t) ') optional_policy(` @@ -625,6 +1137,17 @@ optional_policy(` dev_getattr_cpu_dev(initrc_t) ') +optional_policy(` + chronyd_append_keys(initrc_t) + chronyd_read_keys(initrc_t) +') + +optional_policy(` + cron_read_pipes(initrc_t) + # managing /etc/cron.d/mailman content + cron_manage_system_spool(initrc_t) +') + optional_policy(` dev_getattr_printer_dev(initrc_t) @@ -642,9 +1165,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) + + init_dbus_chat(initrc_t) optional_policy(` consolekit_dbus_chat(initrc_t) + consolekit_manage_log(initrc_t) ') optional_policy(` @@ -657,15 +1184,11 @@ optional_policy(` ') optional_policy(` - # /var/run/dovecot/login/ssl-parameters.dat is a hard link to - # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up - # the directory. But we do not want to allow this. - # The master process of dovecot will manage this file. - dovecot_dontaudit_unlink_lib_files(initrc_t) + ftp_read_config(initrc_t) ') optional_policy(` - ftp_read_config(initrc_t) + glance_manage_pid_files(initrc_t) ') optional_policy(` @@ -685,6 +1208,15 @@ optional_policy(` modutils_read_module_deps(initrc_t) ') +optional_policy(` + firewalld_dbus_chat(initrc_t) +') + +optional_policy(` + modutils_read_module_config(initrc_t) + modutils_domtrans_insmod(initrc_t) +') + optional_policy(` inn_exec_config(initrc_t) ') @@ -726,6 +1258,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) + lpd_manage_spool(init_t) ') optional_policy(` @@ -743,7 +1276,13 @@ optional_policy(` ') optional_policy(` - mta_read_config(initrc_t) + milter_delete_dkim_pid_files(initrc_t) + milter_setattr_all_dirs(initrc_t) +') + +optional_policy(` + mta_manage_aliases(initrc_t) + mta_manage_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -765,6 +1304,10 @@ optional_policy(` openvpn_read_config(initrc_t) ') +optional_policy(` + plymouthd_stream_connect(initrc_t) +') + optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) @@ -774,10 +1317,20 @@ optional_policy(` postfix_list_spool(initrc_t) ') +optional_policy(` + psad_setattr_fifo_file(initrc_t) + psad_setattr_log(initrc_t) + psad_write_log(initrc_t) +') + optional_policy(` puppet_rw_tmp(initrc_t) ') +optional_policy(` + qpidd_manage_var_run(initrc_t) +') + optional_policy(` quota_manage_flags(initrc_t) ') @@ -786,6 +1339,10 @@ optional_policy(` raid_manage_mdadm_pid(initrc_t) ') +optional_policy(` + ricci_manage_lib_files(initrc_t) +') + optional_policy(` fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) @@ -808,8 +1365,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) - # why is this needed: - rpm_manage_db(initrc_t) ') optional_policy(` @@ -817,6 +1372,10 @@ optional_policy(` samba_read_winbind_pid(initrc_t) ') +optional_policy(` + sendmail_setattr_pid_files(initrc_t) +') + optional_policy(` # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) @@ -827,10 +1386,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') +ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc, initrc_t, system_r) ') +') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) @@ -857,21 +1418,60 @@ optional_policy(` ') optional_policy(` + virt_read_config(init_t) + virt_stream_connect(init_t) + virt_noatsecure(init_t) + virt_rlimitinh(init_t) +') + +optional_policy(` + virt_manage_pid_dirs(initrc_t) + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) virt_stream_connect(initrc_t) - virt_manage_virt_cache(initrc_t) +') + +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) +') + +optional_policy(` + cfengine_append_inherited_log(daemon) ') optional_policy(` unconfined_domain(initrc_t) + domain_named_filetrans(initrc_t) + domain_role_change_exemption(initrc_t) + + files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited unconfined_dontaudit_rw_pipes(daemon) ') + optional_policy(` + authconfig_domtrans(initrc_t) + ') + optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t, system_r) + + optional_policy(` + rtkit_scheduled(initrc_t) + ') +') + +optional_policy(` + rpm_read_db(initrc_t) + rpm_delete_db(initrc_t) ') optional_policy(` @@ -886,6 +1486,10 @@ optional_policy(` xfs_read_sockets(initrc_t) ') +optional_policy(` + sanlock_manage_pid_files(initrc_t) +') + optional_policy(` # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) @@ -897,3 +1501,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') + +userdom_inherit_append_user_home_content_files(daemon) +userdom_inherit_append_user_tmp_files(daemon) +userdom_dontaudit_rw_stream(daemon) + +logging_inherit_append_all_logs(daemon) + +optional_policy(` + # sudo service restart causes this + unconfined_signull(daemon) +') + + +optional_policy(` + xserver_dontaudit_append_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(daemon) + ') +') + +init_rw_script_stream_sockets(daemon) + +optional_policy(` + abrt_stream_connect(daemon) +') + +optional_policy(` + fail2ban_read_lib_files(daemon) +') + +optional_policy(` + firstboot_dontaudit_leaks(daemon) +') + +init_rw_stream_sockets(daemon) +init_dontaudit_script_leaks(daemon) + +allow init_t var_run_t:dir relabelto; + +init_stream_connect(initrc_t) + +allow initrc_t daemon:process siginh; +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_transition_domain:fd use; +allow daemon init_var_run_t:dir search_dir_perms; +allow systemprocess init_var_run_t:dir search_dir_perms; + +allow init_t daemon:unix_stream_socket create_stream_socket_perms; +allow init_t daemon:unix_dgram_socket create_socket_perms; +allow init_t daemon:tcp_socket create_stream_socket_perms; +allow init_t daemon:udp_socket create_socket_perms; +allow daemon init_t:unix_dgram_socket sendto; +# need write to /var/run/systemd/notify +init_write_pid_socket(daemon) +allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; + +# daemons started from init will +# inherit fds from init for the console +init_dontaudit_use_fds(daemon) +term_dontaudit_use_console(daemon) +# init script ptys are the stdin/out/err +# when using run_init +init_use_script_ptys(daemon) + +allow init_t daemon:process siginh; + +ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds(daemon) + ') + + dontaudit daemon init_t:dir search_dir_perms; +') + +optional_policy(` + nscd_socket_use(daemon) +') + +optional_policy(` + puppet_rw_tmp(daemon) +') + +allow direct_run_init daemon:process { noatsecure siginh rlimitinh }; + +allow initrc_t systemprocess:process siginh; +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow systemprocess initrc_transition_domain:fd use; + +dontaudit systemprocess init_t:unix_stream_socket getattr; + +allow init_t daemon:unix_stream_socket create_stream_socket_perms; +allow init_t daemon:unix_dgram_socket create_socket_perms; +allow daemon init_t:unix_stream_socket ioctl; +allow daemon init_t:unix_dgram_socket sendto; +# need write to /var/run/systemd/notify +init_write_pid_socket(daemon) +init_rw_inherited_script_tmp_files(daemon) + +# Handle upstart/systemd direct transition to a executable +allow init_t systemprocess:process { dyntransition siginh }; +allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; +allow init_t systemprocess:unix_dgram_socket create_socket_perms; +allow systemprocess init_t:unix_dgram_socket sendto; +allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; + +files_dontaudit_rw_inherited_locks(systemprocess) +files_dontaudit_tmp_file_leaks(systemprocess) +init_rw_inherited_script_tmp_files(systemprocess) + +logging_dontaudit_rw_inherited_generic_logs(systemprocess) + +userdom_dontaudit_search_user_home_dirs(systemprocess) +userdom_dontaudit_rw_stream(systemprocess) +userdom_dontaudit_write_user_tmp_files(systemprocess) + +tunable_policy(`daemons_use_tty',` + term_use_all_ttys(systemprocess) + term_use_all_ptys(systemprocess) +',` + term_dontaudit_use_all_ttys(systemprocess) + term_dontaudit_use_all_ptys(systemprocess) +') + +# these apps are often redirect output to random log files +logging_inherit_append_all_logs(systemprocess) + +optional_policy(` + abrt_stream_connect(systemprocess) +') + +optional_policy(` + cfengine_append_inherited_log(systemprocess) +') + +optional_policy(` + cron_rw_pipes(systemprocess) +') + +optional_policy(` + puppet_rw_tmp(systemprocess) +') + +optional_policy(` + xserver_dontaudit_append_xdm_home_files(systemprocess) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(systemprocess) + unconfined_dontaudit_rw_stream(systemprocess) + userdom_dontaudit_read_user_tmp_files(systemprocess) +') + +init_rw_script_stream_sockets(systemprocess) + +role system_r types systemprocess; +role system_r types daemon; + +#ifdef(`enable_mls',` +# mls_rangetrans_target(systemprocess) +#') + +allow initrc_domain daemon:process transition; +allow daemon initrc_domain:fd use; +allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_domain:process sigchld; +allow initrc_domain direct_init_entry:file { getattr open read map execute }; + +allow systemprocess initrc_domain:fd use; +allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms; +allow systemprocess initrc_domain:process sigchld; +allow initrc_domain systemprocess_entry:file { getattr open read execute map }; +allow initrc_domain systemprocess:process transition; + +optional_policy(` + systemd_getattr_unit_dirs(daemon) + systemd_getattr_unit_dirs(systemprocess) +') + +optional_policy(` + rgmanager_search_lib(initrc_domain) +') + +ifdef(`direct_sysadm_daemon',` + allow daemon direct_run_init:fd use; + allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; + allow daemon direct_run_init:process sigchld; + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') + +optional_policy(` + tunable_policy(`daemons_enable_cluster_mode',` + rhcs_manage_cluster_pid_files(daemon) + rhcs_manage_cluster_lib_files(daemon) + rhcs_rw_inherited_cluster_tmp_files(daemon) + rhcs_stream_connect_cluster_to(daemon,daemon) +',` + rhcs_read_cluster_lib_files(daemon) + rhcs_read_cluster_pid_files(daemon) + ') + + ') + +optional_policy(` + tunable_policy(`daemons_enable_cluster_mode',` + #resource agents placed config files in /etc/cluster + ccs_manage_config(daemon) +',` + ccs_read_config(daemon) + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 662e79be8..c34c4aebc 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,14 +1,26 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan-swanctl.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + +/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) @@ -25,17 +37,30 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/addconn -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) -/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) +/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 0d4c8d35e..0cd667eb3 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -18,6 +18,24 @@ interface(`ipsec_domtrans',` domtrans_pattern($1, ipsec_exec_t, ipsec_t) ') +####################################### +## +## Allow read/write ipsec pipes +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_rw_inherited_pipes',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms; +') + ######################################## ## ## Connect to IPSEC using a unix domain stream socket. @@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',` domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ') +####################################### +## +## Allow to create OBJECT in /etc with ipsec_key_file_t. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_filetrans_key_file',` + gen_require(` + type ipsec_key_file_t; + ') + + files_etc_filetrans($1, ipsec_key_file_t, file) +') + +####################################### +## +## Allow to manage ipsec key files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_manage_key_file',` + gen_require(` + type ipsec_key_file_t; + ') + + manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t) + files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets") +') + +######################################## +## +## Read the ipsec_mgmt_var_run_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_mgmt_read_pid',` + gen_require(` + type ipsec_var_run_t; + type ipsec_mgmt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t) +') + + ######################################## ## ## Connect to racoon using a unix domain stream socket. @@ -120,7 +196,6 @@ interface(`ipsec_exec_mgmt',` ## ## # -# interface(`ipsec_signal_mgmt',` gen_require(` type ipsec_mgmt_t; @@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',` ## ## # -# interface(`ipsec_signull_mgmt',` gen_require(` type ipsec_mgmt_t; @@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',` ##
      ## # -# interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; @@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',` allow $1 ipsec_mgmt_t:process sigkill; ') +######################################## +## +## Send ipsec a general signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_signal',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:process signal; +') + +######################################## +## +## Send ipsec a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_signull',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:process signull; +') + +######################################## +## +## Send ipsec a kill signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_kill',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:process sigkill; +') + ###################################### ## ## Send and receive messages from @@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; + allow $1 self:peer recv; ') ######################################## @@ -245,6 +373,25 @@ interface(`ipsec_setcontext_default_spd',` allow $1 ipsec_spd_t:association setcontext; ') +######################################## +## +## Read the ipsec_var_run_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ipsec_read_pid',` + gen_require(` + type ipsec_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') ######################################## ## @@ -282,6 +429,7 @@ interface(`ipsec_manage_pid',` files_search_pids($1) manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) ') ######################################## @@ -369,3 +517,46 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') + +####################################### +## +## Execute strongswan in the ipsec_mgmt domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`ipsec_mgmt_systemctl',` + gen_require(` + type ipsec_mgmt_unit_file_t; + type ipsec_mgmt_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 ipsec_mgmt_unit_file_t:file read_file_perms; + allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, ipsec_mgmt_t) +') + +######################################## +## +## Do not audit attempts to write the ipsec +## log files. +## +## +## +## Domain to not audit. +## +## +# +interface(`ipsec_dontaudit_write_log',` + gen_require(` + type ipsec_log_t; + ') + + dontaudit $1 ipsec_log_t:file rw_inherited_file_perms; +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 312cd0417..a3336c6a4 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) corecmd_shell_entry_type(ipsec_mgmt_t) role system_r types ipsec_mgmt_t; +type ipsec_mgmt_unit_file_t; +systemd_unit_file(ipsec_mgmt_unit_file_t) + type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) @@ -67,29 +70,43 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; +# The NetworkManager helper communicates the password via PTY +type ipsec_mgmt_devpts_t; +term_pty(ipsec_mgmt_devpts_t) +files_type(ipsec_mgmt_devpts_t) + ######################################## # # ipsec Local policy # -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_t self:process { getcap setcap getsched signal setsched }; +allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; +dontaudit ipsec_t self:capability sys_tty_config; +allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; +allow ipsec_t self:packet_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; -read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets") allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +allow ipsec_t ipsec_key_file_t:file map; + +manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) @@ -101,19 +118,22 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) +can_exec(ipsec_t, ipsec_exec_t) # pluto runs an updown script (by calling popen()!) as this is by default # a shell script, we need to find a way to make things work without # letting all sorts of stuff possibly be run... # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +allow ipsec_t ipsec_mgmt_t:process2 nnp_transition; + allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; -allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; +allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull }; kernel_read_kernel_sysctls(ipsec_t) -kernel_read_net_sysctls(ipsec_t) +kernel_rw_net_sysctls(ipsec_t) kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -128,20 +148,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access -corenet_all_recvfrom_unlabeled(ipsec_t) -corenet_tcp_sendrecv_all_if(ipsec_t) -corenet_raw_sendrecv_all_if(ipsec_t) -corenet_tcp_sendrecv_all_nodes(ipsec_t) -corenet_raw_sendrecv_all_nodes(ipsec_t) +corenet_tcp_sendrecv_generic_if(ipsec_t) +corenet_raw_sendrecv_generic_if(ipsec_t) +corenet_tcp_sendrecv_generic_node(ipsec_t) +corenet_raw_sendrecv_generic_node(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) -corenet_tcp_bind_all_nodes(ipsec_t) -corenet_udp_bind_all_nodes(ipsec_t) +corenet_tcp_bind_generic_node(ipsec_t) +corenet_udp_bind_generic_node(ipsec_t) corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) +corenet_udp_bind_dhcpc_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) +corenet_tcp_connect_http_port(ipsec_t) +corenet_tcp_connect_ldap_port(ipsec_t) dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) @@ -157,23 +179,40 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) +selinux_compute_access_vector(ipsec_t) + term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) +auth_use_pam(ipsec_t) auth_use_nsswitch(ipsec_t) +auth_read_home_content(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) +logging_send_audit_msgs(ipsec_t) logging_send_syslog_msg(ipsec_t) -miscfiles_read_localization(ipsec_t) +miscfiles_map_generic_certs(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) +sysnet_exec_ifconfig(ipsec_t) +sysnet_nnp_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) +optional_policy(` + iptables_domtrans(ipsec_t) +') + +optional_policy(` + l2tpd_read_pid_files(ipsec_t) +') + optional_policy(` seutil_sigchld_newrole(ipsec_t) ') @@ -187,14 +226,15 @@ optional_policy(` # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; -allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; +allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) +files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file @@ -236,6 +278,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +allow ipsec_mgmt_t ipsec_exec_t:file map; kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute; @@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) +domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) + +dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) +dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) + +dev_read_sysfs(ipsec_mgmt_t) + +files_dontaudit_getattr_all_files(ipsec_mgmt_t) +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) @@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) +corenet_tcp_connect_rndc_port(ipsec_mgmt_t) + dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) @@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) +files_list_kernel_modules(ipsec_mgmt_t) files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) @@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_inherited_terms(ipsec_mgmt_t) auth_dontaudit_read_login_records(ipsec_mgmt_t) +auth_use_nsswitch(ipsec_mgmt_t) init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) @@ -288,17 +345,30 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) -logging_send_syslog_msg(ipsec_mgmt_t) - -miscfiles_read_localization(ipsec_mgmt_t) +ipsec_mgmt_systemctl(ipsec_mgmt_t) -seutil_dontaudit_search_config(ipsec_mgmt_t) +logging_read_all_logs(ipsec_mgmt_t) +logging_send_syslog_msg(ipsec_mgmt_t) sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) +sysnet_exec_ifconfig(ipsec_mgmt_t) +sysnet_nnp_domtrans_ifconfig(ipsec_mgmt_t) -userdom_use_user_terminals(ipsec_mgmt_t) +systemd_exec_systemctl(ipsec_mgmt_t) + +userdom_use_inherited_user_terminals(ipsec_mgmt_t) + +allow ipsec_mgmt_t ipsec_mgmt_devpts_t:chr_file rw_term_perms; +term_create_pty(ipsec_mgmt_t,ipsec_mgmt_devpts_t) + +optional_policy(` + bind_domtrans(ipsec_mgmt_t) + bind_read_dnssec_keys(ipsec_mgmt_t) + bind_read_config(ipsec_mgmt_t) + bind_read_state(ipsec_mgmt_t) +') optional_policy(` consoletype_exec(ipsec_mgmt_t) @@ -321,6 +391,10 @@ optional_policy(` iptables_domtrans(ipsec_mgmt_t) ') +optional_policy(` + l2tpd_read_pid_files(ipsec_mgmt_t) +') + optional_policy(` modutils_domtrans_insmod(ipsec_mgmt_t) ') @@ -335,7 +409,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; -allow racoon_t self:netlink_route_socket create_netlink_socket_perms; +allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; @@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) -corenet_all_recvfrom_unlabeled(racoon_t) -corenet_tcp_sendrecv_all_if(racoon_t) -corenet_udp_sendrecv_all_if(racoon_t) -corenet_tcp_sendrecv_all_nodes(racoon_t) -corenet_udp_sendrecv_all_nodes(racoon_t) -corenet_tcp_bind_all_nodes(racoon_t) -corenet_udp_bind_all_nodes(racoon_t) +corenet_tcp_sendrecv_generic_if(racoon_t) +corenet_udp_sendrecv_generic_if(racoon_t) +corenet_tcp_sendrecv_generic_node(racoon_t) +corenet_udp_sendrecv_generic_node(racoon_t) +corenet_tcp_bind_generic_node(racoon_t) +corenet_udp_bind_generic_node(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) @@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) -miscfiles_read_localization(racoon_t) - sysnet_exec_ifconfig(racoon_t) +auth_use_pam(racoon_t) + auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) @@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) -miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) -userdom_use_user_terminals(setkey_t) - +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc index 73a1c4e1e..193006ef6 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -1,22 +1,50 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + +/usr/libexec/iptables/iptables.init -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/libexec/iptables/ip6tables.init -- gen_context(system_u:object_r:iptables_exec_t,s0) + + +/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0) + +/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0) +/var/lock/subsys/ip6tables -- gen_context(system_u:object_r:iptables_lock_t,s0) + +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) +/var/run/ebtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index c42fbc329..5e1a4a51c 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,10 +17,7 @@ interface(`iptables_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit iptables_t $1:socket_class_set { read write }; - ') + allow $1 iptables_exec_t:file map; ') ######################################## @@ -86,6 +83,30 @@ interface(`iptables_initrc_domtrans',` init_labeled_script_domtrans($1, iptables_initrc_exec_t) ') +######################################## +## +## Execute iptables server in the iptables domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`iptables_systemctl',` + gen_require(` + type iptables_unit_file_t; + type iptables_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 iptables_unit_file_t:file read_file_perms; + allow $1 iptables_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, iptables_t) +') + ##################################### ## ## Set the attributes of iptables config files. @@ -163,3 +184,40 @@ interface(`iptables_manage_config',` files_search_etc($1) manage_files_pattern($1, iptables_conf_t, iptables_conf_t) ') + +######################################## +## +## Transition to iptables named content +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_filetrans_named_content',` + gen_require(` + type iptables_var_run_t; + ') + + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') + +##################################### +## +## Read iptables run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_read_var_run',` + gen_require(` + type iptables_var_run_t; + ') + + allow $1 iptables_var_run_t:dir list_dir_perms; + read_files_pattern($1, iptables_var_run_t, iptables_var_run_t) +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index be8ed1e6c..a9e54e32e 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) -type iptables_conf_t; -files_config_file(iptables_conf_t) - type iptables_tmp_t; files_tmp_file(iptables_tmp_t) type iptables_var_run_t; files_pid_file(iptables_var_run_t) +type iptables_var_lib_t; +files_pid_file(iptables_var_lib_t) + +type iptables_lock_t; +files_lock_file(iptables_lock_t) + +type iptables_unit_file_t; +systemd_unit_file(iptables_unit_file_t) + ######################################## # # Iptables local policy @@ -32,29 +38,45 @@ files_pid_file(iptables_var_run_t) allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; +dontaudit iptables_t self:capability2 block_suspend; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; +allow iptables_t self:netlink_generic_socket create_socket_perms; +allow iptables_t self:netlink_netfilter_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) -files_etc_filetrans(iptables_t, iptables_conf_t, file) +files_manage_system_conf_files(iptables_t) +files_etc_filetrans_system_conf(iptables_t) +files_etc_filetrans(iptables_t, system_conf_t, dir) manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) +manage_dirs_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +manage_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +manage_lnk_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +files_var_lib_filetrans(iptables_t, iptables_var_lib_t, { file dir lnk_file }) + can_exec(iptables_t, iptables_exec_t) +manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t) +files_lock_filetrans(iptables_t, iptables_lock_t, file) + allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) +kernel_getattr_proc(iptables_t) kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) -kernel_read_modprobe_sysctls(iptables_t) +kernel_read_usermodehelper_state(iptables_t) kernel_use_fds(iptables_t) +kernel_rw_net_sysctls(iptables_t) +kernel_search_network_sysctl(iptables_t) + # needed by ipvsadm corecmd_exec_bin(iptables_t) @@ -64,19 +86,24 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) +dev_read_rand(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) fs_list_inotifyfs(iptables_t) +fs_read_nsfs_files(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) +term_use_all_inherited_terms(iptables_t) domain_use_interactive_fds(iptables_t) -files_read_etc_files(iptables_t) -files_read_etc_runtime_files(iptables_t) +files_rw_etc_runtime_files(iptables_t) +files_rw_inherited_tmp_file(iptables_t) +files_read_kernel_modules(iptables_t) auth_use_nsswitch(iptables_t) @@ -85,15 +112,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) +init_dontaudit_script_leaks(iptables_t) logging_send_syslog_msg(iptables_t) -miscfiles_read_localization(iptables_t) - sysnet_run_ifconfig(iptables_t, iptables_roles) sysnet_dns_name_resolve(iptables_t) -userdom_use_user_terminals(iptables_t) +userdom_use_inherited_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` @@ -102,6 +128,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) + fail2ban_read_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) + fail2ban_rw_inherited_tmp_files(iptables_t) ') optional_policy(` @@ -109,8 +138,16 @@ optional_policy(` firstboot_rw_pipes(iptables_t) ') +optional_policy(` + firewalld_read_config(iptables_t) + firewalld_read_pid_files(iptables_t) + firewalld_dontaudit_write_tmp_files(iptables_t) +') + optional_policy(` modutils_run_insmod(iptables_t, iptables_roles) + modutils_list_module_config(iptables_t) + modutils_read_module_config(iptables_t) ') optional_policy(` @@ -118,12 +155,26 @@ optional_policy(` nis_use_ypbind(iptables_t) ') +optional_policy(` + plymouthd_exec_plymouth(iptables_t) +') + optional_policy(` ppp_dontaudit_use_fds(iptables_t) ') optional_policy(` psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) +') + +optional_policy(` + ctdbd_read_lib_files(iptables_t) +') + +optional_policy(` + neutron_rw_inherited_pipes(iptables_t) + neutron_sigchld(iptables_t) ') optional_policy(` @@ -132,12 +183,13 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(iptables_t) + seutil_run_setfiles(iptables_t, iptables_roles) ') optional_policy(` + shorewall_read_config(iptables_t) shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) - shorewall_read_config(iptables_t) ') optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 73bb3c00c..10006d658 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ + # # /emul # @@ -28,14 +29,17 @@ ifdef(`distro_redhat',` # /etc # /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) +/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) +/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) # # /lib(64)? # -/lib -d gen_context(system_u:object_r:lib_t,s0) +/lib gen_context(system_u:object_r:lib_t,s0) +/lib64 gen_context(system_u:object_r:lib_t,s0) /lib/.* gen_context(system_u:object_r:lib_t,s0) /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -52,9 +56,8 @@ ifdef(`distro_gentoo',` # # /opt # -/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) +/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -103,6 +106,12 @@ ifdef(`distro_redhat',` # # /usr # +/usr/lib -d gen_context(system_u:object_r:lib_t,s0) +/usr/lib/.* gen_context(system_u:object_r:lib_t,s0) +/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +/usr/lib/gvfs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -111,12 +120,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) @@ -125,10 +134,12 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -141,19 +152,21 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libjavascriptcoregtk[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib.*/libnvidia\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -182,11 +195,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -299,17 +311,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) -/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - -/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) +/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) +/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` +/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia +/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 808ba93eb..cc985cfbe 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -64,6 +64,25 @@ interface(`libs_exec_ldconfig',` can_exec($1, ldconfig_exec_t) ') +######################################## +## +## Make ldconfig_exec_t entrypoint for +## the specified domain. +## +## +## +## The domain for which bin_t is an entrypoint. +## +## +# +interface(`libs_ldconfig_exec_entry_type',` + gen_require(` + type ldconfig_exec_t; + ') + + domain_entry_file($1, ldconfig_exec_t) +') + ######################################## ## ## Use the dynamic link/loader for automatic loading @@ -84,9 +103,9 @@ interface(`libs_use_ld_so',` allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) + mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t }) - allow $1 ld_so_cache_t:file read_file_perms; + allow $1 ld_so_cache_t:file { map read_file_perms }; ') ######################################## @@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',` type lib_t, ld_so_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) manage_files_pattern($1, lib_t, ld_so_t) ') @@ -205,8 +225,26 @@ interface(`libs_search_lib',` type lib_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) allow $1 lib_t:dir search_dir_perms; ') +######################################## +## +## dontaudit attempts to setattr on library files +## +## +## +## Domain to not audit. +## +## +# +interface(`libs_dontaudit_setattr_lib_files',` + gen_require(` + type lib_t; + ') + + dontaudit $1 lib_t:file setattr; +') ######################################## ## @@ -248,27 +286,10 @@ interface(`libs_manage_lib_dirs',` type lib_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) allow $1 lib_t:dir manage_dir_perms; ') -######################################## -## -## dontaudit attempts to setattr on library files -## -## -## -## Domain to not audit. -## -## -# -interface(`libs_dontaudit_setattr_lib_files',` - gen_require(` - type lib_t; - ') - - dontaudit $1 lib_t:file setattr; -') - ######################################## ## ## Read files in the library directories, such @@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` type lib_t; ') + read_lnk_files_pattern($1, lib_t, lib_t) manage_files_pattern($1, lib_t, lib_t) ') @@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` type lib_t, textrel_shlib_t; ') - manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + read_lnk_files_pattern($1, lib_t, lib_t) + manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ') ######################################## @@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` ') files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; + read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) +# allow $1 lib_t:file execmod; allow $1 textrel_shlib_t:file execmod; ') @@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` type lib_t, textrel_shlib_t; ') - relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ') ######################################## @@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## +## +## Transition to lib named content +## +## +## +## Domain allowed access. +## +## +# +interface(`libs_filetrans_named_content',` + gen_require(` + type lib_t; + type ld_so_cache_t; + type ldconfig_cache_t; + ') + + files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug") + files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 54f8fa5c8..e14ec857c 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) # lib_t is the type of files in the system lib directories. # type lib_t alias shlib_t; -files_type(lib_t) +files_ro_base_file(lib_t) # # textrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. # type textrel_shlib_t alias texrel_shlib_t; -files_type(textrel_shlib_t) +files_ro_base_file(textrel_shlib_t) ifdef(`distro_gentoo',` # openrc unfortunately mounts a tmpfs @@ -57,11 +57,14 @@ optional_policy(` # ldconfig local policy # -allow ldconfig_t self:capability { dac_override sys_chroot }; +allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot }; +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) +files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig") +allow ldconfig_t ldconfig_cache_t:file map; -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) @@ -72,14 +75,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) kernel_read_system_state(ldconfig_t) +kernel_read_network_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) +files_list_var_lib(ldconfig_t) +files_dontaudit_leaks(ldconfig_t) +files_manage_var_lib_symlinks(ldconfig_t) + corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) -files_search_var_lib(ldconfig_t) +files_search_home(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) files_search_tmp(ldconfig_t) @@ -90,11 +98,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) -miscfiles_read_localization(ldconfig_t) logging_send_syslog_msg(ldconfig_t) -userdom_use_user_terminals(ldconfig_t) +term_use_console(ldconfig_t) +userdom_use_inherited_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` @@ -103,6 +111,13 @@ ifdef(`distro_ubuntu',` ') ') +userdom_dontaudit_list_admin_dir(ldconfig_t) +userdom_list_user_home_dirs(ldconfig_t) +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) +userdom_rw_inherited_user_tmp_pipes(ldconfig_t) + ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage @@ -114,6 +129,11 @@ ifdef(`hide_broken_symptoms',` ') ') + dev_dontaudit_rw_lvm_control(ldconfig_t) + dev_dontaudit_read_all_chr_files(ldconfig_t) + dev_dontaudit_read_all_blk_files(ldconfig_t) + term_dontaudit_use_unallocated_ttys(ldconfig_t) + optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') @@ -130,6 +150,18 @@ optional_policy(` apt_use_ptys(ldconfig_t) ') +optional_policy(` + glusterd_dontaudit_read_lib_dirs(ldconfig_t) +') + +optional_policy(` + gnome_append_generic_cache_files(ldconfig_t) +') + +optional_policy(` + kdump_manage_kdumpctl_tmp_files(ldconfig_t) +') + optional_policy(` puppet_rw_tmp(ldconfig_t) ') @@ -141,6 +173,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') -optional_policy(` - unconfined_domain(ldconfig_t) -') diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc index be6a81b80..a5303e920 100644 --- a/policy/modules/system/locallogin.fc +++ b/policy/modules/system/locallogin.fc @@ -1,3 +1,8 @@ +HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) +/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) + +/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if index 0e3c2a977..ea9bd57dc 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if @@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` domtrans_pattern($1, sulogin_exec_t, sulogin_t) ') + +####################################### +## +## Allow domain to gettatr local login home content +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_getattr_home_content',` + gen_require(` + type local_login_home_t; + ') + + getattr_files_pattern($1, local_login_home_t, local_login_home_t) +') + +######################################## +## +## create local login content in the in the /root directory +## with an correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_filetrans_admin_home_content',` + gen_require(` + type local_login_home_t; + ') + + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') + +######################################## +## +## Transition to local login named content +## +## +## +## Domain allowed access. +## +## +# +interface(`locallogin_filetrans_home_content',` + gen_require(` + type local_login_home_t; + ') + + userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 446fa9908..6e1a05a68 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) type local_login_lock_t; files_lock_file(local_login_lock_t) -type local_login_tmp_t; -files_tmp_file(local_login_tmp_t) -files_poly_parent(local_login_tmp_t) +type local_login_home_t; +userdom_user_home_content(local_login_home_t) type sulogin_t; type sulogin_exec_t; @@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t) init_system_domain(sulogin_t, sulogin_exec_t) role system_r types sulogin_t; +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh) +') + ######################################## # # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; @@ -51,9 +57,7 @@ allow local_login_t self:key { search write link }; allow local_login_t local_login_lock_t:file manage_file_perms; files_lock_filetrans(local_login_t, local_login_lock_t, file) -allow local_login_t local_login_tmp_t:dir manage_dir_perms; -allow local_login_t local_login_tmp_t:file manage_file_perms; -files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +allow local_login_t local_login_home_t:file read_file_perms; kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) @@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) +dev_rw_generic_usb_dev(local_login_t) +dev_read_video_dev(local_login_t) dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) @@ -103,6 +109,7 @@ files_read_world_readable_pipes(local_login_t) files_read_world_readable_sockets(local_login_t) # for when /var/mail is a symlink files_read_var_symlinks(local_login_t) +files_create_home_dir(local_login_t) fs_search_auto_mountpoints(local_login_t) @@ -117,16 +124,18 @@ term_relabel_unallocated_ttys(local_login_t) term_relabel_all_ttys(local_login_t) term_setattr_all_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) +term_relabel_all_ptys(local_login_t) +term_setattr_generic_ptys(local_login_t) auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) -auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) +auth_use_nsswitch(local_login_t) init_dontaudit_use_fds(local_login_t) +init_stream_connect(local_login_t) -miscfiles_read_localization(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) @@ -141,19 +150,15 @@ ifdef(`distro_ubuntu',` ') ') -tunable_policy(`console_login',` - # Able to relabel /dev/console to user tty types. - term_relabel_console(local_login_t) -') +userdom_home_reader(local_login_t) +userdom_manage_tmp_files(local_login_t) +userdom_tmp_filetrans_user_tmp(local_login_t, file) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(local_login_t) - fs_read_nfs_symlinks(local_login_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(local_login_t) - fs_read_cifs_symlinks(local_login_t) +tunable_policy(`login_console_enabled',` + term_use_console(local_login_t) + # Able to relabel /dev/console to user tty types. + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) ') optional_policy(` @@ -176,14 +181,6 @@ optional_policy(` mta_getattr_spool(local_login_t) ') -optional_policy(` - nis_use_ypbind(local_login_t) -') - -optional_policy(` - nscd_use(local_login_t) -') - optional_policy(` unconfined_shell_domtrans(local_login_t) ') @@ -195,6 +192,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_tmp_files(local_login_t) xserver_rw_xdm_tmp_files(local_login_t) + xserver_rw_xdm_keys(local_login_t) ') ################################# @@ -202,7 +200,7 @@ optional_policy(` # Sulogin local policy # -allow sulogin_t self:capability dac_override; +allow sulogin_t self:capability { dac_read_search dac_override sys_admin }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; @@ -215,18 +213,30 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; +kernel_getattr_core_if(sulogin_t) +kernel_read_crypto_sysctls(sulogin_t) kernel_read_system_state(sulogin_t) +dev_getattr_all_chr_files(sulogin_t) +dev_getattr_all_blk_files(sulogin_t) + +dev_read_urand(sulogin_t) +dev_read_rand(sulogin_t) + fs_search_auto_mountpoints(sulogin_t) fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) +files_search_pids(sulogin_t) auth_read_shadow(sulogin_t) +auth_use_nsswitch(sulogin_t) init_getpgid_script(sulogin_t) +init_getpgid(sulogin_t) +init_getattr_initctl(sulogin_t) logging_send_syslog_msg(sulogin_t) @@ -235,17 +245,28 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) +userdom_search_admin_dir(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) -sysadm_shell_domtrans(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) +term_use_generic_ptys(sulogin_t) + +ifdef(`enable_mls',` + sysadm_shell_domtrans(sulogin_t) +',` + optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') +allow sulogin_t self:capability sys_tty_config; ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; @@ -258,9 +279,5 @@ ifdef(`sulogin_no_pam', ` ') optional_policy(` - nis_use_ypbind(sulogin_t) -') - -optional_policy(` - nscd_use(sulogin_t) + plymouthd_exec_plymouth(sulogin_t) ') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index b50c5fe81..e55a55641 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -2,10 +2,13 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) @@ -17,12 +20,25 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) +/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) +/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) +/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) @@ -38,21 +54,22 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) -/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` -/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ') ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) @@ -65,11 +82,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4e9488463..09c79d688 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -144,6 +144,24 @@ interface(`logging_read_audit_log',` allow $1 auditd_log_t:dir list_dir_perms; ') +######################################## +## +## Map the audit log. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_map_audit_log',` + gen_require(` + type auditd_log_t; + ') + + allow $1 auditd_log_t:file map; +') ######################################## ## ## Execute auditctl in the auditctl domain. @@ -233,7 +251,7 @@ interface(`logging_run_auditd',` ######################################## ## -## Connect to auditdstored over an unix stream socket. +## Connect to auditdstored over a unix stream socket. ## ## ## @@ -262,6 +280,7 @@ interface(`logging_domtrans_dispatcher',` ') domtrans_pattern($1, audisp_exec_t, audisp_t) + allow $1 audisp_exec_t:file map; ') ######################################## @@ -318,7 +337,7 @@ interface(`logging_dispatcher_domain',` ######################################## ## -## Connect to the audit dispatcher over an unix stream socket. +## Connect to the audit dispatcher over a unix stream socket. ## ## ## @@ -496,6 +515,68 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3, $4) ') +####################################### +## +## Create an object in the log directory, with a private type. +## +## +##

      +## Allow the specified domain to create an object +## in the general system log directories (e.g., /var/log) +## with a private type. Typically this is used for creating +## private log files in /var/log with the private type instead +## of the general system log type. To accomplish this goal, +## either the program must be SELinux-aware, or use this interface. +##

      +##

      +## Related interfaces: +##

      +##
        +##
      • logging_log_file()
      • +##
      +##

      +## Example usage with a domain that can create +## and append to a private log file stored in the +## general directories (e.g., /var/log): +##

      +##

      +## type mylogfile_t; +## logging_log_file(mylogfile_t) +## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; +## logging_log_filetrans(mydomain_t, mylogfile_t, file) +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +## +# +interface(`logging_log_named_filetrans',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + filetrans_pattern($1, var_log_t, $2, $3, $4) +') + ######################################## ## ## Send system log messages. @@ -530,22 +611,105 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; + ') + + typeattribute $1 syslog_client_type; +') + +######################################## +## +## Connect to the syslog control unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_create_devlog_dev',` + gen_require(` + type devlog_t; + ') + + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") +') + +######################################## +## +## Relabel the devlog sock_file. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; + ') + + allow $1 devlog_t:sock_file relabel_sock_file_perms; +') + +######################################## +## +## Allow domain to read the syslog pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_read_syslog_pid',` + gen_require(` + type syslogd_var_run_t; + ') + + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') + +######################################## +## +## Relabel the syslog pid sock_file. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; ') - allow $1 devlog_t:lnk_file read_lnk_file_perms; - allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') - # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; - allow $1 syslogd_t:unix_stream_socket connectto; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_stream_connect_syslog',` + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') - # If syslog is down, the glibc syslog() function - # will write to the console. - term_write_console($1) - term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## @@ -569,6 +733,44 @@ interface(`logging_read_audit_config',` allow $1 auditd_etc_t:dir list_dir_perms; ') +######################################## +## +## Map the auditd configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_map_audit_config',` + gen_require(` + type auditd_etc_t; + ') + + allow $1 auditd_etc_t:file map; +') + +######################################## +## +## dontaudit search of auditd log files. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`logging_dontaudit_search_audit_logs',` + gen_require(` + type auditd_log_t; + ') + + dontaudit $1 auditd_log_t:dir search_dir_perms; +') + ######################################## ## ## dontaudit search of auditd configuration files. @@ -607,6 +809,25 @@ interface(`logging_read_syslog_config',` allow $1 syslog_conf_t:file read_file_perms; ') +######################################## +## +## Manage syslog configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_manage_syslog_config',` + gen_require(` + type syslog_conf_t; + ') + + manage_files_pattern($1, syslog_conf_t, syslog_conf_t) +') + ######################################## ## ## Allows the domain to open a file in the @@ -722,6 +943,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') +####################################### +## +## Relabel on all log dirs. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabel_all_log_dirs',` + gen_require(` + attribute logfile; + ') + + relabel_dirs_pattern($1, logfile, logfile) +') + ######################################## ## ## Do not audit attempts to get the attributes @@ -776,7 +1016,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) - append_files_pattern($1, var_log_t, logfile) + append_files_pattern($1, logfile, logfile) +') + +######################################## +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append ioctl lock }; ') ######################################## @@ -797,6 +1055,7 @@ interface(`logging_read_all_logs',` files_search_var($1) allow $1 logfile:dir list_dir_perms; + allow $1 logfile:file map; read_files_pattern($1, logfile, logfile) ') @@ -858,8 +1117,10 @@ interface(`logging_manage_all_logs',` ') files_search_var($1) + manage_dirs_pattern($1, logfile, logfile) manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) + manage_lnk_files_pattern($1, logfile, logfile) + allow $1 logfile:file map; ') ######################################## @@ -880,9 +1141,67 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; + allow $1 var_log_t:file map; read_files_pattern($1, var_log_t, var_log_t) ') +######################################## +## +## Link generic log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_link_generic_logs',` + gen_require(` + type var_log_t; + ') + + allow $1 var_log_t:file link; +') + +######################################## +## +## Delete generic log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_delete_generic_logs',` + gen_require(` + type var_log_t; + ') + + allow $1 var_log_t:file unlink; +') + +######################################## +## +## Map generic log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_mmap_generic_logs',` + gen_require(` + type var_log_t; + ') + + allow $1 var_log_t:file map; +') + ######################################## ## ## Write generic log files. @@ -903,6 +1222,24 @@ interface(`logging_write_generic_logs',` write_files_pattern($1, var_log_t, var_log_t) ') +######################################## +## +## Dontaudit read/Write inherited generic log files. +## +## +## +## Domain to not audit. +## +## +# +interface(`logging_dontaudit_rw_inherited_generic_logs',` + gen_require(` + type var_log_t; + ') + + dontaudit $1 var_log_t:file rw_inherited_file_perms; +') + ######################################## ## ## Dontaudit Write generic log files. @@ -984,11 +1321,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; + type auditd_unit_file_t; ') - allow $1 auditd_t:process { ptrace signal_perms }; + allow $1 auditd_t:process signal_perms; ps_process_pattern($1, auditd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 auditd_t:process ptrace; + ') + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) @@ -1004,6 +1346,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; + + logging_systemctl_audit($1) + admin_pattern($1, auditd_unit_file_t) + allow $1 auditd_unit_file_t:service all_service_perms; +') + +######################################## +## +## Execute auditd server in the auditd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logging_systemctl_audit',` + gen_require(` + type auditd_t; + type auditd_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 auditd_unit_file_t:file read_file_perms; + allow $1 auditd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, auditd_t) ') ######################################## @@ -1032,10 +1401,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; + allow $1 self:capability2 syslog; + allow $1 syslogd_t:process signal_perms; + allow $1 klogd_t:process signal_perms; ps_process_pattern($1, syslogd_t) ps_process_pattern($1, klogd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 syslogd_t:process ptrace; + allow $1 klogd_t:process ptrace; + ') manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) @@ -1057,6 +1431,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) + allow $1 logfile:dir relabel_dir_perms; + allow $1 logfile:file relabel_file_perms; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) @@ -1085,3 +1461,108 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') + +######################################## +## +## Transition to syslog.conf +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_filetrans_named_conf',` + gen_require(` + type syslog_conf_t; + ') + + files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") +') + +######################################## +## +## Transition to logging named content +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_filetrans_named_content',` + gen_require(` + type var_log_t; + type audit_spool_t; + type syslogd_var_run_t; + type syslog_conf_t; + ') + + files_pid_filetrans($1, syslogd_var_run_t, dir, "log") + files_spool_filetrans($1, var_log_t, dir, "rsyslog") + files_spool_filetrans($1, var_log_t, dir, "log") + files_spool_filetrans($1, audit_spool_t, dir, "audit") + files_var_filetrans($1, var_log_t, dir, "webmin") + + files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") + + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") + + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') + +####################################### +## +## Create objects in /run/systemd/journal/ directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`logging_syslogd_pid_filetrans',` + gen_require(` + type syslogd_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') + +####################################### +## +## Map files in /run/log/journal/ directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_mmap_journal',` + gen_require(` + type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:file map; +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 59b04c1a2..2b875dbbc 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) # # Declarations # +attribute syslog_client_type; + +## +##

      +## Allow syslogd daemon to send mail +##

      +##
      +gen_tunable(logging_syslogd_can_sendmail, false) + +## +##

      +## Allow syslogd the ability to read/write terminals +##

      +##
      +gen_tunable(logging_syslogd_use_tty, true) + +## +##

      +## Allow syslogd the ability to call nagios plugins. It is +## turned on by omprog rsyslog plugin. +##

      +##
      +gen_tunable(logging_syslogd_run_nagios_plugins, false) attribute logfile; @@ -20,6 +43,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; +files_spool_file(audit_spool_t) files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) @@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) +type auditd_unit_file_t; +systemd_unit_file(auditd_unit_file_t) + type audisp_t; type audisp_exec_t; init_system_domain(audisp_t, audisp_exec_t) @@ -64,6 +91,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +mls_trusted_object(syslogd_t) type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) @@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) +type syslogd_tmpfs_t; +files_tmpfs_file(syslogd_tmpfs_t) + type syslogd_var_lib_t; files_type(syslogd_var_lib_t) type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) +mls_trusted_object(syslogd_var_run_t) type var_log_t; logging_log_file(var_log_t) @@ -94,8 +126,11 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; +allow auditctl_t self:process getcap; + read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; +allow auditctl_t auditd_etc_t:file map; # Needed for adding watches files_getattr_all_dirs(auditctl_t) @@ -111,7 +146,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) -term_use_all_terms(auditctl_t) +storage_getattr_removable_dev(auditctl_t) + +term_use_all_inherited_terms(auditctl_t) init_dontaudit_use_fds(auditctl_t) @@ -134,11 +171,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -allow auditd_t auditd_etc_t:file read_file_perms; +allow auditd_t auditd_etc_t:file { read_file_perms map }; +manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t) manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) -allow auditd_t var_log_t:dir search_dir_perms; +logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit") manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) @@ -148,6 +186,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) +kernel_read_network_state(auditd_t) dev_read_sysfs(auditd_t) @@ -155,9 +194,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) -selinux_search_fs(auditctl_t) - -corenet_all_recvfrom_unlabeled(auditd_t) corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) @@ -183,16 +219,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) -miscfiles_read_localization(auditd_t) +auth_use_nsswitch(auditd_t) mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory - -seutil_dontaudit_read_config(auditd_t) +mls_socket_write_all_levels(auditd_t) sysnet_dns_name_resolve(auditd_t) -userdom_use_user_terminals(auditd_t) +systemd_start_systemd_services(auditd_t) + +userdom_use_inherited_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) @@ -219,7 +256,7 @@ optional_policy(` # audit dispatcher local policy # -allow audisp_t self:capability { dac_override setpcap sys_nice }; +allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice }; allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; @@ -227,6 +264,8 @@ allow audisp_t self:unix_dgram_socket create_socket_perms; allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; +allow audisp_t audisp_exec_t:file map; + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) @@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) +fs_getattr_all_fs(audisp_t) + files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) +mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) +mls_socket_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) -logging_send_syslog_msg(audisp_t) +auth_use_nsswitch(audisp_t) -miscfiles_read_localization(audisp_t) +logging_send_syslog_msg(audisp_t) sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) + dbus_connect_system_bus(audisp_t) + + optional_policy(` + setroubleshoot_dbus_chat(audisp_t) + ') ') ######################################## @@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +kernel_read_system_state(audisp_remote_t) + corecmd_exec_bin(audisp_remote_t) -corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) @@ -280,13 +330,28 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) +mls_socket_write_all_levels(audisp_remote_t) + logging_send_syslog_msg(audisp_remote_t) logging_send_audit_msgs(audisp_remote_t) -miscfiles_read_localization(audisp_remote_t) +auth_use_nsswitch(audisp_remote_t) +auth_append_login_records(audisp_remote_t) + +mls_file_write_all_levels(audisp_remote_t) + +init_telinit(audisp_remote_t) +init_read_utmp(audisp_remote_t) +init_dontaudit_write_utmp(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) +systemd_start_power_services(audisp_remote_t) + +term_search_ptys(audisp_remote_t) + +userdom_use_user_ptys(audisp_remote_t) + ######################################## # # klogd local policy @@ -326,7 +391,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) -miscfiles_read_localization(klogd_t) mls_file_read_all_levels(klogd_t) @@ -355,13 +419,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; +allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog # setrlimit for syslog-ng -# getsched for syslog-ng -# setsched for rsyslog -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched }; +allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; @@ -369,15 +432,20 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; - +allow syslogd_t self:rawip_socket create_socket_perms; +allow syslogd_t self:netlink_audit_socket { r_netlink_socket_perms nlmsg_write }; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; +# now is /dev/log lnk_file +allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) +allow syslogd_t var_log_t:file map; rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) @@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) +manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t) +manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t) +fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file }) + +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +allow syslogd_t syslogd_var_lib_t:file map; files_search_var_lib(syslogd_t) -# manage pid file +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) +kernel_rw_stream_socket_perms(syslogd_t) kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) +kernel_read_netlink_audit_socket(syslogd_t) kernel_read_proc_symlinks(syslogd_t) # Allow access to /proc/kmsg for syslog-ng kernel_read_messages(syslogd_t) +kernel_request_load_module(syslogd_t) kernel_read_vm_sysctls(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) +kernel_read_ring_buffer(syslogd_t) + +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') + +corecmd_exec_bin(syslogd_t) +corecmd_exec_shell(syslogd_t) -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) corenet_udp_sendrecv_all_ports(syslogd_t) corenet_udp_bind_generic_node(syslogd_t) corenet_udp_bind_syslogd_port(syslogd_t) +corenet_udp_bind_syslog_tls_port(syslogd_t) # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) @@ -422,9 +509,13 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) +corenet_tcp_bind_syslog_tls_port(syslogd_t) +corenet_tcp_connect_syslog_tls_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) +corenet_tcp_connect_http_port(syslogd_t) +corenet_tcp_connect_wap_wsp_port(syslogd_t) # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) @@ -432,9 +523,33 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) +tunable_policy(`logging_syslogd_use_tty',` + term_use_all_ttys(syslogd_t) + term_use_all_ptys(syslogd_t) +') + +tunable_policy(`logging_syslogd_can_sendmail',` + # support for ommail module to send logs via mail + corenet_tcp_connect_smtp_port(syslogd_t) +') + +optional_policy(` + tunable_policy(`logging_syslogd_run_nagios_plugins',` + nagios_domtrans_unconfined_plugins(syslogd_t) + nagios_unconfined_signull(syslogd_t) + ') +') + dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) - +dev_read_rand(syslogd_t) +dev_read_urand(syslogd_t) +# relating to systemd-kmsg-syslogd +dev_write_kmsg(syslogd_t) +dev_read_kmsg(syslogd_t) + +domain_read_all_domains_state(syslogd_t) +domain_getattr_all_domains(syslogd_t) domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -443,18 +558,25 @@ files_read_var_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) +files_dontaudit_list_var(syslogd_t) files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) +fs_search_cgroup_dirs(syslogd_t) + +miscfiles_manage_generic_cert_files(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories +mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) +term_use_generic_ptys(syslogd_t) +init_stream_connect(syslogd_t) # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) @@ -466,11 +588,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) - -miscfiles_read_localization(syslogd_t) +logging_manage_all_logs(syslogd_t) +logging_set_loginuid(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) +userdom_search_user_home_dirs(syslogd_t) +userdom_rw_inherited_user_tmp_files(syslogd_t) ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel @@ -494,9 +617,14 @@ optional_policy(` bind_search_cache(syslogd_t) ') +optional_policy(` + container_read_lib_files(syslogd_t) +') + optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") + cron_generic_log_filetrans_log(syslogd_t, file, "cron") ') optional_policy(` @@ -507,15 +635,40 @@ optional_policy(` ') optional_policy(` + kerberos_keytab_template(syslogd, syslogd_t) + kerberos_manage_host_rcache(syslogd_t) + kerberos_read_config(syslogd_t) +') + +optional_policy(` + mysql_read_config(syslogd_t) mysql_stream_connect(syslogd_t) ') +optional_policy(` + plymouthd_manage_log(syslogd_t) +') + +optional_policy(` + postfix_search_spool(syslogd_t) +') + optional_policy(` postgresql_stream_connect(syslogd_t) ') +optional_policy(` + psad_search_lib_files(syslogd_t) +') + optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) +') + +optional_policy(` + daemontools_search_svc_dir(syslogd_t) ') optional_policy(` @@ -526,3 +679,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') + +##################################################### +# +# syslog client rules +# +allow syslog_client_type devlog_t:lnk_file read_lnk_file_perms; +allow syslog_client_type devlog_t:sock_file write_sock_file_perms; + +# the type of socket depends on the syslog daemon +allow syslog_client_type syslogd_t:unix_dgram_socket sendto; +allow syslog_client_type syslogd_t:unix_stream_socket connectto; +allow syslog_client_type self:unix_dgram_socket create_socket_perms; +allow syslog_client_type self:unix_stream_socket create_socket_perms; + +# If syslog is down, the glibc syslog() function +# will write to the console. +term_write_console(syslog_client_type) +term_dontaudit_read_console(syslog_client_type) +ifdef(`hide_broken_symptoms',` + kernel_dgram_send(syslog_client_type) +') + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 6b917403e..772411608 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + # # /lib # @@ -33,22 +35,27 @@ ifdef(`distro_gentoo',` # # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) -/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -89,8 +96,77 @@ ifdef(`distro_gentoo',` # # /usr # -/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) -/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/generator/lvm.* gen_context(system_u:object_r:lvm_unit_file_t,s0) +/usr/lib/systemd/system/lvm2.*\.service gen_context(system_u:object_r:lvm_unit_file_t,s0) + +/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) +/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmlockd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) + +/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/libexec/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) # # /var @@ -98,5 +174,11 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 58bc27f22..d12c44ecd 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,24 @@ ## Policy for logical volume management programs. +######################################## +## +## Get the attribute of lvm entrypoint files. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_getattr_exec_files',` + gen_require(` + type lvm_exec_t; + ') + + files_list_etc($1) + allow $1 lvm_exec_t:file getattr; +') + ######################################## ## ## Execute lvm programs in the lvm domain. @@ -84,6 +103,90 @@ interface(`lvm_read_config',` read_files_pattern($1, lvm_etc_t, lvm_etc_t) ') +######################################## +## +## Mmap LVM configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`lvm_map_config',` + gen_require(` + type lvm_etc_t; + ') + + allow $1 lvm_etc_t:file map; +') + +######################################## +## +## Read LVM configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`lvm_read_metadata',` + gen_require(` + type lvm_etc_t; + type lvm_metadata_t; + ') + + files_search_etc($1) + allow $1 lvm_etc_t:dir list_dir_perms; + read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) +') + +######################################## +## +## Read LVM configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`lvm_write_metadata',` + gen_require(` + type lvm_etc_t; + type lvm_metadata_t; + ') + + files_search_etc($1) + allow $1 lvm_etc_t:dir list_dir_perms; + write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) +') + +######################################## +## +## Manage LVM metadata files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`lvm_manage_metadata',` + gen_require(` + type lvm_metadata_t; + ') + + allow $1 lvm_metadata_t:dir list_dir_perms; + manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t) + manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t) +') + ######################################## ## ## Manage LVM configuration files. @@ -105,6 +208,25 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') +######################################## +## +## Connect to lvm using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_stream_connect',` + gen_require(` + type lvm_t, lvm_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t) +') + ###################################### ## ## Execute a domain transition to run clvmd. @@ -123,3 +245,154 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') + +######################################## +## +## Read and write to lvm temporary file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_rw_clvmd_tmpfs_files',` + gen_require(` + type clvmd_tmpfs_t; + ') + + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') + +######################################## +## +## Delete lvm temporary file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_delete_clvmd_tmpfs_files',` + gen_require(` + type clvmd_tmpfs_t; + ') + + allow $1 clvmd_tmpfs_t:file unlink; +') + +######################################## +## +## Send lvm a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_signull',` + gen_require(` + type lvm_t; + ') + + allow $1 lvm_t:process signull; +') + +######################################## +## +## Send a message to lvm over the +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_dgram_send',` + gen_require(` + type lvm_t; + ') + + allow $1 lvm_t:unix_dgram_socket sendto; +') + +######################################## +## +## Read and write a lvm unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_rw_pipes',` + gen_require(` + type lvm_var_run_t; + ') + + allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to access check cert dirs/files. +## +## +## +## Domain to not audit. +## +## +# +interface(`lvm_dontaudit_access_check_lock',` + gen_require(` + type lvm_lock_t; + ') + + dontaudit $1 lvm_lock_t:dir audit_access; +') + +######################################## +## +## Read the process state (/proc/pid) of lvm. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_read_state',` + gen_require(` + type lvm_t; + ') + + ps_process_pattern($1, lvm_t) +') + +######################################## +## +## Create, read, write, and delete +## lvm lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_manage_lock',` + gen_require(` + type lvm_lock_t; + ') + + files_search_locks($1) + manage_files_pattern($1, lvm_lock_t, lvm_lock_t) + manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t) +') + + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 79048c410..26e560e79 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) +type clvmd_tmpfs_t alias clmvd_tmpfs_t; +files_tmpfs_file(clvmd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t) role system_r types lvm_t; type lvm_etc_t; -files_type(lvm_etc_t) +files_config_file(lvm_etc_t) type lvm_lock_t; files_lock_file(lvm_lock_t) @@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t) type lvm_tmp_t; files_tmp_file(lvm_tmp_t) +type lvm_unit_file_t; +systemd_unit_file(lvm_unit_file_t) + ######################################## # # Cluster LVM daemon local policy @@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t) allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process { signal_perms setsched }; -dontaudit clvmd_t self:process ptrace; allow clvmd_t self:socket create_socket_perms; allow clvmd_t self:fifo_file rw_fifo_file_perms; allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; +manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) +manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) +fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + +manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) -files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) +files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir }) read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) @@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_getattr_bin_files(clvmd_t) -corenet_all_recvfrom_unlabeled(clvmd_t) corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) @@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) -miscfiles_read_localization(clvmd_t) - -seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) @@ -140,6 +146,11 @@ ifdef(`distro_redhat',` ') ') +optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) +') + optional_policy(` ccs_stream_connect(clvmd_t) ') @@ -165,20 +176,27 @@ optional_policy(` # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid # net_admin for multipath -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; +allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; +allow lvm_t self:sem create_sem_perms; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; +allow lvm_t self:socket create_stream_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t self:sem create_sem_perms; allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; +allow lvm_t lvm_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) +systemd_create_unit_file_dirs(lvm_t) +systemd_create_unit_file_lnk(lvm_t) + manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) @@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files +manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) files_lock_filetrans(lvm_t, lvm_lock_t, file) files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid") manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) @@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) +files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) +init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +allow lvm_t lvm_etc_t:file map; read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) @@ -220,6 +243,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) +kernel_request_load_module(lvm_t) kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) @@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) +dev_write_kmsg(lvm_t) dev_manage_generic_symlinks(lvm_t) dev_relabel_generic_dev_dirs(lvm_t) dev_manage_generic_blk_files(lvm_t) # Read /sys/block. Device mapper metadata is kept there. -dev_read_sysfs(lvm_t) +# cryptsetup writes read_ahead_kb +dev_rw_sysfs(lvm_t) # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? @@ -246,6 +272,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) @@ -255,17 +282,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) +fs_rw_inherited_tmpfs_files(lvm_t) -fs_getattr_xattr_fs(lvm_t) +fs_getattr_all_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) fs_dontaudit_getattr_tmpfs_files(lvm_t) fs_rw_anon_inodefs_files(lvm_t) +fs_list_auto_mountpoints(lvm_t) +fs_list_hugetlbfs(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) +mls_file_upgrade(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) @@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) -term_use_all_terms(lvm_t) +term_use_all_inherited_terms(lvm_t) init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) @@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) +logging_stream_connect_syslog(lvm_t) -miscfiles_read_localization(lvm_t) +authlogin_rw_pipes(lvm_t) +auth_use_nsswitch(lvm_t) seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) +userdom_use_inherited_user_terminals(lvm_t) userdom_use_user_terminals(lvm_t) +userdom_rw_inherited_user_tmp_pipes(lvm_t) +userdom_rw_semaphores(lvm_t) +userdom_search_user_home_dirs(lvm_t) + +usermanage_read_crack_db(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: @@ -312,6 +351,11 @@ ifdef(`distro_redhat',` ') ') +optional_policy(` + aisexec_stream_connect(lvm_t) + corosync_stream_connect(lvm_t) +') + optional_policy(` bootloader_rw_tmp_files(lvm_t) ') @@ -332,14 +376,38 @@ optional_policy(` ') ') +optional_policy(` + container_rw_sem(lvm_t) +') + +optional_policy(` + kdump_rw_inherited_kdumpctl_tmp_pipes(lvm_t) +') + +optional_policy(` + livecd_rw_semaphores(lvm_t) +') + optional_policy(` modutils_domtrans_insmod(lvm_t) ') +optional_policy(` + raid_read_mdadm_pid(lvm_t) +') + optional_policy(` rpm_manage_script_tmp_files(lvm_t) ') +optional_policy(` + policykit_dbus_chat(lvm_t) +') + +optional_policy(` + systemd_manage_passwd_run(lvm_t) +') + optional_policy(` udev_read_db(lvm_t) udev_read_pid_files(lvm_t) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 9fe8e01e3..5cee43ebb 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,15 @@ ifdef(`distro_gentoo',` # /etc # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) -/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/localtime -l gen_context(system_u:object_r:locale_t,s0) +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) @@ -37,24 +41,20 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) -/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) - +/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) +/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) +/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) @@ -77,7 +77,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) + /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) @@ -89,7 +89,10 @@ ifdef(`distro_debian',` /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) ') +/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0) + ifdef(`distro_redhat',` +/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index fc28bc31b..e229517af 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -65,6 +65,27 @@ interface(`miscfiles_read_all_certs',` read_lnk_files_pattern($1, cert_type, cert_type) ') +######################################## +## +## Read all SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_manage_all_certs',` + gen_require(` + attribute cert_type; + ') + + allow $1 cert_type:dir list_dir_perms; + manage_files_pattern($1, cert_type, cert_type) + manage_lnk_files_pattern($1, cert_type, cert_type) +') + ######################################## ## ## Read generic SSL certificates. @@ -86,6 +107,25 @@ interface(`miscfiles_read_generic_certs',` read_lnk_files_pattern($1, cert_t, cert_t) ') +######################################## +## +## mmap generic SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_map_generic_certs',` + gen_require(` + type cert_t; + ') + + allow $1 cert_t:file map; +') + ######################################## ## ## Manage generic SSL certificates. @@ -104,6 +144,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` manage_dirs_pattern($1, cert_t, cert_t) ') +######################################## +## +## Dontaudit attempts to write generic SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_dontaudit_write_generic_cert_files',` + gen_require(` + type cert_t; + ') + + dontaudit $1 cert_t:file write; +') + ######################################## ## ## Manage generic SSL certificates. @@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',` ') manage_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) + manage_lnk_files_pattern($1, cert_t, cert_t) ') ######################################## @@ -154,6 +212,26 @@ interface(`miscfiles_manage_cert_dirs',` refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') ') +######################################## +## +## Do not audit attempts to access check cert dirs/files. +## +## +## +## Domain to not audit. +## +## +# +interface(`miscfiles_dontaudit_access_check_cert',` + gen_require(` + type cert_t; + ') + + dontaudit $1 cert_t:file audit_access; + dontaudit $1 cert_t:dir audit_access; +') + + ######################################## ## ## Manage SSL certificates. @@ -191,11 +269,13 @@ interface(`miscfiles_read_fonts',` allow $1 fonts_t:dir list_dir_perms; read_files_pattern($1, fonts_t, fonts_t) + allow $1 fonts_t:file map; read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; read_files_pattern($1, fonts_cache_t, fonts_cache_t) read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) + allow $1 fonts_cache_t:file map; ') ######################################## @@ -414,6 +494,7 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) + allow $1 locale_t:file map; ') ######################################## @@ -434,6 +515,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) + manage_lnk_files_pattern($1, locale_t, locale_t) ') ######################################## @@ -453,6 +535,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) + relabel_lnk_files_pattern($1, locale_t, locale_t) ') ######################################## @@ -470,7 +553,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') - miscfiles_read_localization($1) allow $1 locale_t:file execute; ') @@ -531,6 +613,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + + optional_policy(` + mandb_read_cache_files($1) + ') ') ######################################## @@ -554,6 +640,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + optional_policy(` + mandb_setattr_cache_dirs($1) + mandb_delete_cache($1) + ') +') +####################################### +## +## Create, read, write, and delete man pages +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_setattr_man_pages',` + gen_require(` + type man_t; + ') + + files_search_usr($1) + + allow $1 man_t:dir setattr; ') ######################################## @@ -620,6 +729,30 @@ interface(`miscfiles_manage_man_cache',` allow $1 man_cache_t:lnk_file manage_lnk_file_perms; ') +######################################## +## +## Allow process to relabel man_pages info +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_relabel_man_pages',` + gen_require(` + type man_t; + ') + + files_search_usr($1) + relabel_dirs_pattern($1, man_t, man_t) + relabel_files_pattern($1, man_t, man_t) + + optional_policy(` + mandb_relabel_cache($1) + ') +') + ######################################## ## ## Read public files used for file @@ -784,8 +917,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') - files_etc_filetrans($1, locale_t, file) - + files_etc_filetrans($1, locale_t, lnk_file) + files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) + files_etc_filetrans($1, locale_t, file, "locale.conf" ) + files_etc_filetrans($1, locale_t, file, "timezone" ) + files_etc_filetrans($1, locale_t, file, "vconsole.conf" ) ') ######################################## @@ -809,3 +945,81 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') +######################################## +## +## Transition to miscfiles locale named content +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_filetrans_locale_named_content',` + gen_require(` + type locale_t; + ') + + files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") + files_etc_filetrans($1, locale_t, file, "locale.conf") + files_etc_filetrans($1, locale_t, file, "vconsole.conf") + files_etc_filetrans($1, locale_t, file, "locale.conf.new") + files_etc_filetrans($1, locale_t, file, "timezone") + files_etc_filetrans($1, locale_t, file, "clock") + files_usr_filetrans($1, locale_t, dir, "locale") + files_usr_filetrans($1, locale_t, dir, "zoneinfo") +') + +######################################## +## +## Transition to miscfiles named content +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_filetrans_named_content',` + gen_require(` + type man_t; + type cert_t; + type fonts_t; + type fonts_cache_t; + type hwdata_t; + type tetex_data_t; + type public_content_t; + ') + + miscfiles_filetrans_locale_named_content($1) + files_var_filetrans($1, man_t, dir, "man") + files_etc_filetrans($1, cert_t, dir, "pki") + files_usr_filetrans($1, cert_t, dir, "certs") + files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") + files_usr_filetrans($1, fonts_t, dir, "fonts") + files_usr_filetrans($1, hwdata_t, dir, "hwdata") + files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") + files_var_filetrans($1, tetex_data_t, dir, "fonts") + files_spool_filetrans($1, tetex_data_t, dir, "texmf") + files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") + files_var_filetrans($1, public_content_t, dir, "ftp") +') + + +######################################## +## +## Transition to miscfiles named content +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_filetrans_named_content_letsencrypt',` + gen_require(` + type cert_t; + ') + + files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 1361961d0..be6b7fc80 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -4,7 +4,6 @@ policy_module(miscfiles, 1.11.0) # # Declarations # - attribute cert_type; # @@ -48,10 +47,10 @@ files_type(man_cache_t) # Types for public content # type public_content_t; #, customizable; -files_type(public_content_t) +files_mountpoint(public_content_t) type public_content_rw_t; #, customizable; -files_type(public_content_rw_t) +files_mountpoint(public_content_rw_t) # # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index 993367709..7875b79fa 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -10,8 +10,6 @@ ifdef(`distro_gentoo',` /etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) ') -/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) - /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) @@ -23,3 +21,15 @@ ifdef(`distro_gentoo',` /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) + +/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) +/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) +/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) +/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) + +/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 7449974f6..c19559d3b 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,11 +12,28 @@ # interface(`modutils_getattr_module_deps',` gen_require(` - type modules_dep_t; + type modules_dep_t, modules_object_t; ') getattr_files_pattern($1, modules_object_t, modules_dep_t) ') +######################################## +## +## Read the dependencies of kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_read_module_deps_files',` + gen_require(` + type modules_dep_t; + ') + + allow $1 modules_dep_t:file read_file_perms; +') ######################################## ## @@ -34,9 +51,48 @@ interface(`modutils_read_module_deps',` ') files_list_kernel_modules($1) + files_read_kernel_modules($1) allow $1 modules_dep_t:file read_file_perms; ') +######################################## +## +## Read the dependencies of kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_delete_module_deps',` + gen_require(` + type modules_dep_t; + ') + + delete_files_pattern($1, modules_dep_t, modules_dep_t) +') + +######################################## +## +## list the configuration options used when +## loading modules. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`modutils_list_module_config',` + gen_require(` + type modules_conf_t; + ') + + list_dirs_pattern($1, modules_conf_t, modules_conf_t) +') + ######################################## ## ## Read the configuration options used when @@ -159,6 +215,26 @@ interface(`modutils_domtrans_insmod',` corecmd_search_bin($1) domtrans_pattern($1, insmod_exec_t, insmod_t) + + allow $1 insmod_exec_t:file map; +') + +######################################## +## +## Allow send signal to insmod. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`modutils_signal_insmod',` + gen_require(` + type insmod_t; + ') + + allow $1 insmod_t:process signal; ') ######################################## @@ -208,6 +284,24 @@ interface(`modutils_exec_insmod',` can_exec($1, insmod_exec_t) ') +####################################### +## +## Don't audit execute insmod in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_dontaudit_exec_insmod',` + gen_require(` + type insmod_exec_t; + ') + + dontaudit $1 insmod_exec_t:file exec_file_perms; +') + ######################################## ## ## Execute depmod in the depmod domain. @@ -308,11 +402,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` - attribute_role update_modules_roles; + #attribute_role update_modules_roles; + type update_modules_t; ') + #modutils_domtrans_update_mods($1) + #roleattribute $2 update_modules_roles; + modutils_domtrans_update_mods($1) - roleattribute $2 update_modules_roles; + role $2 types update_modules_t; + + modutils_run_insmod(update_modules_t, $2) + ') ######################################## @@ -333,3 +434,39 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') + +######################################## +## +## Transition to modutils named content +## +## +## +## Domain allowed access. +## +## +# +interface(`modules_filetrans_named_content',` + gen_require(` + type modules_dep_t; + type modules_conf_t; + ') + + files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf") + files_etc_filetrans($1, modules_conf_t, file, "modules.conf") + + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 7a363b8b2..4724b5550 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) # Declarations # -attribute_role update_modules_roles; +#attribute_role update_modules_roles; type depmod_t; type depmod_exec_t; @@ -16,11 +16,15 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; +type insmod_var_run_t; +files_pid_file(insmod_var_run_t) + # module loading config type modules_conf_t; -files_type(modules_conf_t) +files_config_file(modules_conf_t) # module dependencies type modules_dep_t; @@ -29,12 +33,16 @@ files_type(modules_dep_t) type update_modules_t; type update_modules_exec_t; init_system_domain(update_modules_t, update_modules_exec_t) -roleattribute system_r update_modules_roles; -role update_modules_roles types update_modules_t; +#roleattribute system_r update_modules_roles; +#role update_modules_roles types update_modules_t; +role system_r types update_modules_t; type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) +type insmod_tmpfs_t; +files_tmpfs_file(insmod_tmpfs_t) + ######################################## # # depmod local policy @@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) +files_delete_kernel_modules(depmod_t) files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) files_read_etc_runtime_files(depmod_t) files_read_etc_files(depmod_t) files_read_usr_src_files(depmod_t) files_list_usr(depmod_t) +files_append_var_files(depmod_t) +files_read_boot_files(depmod_t) fs_getattr_xattr_fs(depmod_t) @@ -69,10 +80,12 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) -userdom_use_user_terminals(depmod_t) +userdom_use_inherited_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) +userdom_manage_user_tmp_files(depmod_t) +userdom_home_reader(depmod_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',` ') ') -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(depmod_t) -') - -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(depmod_t) +optional_policy(` + bootloader_rw_tmp_files(insmod_t) ') optional_policy(` @@ -94,7 +103,6 @@ optional_policy(` ') optional_policy(` - # Read System.map from home directories. unconfined_domain(depmod_t) ') @@ -103,11 +111,12 @@ optional_policy(` # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; +allow insmod_t self:shm create_shm_perms; # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) @@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) +manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) +files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file }) + can_exec(insmod_t, insmod_exec_t) +manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) + kernel_load_module(insmod_t) -kernel_request_load_module(insmod_t) +files_manage_kernel_modules(insmod_t) +files_map_kernel_modules(insmod_t) kernel_read_system_state(insmod_t) kernel_read_network_state(insmod_t) kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) +kernel_request_load_module(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -kernel_read_hotplug_sysctls(insmod_t) +kernel_read_usermodehelper_state(insmod_t) kernel_setsched(insmod_t) corecmd_exec_bin(insmod_t) @@ -142,40 +160,55 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) +dev_create_generic_chr_files(insmod_t) domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) files_read_kernel_modules(insmod_t) +files_load_kernel_modules(insmod_t) files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) +# users installing vbox put kernel modules in /var/lib +files_read_var_lib_files(insmod_t) +files_read_kernel_symbol_table(insmod_t) # for nscd: files_dontaudit_search_pids(insmod_t) # for when /var is not mounted early in the boot: files_dontaudit_search_isid_type_dirs(insmod_t) # for locking: (cjp: ????) files_write_kernel_modules(insmod_t) +allow insmod_t modules_dep_t:file manage_file_perms; fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) +fs_search_rpc(insmod_t) + +auth_use_nsswitch(insmod_t) init_rw_initctl(insmod_t) init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) +init_dontaudit_getattr_stream_socket(insmod_t) logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -miscfiles_read_localization(insmod_t) - seutil_read_file_contexts(insmod_t) -userdom_use_user_terminals(insmod_t) - +term_use_all_inherited_terms(insmod_t) userdom_dontaudit_search_user_home_dirs(insmod_t) +# needed by depmod in MLS +userdom_manage_user_tmp_files(insmod_t) +userdom_manage_user_tmp_pipes(insmod_t) +userdom_manage_user_tmp_symlinks(insmod_t) +userdom_manage_user_tmp_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) @@ -184,28 +217,37 @@ optional_policy(` ') optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) + devicekit_use_fds_disk(insmod_t) + devicekit_dontaudit_read_pid_files(insmod_t) ') optional_policy(` - hal_write_log(insmod_t) + firstboot_dontaudit_leaks(insmod_t) ') optional_policy(` - hotplug_search_config(insmod_t) + firewalld_dontaudit_write_tmp_files(insmod_t) + firewallgui_dontaudit_rw_pipes(insmod_t) ') optional_policy(` - mount_domtrans(insmod_t) + iptables_read_var_run(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) + hal_write_log(insmod_t) ') optional_policy(` - nscd_use(insmod_t) + hotplug_search_config(insmod_t) +') + +optional_policy(` + kdump_manage_kdumpctl_tmp_files(insmod_t) +') + +optional_policy(` + mount_domtrans(insmod_t) ') optional_policy(` @@ -225,6 +267,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) + rpm_manage_script_tmp_files(insmod_t) ') optional_policy(` @@ -232,6 +275,10 @@ optional_policy(` unconfined_dontaudit_rw_pipes(insmod_t) ') +optional_policy(` + virt_dontaudit_write_pipes(insmod_t) +') + optional_policy(` # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) @@ -291,11 +338,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) -miscfiles_read_localization(update_modules_t) -modutils_run_insmod(update_modules_t, update_modules_roles) +#modutils_run_insmod(update_modules_t, update_modules_roles) -userdom_use_user_terminals(update_modules_t) +userdom_use_inherited_user_terminals(update_modules_t) userdom_dontaudit_search_user_home_dirs(update_modules_t) ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc index a38605e50..f035d9fbb 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc @@ -1,6 +1,26 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) + +/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) + +/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 4584457b1..9a4014c9a 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,14 @@ interface(`mount_domtrans',` ') domtrans_pattern($1, mount_exec_t, mount_t) + mount_domtrans_fusermount($1) + allow $1 mount_exec_t:file map; + + allow $1 mount_t:fd use; + ps_process_pattern(mount_t, $1) + + allow mount_t $1:key write; + allow mount_t $1:unix_stream_socket { read write }; ') ######################################## @@ -39,12 +47,117 @@ interface(`mount_domtrans',` interface(`mount_run',` gen_require(` attribute_role mount_roles; + type mount_t; ') mount_domtrans($1) roleattribute $2 mount_roles; ') +######################################## +## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the mount domain. +## +## +## +# +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; + ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; + + fstools_run(mount_t, $2) +') + +######################################## +## +## Read mount PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_read_pid_files',` + gen_require(` + type mount_var_run_t; + ') + + read_files_pattern($1, mount_var_run_t, mount_var_run_t) + files_search_pids($1) +') + +######################################## +## +## Read/write mount PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_rw_pid_files',` + gen_require(` + type mount_var_run_t; + ') + + rw_files_pattern($1, mount_var_run_t, mount_var_run_t) + files_search_pids($1) +') + +####################################### +## +## Do not audit attemps to write mount PID files. +## +## +## +## Domain to not audit. +## +## +# +interface(`mount_dontaudit_write_mount_pid',` + gen_require(` + type mount_var_run_t; + ') + + dontaudit $1 mount_var_run_t:file write; +') + +######################################## +## +## Manage mount PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_manage_pid_files',` + gen_require(` + type mount_var_run_t; + ') + + allow $1 mount_var_run_t:file manage_file_perms; + files_search_pids($1) +') + ######################################## ## ## Execute mount in the caller domain. @@ -91,7 +204,7 @@ interface(`mount_signal',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -131,45 +244,205 @@ interface(`mount_send_nfs_client_request',` ######################################## ## -## Execute mount in the unconfined mount domain. +## Read the mount tmp directory ## ## ## -## Domain allowed to transition. +## Domain allowed access. ## ## # -interface(`mount_domtrans_unconfined',` +interface(`mount_list_tmp',` gen_require(` - type unconfined_mount_t, mount_exec_t; + type mount_tmp_t; ') - domtrans_pattern($1, mount_exec_t, unconfined_mount_t) + allow $1 mount_tmp_t:dir list_dir_perms; ') ######################################## ## -## Execute mount in the unconfined mount domain, and -## allow the specified role the unconfined mount domain, -## and use the caller's terminal. +## Execute fusermount in the mount domain. ## ## ## -## Domain allowed to transition. +## Domain allowed access. ## ## -## +# +interface(`mount_domtrans_fusermount',` + gen_require(` + type mount_t, fusermount_exec_t; + ') + + domtrans_pattern($1, fusermount_exec_t, mount_t) + ps_process_pattern(mount_t, $1) + + allow mount_t $1:unix_stream_socket { read write }; + allow $1 mount_t:fd use; +') + +######################################## +## +## Execute fusermount. +## +## ## -## Role allowed access. +## Domain allowed access. ## ## +# +interface(`mount_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + can_exec($1, fusermount_exec_t) +') + +######################################## +## +## dontaudit Execute fusermount. +## +## +## +## Domain to not audit. +## +## +# +interface(`mount_dontaudit_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') + +###################################### +## +## Execute a domain transition to run showmount. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mount_domtrans_showmount',` + gen_require(` + type showmount_t, showmount_exec_t; + ') + + domtrans_pattern($1, showmount_exec_t, showmount_t) +') + +###################################### +## +## Execute showmount in the showmount domain, and +## allow the specified role the showmount domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the showmount domain. +## +## +# +interface(`mount_run_showmount',` + gen_require(` + type showmount_t; + ') + + mount_domtrans_showmount($1) + role $2 types showmount_t; +') + +####################################### +## +## Transition to ecryptmount. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mount_domtrans_ecryptmount',` + gen_require(` + type mount_ecryptfs_t, mount_ecryptfs_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) +') + +####################################### +## +## Execute mount in the unconfined mount domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mount_domtrans_unconfined',` + gen_require(` + type unconfined_mount_t, mount_exec_t; + ') + + domtrans_pattern($1, mount_exec_t, unconfined_mount_t) +') + +####################################### +## +## Execute mount in the unconfined mount domain, and +## allow the specified role the unconfined mount domain, +## and use the caller's terminal. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## ## # interface(`mount_run_unconfined',` + gen_require(` + type unconfined_mount_t; + ') + + mount_domtrans_unconfined($1) + role $2 types unconfined_mount_t; +') + +######################################## +## +## Allow mount programs to be an entrypoint for +## the specified domain. +## +## +## +## The domain for which mount programs is an entrypoint. +## +## +# +interface(`mount_entry_type',` gen_require(` - type unconfined_mount_t; + type mount_ecryptfs_exec_t; + type mount_exec_t; ') - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; + domain_entry_file($1, mount_ecryptfs_exec_t) + domain_entry_file($1, mount_exec_t) ') + diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 459a0efbc..ed4756edc 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) # Declarations # -## -##

      -## Allow the mount command to mount any directory or file. -##

      -##
      -gen_tunable(allow_mount_anyfile, false) - attribute_role mount_roles; roleattribute system_r mount_roles; @@ -20,14 +13,37 @@ type mount_exec_t; init_system_domain(mount_t, mount_exec_t) role mount_roles types mount_t; +type fusermount_exec_t; +domain_entry_file(mount_t, fusermount_exec_t) + +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + type mount_loopback_t; # customizable files_type(mount_loopback_t) +typealias mount_loopback_t alias mount_loop_t; type mount_tmp_t; files_tmp_file(mount_tmp_t) type mount_var_run_t; files_pid_file(mount_var_run_t) +dev_associate(mount_var_run_t) + +# showmount - show mount information for an NFS server + +type showmount_t; +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; + +type mount_ecryptfs_t; +type mount_ecryptfs_exec_t; +application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t) +role system_r types mount_ecryptfs_t; + +type mount_ecryptfs_tmpfs_t; +files_tmpfs_file(mount_ecryptfs_tmpfs_t) # causes problems with interfaces when # this is optionally declared in monolithic @@ -40,8 +56,12 @@ application_domain(unconfined_mount_t, mount_exec_t) # mount local policy # -# setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +# setuid/setgid needed to mount cifs +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; allow mount_t mount_loopback_t:file read_file_perms; @@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) -create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) -create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) -rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") +dev_filetrans(mount_t, mount_var_run_t, dir) kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) +kernel_relabelfrom_unlabeled_fs(mount_t) +kernel_list_unlabeled(mount_t) +kernel_manage_debugfs(mount_t) +kernel_mount_unlabeled(mount_t) +kernel_unmount_unlabeled(mount_t) +kernel_use_fds(mount_t) kernel_setsched(mount_t) kernel_dontaudit_getattr_core_if(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) @@ -69,31 +96,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) +dev_getattr_generic_blk_files(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) +dev_read_urand(mount_t) dev_read_sysfs(mount_t) dev_dontaudit_write_sysfs_dirs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) +dev_rw_loop_control(mount_t) + +ifdef(`hide_broken_symptoms',` + dev_rw_generic_blk_files(mount_t) +') + # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(mount_t) domain_use_interactive_fds(mount_t) +domain_read_all_domains_state(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) +files_read_etc_runtime_files(mount_t) files_manage_etc_runtime_files(mount_t) files_etc_filetrans_etc_runtime(mount_t, file) +# for when /etc/mtab loses its type +files_delete_etc_files(mount_t) files_mounton_all_mountpoints(mount_t) +files_setattr_all_mountpoints(mount_t) +# ntfs-3g checks whether the mountpoint is writable before mounting +files_write_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) + # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_fs(mount_t) +files_relabel_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) -# for when /etc/mtab loses its type -# cjp: this seems wrong, the type should probably be etc files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) @@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) +fs_list_all(mount_t) +fs_getattr_all_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t) -fs_list_auto_mountpoints(mount_t) +fs_rw_anon_inodefs_files(mount_t) fs_rw_tmpfs_chr_files(mount_t) +fs_rw_nfsd_fs(mount_t) +fs_rw_removable_blk_files(mount_t) +#fs_manage_tmpfs_dirs(mount_t) fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) +fs_read_nfs_symlinks(mount_t) +fs_manage_cgroup_dirs(mount_t) +fs_manage_cgroup_files(mount_t) fs_dontaudit_write_tmpfs_dirs(mount_t) -mls_file_read_all_levels(mount_t) -mls_file_write_all_levels(mount_t) +mls_file_read_to_clearance(mount_t) +mls_file_write_to_clearance(mount_t) +mls_process_write_to_clearance(mount_t) selinux_get_enforce_mode(mount_t) +selinux_mounton_fs(mount_t) storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) -term_use_all_terms(mount_t) +term_use_all_inherited_terms(mount_t) term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) @@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) logging_send_syslog_msg(mount_t) -miscfiles_read_localization(mount_t) - sysnet_use_portmap(mount_t) seutil_read_config(mount_t) +systemd_passwd_agent_domtrans(mount_t) + userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) +userdom_list_user_tmp(mount_t) ifdef(`distro_redhat',` optional_policy(` @@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',` ') ') -tunable_policy(`allow_mount_anyfile',` - files_list_non_auth_dirs(mount_t) - files_read_non_auth_files(mount_t) +corecmd_exec_shell(mount_t) + +tunable_policy(`mount_anyfile',` + files_read_non_security_files(mount_t) files_mounton_non_security(mount_t) + files_rw_inherited_non_security_files(mount_t) ') optional_policy(` # for nfs - corenet_all_recvfrom_unlabeled(mount_t) corenet_all_recvfrom_netlabel(mount_t) - corenet_tcp_sendrecv_all_if(mount_t) - corenet_raw_sendrecv_all_if(mount_t) - corenet_udp_sendrecv_all_if(mount_t) - corenet_tcp_sendrecv_all_nodes(mount_t) - corenet_raw_sendrecv_all_nodes(mount_t) - corenet_udp_sendrecv_all_nodes(mount_t) + corenet_tcp_sendrecv_generic_if(mount_t) + corenet_raw_sendrecv_generic_if(mount_t) + corenet_udp_sendrecv_generic_if(mount_t) + corenet_tcp_sendrecv_generic_node(mount_t) + corenet_raw_sendrecv_generic_node(mount_t) + corenet_udp_sendrecv_generic_node(mount_t) corenet_tcp_sendrecv_all_ports(mount_t) corenet_udp_sendrecv_all_ports(mount_t) - corenet_tcp_bind_all_nodes(mount_t) - corenet_udp_bind_all_nodes(mount_t) + corenet_tcp_bind_generic_node(mount_t) + corenet_udp_bind_generic_node(mount_t) corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) @@ -188,12 +248,49 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) + rpcbind_stream_connect(mount_t) ') optional_policy(` apm_use_fds(mount_t) ') +optional_policy(` + cron_system_entry(mount_t, mount_exec_t) +') + +optional_policy(` + devicekit_read_state_power(mount_t) +') + +optional_policy(` + fsadm_manage_pid(mount_t) +') + +optional_policy(` + glusterd_domtrans(mount_t) +') + +optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` + hal_dbus_chat(mount_t) + ') +') + +optional_policy(` + glusterd_domtrans(mount_t) +') + +optional_policy(` + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_dontaudit_rw_pipes(mount_t) +') + optional_policy(` ifdef(`hide_broken_symptoms',` # for a bug in the X server @@ -203,9 +300,31 @@ optional_policy(` ') optional_policy(` + livecd_rw_tmp_files(mount_t) +') + +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` + lvm_run(mount_t, mount_roles) +') + +optional_policy(` + modutils_run_insmod(mount_t, mount_roles) modutils_read_module_deps(mount_t) ') +optional_policy(` + fstools_run(mount_t, mount_roles) +') + +optional_policy(` + rhcs_stream_connect_gfs_controld(mount_t) +') + +optional_policy(` + rpc_run_rpcd(mount_t, mount_roles) +') + optional_policy(` puppet_rw_tmp(mount_t) ') @@ -213,18 +332,105 @@ optional_policy(` # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) + rpm_dontaudit_leaks(mount_t) ') optional_policy(` + samba_read_config(mount_t) samba_run_smbmount(mount_t, mount_roles) ') +optional_policy(` + ssh_exec(mount_t) + ssh_append_home_files(mount_t) +') + +optional_policy(` + usbmuxd_stream_connect(mount_t) +') + +optional_policy(` + userhelper_exec_consolehelper(mount_t) +') + +optional_policy(` + unconfined_write_keys(mount_t) +') + +optional_policy(` + virt_read_blk_images(mount_t) +') + +optional_policy(` + vmware_exec_host(mount_t) +') + +optional_policy(` + unconfined_domain(mount_t) +') + +###################################### +# +# showmount local policy +# + +allow showmount_t self:tcp_socket create_stream_socket_perms; +allow showmount_t self:udp_socket create_socket_perms; + +kernel_read_system_state(showmount_t) + +corenet_all_recvfrom_netlabel(showmount_t) +corenet_tcp_sendrecv_generic_if(showmount_t) +corenet_udp_sendrecv_generic_if(showmount_t) +corenet_tcp_sendrecv_generic_node(showmount_t) +corenet_udp_sendrecv_generic_node(showmount_t) +corenet_tcp_sendrecv_all_ports(showmount_t) +corenet_udp_sendrecv_all_ports(showmount_t) +corenet_tcp_bind_generic_node(showmount_t) +corenet_udp_bind_generic_node(showmount_t) +corenet_tcp_bind_all_rpc_ports(showmount_t) +corenet_udp_bind_all_rpc_ports(showmount_t) +corenet_tcp_connect_all_ports(showmount_t) + +files_read_etc_runtime_files(showmount_t) + +sysnet_dns_name_resolve(showmount_t) + +userdom_use_inherited_user_terminals(showmount_t) + +####################################### +# +# mount_ecryptfs local policy +# + +domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t) + +allow mount_ecryptfs_t self:capability setgid; +allow mount_ecryptfs_t self:capability { setuid sys_admin }; +allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms; +allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) +manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) +fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file }) +userdom_rw_user_tmp_files(mount_ecryptfs_t) + +domain_use_interactive_fds(mount_ecryptfs_t) + +files_read_etc_files(mount_ecryptfs_t) + +fs_read_ecryptfs_symlinks(mount_ecryptfs_t) +fs_read_ecryptfs_files(mount_ecryptfs_t) + +auth_use_nsswitch(mount_ecryptfs_t) +auth_manage_pam_console_data(mount_ecryptfs_t) + ######################################## # # Unconfined mount local policy # optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) + unconfined_domain(unconfined_mount_t) ') diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc index b263a8af5..15576ab83 100644 --- a/policy/modules/system/netlabel.fc +++ b/policy/modules/system/netlabel.fc @@ -1 +1,6 @@ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) + +/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0) + +/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) +/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te index cbbda4a3e..2f59c4b98 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) type netlabel_mgmt_t; type netlabel_mgmt_exec_t; +init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) role system_r types netlabel_mgmt_t; +type netlabel_mgmt_unit_file_t; +systemd_unit_file(netlabel_mgmt_unit_file_t) + ######################################## # # NetLabel Management Tools Local policy @@ -18,11 +22,28 @@ role system_r types netlabel_mgmt_t; # modify the network subsystem configuration allow netlabel_mgmt_t self:capability net_admin; allow netlabel_mgmt_t self:netlink_socket create_socket_perms; +allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms; + +can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t) kernel_read_network_state(netlabel_mgmt_t) +kernel_read_system_state(netlabel_mgmt_t) + +corecmd_exec_bin(netlabel_mgmt_t) +corecmd_exec_shell(netlabel_mgmt_t) files_read_etc_files(netlabel_mgmt_t) +term_use_all_inherited_terms(netlabel_mgmt_t) + seutil_use_newrole_fds(netlabel_mgmt_t) -userdom_use_user_terminals(netlabel_mgmt_t) +auth_read_passwd(netlabel_mgmt_t) + +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + +optional_policy(` + sssd_stream_connect(netlabel_mgmt_t) + sssd_read_public_files(netlabel_mgmt_t) +') + diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index d43f3b194..c5053dbbd 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,15 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/selinux/(minimum|mls|targeted)/active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) -/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) # # /root @@ -35,19 +37,30 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) +/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) # # /var/lib # -/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) +/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) +/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) # # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) + + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if index 38220721d..a67ee36d2 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -85,6 +85,7 @@ interface(`seutil_domtrans_loadpolicy',` corecmd_search_bin($1) domtrans_pattern($1, load_policy_exec_t, load_policy_t) + allow $1 load_policy_exec_t:file map; ') ######################################## @@ -131,6 +132,43 @@ interface(`seutil_exec_loadpolicy',` corecmd_search_bin($1) can_exec($1, load_policy_exec_t) + allow $1 load_policy_exec_t:file map; +') + +######################################## +## +## Allow access check on load_policy. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_access_check_load_policy',` + gen_require(` + type load_policy_exec_t; + ') + + allow $1 load_policy_exec_t:file execute; +') + +######################################## +## +## Dontaudit access check on load_policy. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dontaudit_access_check_load_policy',` + gen_require(` + type load_policy_exec_t; + ') + + dontaudit $1 load_policy_exec_t:file audit_access; ') ######################################## @@ -192,11 +230,22 @@ interface(`seutil_domtrans_newrole',` # interface(`seutil_run_newrole',` gen_require(` - attribute_role newrole_roles; + type newrole_t; + #attribute_role newrole_roles; ') + #seutil_domtrans_newrole($1) + #roleattribute $2 newrole_roles; + seutil_domtrans_newrole($1) - roleattribute $2 newrole_roles; + role $2 types newrole_t; + + auth_run_upd_passwd(newrole_t, $2) + + optional_policy(` + namespace_init_run(newrole_t, $2) + ') + ') ######################################## @@ -357,6 +406,27 @@ interface(`seutil_exec_restorecon',` seutil_exec_setfiles($1) ') +######################################## +## +## Execute restorecond in the caller domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`seutil_exec_restorecond',` + gen_require(` + type restorecond_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, restorecond_exec_t) +') + ######################################## ## ## Execute run_init in the run_init domain. @@ -425,11 +495,20 @@ interface(`seutil_init_script_domtrans_runinit',` # interface(`seutil_run_runinit',` gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; ') - seutil_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_domtrans_runinit($1) + #roleattribute $2 run_init_roles; + + auth_run_chk_passwd(run_init_t, $2) + seutil_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; + ') ######################################## @@ -461,11 +540,19 @@ interface(`seutil_run_runinit',` # interface(`seutil_init_script_run_runinit',` gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; ') - seutil_init_script_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_init_script_domtrans_runinit($1) + #roleattribute $2 run_init_roles; + auth_run_chk_passwd(run_init_t, $2) + seutil_init_script_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; + ') ######################################## @@ -504,6 +591,7 @@ interface(`seutil_domtrans_setfiles',` files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, setfiles_exec_t, setfiles_t) + allow $1 setfiles_exec_t:file map; ') ######################################## @@ -533,6 +621,53 @@ interface(`seutil_run_setfiles',` role $2 types setfiles_t; ') +######################################## +## +## Execute setfiles in the setfiles domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_domtrans_setfiles_mac',` + gen_require(` + type setfiles_mac_t, setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## +## +## Execute setfiles in the setfiles_mac domain, and +## allow the specified role the setfiles_mac domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setfiles_mac domain. +## +## +## +# +interface(`seutil_run_setfiles_mac',` + gen_require(` + type setfiles_mac_t; + ') + + seutil_domtrans_setfiles_mac($1) + role $2 types setfiles_mac_t; +') + ######################################## ## ## Execute setfiles in the caller domain. @@ -553,6 +688,42 @@ interface(`seutil_exec_setfiles',` can_exec($1, setfiles_exec_t) ') +######################################## +## +## Allow access check on setfiles. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_access_check_setfiles',` + gen_require(` + type setfiles_exec_t; + ') + + allow $1 setfiles_exec_t:file execute; +') + +######################################## +## +## Dontaudit access check on setfiles. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dontaudit_access_check_setfiles',` + gen_require(` + type setfiles_exec_t; + ') + + dontaudit $1 setfiles_exec_t:file audit_access; +') + ######################################## ## ## Do not audit attempts to search the SELinux @@ -572,6 +743,25 @@ interface(`seutil_dontaudit_search_config',` dontaudit $1 selinux_config_t:dir search_dir_perms; ') +######################################## +## +## Allow attempts to search the SELinux +## configuration directory (/etc/selinux). +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_search_config',` + gen_require(` + type selinux_config_t; + ') + + allow $1 selinux_config_t:dir search_dir_perms; +') + ######################################## ## ## Do not audit attempts to read the SELinux @@ -680,8 +870,113 @@ interface(`seutil_manage_config',` ') files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) + manage_lnk_files_pattern($1, selinux_config_t, selinux_config_t) +') + +###################################### +## +## Create, read, write, and delete +## the general selinux configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`seutil_manage_config_dirs',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir manage_dir_perms; +') + +######################################## +## +## Do not audit attempts to search the SELinux +## login configuration directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`seutil_dontaudit_search_login_config',` + gen_require(` + type selinux_login_config_t; + ') + + dontaudit $1 selinux_login_config_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to read the SELinux +## login configuration. +## +## +## +## Domain to not audit. +## +## +# +interface(`seutil_dontaudit_read_login_config',` + gen_require(` + type selinux_login_config_t; + ') + dontaudit $1 selinux_login_config_t:dir search_dir_perms; + dontaudit $1 selinux_login_config_t:file read_file_perms; +') + +######################################## +## +## Read the SELinux login configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_read_login_config',` + gen_require(` + type selinux_config_t; + type selinux_login_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 selinux_login_config_t:dir list_dir_perms; + read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) +') + +######################################## +## +## Read and write the SELinux login configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_rw_login_config',` + gen_require(` + type selinux_config_t; + type selinux_login_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 selinux_login_config_t:dir list_dir_perms; + rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ') ####################################### @@ -694,15 +989,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## -## # -interface(`seutil_manage_config_dirs',` +interface(`seutil_rw_login_config_dirs',` gen_require(` type selinux_config_t; + type selinux_login_config_t; ') files_search_etc($1) - allow $1 selinux_config_t:dir manage_dir_perms; + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 selinux_login_config_t:dir rw_dir_perms; +') + +###################################### +## +## Create, read, write, and delete +## the general selinux configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_manage_login_config',` + gen_require(` + type selinux_config_t; + type selinux_login_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t) + manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) +') + +###################################### +## +## manage the login selinux configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_manage_login_config_files',` + gen_require(` + type selinux_config_t; + type selinux_login_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ') ######################################## @@ -746,6 +1088,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') +####################################### +## +## Read and write the default_contexts files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`seutil_rw_default_contexts',` + gen_require(` + type default_context_t; + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir list_dir_perms; + allow $1 default_context_t:dir list_dir_perms; + rw_files_pattern($1, default_context_t, default_context_t) +') + ######################################## ## ## Create, read, write, and delete the default_contexts files. @@ -766,6 +1131,25 @@ interface(`seutil_manage_default_contexts',` manage_files_pattern($1, default_context_t, default_context_t) ') +######################################## +## +## Create, read, write, and delete the default_contexts dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_manage_default_contexts_dirs',` + gen_require(` + type selinux_config_t, default_context_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, default_context_t, default_context_t) +') + ######################################## ## ## Read the file_contexts files. @@ -784,7 +1168,10 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + list_dirs_pattern($1, file_context_t, file_context_t) read_files_pattern($1, file_context_t, file_context_t) + read_lnk_files_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') ######################################## @@ -805,6 +1192,7 @@ interface(`seutil_dontaudit_read_file_contexts',` dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; dontaudit $1 file_context_t:file read_file_perms; + dontaudit $1 file_context_t:file map; ') ######################################## @@ -825,6 +1213,7 @@ interface(`seutil_rw_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; rw_files_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') ######################################## @@ -846,6 +1235,8 @@ interface(`seutil_manage_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; manage_files_pattern($1, file_context_t, file_context_t) + manage_dirs_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') ######################################## @@ -866,6 +1257,7 @@ interface(`seutil_read_bin_policy',` files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; read_files_pattern($1, policy_config_t, policy_config_t) + allow $1 policy_config_t:file map; ') ######################################## @@ -997,6 +1389,26 @@ interface(`seutil_domtrans_semanage',` domtrans_pattern($1, semanage_exec_t, semanage_t) ') +######################################## +## +## Execute a domain transition to run setsebool. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`seutil_domtrans_setsebool',` + gen_require(` + type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + ######################################## ## ## Execute semanage in the semanage domain, and @@ -1017,11 +1429,125 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` - attribute_role semanage_roles; + #attribute_role semanage_roles; + type semanage_t; ') + #seutil_domtrans_semanage($1) + #roleattribute $2 semanage_roles; + seutil_domtrans_semanage($1) - roleattribute $2 semanage_roles; + seutil_run_setfiles(semanage_t, $2) + seutil_run_loadpolicy(semanage_t, $2) + role $2 types semanage_t; + +') + +######################################## +## +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the setsebool domain. +## +## +## +# +interface(`seutil_run_setsebool',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_setsebool($1) + role $2 types setsebool_t; +') + +######################################## +## +## List of the semanage +## module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_access_check_module_store',` + gen_require(` + type semanage_store_t; + ') + + files_search_etc($1) + allow $1 semanage_store_t:dir_file_class_set audit_access; +') + +######################################## +## +## Full management of the semanage +## module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_read_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) + read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) +') + +######################################## +## +## Dontaudit read selinux module store +## module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dontaudit_read_module_store',` + gen_require(` + type semanage_store_t; + ') + +dontaudit $1 semanage_store_t:dir list_dir_perms; +dontaudit $1 semanage_store_t:file read_file_perms; +') + +####################################### +## +## Dontaudit access check on module store +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dontaudit_access_check_semanage_module_store',` + gen_require(` + type semanage_store_t; + ') + + dontaudit $1 semanage_store_t:dir_file_class_set audit_access; ') ######################################## @@ -1041,9 +1567,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) + files_search_var($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_dirs_pattern($1, semanage_store_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") ') ####################################### @@ -1065,6 +1597,24 @@ interface(`seutil_get_semanage_read_lock',` rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) ') +####################################### +## +## Dontaudit access check on module store +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dontaudit_access_check_semanage_read_lock',` + gen_require(` + type semanage_read_lock_t; + ') + + dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access; +') + ####################################### ## ## Get trans lock on module store @@ -1137,3 +1687,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') + +####################################### +## +## All rules necessary to run semanage command +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_semanage_policy',` + gen_require(` + type semanage_tmp_t; + type policy_config_t; + attribute policy_manager_domain; + ') + typeattribute $1 policy_manager_domain; + + kernel_read_system_state($1) + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + + selinux_get_enforce_mode($1) + + seutil_manage_bin_policy($1) + + logging_send_syslog_msg($1) +') + +####################################### +## +## All rules necessary to run setfiles command +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_setfiles',` + + gen_require(` + attribute setfiles_domain; + ') + typeattribute $1 setfiles_domain; + + kernel_read_system_state($1) + seutil_libselinux_linked($1) + + files_relabel_all_files($1) + + mls_file_read_all_levels($1) + mls_file_write_all_levels($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + + # this is to satisfy the assertion: + auth_relabelto_shadow($1) + + logging_send_syslog_msg($1) +') + +##################################### +## +## File name transition for selinux utility content +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_filetrans_named_content',` + gen_require(` + type default_context_t, semanage_store_t; + type selinux_config_t, semanage_trans_lock_t; + type file_context_t, selinux_login_config_t; + ') + + filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") + filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK") + filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK") + filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins") + filetrans_pattern($1, default_context_t, file_context_t, dir, "files") + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') + +######################################## +## +## Send and receive messages from +## semanage dbus server over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_dbus_chat_semanage',` + gen_require(` + type semanage_t; + class dbus send_msg; + ') + + ps_process_pattern(semanage_t, $1) + + allow $1 semanage_t:dbus send_msg; + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index dc4642022..87680f157 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +attribute setfiles_domain; +attribute policy_manager_domain; -attribute_role newrole_roles; +#attribute_role newrole_roles; -attribute_role run_init_roles; -role system_r types run_init_t; +#attribute_role run_init_roles; +#role system_r types run_init_t; -attribute_role semanage_roles; -roleattribute system_r semanage_roles; +#attribute_role semanage_roles; +#roleattribute system_r semanage_roles; # # selinux_config_t is the type applied to @@ -28,7 +30,13 @@ roleattribute system_r semanage_roles; # in the domain_type interface # (fix dup decl) type selinux_config_t; -files_type(selinux_config_t) +files_security_file(selinux_config_t) + +type selinux_login_config_t; +files_security_file(selinux_login_config_t) + +type selinux_var_lib_t; +files_type(selinux_var_lib_t) type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; @@ -40,14 +48,14 @@ role system_r types checkpolicy_t; # /etc/selinux/*/contexts/* # type default_context_t; -files_type(default_context_t) +files_security_file(default_context_t) # # file_context_t is the type applied to # /etc/selinux/*/contexts/files # type file_context_t; -files_type(file_context_t) +files_security_file(file_context_t) type load_policy_t; type load_policy_exec_t; @@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_interactive_fd(newrole_t) -role newrole_roles types newrole_t; +#role newrole_roles types newrole_t; +role system_r types newrole_t; # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # -type policy_config_t; -files_type(policy_config_t) +#type policy_config_t; +#files_type(policy_config_t) +gen_require(` + type semanage_store_t; +') + +typealias semanage_store_t alias { policy_config_t semanage_var_lib_t }; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -83,7 +97,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) @@ -92,40 +105,49 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) -role run_init_roles types run_init_t; +#role run_init_roles types run_init_t; +role system_r types run_init_t; type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) +init_daemon_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) -role semanage_roles types semanage_t; +#role semanage_roles types semanage_t; +role system_r types semanage_t; + +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) type semanage_store_t; -files_type(semanage_store_t) +files_security_file(semanage_store_t) type semanage_read_lock_t; -files_type(semanage_read_lock_t) +files_lock_file(semanage_read_lock_t) type semanage_tmp_t; files_tmp_file(semanage_tmp_t) -type semanage_trans_lock_t; -files_type(semanage_trans_lock_t) - -type semanage_var_lib_t; -files_type(semanage_var_lib_t) +type semanage_trans_lock_t; +files_lock_file(semanage_trans_lock_t) type setfiles_t alias restorecon_t, can_relabelto_binary_policy; type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) +type setfiles_mac_t; +domain_type(setfiles_mac_t) +domain_entry_file(setfiles_mac_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_mac_t) + ######################################## # # Checkpolicy local policy # -allow checkpolicy_t self:capability dac_override; +allow checkpolicy_t self:capability { dac_read_search dac_override }; # able to create and modify binary policy files manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) @@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) allow checkpolicy_t selinux_config_t:dir search_dir_perms; +allow checkpolicy_t selinux_login_config_t:dir search_dir_perms; domain_use_interactive_fds(checkpolicy_t) @@ -151,7 +174,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) -userdom_use_user_terminals(checkpolicy_t) +userdom_use_inherited_user_terminals(checkpolicy_t) userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` @@ -165,10 +188,11 @@ ifdef(`distro_ubuntu',` # Load_policy local policy # -allow load_policy_t self:capability dac_override; +allow load_policy_t self:capability { dac_read_search dac_override }; # only allow read of policy config files read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) +allow load_policy_t policy_config_t:file map; domain_use_interactive_fds(load_policy_t) @@ -188,13 +212,13 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) - -miscfiles_read_localization(load_policy_t) +init_write_script_pipes(load_policy_t) seutil_libselinux_linked(load_policy_t) -userdom_use_user_terminals(load_policy_t) +userdom_use_inherited_user_terminals(load_policy_t) userdom_use_all_users_fds(load_policy_t) +userdom_dontaudit_read_user_tmp_files(load_policy_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -205,6 +229,7 @@ ifdef(`distro_ubuntu',` ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; + dontaudit load_policy_t selinux_login_config_t:file write; optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) @@ -215,12 +240,21 @@ optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') +optional_policy(` + sssd_rw_inherited_pipes(load_policy_t) +') + +optional_policy(` + # pki is leaking + pki_dontaudit_write_log(load_policy_t) +') + ######################################## # # Newrole local policy # -allow newrole_t self:capability { fowner setuid setgid dac_override }; +allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; @@ -232,7 +266,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(newrole_t) read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) @@ -249,6 +283,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) +files_list_var(newrole_t) files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) @@ -276,25 +311,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) -auth_use_nsswitch(newrole_t) -auth_run_chk_passwd(newrole_t, newrole_roles) -auth_run_upd_passwd(newrole_t, newrole_roles) -auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) init_use_fds(newrole_t) -logging_send_syslog_msg(newrole_t) - -miscfiles_read_localization(newrole_t) seutil_libselinux_linked(newrole_t) +userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) +# need to talk with dbus +optional_policy(` + dbus_system_bus_client(newrole_t) +') + +#optional_policy(` +# namespace_init_run(newrole_t, newrole_roles) +#') + + +optional_policy(` + xserver_dontaudit_exec_xauth(newrole_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) @@ -309,7 +353,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } -tunable_policy(`allow_polyinstantiation',` +tunable_policy(`polyinstantiation_enabled',` files_polyinstantiate_all(newrole_t) ') @@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) +dev_relabel_all_dev_nodes(restorecond_t) + +files_dontaudit_read_all_symlinks(restorecond_t) + fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) -fs_getattr_xattr_fs(restorecond_t) +fs_getattr_all_fs(restorecond_t) fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) @@ -341,16 +389,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) + auth_use_nsswitch(restorecond_t) locallogin_dontaudit_use_fds(restorecond_t) logging_send_syslog_msg(restorecond_t) -miscfiles_read_localization(restorecond_t) - seutil_libselinux_linked(restorecond_t) +userdom_read_user_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) @@ -366,21 +415,24 @@ optional_policy(` # Run_init local policy # -allow run_init_roles system_r; +#allow run_init_roles system_r; allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; -allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(run_init_t) # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; +kernel_dontaudit_getattr_core_if(run_init_t) + corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) +dev_dontaudit_getattr_all(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) @@ -398,23 +450,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) +term_use_console(run_init_t) + +#auth_use_nsswitch(run_init_t) +#auth_run_chk_passwd(run_init_t, run_init_roles) +#auth_run_upd_passwd(run_init_t, run_init_roles) +#auth_dontaudit_read_shadow(run_init_t) + auth_use_nsswitch(run_init_t) -auth_run_chk_passwd(run_init_t, run_init_roles) -auth_run_upd_passwd(run_init_t, run_init_roles) +auth_domtrans_chk_passwd(run_init_t) +auth_domtrans_upd_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) + init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) +init_dontaudit_getattr_initctl(run_init_t) logging_send_syslog_msg(run_init_t) -miscfiles_read_localization(run_init_t) - seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) -userdom_use_user_terminals(run_init_t) +userdom_use_inherited_user_terminals(run_init_t) ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` @@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',` ') ') +# need to talk with dbus +optional_policy(` + dbus_system_bus_client(run_init_t) +') + +optional_policy(` + gpm_dontaudit_getattr_gpmctl(run_init_t) +') + +optional_policy(` + rpm_domtrans(run_init_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) @@ -440,81 +512,86 @@ optional_policy(` # semodule local policy # -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow semanage_t self:fifo_file rw_fifo_file_perms; - -allow semanage_t policy_config_t:file rw_file_perms; - -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) - -manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) -manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) -files_list_pids(semanage_t) - -mls_file_write_all_levels(semanage_t) -mls_file_read_all_levels(semanage_t) - -selinux_validate_context(semanage_t) -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: +selinux_set_enforce_mode(semanage_t) selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) +seutil_semanage_policy(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) -seutil_run_setfiles(semanage_t, semanage_roles) -seutil_run_loadpolicy(semanage_t, semanage_roles) -seutil_manage_bin_policy(semanage_t) -seutil_use_newrole_fds(semanage_t) -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) +seutil_domtrans_setfiles(semanage_t) + +#seutil_run_setfiles(semanage_t, semanage_roles) +#seutil_run_loadpolicy(semanage_t, semanage_roles) +#seutil_manage_bin_policy(semanage_t) +#seutil_use_newrole_fds(semanage_t) +#seutil_manage_module_store(semanage_t) +#seutil_get_semanage_trans_lock(semanage_t) +#seutil_get_semanage_read_lock(semanage_t) # netfilter_contexts: seutil_manage_default_contexts(semanage_t) # Handle pp files created in homedir and /tmp userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) +userdom_home_reader(semanage_t) +userdom_map_tmp_files(semanage_t) ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) ') -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(semanage_t) - ') +optional_policy(` + dbus_system_domain(semanage_t, semanage_exec_t) +') + +optional_policy(` + mock_manage_lib_files(semanage_t) + mock_manage_lib_dirs(semanage_t) +') + +optional_policy(` + unconfined_domain(semanage_t) +') + +####################################n#### +# +# setsebool local policy +# +seutil_semanage_policy(setsebool_t) +selinux_set_all_booleans(setsebool_t) + +init_dontaudit_use_fds(setsebool_t) + +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) + +######################################## +# +# Setfiles mac local policy +# +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) + +optional_policy(` + files_dontaudit_write_isid_chr_files(setfiles_mac_t) + livecd_dontaudit_leaks(setfiles_mac_t) + livecd_rw_tmp_files(setfiles_mac_t) + dev_dontaudit_write_all_chr_files(setfiles_mac_t) +') + +optional_policy(` + unconfined_domain(setfiles_mac_t) ') ######################################## @@ -522,111 +599,201 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; -allow setfiles_t self:fifo_file rw_file_perms; - -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; - -kernel_read_system_state(setfiles_t) -kernel_relabelfrom_unlabeled_dirs(setfiles_t) -kernel_relabelfrom_unlabeled_files(setfiles_t) -kernel_relabelfrom_unlabeled_symlinks(setfiles_t) -kernel_relabelfrom_unlabeled_pipes(setfiles_t) -kernel_relabelfrom_unlabeled_sockets(setfiles_t) -kernel_use_fds(setfiles_t) -kernel_rw_pipes(setfiles_t) -kernel_rw_unix_dgram_sockets(setfiles_t) -kernel_dontaudit_list_all_proc(setfiles_t) -kernel_dontaudit_list_all_sysctls(setfiles_t) - -dev_relabel_all_dev_nodes(setfiles_t) -# to handle when /dev/console needs to be relabeled -dev_rw_generic_chr_files(setfiles_t) - -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) - -files_read_etc_runtime_files(setfiles_t) -files_read_etc_files(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) -files_read_usr_symlinks(setfiles_t) -files_dontaudit_read_all_symlinks(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) - -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) - -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) - -term_use_all_ttys(setfiles_t) -term_use_all_ptys(setfiles_t) -term_use_unallocated_ttys(setfiles_t) - -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - -init_use_fds(setfiles_t) -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) + +# needs to be able to read symlinks to make restorecon on symlink working +files_read_all_symlinks(setfiles_t) +allow setfiles_t file_context_t:file map; + +fs_mount_tracefs(setfiles_t) logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) -miscfiles_read_localization(setfiles_t) +optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) +') + +optional_policy(` + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') -seutil_libselinux_linked(setfiles_t) +optional_policy(` + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') + +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') + +ifdef(`hide_broken_symptoms',` + + optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) + setroubleshoot_fixit_dontaudit_leaks(load_policy_t) + ') +') +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(setfiles_t) + ') +') -userdom_use_all_users_fds(setfiles_t) +######################################## +# +# Setfiles common policy +# +allow setfiles_domain self:capability { dac_override dac_read_search fowner }; +dontaudit setfiles_domain self:capability sys_tty_config; +allow setfiles_domain self:fifo_file rw_file_perms; +dontaudit setfiles_domain self:dir relabelfrom; +dontaudit setfiles_domain self:file relabelfrom; +dontaudit setfiles_domain self:lnk_file relabelfrom; + +domain_relabelfrom(setfiles_domain) + +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; + +logging_send_audit_msgs(setfiles_domain) + +kernel_relabelfrom_unlabeled_dirs(setfiles_domain) +kernel_relabelfrom_unlabeled_files(setfiles_domain) +kernel_relabelfrom_unlabeled_symlinks(setfiles_domain) +kernel_relabelfrom_unlabeled_pipes(setfiles_domain) +kernel_relabelfrom_unlabeled_sockets(setfiles_domain) +kernel_use_fds(setfiles_domain) +kernel_rw_pipes(setfiles_domain) +kernel_rw_unix_dgram_sockets(setfiles_domain) +kernel_dontaudit_list_all_proc(setfiles_domain) +kernel_read_all_sysctls(setfiles_domain) +kernel_read_network_state_symlinks(setfiles_domain) + +dev_relabel_all_dev_nodes(setfiles_domain) +dev_dontaudit_rw_lvm_control(setfiles_domain) +dev_dontaudit_read_rand(setfiles_domain) +dev_dontaudit_read_urand(setfiles_domain) + +domain_use_interactive_fds(setfiles_domain) +domain_read_all_domains_state(setfiles_domain) + +files_read_etc_runtime_files(setfiles_domain) +files_read_etc_files(setfiles_domain) +files_list_all(setfiles_domain) +files_list_isid_type_dirs(setfiles_domain) +files_read_isid_type_files(setfiles_domain) +files_dontaudit_read_all_symlinks(setfiles_domain) + +fs_getattr_all_fs(setfiles_domain) +fs_list_all(setfiles_domain) +fs_getattr_all_files(setfiles_domain) +fs_search_auto_mountpoints(setfiles_domain) +fs_relabelfrom_noxattr_fs(setfiles_domain) + +selinux_validate_context(setfiles_domain) +selinux_compute_access_vector(setfiles_domain) +selinux_compute_create_context(setfiles_domain) +selinux_compute_relabel_context(setfiles_domain) +selinux_compute_user_contexts(setfiles_domain) + +term_use_all_inherited_terms(setfiles_domain) + +init_use_fds(setfiles_domain) +init_use_script_fds(setfiles_domain) +init_use_script_ptys(setfiles_domain) +init_exec_script_files(setfiles_domain) + +userdom_use_all_users_fds(setfiles_domain) # for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) +userdom_read_user_home_content_files(setfiles_domain) +userdom_read_admin_home_files(setfiles_domain) +userdom_rw_inherited_user_home_content_files(setfiles_domain) ifdef(`distro_debian',` # udev tmpfs is populated with static device nodes # and then relabeled afterwards; thus # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) + fs_rw_tmpfs_chr_files(setfiles_domain) ') -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files(setfiles_domain) + fs_rw_tmpfs_blk_files(setfiles_domain) + fs_relabel_tmpfs_blk_file(setfiles_domain) + fs_relabel_tmpfs_chr_file(setfiles_domain) ') -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) - ') +optional_policy(` + hotplug_use_fds(setfiles_domain) ') -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) - ') - - # cjp: cover up stray file descriptors. - optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') +optional_policy(` + dbus_read_pid_files(setfiles_domain) ') +allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource }; +dontaudit policy_manager_domain self:capability sys_tty_config; +allow policy_manager_domain self:process { signal setsched }; +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; +allow policy_manager_domain self:unix_dgram_socket create_socket_perms; +allow policy_manager_domain self:fifo_file rw_fifo_file_perms; + +dev_read_rand(policy_manager_domain) +dev_read_urand(policy_manager_domain) + +logging_send_audit_msgs(policy_manager_domain) + +# Domains that will manage policy +allow policy_manager_domain policy_config_t:file rw_file_perms; + +allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms; +allow policy_manager_domain semanage_tmp_t:file manage_file_perms; +files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(policy_manager_domain) + +corecmd_exec_bin(policy_manager_domain) +corecmd_exec_shell(policy_manager_domain) + +domain_use_interactive_fds(policy_manager_domain) + +files_read_etc_files(policy_manager_domain) +files_read_etc_runtime_files(policy_manager_domain) +files_read_usr_files(policy_manager_domain) +files_mmap_usr_files(policy_manager_domain) +files_list_pids(policy_manager_domain) +fs_list_inotifyfs(policy_manager_domain) +fs_getattr_all_fs(policy_manager_domain) + +selinux_validate_context(policy_manager_domain) +selinux_read_policy(policy_manager_domain) + +term_use_all_inherited_terms(policy_manager_domain) + +locallogin_use_fds(policy_manager_domain) + +seutil_search_default_contexts(policy_manager_domain) +seutil_domtrans_loadpolicy(policy_manager_domain) +seutil_read_config(policy_manager_domain) +seutil_use_newrole_fds(policy_manager_domain) +seutil_manage_module_store(policy_manager_domain) +seutil_get_semanage_trans_lock(policy_manager_domain) +seutil_get_semanage_read_lock(policy_manager_domain) + +userdom_dontaudit_write_user_home_content_files(policy_manager_domain) +userdom_use_user_ptys(policy_manager_domain) + +files_rw_inherited_generic_pid_files(setfiles_domain) +files_rw_inherited_generic_pid_files(policy_manager_domain) +files_create_boot_flag(policy_manager_domain, ".autorelabel") +files_delete_boot_flag(policy_manager_domain) + optional_policy(` - hotplug_use_fds(setfiles_t) + policykit_dbus_chat(policy_manager_domain) ') diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc index bea462999..06e2834f7 100644 --- a/policy/modules/system/setrans.fc +++ b/policy/modules/system/setrans.fc @@ -2,4 +2,7 @@ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) +/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if index efa9c27f6..536a514fc 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -40,3 +40,21 @@ interface(`setrans_translate_context',` stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) files_list_pids($1) ') +####################################### +## +## Allow a domain to manage pid files +## +## +## +## Domain allowed access. +## +## +# +interface(`setrans_manage_pid_files',` + gen_require(` + type setrans_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) +') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687d5..0b1da4d3e 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -12,6 +12,7 @@ gen_require(` type setrans_t; type setrans_exec_t; init_daemon_domain(setrans_t, setrans_exec_t) +mls_trusted_object(setrans_t) type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) @@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) +kernel_read_system_state(setrans_t) kernel_read_kernel_sysctls(setrans_t) kernel_read_proc_symlinks(setrans_t) @@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t) logging_send_syslog_msg(setrans_t) -miscfiles_read_localization(setrans_t) seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 40edc18ab..95f4458d2 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -17,23 +17,29 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) -/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) +/etc/resolv-secure.conf.* gen_context(system_u:object_r:net_conf_t,s0) +/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ') +/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) # # /sbin @@ -44,6 +50,7 @@ ifdef(`distro_redhat',` /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) @@ -55,6 +62,21 @@ ifdef(`distro_redhat',` # # /usr # +/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # @@ -77,3 +99,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 2cea692c0..1fb3ada18 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -17,6 +17,7 @@ interface(`sysnet_domtrans_dhcpc',` corecmd_search_bin($1) domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) + allow $1 dhcpc_exec_t:file map; ') ######################################## @@ -38,11 +39,30 @@ interface(`sysnet_domtrans_dhcpc',` # interface(`sysnet_run_dhcpc',` gen_require(` + type dhcpc_t; attribute_role dhcpc_roles; ') sysnet_domtrans_dhcpc($1) roleattribute $2 dhcpc_roles; + + optional_policy(` + networkmanager_run(dhcpc_t, $2) + ') + + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') + + optional_policy(` + nscd_run(dhcpc_t, $2) + ') + + optional_policy(` + ntp_run(dhcpc_t, $2) + ') + + seutil_run_setfiles(dhcpc_t, $2) ') ######################################## @@ -231,7 +251,7 @@ interface(`sysnet_rw_dhcp_config',` ') files_search_etc($1) - allow $1 dhcp_etc_t:file rw_file_perms; + rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') ######################################## @@ -269,6 +289,7 @@ interface(`sysnet_read_dhcpc_state',` type dhcpc_state_t; ') + list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -290,6 +311,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') +######################################## +## +## Allow caller to relabel dhcpc_state files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelfrom_dhcpc_state',` + + gen_require(` + type dhcpc_state_t; + ') + + allow $1 dhcpc_state_t:file relabelfrom; +') + +####################################### +## +## Manage the dhcp client state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + ####################################### ## ## Set the attributes of network config files. @@ -309,6 +367,44 @@ interface(`sysnet_setattr_config',` allow $1 net_conf_t:file setattr_file_perms; ') +####################################### +## +## Allow caller to relabel net_conf files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelfrom_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelfrom; +') + +###################################### +## +## Allow caller to relabel net_conf files +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelto_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelto; +') + ####################################### ## ## Read network config files. @@ -355,7 +451,10 @@ interface(`sysnet_read_config',` ') ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; read_files_pattern($1, net_conf_t, net_conf_t) ') ') @@ -438,6 +537,42 @@ interface(`sysnet_etc_filetrans_config',` ') files_etc_filetrans($1, net_conf_t, file, $2) + files_etc_filetrans($1, net_conf_t, lnk_file, $2) + +') + +######################################## +## +## Transition content to the type used for +## the network config files. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the directory to which the object will be created. +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`sysnet_filetrans_config_fromdir',` + gen_require(` + type net_conf_t; + ') + + filetrans_pattern($1, $2, net_conf_t, $3, $4) ') ####################################### @@ -453,7 +588,7 @@ interface(`sysnet_etc_filetrans_config',` interface(`sysnet_manage_config',` gen_require(` type net_conf_t; - ') + ') allow $1 net_conf_t:file manage_file_perms; @@ -463,7 +598,41 @@ interface(`sysnet_manage_config',` ') ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; manage_files_pattern($1, net_conf_t, net_conf_t) + manage_lnk_files_pattern($1, net_conf_t, net_conf_t) + ') +') + +####################################### +## +## Create, read, write, and delete network config dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_config_dirs',` + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:dir manage_dir_perms; + + ifdef(`distro_debian',` + files_search_pids($1) + manage_dirs_pattern($1, net_conf_t, net_conf_t) + ') + + ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; + manage_dirs_pattern($1, net_conf_t, net_conf_t) ') ') @@ -501,9 +670,29 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') + files_rw_pid_dirs($1) allow $1 dhcpc_var_run_t:file unlink; ') +####################################### +## +## Manage the dhcp client pid file. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_dhcpc_pid',` + gen_require(` + type dhcpc_var_run_t; + ') + + files_rw_pid_dirs($1) + manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t) +') + ####################################### ## ## Execute ifconfig in the ifconfig domain. @@ -523,6 +712,24 @@ interface(`sysnet_domtrans_ifconfig',` domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) ') +######################################## +## +## NNP Transition to ifconfig_t. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sysnet_nnp_domtrans_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process2 { nnp_transition nosuid_transition }; +') + ######################################## ## ## Execute ifconfig in the ifconfig domain, and @@ -608,6 +815,25 @@ interface(`sysnet_signull_ifconfig',` allow $1 ifconfig_t:process signull; ') +######################################## +## +## Send a kill signal to iconfig. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`sysnet_kill_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process sigkill; +') + ######################################## ## ## Read the DHCP configuration files. @@ -626,6 +852,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -647,6 +874,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') +####################################### +## +## Set the attributes of network config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_setattr_dhcp_state',` + gen_require(` + type dhcp_state_t; + ') + + files_search_var_lib($1) + allow $1 dhcp_state_t:file setattr_file_perms; +') + + ######################################## ## ## Create DHCP state data. @@ -711,8 +958,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) @@ -720,8 +965,13 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) + corenet_tcp_connect_dnssec_port($1) corenet_sendrecv_dns_client_packets($1) + files_search_all_pids($1) + + miscfiles_read_generic_certs($1) + sysnet_read_config($1) optional_policy(` @@ -750,8 +1000,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) @@ -760,9 +1008,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) + # LDAP Configuration using encrypted requires dev_read_urand($1) sysnet_read_config($1) + + optional_policy(` + ldap_read_certs($1) + ') ') ######################################## @@ -784,7 +1037,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) @@ -796,3 +1048,143 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') + +######################################## +## +## Do not audit attempts to use +## the dhcp file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`sysnet_dontaudit_dhcpc_use_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## +## Transition to system_r when execute an dhclient script +## +## +##

      +## Execute dhclient script in a specified role +##

      +##

      +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

      +##
      +## +## +## Role to transition from. +## +## +interface(`sysnet_role_transition_dhcpc',` + gen_require(` + type dhcpc_exec_t; + ') + + role_transition $1 dhcpc_exec_t system_r; +') + +######################################## +## +## Transition to sysnet named content +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_filetrans_named_content',` + gen_require(` + type net_conf_t; + ') + + files_etc_filetrans($1, net_conf_t, file, "resolv.conf") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") + files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf") + files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") + files_etc_filetrans($1, net_conf_t, file, "hosts.deny") + files_etc_filetrans($1, net_conf_t, file, "ethers") + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") + init_pid_filetrans($1, net_conf_t, dir, "network") + + optional_policy(` + networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") + networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") + ') +') + +######################################## +## +## Transition to sysnet ifconfig named content +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_manage_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) +') + +######################################## +## +## Transition to sysnet ifconfig named content +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_filetrans_named_content_ifconfig',` + gen_require(` + type ifconfig_var_run_t; + ') + + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') + +######################################## +## +## Transition to sysnet ifconfig named content +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_filetrans_net_conf',` + gen_require(` + type net_conf_t; + ') + + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a392fc4bc..4b8dc5630 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) # Declarations # +## +##

      +## Allow dhcpc client applications to execute iptables commands +##

      +##
      +gen_tunable(dhcpc_exec_iptables, false) + attribute_role dhcpc_roles; roleattribute system_r dhcpc_roles; @@ -20,7 +27,9 @@ files_type(dhcp_state_t) type dhcpc_t; type dhcpc_exec_t; init_daemon_domain(dhcpc_t, dhcpc_exec_t) -role dhcpc_roles types dhcpc_t; + +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) type dhcpc_state_t; files_type(dhcpc_state_t) @@ -36,8 +45,12 @@ type ifconfig_exec_t; init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; +type ifconfig_var_run_t; +files_pid_file(ifconfig_var_run_t) +files_mountpoint(ifconfig_var_run_t) + type net_conf_t alias resolv_conf_t; -files_type(net_conf_t) +files_config_file(net_conf_t) ifdef(`distro_debian',` init_daemon_run_dir(net_conf_t, "network") @@ -47,11 +60,11 @@ ifdef(`distro_debian',` # # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; +allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; @@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; +allow dhcpc_t dhcp_state_t:file relabel_file_perms; + manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcpc_state_t:file { map relabel_file_perms }; # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) @@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. +allow dhcpc_t net_conf_t:file manage_file_perms; +allow dhcpc_t net_conf_t:file relabel_file_perms; sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) @@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) -corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) -corenet_tcp_sendrecv_all_if(dhcpc_t) -corenet_raw_sendrecv_all_if(dhcpc_t) -corenet_udp_sendrecv_all_if(dhcpc_t) -corenet_tcp_sendrecv_all_nodes(dhcpc_t) -corenet_raw_sendrecv_all_nodes(dhcpc_t) -corenet_udp_sendrecv_all_nodes(dhcpc_t) +corenet_tcp_sendrecv_generic_if(dhcpc_t) +corenet_raw_sendrecv_generic_if(dhcpc_t) +corenet_udp_sendrecv_generic_if(dhcpc_t) +corenet_tcp_sendrecv_generic_node(dhcpc_t) +corenet_raw_sendrecv_generic_node(dhcpc_t) +corenet_udp_sendrecv_generic_node(dhcpc_t) corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) @@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_udp_bind_all_unreserved_ports(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) +corenet_sendrecv_dhcpc_server_packets(dhcpc_t) corenet_sendrecv_all_server_packets(dhcpc_t) +corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) dev_read_sysfs(dhcpc_t) # for SSP: dev_read_urand(dhcpc_t) +domain_obj_id_change_exemption(dhcpc_t) domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) -files_read_usr_files(dhcpc_t) files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_rw_inherited_tmp_file(dhcpc_t) +files_dontaudit_rw_inherited_locks(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) @@ -137,15 +157,22 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) +auth_use_nsswitch(dhcpc_t) + init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) +init_stream_send(dhcpc_t) + +libs_exec_ldconfig(dhcpc_t) logging_send_syslog_msg(dhcpc_t) -miscfiles_read_localization(dhcpc_t) +miscfiles_read_generic_certs(dhcpc_t) modutils_run_insmod(dhcpc_t, dhcpc_roles) sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) +allow dhcpc_t ifconfig_exec_t:file map; userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) @@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - consoletype_run(dhcpc_t, dhcpc_roles) + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) + chronyd_domtrans(dhcpc_t) + chronyd_read_keys(dhcpc_t) +') + +optional_policy(` + cloudform_init_domtrans(dhcpc_t) + cloudform_read_lib_files(dhcpc_t) + cloudform_read_lib_lnk_files(dhcpc_t) +') + +optional_policy(` + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) ') optional_policy(` @@ -176,10 +217,7 @@ optional_policy(` optional_policy(` hostname_run(dhcpc_t, dhcpc_roles) -') - -optional_policy(` - hal_dontaudit_rw_dgram_sockets(dhcpc_t) + allow dhcpc_t hostname_exec_t:file map; ') optional_policy(` @@ -195,23 +233,32 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) -',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; + allow dhcpc_t netutils_exec_t:file map; ') optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_manage_lib(dhcpc_t) + networkmanager_stream_connect(dhcpc_t) +') + +optional_policy(` + nis_initrc_domtrans_ypbind(dhcpc_t) nis_read_ypbind_pid(dhcpc_t) + nis_systemctl_ypbind(dhcpc_t) ') optional_policy(` nscd_initrc_domtrans(dhcpc_t) + nscd_systemctl(dhcpc_t) nscd_domtrans(dhcpc_t) nscd_read_pid(dhcpc_t) ') optional_policy(` ntp_initrc_domtrans(dhcpc_t) + ntp_systemctl(dhcpc_t) ') optional_policy(` @@ -221,7 +268,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) +') +optional_policy(` + systemd_passwd_agent_domtrans(dhcpc_t) + systemd_signal_passwd_agent(dhcpc_t) ') optional_policy(` @@ -232,6 +283,10 @@ optional_policy(` userdom_use_all_users_fds(dhcpc_t) ') +optional_policy(` + virt_manage_pid_files(dhcpc_t) +') + optional_policy(` vmware_append_log(dhcpc_t) ') @@ -264,32 +319,73 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; +allow ifconfig_t self:appletalk_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; +allow ifconfig_t self:netlink_socket create_socket_perms; +allow ifconfig_t self:netlink_generic_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; +allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; + allow ifconfig_t self:tcp_socket { create ioctl }; +can_exec(ifconfig_t, ifconfig_exec_t) + +manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +manage_lnk_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; +allow ifconfig_t ifconfig_var_run_t:dir mounton; + kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_request_load_module(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) +kernel_getattr_proc(ifconfig_t) +kernel_unmount_proc(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) +corecmd_exec_bin(ifconfig_t) +corecmd_exec_shell(ifconfig_t) + dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) +# needed by tuned +dev_rw_netcontrol(ifconfig_t) +dev_mounton_sysfs(ifconfig_t) +dev_mount_sysfs_fs(ifconfig_t) +dev_unmount_sysfs_fs(ifconfig_t) +dev_getattr_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) +domain_read_all_domains_state(ifconfig_t) + +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) +files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) +files_dontaudit_rw_var_files(ifconfig_t) + +files_mounton_rootfs(ifconfig_t) files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) +fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +fs_read_nsfs_files(ifconfig_t) +fs_mount_nsfs(ifconfig_t) +fs_unmount_nsfs(ifconfig_t) selinux_dontaudit_getattr_fs(ifconfig_t) @@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) -files_dontaudit_read_root_files(ifconfig_t) +auth_use_nsswitch(ifconfig_t) init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) +init_rw_inherited_script_tmp_files(ifconfig_t) libs_read_lib_files(ifconfig_t) logging_send_syslog_msg(ifconfig_t) -miscfiles_read_localization(ifconfig_t) - -modutils_domtrans_insmod(ifconfig_t) - seutil_use_runinit_fds(ifconfig_t) +sysnet_dns_name_resolve(ifconfig_t) sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) +sysnet_filetrans_named_content_ifconfig(ifconfig_t) -userdom_use_user_terminals(ifconfig_t) +userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) +optional_policy(` + hostname_exec(ifconfig_t) +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(ifconfig_t) ') ') +optional_policy(` + brctl_domtrans(ifconfig_t) +') + +optional_policy(` + cfengine_dontaudit_write_log(ifconfig_t) +') + +optional_policy(` + ctdbd_read_lib_files(ifconfig_t) +') + ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit ifconfig_t self:capability sys_module; + optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') @@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` - devicekit_read_pid_files(ifconfig_t) + dnsmasq_domtrans(ifconfig_t) +') + +optional_policy(` + devicekit_dontaudit_read_pid_files(ifconfig_t) ') optional_policy(` @@ -347,10 +465,20 @@ optional_policy(` optional_policy(` ipsec_write_pid(ifconfig_t) ipsec_setcontext_default_spd(ifconfig_t) + ipsec_dontaudit_write_log(ifconfig_t) ') optional_policy(` - nis_use_ypbind(ifconfig_t) + kdump_dontaudit_read_config(ifconfig_t) + kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t) +') + +optional_policy(` + libs_exec_ldconfig(ifconfig_t) +') + +optional_policy(` + modutils_domtrans_insmod(ifconfig_t) ') optional_policy(` @@ -371,3 +499,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') + +optional_policy(` + iptables_domtrans(ifconfig_t) +') + +optional_policy(` + tlp_manage_pid_files(ifconfig_t) +') + +optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 index 000000000..67ab548ba --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,71 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) + +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0) + +/usr/lib/systemd/systemd-bootchart -- gen_context(system_u:object_r:systemd_bootchart_exec_t,s0) + +/usr/lib/systemd/systemd-initctl -- gen_context(system_u:object_r:systemd_initctl_exec_t,s0) + +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) + +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) +/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0) +/usr/lib/systemd/system/systemd-bootchart.*\.service -- gen_context(system_u:object_r:systemd_bootchart_unit_file_t,s0) + +/usr/lib/systemd/system/.*halt.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*power.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*reboot.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*sleep.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*shutdown.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*suspend.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) +/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) +/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0) +/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0) +/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) +/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) + +/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) +/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) +/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) + +/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) +/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) +/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) + +/var/run/log/bootchart.* -- gen_context(system_u:object_r:systemd_bootchart_var_run_t,s0) + +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 index 000000000..8f75416ce --- /dev/null +++ b/policy/modules/system/systemd.if @@ -0,0 +1,1783 @@ +## SELinux policy for systemd components + +###################################### +## +## Creates types and rules for a basic +## systemd domains. +## +## +## +## Prefix for the domain. +## +## +# +template(`systemd_domain_template',` + gen_require(` + attribute systemd_domain; + ') + + type $1_t, systemd_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + + kernel_read_system_state($1_t) + + auth_use_nsswitch($1_t) +') + +###################################### +## +## Create a domain for processes which are started +## exuting systemctl. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_stub_unit_file',` + gen_require(` + type systemd_unit_file_t; + ') +') + +####################################### +## +## Create a domain for processes which are started +## exuting systemctl. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_systemctl_domain',` + gen_require(` + type systemd_systemctl_exec_t; + role system_r; + attribute systemctl_domain; + ') + + type $1_systemctl_t, systemctl_domain; + domain_type($1_systemctl_t) + domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) + + role system_r types $1_systemctl_t; + + domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) +') + +######################################## +## +## Execute systemctl in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_exec_systemctl',` + gen_require(` + type systemd_systemctl_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, systemd_systemctl_exec_t) + + fs_list_cgroup_dirs($1) + fs_read_cgroup_files($1) + systemd_list_unit_dirs($1) + init_list_pid_dirs($1) + init_read_state($1) + init_stream_send($1) + init_stream_connect($1) + + systemd_login_list_pid_dirs($1) + systemd_login_read_pid_files($1) + systemd_passwd_agent_exec($1) + + dontaudit $1 self:capability net_admin; +') + +####################################### +## +## Create a file type used for systemd unit files. +## +## +## +## Type to be used for an unit file. +## +## +# +interface(`systemd_unit_file',` + gen_require(` + attribute systemd_unit_file_type; + ') + + typeattribute $1 systemd_unit_file_type; + files_type($1) +') + +###################################### +## +## Allow domain to search systemd unit dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_search_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir search_dir_perms; +') + +###################################### +## +## Allow domain to list systemd unit dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_list_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir list_dir_perms; +') + +###################################### +## +## Allow domain to list systemd unit dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_create_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir create; +') + +##################################### +## +## Allow domain to getattr all systemd unit files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_getattr_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + files_search_var_lib($1) + getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +##################################### +## +## Allow domain to getattr all systemd unit directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_getattr_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + allow $1 systemd_unit_file_type:dir getattr; +') + +###################################### +## +## Allow domain to read all systemd unit files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + files_search_var_lib($1) + allow $1 systemd_unit_file_type:file read_file_perms; + allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms; + allow $1 systemd_unit_file_type:dir list_dir_perms; +') + +##################################### +## +## Dontaudit domain to read all systemd unit files. +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_dontaudit_read_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + dontaudit $1 systemd_unit_file_type:file read_file_perms; +') + +###################################### +## +## Read systemd_login PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_read_pid_files',` + gen_require(` + type systemd_logind_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) +') + +###################################### +## +## Read systemd_resolved PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_resolved_read_pid',` + gen_require(` + type systemd_resolved_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) + read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +') + +###################################### +## +## Read systemd_login PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_manage_pid_files',` + gen_require(` + type systemd_logind_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") +') + +###################################### +## +## Read systemd_login PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_list_pid_dirs',` + gen_require(` + type systemd_logind_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) +') + +###################################### +## +## Use and and inherited systemd +## logind file descriptors. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_use_fds_logind',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:fd use; +') + +###################################### +## +## Read logind sessions files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_logind_sessions_files',` + gen_require(` + type systemd_logind_sessions_t; + ') + + init_search_pid_dirs($1) + allow $1 systemd_logind_sessions_t:dir list_dir_perms; + read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t) +') + +###################################### +## +## Write inherited logind sessions pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_write_inherited_logind_sessions_pipes',` + gen_require(` + type systemd_logind_sessions_t; + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:fd use; + allow $1 systemd_logind_sessions_t:fifo_file write; +') + +###################################### +## +## Dontaudit attempts to write inherited logind sessions pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` + gen_require(` + type systemd_logind_sessions_t; + ') + + dontaudit $1 systemd_logind_sessions_t:fifo_file write; +') + +###################################### +## +## Write systemd inhibit pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_write_inhibit_pipes',` + gen_require(` + type systemd_logind_inhibit_var_run_t; + ') + + allow $1 systemd_logind_inhibit_var_run_t:fifo_file write; +') + +######################################## +## +## Send and receive messages from +## systemd logind over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_logind',` + gen_require(` + type systemd_logind_t; + class dbus send_msg; + ') + + allow $1 systemd_logind_t:dbus send_msg; + allow systemd_logind_t $1:dbus send_msg; + ps_process_pattern(systemd_logind_t, $1) + allow systemd_logind_t $1:process signal; + allow $1 systemd_logind_t:fd use; +') + +####################################### +## +## Execute a domain transition to run systemd-sysctl. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_domtrans_sysctl',` + gen_require(` + type systemd_sysctl_t, systemd_sysctl_exec_t; + ') + + domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t) +') + +####################################### +## +## Allow a domain to execute systemd-sysctl in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_exec_sysctl',` + gen_require(` + type systemd_sysctl_exec_t; + ') + + can_exec($1,systemd_sysctl_exec_t) + +') + +####################################### +## +## Execute a domain transition to run systemd-tmpfiles. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_tmpfiles_domtrans',` + gen_require(` + type systemd_tmpfiles_t, systemd_tmpfiles_exec_t; + ') + + domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t) +') + +####################################### +## +## Execute a domain transition to run systemd-localed. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_localed_domtrans',` + gen_require(` + type systemd_localed_t, systemd_localed_exec_t; + ') + + domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t) +') + +######################################## +## +## Execute a domain transition to run systemd-tty-ask-password-agent. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_passwd_agent_domtrans',` + gen_require(` + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; + ') + + domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) +') + +####################################### +## +## Execute systemd-tty-ask-password-agent in the caller domain +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_passwd_agent_exec',` + gen_require(` + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; + ') + + can_exec($1, systemd_passwd_agent_exec_t) + systemd_manage_passwd_run($1) +') + +######################################## +## +## Execute a domain transition to run systemd_rfkill. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_rfkill_domtrans',` + gen_require(` + type systemd_rfkill_t, systemd_rfkill_exec_t; + ') + + domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t) +') + +######################################## +## +## Execute a domain transition to run systemd_notify. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_notify_domtrans',` + gen_require(` + type systemd_notify_t, systemd_notify_exec_t; + ') + + domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t) +') + +######################################## +## +## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and +## allow the specified role the systemd_passwd_agent domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the systemd_passwd_agent domain. +## +## +# +interface(`systemd_passwd_agent_run',` + gen_require(` + type systemd_passwd_agent_t; + ') + + systemd_passwd_agent_domtrans($1) + role $2 types systemd_passwd_agent_t; +') + +######################################## +## +## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and +## allow the specified role the systemd_tmpfiles domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the systemd_tmpfiles domain. +## +## +# +interface(`systemd_tmpfiles_run',` + gen_require(` + type systemd_tmpfiles_t; + ') + + systemd_tmpfiles_domtrans($1) + role $2 types systemd_tmpfiles_t; +') + +######################################## +## +## Role access for systemd_passwd_agent +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`systemd_passwd_agent_role',` + gen_require(` + type systemd_passwd_agent_t; + ') + + role $1 types systemd_passwd_agent_t; + + systemd_passwd_agent_domtrans($2) + + ps_process_pattern($2, systemd_passwd_agent_t) + allow $2 systemd_passwd_agent_t:process signal; +') + +######################################## +## +## Send generic signals to systemd_passwd_agent processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_signal_passwd_agent',` + gen_require(` + type systemd_passwd_agent_t; + ') + + allow $1 systemd_passwd_agent_t:process signal; +') + +###################################### +## +## Allow to domain to read systemd-passwd pipe +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_fifo_file_passwd_run',` + gen_require(` + type systemd_passwd_var_run_t; + ') + + init_search_pid_dirs($1) + read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) +') + +######################################## +## +## Relabel to user home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabelto_fifo_file_passwd_run',` + gen_require(` + type systemd_passwd_var_run_t; + ') + + allow $1 systemd_passwd_var_run_t:fifo_file relabelto; +') + +####################################### +## +## Relabel systemd unit directories +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabel_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +####################################### +## +## Relabel systemd unit files +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabel_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +####################################### +## +## Send generic signals to systemd_passwd_agent processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_passwd_run',` + gen_require(` + type systemd_passwd_agent_t; + type systemd_passwd_var_run_t; + ') + + init_search_pid_dirs($1) + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + + allow systemd_passwd_agent_t $1:process signull; + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; +') + +###################################### +## +## Template for temporary sockets and files in /dev/.systemd/ask-password +## which are used by systemd-passwd-agent +## +## +## +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## +## +# +interface(`systemd_passwd_agent_dev_template',` + gen_require(` + type systemd_passwd_agent_t; + ') + + type systemd_$1_device_t; + files_type(systemd_$1_device_t) + dev_associate(systemd_$1_device_t) + + dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) + init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) + allow $1_t systemd_$1_device_t:file manage_file_perms; + allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; + + allow systemd_passwd_agent_t $1_t:process signull; + allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto; + allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write; + allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms; +') + +######################################## +## +## Allow the specified domain to connect to +## systemd_logger with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_logger_stream_connect',` + gen_require(` + type systemd_logger_t; + ') + + allow $1 systemd_logger_t:unix_stream_socket connectto; +') + +######################################## +## +## manage systemd unit dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_unit_dirs',` + gen_require(` + attribute systemd_unit_file_type; + ') + + manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +######################################## +## +## manage systemd unit link files +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_unit_symlinks',` + gen_require(` + attribute systemd_unit_file_type; + ') + + manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +######################################## +## +## manage all systemd unit files +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_all_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) + manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +######################################## +## +## manage all systemd unit lnk_files +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_all_unit_lnk_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type) +') + +######################################## +## +## Allow the specified domain to start all systemd services. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_start_all_services',` + gen_require(` + attribute systemd_unit_file_type; + ') + + allow $1 systemd_unit_file_type:service start; +') + +####################################### +## +## Allow the specified domain to reload all systemd services. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_reload_all_services',` + gen_require(` + attribute systemd_unit_file_type; + ') + + allow $1 systemd_unit_file_type:service reload; +') + +######################################## +## +## Allow the specified domain to modify the systemd configuration of +## all systemd services +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_config_all_services',` + gen_require(` + attribute systemd_unit_file_type; + ') + + allow $1 systemd_unit_file_type:service all_service_perms; + init_config_all_script_files($1) +') + +######################################## +## +## Allow the specified domain to start systemd services. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_start_systemd_services',` + gen_require(` + type systemd_unit_file_t; + ') + + allow $1 systemd_unit_file_t:service start; +') + +####################################### +## +## Allow the specified domain to reload all systemd services. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_reload_systemd_services',` + gen_require(` + type systemd_unit_file_t; + ') + + allow $1 systemd_unit_file_t:service reload; +') + +######################################## +## +## Allow the specified domain to modify the systemd configuration of +## all systemd services +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_config_systemd_services',` + gen_require(` + type systemd_unit_file_t; + ') + + allow $1 systemd_unit_file_t:service all_service_perms; + init_config_all_script_files($1) +') + +######################################## +## +## manage all systemd random seed file +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_random_seed',` + gen_require(` + type random_seed_t; + ') + + allow $1 random_seed_t:file manage_file_perms; + files_var_lib_filetrans($1, random_seed_t, file, "random_seed") +') + +######################################## +## +## Allow process to read hostname config file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_hostnamed_read_config',` + gen_require(` + type hostname_etc_t; + ') + + files_search_etc($1) + allow $1 hostname_etc_t:file read_file_perms; +') + +######################################## +## +## Allow process to manage hostname config file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_hostnamed_manage_config',` + gen_require(` + type hostname_etc_t; + ') + + files_search_etc($1) + allow $1 hostname_etc_t:file manage_file_perms; + files_etc_filetrans($1, hostname_etc_t, file, "hostname") +') + +####################################### +## +## Create objects in /run/systemd/generator directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`systemd_unit_file_filetrans',` + gen_require(` + type systemd_unit_file_t; + ') + + files_search_pids($1) + filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4) +') + +####################################### +## +## Create a directory in the /usr/lib/systemd/system directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_create_unit_file_dirs',` + gen_require(` + type systemd_unit_file_t; + ') + + create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t) +') + +####################################### +## +## Create a link in the /usr/lib/systemd/system directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_create_unit_file_lnk',` + gen_require(` + type systemd_unit_file_t; + ') + + create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) +') + +######################################## +## +## Transition to systemd named content +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_filetrans_named_content',` + gen_require(` + type systemd_passwd_var_run_t; + type systemd_logind_var_run_t; + type hostname_etc_t; + type systemd_home_t; + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) + files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) +') + +######################################## +## +## read systemd homedir content +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_home_content',` + gen_require(` + type systemd_home_t; + ') + + optional_policy(` + gnome_search_gconf_data_dir($1) + ') + read_files_pattern($1, systemd_home_t, systemd_home_t) + read_lnk_files_pattern($1, systemd_home_t, systemd_home_t) +') + +######################################## +## +## Manage systemd homedir content +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_home_content',` + gen_require(` + type systemd_home_t; + ') + + optional_policy(` + gnome_search_gconf_data_dir($1) + ') + manage_dirs_pattern($1, systemd_home_t, systemd_home_t) + manage_files_pattern($1, systemd_home_t, systemd_home_t) + manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t) + + systemd_filetrans_home_content($1) +') + +######################################## +## +## Transition to systemd named content +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_filetrans_home_content',` + gen_require(` + type systemd_home_t; + ') + + optional_policy(` + gnome_data_filetrans($1, systemd_home_t, dir, "systemd") + ') +') + +######################################## +## +## Transition to systemd named content for /etc/hostname +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_filetrans_named_hostname',` + gen_require(` + type hostname_etc_t; + ') + + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) + files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) +') + +######################################## +## +## Get the system status information from systemd_login +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_status',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:system status; +') + +######################################## +## +## Send systemd_login a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_signull',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:process signull; +') + +######################################## +## +## Tell systemd_login to reboot the system. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_reboot',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:system reboot; +') + +######################################## +## +## Tell systemd_login to halt the system. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_halt',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:system halt; +') + +######################################## +## +## Tell systemd_login to do an unknown access. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_login_undefined',` + gen_require(` + type systemd_logind_t; + ') + + allow $1 systemd_logind_t:system undefined; +') + +######################################## +## +## Configure generic unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_config_generic_services',` + gen_require(` + type systemd_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_unit_file_t:file read_file_perms; + allow $1 systemd_unit_file_t:service manage_service_perms; +') + +######################################## +## +## Configure power unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_config_power_services',` + gen_require(` + type power_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 power_unit_file_t:file read_file_perms; + allow $1 power_unit_file_t:service manage_service_perms; +') + +######################################## +## +## Start power unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_start_power_services',` + gen_require(` + type power_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 power_unit_file_t:service start; +') + +######################################## +## +## Status power unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_status_power_services',` + gen_require(` + type power_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 power_unit_file_t:service status; +') + +####################################### +## +## Start power unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_start_all_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_unit_file_type:service start; +') + +####################################### +## +## Start power unit files domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`systemd_status_all_unit_files',` + gen_require(` + attribute systemd_unit_file_type; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_unit_file_type:service status; +') + +######################################## +## +## Send and receive messages from +## systemd timedated over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_timedated',` + gen_require(` + type systemd_timedated_t; + class dbus send_msg; + ') + + allow $1 systemd_timedated_t:dbus send_msg; + allow systemd_timedated_t $1:dbus send_msg; + ps_process_pattern(systemd_timedated_t, $1) +') + +######################################## +## +## Send and receive messages from +## systemd hostnamed over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_hostnamed',` + gen_require(` + type systemd_hostnamed_t; + class dbus send_msg; + ') + + allow $1 systemd_hostnamed_t:dbus send_msg; + allow systemd_hostnamed_t $1:dbus send_msg; + ps_process_pattern(systemd_hostnamed_t, $1) +') + +######################################## +## +## Send and receive messages from +## systemd localed over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_localed',` + gen_require(` + type systemd_localed_t; + class dbus send_msg; + ') + + allow $1 systemd_localed_t:dbus send_msg; + allow systemd_localed_t $1:dbus send_msg; + ps_process_pattern(systemd_localed_t, $1) +') + +######################################## +## +## Dontaudit attempts to send dbus domains chat messages +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_dontaudit_dbus_chat',` + gen_require(` + attribute systemd_domain; + class dbus send_msg; + ') + + dontaudit $1 systemd_domain:dbus send_msg; +') + +###################################### +## +## Read systemd-machined PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_read_pid_files',` + gen_require(` + type systemd_machined_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) + read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) +') + +###################################### +## +## Manage systemd-machined PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_manage_pid_files',` + gen_require(` + type systemd_machined_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) + manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) +') + +###################################### +## +## List systemd-machined PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_list_pid_dirs',` + gen_require(` + type systemd_machined_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t) +') + + + +######################################## +## +## Search systemd-machined lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_search_lib',` + gen_require(` + type systemd_machined_var_lib_t; + ') + + allow $1 systemd_machined_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read systemd-machined lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_read_lib_files',` + gen_require(` + type systemd_machined_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +') + +######################################## +## +## Manage systemd-machined lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_machined_manage_lib_files',` + gen_require(` + type systemd_machined_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +') + +######################################## +## +## Send and receive messages from +## systemd machined over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_dbus_chat_machined',` + gen_require(` + type systemd_machined_t; + class dbus send_msg; + ') + + allow $1 systemd_machined_t:dbus send_msg; + allow systemd_machined_t $1:dbus send_msg; + ps_process_pattern(systemd_machined_t, $1) +') + + +######################################## +## +## Allow process to mmap hwdb config file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_hwdb_mmap_config',` + gen_require(` + type systemd_hwdb_etc_t; + ') + + allow $1 systemd_hwdb_etc_t:file map; +') + +######################################## +## +## Allow process to manage hwdb config file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_hwdb_manage_config',` + gen_require(` + type systemd_hwdb_etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) + mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) + allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; + files_etc_filetrans($1, systemd_hwdb_etc_t, file) +') + +######################################## +## +## Mmap systemd_networkd_exec_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_map_networkd_exec_files',` + gen_require(` + type systemd_networkd_exec_t; + ') + + allow $1 systemd_networkd_exec_t:file map; +') + +######################################## +## +## Allow process to read hwdb config file. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_hwdb_read_config',` + gen_require(` + type systemd_hwdb_etc_t; + ') + + files_search_etc($1) + allow $1 systemd_hwdb_etc_t:file read_file_perms; +') \ No newline at end of file diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 index 000000000..3cf2e1230 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,919 @@ +policy_module(systemd, 1.0.0) + +####################################### +# +# Declarations +# + +attribute systemd_unit_file_type; +attribute systemd_domain; +attribute systemctl_domain; + +systemd_domain_template(systemd_logger) +systemd_domain_template(systemd_logind) + +# /run/systemd/sessions +type systemd_logind_sessions_t; +files_pid_file(systemd_logind_sessions_t) + +type systemd_logind_var_lib_t; +files_type(systemd_logind_var_lib_t) + +# /run/systemd/{seats, users} +type systemd_logind_var_run_t; +files_pid_file(systemd_logind_var_run_t) + +type systemd_logind_inhibit_var_run_t; +files_pid_file(systemd_logind_inhibit_var_run_t) + +type systemd_home_t; +userdom_user_home_content(systemd_home_t) + +type random_seed_t; +files_security_file(random_seed_t) +files_mountpoint(random_seed_t) + +systemd_domain_template(systemd_hwdb) + +type systemd_hwdb_unit_file_t; +systemd_unit_file(systemd_hwdb_unit_file_t) + +systemd_domain_template(systemd_networkd) + +type systemd_networkd_unit_file_t; +systemd_unit_file(systemd_networkd_unit_file_t) + +type systemd_networkd_var_run_t; +files_pid_file(systemd_networkd_var_run_t) + +systemd_domain_template(systemd_initctl) + +systemd_domain_template(systemd_bootchart) + +type systemd_bootchart_unit_file_t; +systemd_unit_file(systemd_bootchart_unit_file_t) + +type systemd_bootchart_var_run_t; +files_pid_file(systemd_bootchart_var_run_t) + +type systemd_bootchart_tmpfs_t; +files_tmpfs_file(systemd_bootchart_tmpfs_t) + +systemd_domain_template(systemd_resolved) + +type systemd_resolved_var_run_t; +files_pid_file(systemd_resolved_var_run_t) + +type systemd_resolved_unit_file_t; +systemd_unit_file(systemd_resolved_unit_file_t) + +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + +systemd_domain_template(systemd_passwd_agent) + +type systemd_passwd_var_run_t alias systemd_device_t; +files_pid_file(systemd_passwd_var_run_t) + +# domain for systemd-tmpfiles component +systemd_domain_template(systemd_tmpfiles) +systemd_domain_template(systemd_notify) + +# type for systemd unit files +type systemd_unit_file_t; +systemd_unit_file(systemd_unit_file_t) + +type systemd_runtime_unit_file_t; +systemd_unit_file(systemd_runtime_unit_file_t) + +type power_unit_file_t; +systemd_unit_file(power_unit_file_t) + +type systemd_vconsole_unit_file_t; +systemd_unit_file(systemd_vconsole_unit_file_t) + +# executable for systemctl +type systemd_systemctl_exec_t; +corecmd_executable_file(systemd_systemctl_exec_t) + +systemd_domain_template(systemd_localed) +systemd_domain_template(systemd_hostnamed) + +type hostname_etc_t; +files_config_file(hostname_etc_t) + +type systemd_hwdb_etc_t; +files_config_file(systemd_hwdb_etc_t) + +systemd_domain_template(systemd_timedated) +typeattribute systemd_timedated_t systemd_domain; +typealias systemd_timedated_t alias gnomeclock_t; + +type systemd_timedated_unit_file_t; +systemd_unit_file(systemd_timedated_unit_file_t) + +systemd_domain_template(systemd_sysctl) + +type systemd_gpt_generator_unit_file_t; +systemd_unit_file(systemd_gpt_generator_unit_file_t) + +#domain for systemd-machined +systemd_domain_template(systemd_machined) + +type systemd_machined_unit_file_t; +systemd_unit_file(systemd_machined_unit_file_t) + +# /run/systemd/machines +type systemd_machined_var_run_t; +files_pid_file(systemd_machined_var_run_t) + +# /var/lib/machines +type systemd_machined_var_lib_t; +files_type(systemd_machined_var_lib_t) + +####################################### +# +# Systemd_logind local policy +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) +allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin }; +allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; + +mls_file_read_all_levels(systemd_logind_t) +mls_file_write_all_levels(systemd_logind_t) +mls_dbus_send_all_levels(systemd_logind_t) + +files_delete_tmpfs_files(systemd_logind_t) + +fs_mount_tmpfs(systemd_logind_t) +fs_unmount_tmpfs(systemd_logind_t) +fs_list_tmpfs(systemd_logind_t) +fs_manage_fusefs_dirs(systemd_logind_t) +fs_manage_fusefs_files(systemd_logind_t) + +manage_dirs_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) +manage_files_pattern(systemd_logind_t, systemd_logind_var_lib_t, systemd_logind_var_lib_t) +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir, "linger") + +manage_dirs_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_sessions_t systemd_logind_var_run_t }) +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t }) +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t }) +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions") +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) +files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin") + +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) +manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) +manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) + +corenet_tcp_bind_dhcpd_port(systemd_logind_t) +corenet_tcp_bind_pki_ca_port(systemd_logind_t) +corenet_tcp_bind_flash_port(systemd_logind_t) + +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) +dev_rw_dri(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) +dev_setattr_input_dev(systemd_logind_t) +dev_setattr_kvm_dev(systemd_logind_t) +dev_setattr_mouse_dev(systemd_logind_t) +dev_setattr_sound_dev(systemd_logind_t) +dev_setattr_video_dev(systemd_logind_t) +dev_write_kmsg(systemd_logind_t) + +domain_read_all_domains_state(systemd_logind_t) +domain_signal_all_domains(systemd_logind_t) +domain_signull_all_domains(systemd_logind_t) +domain_kill_all_domains(systemd_logind_t) +domain_destroy_all_semaphores(systemd_logind_t) + +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf + +# /sys/fs/cgroup/systemd/user +fs_manage_cgroup_dirs(systemd_logind_t) +# write getattr open setattr +fs_manage_cgroup_files(systemd_logind_t) +fs_getattr_tmpfs(systemd_logind_t) +fs_read_tmpfs_symlinks(systemd_logind_t) +fs_mount_tmpfs(systemd_logind_t) +userdom_mounton_tmp_dirs(systemd_logind_t) + +storage_setattr_removable_dev(systemd_logind_t) +storage_setattr_scsi_generic_dev(systemd_logind_t) + +term_use_unallocated_ttys(systemd_logind_t) + +init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") + +init_status(systemd_logind_t) +init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) +init_halt(systemd_logind_t) +init_undefined(systemd_logind_t) +init_signal_script(systemd_logind_t) + +getty_systemctl(systemd_logind_t) + +systemd_config_generic_services(systemd_logind_t) + +# /run/user/.* +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) +auth_use_nsswitch(systemd_logind_t) + +authlogin_read_state(systemd_logind_t) + +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) + +udev_read_db(systemd_logind_t) +udev_manage_rules_files(systemd_logind_t) + +userdom_destroy_unpriv_user_shared_mem(systemd_logind_t) +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) +userdom_manage_tmp_role(system_r, systemd_logind_t) +userdom_manage_tmpfs_role(system_r, systemd_logind_t) + +xserver_dbus_chat(systemd_logind_t) + +optional_policy(` + apache_read_tmp_files(systemd_logind_t) +') + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) + cron_read_state_crond(systemd_logind_t) +') + +optional_policy(` + dbus_connect_system_bus(systemd_logind_t) + dbus_system_bus_client(systemd_logind_t) +') + +optional_policy(` + devicekit_dbus_chat_power(systemd_logind_t) + devicekit_dbus_chat_disk(systemd_logind_t) +') + +optional_policy(` + # we label /run/user/$USER/dconf as config_home_t + gnome_manage_home_config_dirs(systemd_logind_t) + gnome_manage_home_config(systemd_logind_t) + gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t) + gnome_manage_gstreamer_home_dirs(systemd_logind_t) +') + +optional_policy(` + nis_use_ypbind(systemd_logind_t) +') + +optional_policy(` + rpm_dbus_chat(systemd_logind_t) +') + +optional_policy(` + # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file + xserver_search_xdm_tmp_dirs(systemd_logind_t) +') + +######################################## +# +# systemd_machined local policy +# + +allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace }; +allow systemd_machined_t systemd_unit_file_t:service { status start }; +allow systemd_machined_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) +manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) +manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) +init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines") + +manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") + +kernel_dgram_send(systemd_machined_t) +# This is a bug, but need for now. +kernel_read_unlabeled_state(systemd_machined_t) + +init_dbus_chat(systemd_machined_t) +init_status(systemd_machined_t) + +userdom_dbus_send_all_users(systemd_machined_t) + +term_use_ptmx(systemd_machined_t) + +optional_policy(` + dbus_connect_system_bus(systemd_machined_t) + dbus_system_bus_client(systemd_machined_t) +') + +optional_policy(` + container_read_share_files(systemd_machined_t) + container_spc_read_state(systemd_machined_t) +') + +optional_policy(` + virt_dbus_chat(systemd_machined_t) + virt_sandbox_read_state(systemd_machined_t) + virt_signal_sandbox(systemd_machined_t) + virt_stream_connect_sandbox(systemd_machined_t) + virt_rw_svirt_dev(systemd_machined_t) + virt_getattr_sandbox_filesystem(systemd_machined_t) + virt_read_sandbox_files(systemd_machined_t) +') + +####################################### +# +# systemd-networkd local policy +# + +allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap }; +allow systemd_networkd_t self:process { getcap setcap }; + +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; +allow systemd_networkd_t self:packet_socket create_socket_perms; +allow systemd_networkd_t self:udp_socket create_socket_perms; +allow systemd_networkd_t self:rawip_socket create_socket_perms; +allow systemd_networkd_t self:tun_socket { relabelfrom relabelto create_socket_perms }; + +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + +kernel_dgram_send(systemd_networkd_t) +kernel_request_load_module(systemd_networkd_t) +kernel_rw_net_sysctls(systemd_networkd_t) + +corenet_rw_tun_tap_dev(systemd_networkd_t) +corenet_tcp_bind_all_nodes(systemd_networkd_t) +corenet_udp_bind_all_nodes(systemd_networkd_t) +corenet_tcp_bind_dhcpc_port(systemd_networkd_t) +corenet_udp_bind_dhcpc_port(systemd_networkd_t) + +dev_read_sysfs(systemd_networkd_t) +dev_write_kmsg(systemd_networkd_t) + +auth_use_nsswitch(systemd_networkd_t) + +logging_send_syslog_msg(systemd_networkd_t) + +sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t) + +init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif") + +optional_policy(` + dbus_system_bus_client(systemd_networkd_t) + dbus_connect_system_bus(systemd_networkd_t) +') + +optional_policy(` + udev_read_db(systemd_networkd_t) +') + +optional_policy(` + unconfined_dbus_send(systemd_networkd_t) +') + +####################################### +# +# Local policy +# + +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file }) + +domain_read_all_domains_state(systemd_passwd_agent_t) + +kernel_stream_connect(systemd_passwd_agent_t) + +dev_create_generic_dirs(systemd_passwd_agent_t) +dev_read_generic_files(systemd_passwd_agent_t) +dev_write_generic_sock_files(systemd_passwd_agent_t) +dev_write_kmsg(systemd_passwd_agent_t) + +term_read_console(systemd_passwd_agent_t) + +auth_use_nsswitch(systemd_passwd_agent_t) + +init_create_pid_dirs(systemd_passwd_agent_t) +init_rw_pipes(systemd_passwd_agent_t) +init_read_utmp(systemd_passwd_agent_t) +init_stream_connect(systemd_passwd_agent_t) + +logging_send_syslog_msg(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) +userdom_use_user_ttys(systemd_passwd_agent_t) + +optional_policy(` + lvm_signull(systemd_passwd_agent_t) +') + +optional_policy(` + plymouthd_stream_connect(systemd_passwd_agent_t) +') + +####################################### +# +# Local policy +# + +allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; + +kernel_read_network_state(systemd_tmpfiles_t) +kernel_request_load_module(systemd_tmpfiles_t) +kernel_relabelto_usermodehelper(systemd_tmpfiles_t) + +dev_write_kmsg(systemd_tmpfiles_t) +dev_rw_sysfs(systemd_tmpfiles_t) +dev_relabel_all_sysfs(systemd_tmpfiles_t) +dev_relabel_cpu_online(systemd_tmpfiles_t) +dev_read_cpu_online(systemd_tmpfiles_t) +dev_manage_all_dev_nodes(systemd_tmpfiles_t) +dev_relabel_all_dev_nodes(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev +fs_manage_tmpfs_dirs(systemd_tmpfiles_t) +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) +fs_list_all(systemd_tmpfiles_t) + +files_manage_non_auth_files(systemd_tmpfiles_t) +files_relabel_non_auth_files(systemd_tmpfiles_t) +files_list_lost_found(systemd_tmpfiles_t) +files_map_system_db_files(systemd_tmpfiles_t) + +mls_file_read_all_levels(systemd_tmpfiles_t) +mls_file_write_all_levels(systemd_tmpfiles_t) +mls_file_upgrade(systemd_tmpfiles_t) + +selinux_get_enforce_mode(systemd_tmpfiles_t) +selinux_setcheckreqprot(systemd_tmpfiles_t) + +auth_manage_faillog(systemd_tmpfiles_t) +auth_relabel_faillog(systemd_tmpfiles_t) +auth_manage_var_auth(systemd_tmpfiles_t) +auth_manage_login_records(systemd_tmpfiles_t) +auth_relabel_var_auth_dirs(systemd_tmpfiles_t) +auth_relabel_login_records(systemd_tmpfiles_t) +auth_setattr_login_records(systemd_tmpfiles_t) +auth_use_nsswitch(systemd_tmpfiles_t) + +init_dgram_send(systemd_tmpfiles_t) +init_rw_stream_sockets(systemd_tmpfiles_t) + +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) +logging_setattr_all_log_dirs(systemd_tmpfiles_t) +logging_relabel_all_log_dirs(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) +miscfiles_relabel_man_pages(systemd_tmpfiles_t) +miscfiles_delete_man_pages(systemd_tmpfiles_t) + +ifdef(`distro_redhat',` + userdom_list_user_home_content(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t) + userdom_delete_admin_home_files(systemd_tmpfiles_t) +') + +optional_policy(` + apache_delete_sys_content_rw(systemd_tmpfiles_t) + apache_list_cache(systemd_tmpfiles_t) + apache_delete_cache_dirs(systemd_tmpfiles_t) + apache_delete_cache_files(systemd_tmpfiles_t) + apache_setattr_cache_dirs(systemd_tmpfiles_t) +') + + +optional_policy(` + auth_rw_login_records(systemd_tmpfiles_t) +') + +optional_policy(` + # we have /run/user/$USER/dconf + gnome_delete_home_config(systemd_tmpfiles_t) + gnome_delete_home_config_dirs(systemd_tmpfiles_t) + gnome_setattr_home_config_dirs(systemd_tmpfiles_t) +') + +optional_policy(` + lpd_manage_spool(systemd_tmpfiles_t) + lpd_relabel_spool(systemd_tmpfiles_t) +') + +optional_policy(` + rpm_read_db(systemd_tmpfiles_t) + rpm_delete_db(systemd_tmpfiles_t) +') + +optional_policy(` + sandbox_list(systemd_tmpfiles_t) + sandbox_delete_dirs(systemd_tmpfiles_t) + sandbox_delete_files(systemd_tmpfiles_t) + sandbox_delete_lnk_files(systemd_tmpfiles_t) + sandbox_delete_pipes(systemd_tmpfiles_t) + sandbox_delete_sock_files(systemd_tmpfiles_t) + sandbox_setattr_dirs(systemd_tmpfiles_t) +') + +######################################## +# +# systemd_notify local policy +# +allow systemd_notify_t self:capability chown; +allow systemd_notify_t self:process { fork setfscreate setsockcreate }; + +allow systemd_notify_t self:fifo_file rw_fifo_file_perms; +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_notify_t self:unix_dgram_socket create_socket_perms; + +dev_write_kmsg(systemd_notify_t) + +domain_use_interactive_fds(systemd_notify_t) + +fs_getattr_cgroup_files(systemd_notify_t) + +auth_use_nsswitch(systemd_notify_t) + +init_rw_stream_sockets(systemd_notify_t) + +optional_policy(` + rhcs_read_log_cluster(systemd_notify_t) +') + +optional_policy(` + readahead_manage_pid_files(systemd_notify_t) +') + +######################################## +# +# systemd_logger local policy +# + +allow systemd_logger_t self:capability { sys_admin chown kill }; +allow systemd_logger_t self:process { fork setfscreate setsockcreate }; + +allow systemd_logger_t self:fifo_file rw_fifo_file_perms; +allow systemd_logger_t self:unix_stream_socket create_stream_socket_perms; + +kernel_use_fds(systemd_logger_t) + +dev_write_kmsg(systemd_logger_t) + +domain_use_interactive_fds(systemd_logger_t) + +# only needs write +term_use_generic_ptys(systemd_logger_t) + +auth_use_nsswitch(systemd_logger_t) + +# /run/systemd/notify +init_write_pid_socket(systemd_logger_t) + +logging_send_syslog_msg(systemd_logger_t) + +######################################## +# +# systemd_sysctl domains local policy +# + +allow systemctl_domain systemd_unit_file_type:dir search_dir_perms; + +fs_list_cgroup_dirs(systemctl_domain) +fs_read_cgroup_files(systemctl_domain) + +# needed by systemctl +init_dgram_send(systemctl_domain) +init_stream_connect(systemctl_domain) +init_read_state(systemctl_domain) +init_list_pid_dirs(systemctl_domain) +init_use_fds(systemctl_domain) + +####################################### +# +# Localed policy +# +allow systemd_localed_t self:process setfscreate; +allow systemd_localed_t self:fifo_file rw_fifo_file_perms; +allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_localed_t self:unix_dgram_socket create_socket_perms; + +dev_write_kmsg(systemd_localed_t) + +init_dbus_chat(systemd_localed_t) +init_reload_services(systemd_localed_t) + +logging_stream_connect_syslog(systemd_localed_t) +logging_send_syslog_msg(systemd_localed_t) + +allow systemd_localed_t systemd_vconsole_unit_file_t:service start; + +miscfiles_manage_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t) + +userdom_dbus_send_all_users(systemd_localed_t) + +xserver_manage_config(systemd_localed_t) + +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) + dbus_system_bus_client(systemd_localed_t) +') + +####################################### +# +# Hostnamed policy +# +allow systemd_hostnamed_t self:capability sys_admin; +dontaudit systemd_hostnamed_t self:capability sys_ptrace; + +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" ) +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" ) + +kernel_dgram_send(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t) +kernel_read_sysctl(systemd_hostnamed_t) + +dev_write_kmsg(systemd_hostnamed_t) +dev_read_sysfs(systemd_hostnamed_t) + +init_status(systemd_hostnamed_t) +init_stream_connect(systemd_hostnamed_t) + +logging_send_syslog_msg(systemd_hostnamed_t) + +userdom_read_all_users_state(systemd_hostnamed_t) +userdom_dbus_send_all_users(systemd_hostnamed_t) + +optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) +') + +####################################### +# +# Timedated policy +# + +allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override }; +allow systemd_timedated_t self:process { getattr getsched setfscreate }; +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms; +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms; + +allow systemd_timedated_t systemd_timedated_unit_file_t:service manage_service_perms; + +corecmd_exec_bin(systemd_timedated_t) +corecmd_exec_shell(systemd_timedated_t) +corecmd_dontaudit_access_check_bin(systemd_timedated_t) + +corenet_tcp_connect_time_port(systemd_timedated_t) + +dev_rw_realtime_clock(systemd_timedated_t) +dev_write_kmsg(systemd_timedated_t) +dev_read_sysfs(systemd_timedated_t) + +fs_getattr_xattr_fs(systemd_timedated_t) + +auth_use_nsswitch(systemd_timedated_t) + +init_dbus_chat(systemd_timedated_t) +init_status(systemd_timedated_t) + +logging_send_syslog_msg(systemd_timedated_t) + +miscfiles_manage_localization(systemd_timedated_t) +miscfiles_etc_filetrans_localization(systemd_timedated_t) + +userdom_read_all_users_state(systemd_timedated_t) + +optional_policy(` + chronyd_systemctl(systemd_timedated_t) +') + +optional_policy(` + clock_manage_adjtime(systemd_timedated_t) + clock_filetrans_named_content(systemd_timedated_t) + clock_domtrans(systemd_timedated_t) +') + +optional_policy(` + consolekit_dbus_chat(systemd_timedated_t) +') + +optional_policy(` + consoletype_exec(systemd_timedated_t) +') + +optional_policy(` + dbus_system_bus_client(systemd_timedated_t) + dbus_connect_system_bus(systemd_timedated_t) +') + +optional_policy(` + gnome_manage_usr_config(systemd_timedated_t) + gnome_manage_home_config(systemd_timedated_t) + gnome_manage_home_config_dirs(systemd_timedated_t) +') + +optional_policy(` + ntp_domtrans_ntpdate(systemd_timedated_t) + ntp_initrc_domtrans(systemd_timedated_t) + init_dontaudit_getattr_all_script_files(systemd_timedated_t) + init_dontaudit_getattr_exec(systemd_timedated_t) + ntp_systemctl(systemd_timedated_t) +') + +optional_policy(` + policykit_domtrans_auth(systemd_timedated_t) + policykit_read_lib(systemd_timedated_t) + policykit_read_reload(systemd_timedated_t) +') + +optional_policy(` + xserver_manage_config(systemd_timedated_t) + xserver_read_state_xdm(systemd_timedated_t) +') + +######################################## +# +# systemd_sysctl domains local policy +# +allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_rawio sys_resource }; +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; +kernel_dgram_send(systemd_sysctl_t) +kernel_request_load_module(systemd_sysctl_t) +kernel_rw_all_sysctls(systemd_sysctl_t) +kernel_write_security_state(systemd_sysctl_t) + +files_read_system_conf_files(systemd_sysctl_t) + +dev_write_kmsg(systemd_sysctl_t) + +domain_use_interactive_fds(systemd_sysctl_t) + +init_stream_connect(systemd_sysctl_t) + +logging_send_syslog_msg(systemd_sysctl_t) + + +####################################### +# +# systemd_hwdb domain +# + +manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t) +allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto}; +files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file) + +####################################### +# +# systemd_resolved domain +# + +allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; +allow systemd_resolved_t self:process setcap; +allow systemd_resolved_t self:tcp_socket { accept listen }; +allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; +allow systemd_resolved_t self:netlink_route_socket create_socket_perms; + +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) +init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir) + +list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +read_files_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + +kernel_dgram_send(systemd_resolved_t) +kernel_read_net_sysctls(systemd_resolved_t) + +auth_read_passwd(systemd_resolved_t) + +corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t) + +dev_write_kmsg(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t) + +sysnet_manage_config(systemd_resolved_t) + +userdom_dbus_send_all_users(systemd_resolved_t) + +optional_policy(` + dbus_system_bus_client(systemd_resolved_t) + dbus_connect_system_bus(systemd_resolved_t) +') + +######################################## +# +# Common rules for systemd domains +# +allow systemd_domain self:process { setfscreate signal_perms }; +dontaudit systemd_domain self:capability net_admin; + +dev_read_urand(systemd_domain) + +fs_search_all(systemd_domain) + +files_read_etc_files(systemd_domain) +files_read_etc_runtime_files(systemd_domain) +files_read_usr_files(systemd_domain) + +init_search_pid_dirs(systemd_domain) +init_start_transient_unit(systemd_domain) +init_stop_transient_unit(systemd_domain) +init_status_transient_unit(systemd_domain) +init_reload_transient_unit(systemd_domain) +init_read_state(systemd_domain) + +logging_stream_connect_syslog(systemd_domain) + +seutil_read_config(systemd_domain) +seutil_read_file_contexts(systemd_domain) + +optional_policy(` + lvm_read_state(systemd_domain) +') + +optional_policy(` + policykit_dbus_chat(systemd_domain) +') + +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) + + +####################################### +# +# systemd_modules_load domain +# + +allow systemd_bootchart_t self:capability2 wake_alarm; +allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_bootchart_t) +kernel_rw_kernel_sysctl(systemd_bootchart_t) +dev_list_sysfs(systemd_bootchart_t) + +domain_read_all_domains_state(systemd_bootchart_t) + +manage_files_pattern(systemd_bootchart_t, systemd_bootchart_var_run_t, systemd_bootchart_var_run_t) +logging_syslogd_pid_filetrans(systemd_bootchart_t, systemd_bootchart_var_run_t, file) + +manage_files_pattern(systemd_bootchart_t, systemd_bootchart_tmpfs_t, systemd_bootchart_tmpfs_t) +fs_tmpfs_filetrans(systemd_bootchart_t, systemd_bootchart_tmpfs_t, file ) + +####################################### +# +# systemd_modules_load domain +# +allow systemd_initctl_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_initctl_t) + +init_rw_initctl(systemd_initctl_t) +init_stream_connectto(systemd_initctl_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e09..49fd32e17 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,8 @@ -/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) -/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) -/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) +/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + +/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0) +/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0) +/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0) /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) @@ -10,6 +12,7 @@ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) +/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ifdef(`distro_debian',` /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -27,11 +30,23 @@ ifdef(`distro_redhat',` ') /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) - -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + +/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) + +/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 9a1650d37..d7e8a0193 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` ') domtrans_pattern($1, udev_exec_t, udev_t) + allow $1 udev_t:process noatsecure; ') ######################################## @@ -88,8 +89,7 @@ interface(`udev_read_state',` ') kernel_search_proc($1) - allow $1 udev_t:file read_file_perms; - allow $1 udev_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, udev_t) ') ######################################## @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',` # interface(`udev_dontaudit_search_db',` gen_require(` - type udev_tbl_t; + type udev_var_run_t; ') - dontaudit $1 udev_tbl_t:dir search_dir_perms; + dontaudit $1 udev_var_run_t:dir search_dir_perms; ') ######################################## @@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',` ## # interface(`udev_read_db',` + udev_read_pid_files($1) +') + +######################################## +## +## Allow process to modify list of devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_rw_db',` gen_require(` - type udev_tbl_t; + type udev_var_run_t; ') - allow $1 udev_tbl_t:dir list_dir_perms; + files_search_pids($1) + dev_list_all_dev_nodes($1) + rw_files_pattern($1, udev_var_run_t, udev_var_run_t) +') - read_files_pattern($1, udev_tbl_t, udev_tbl_t) - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) +######################################## +## +## Allow process to modify relabelto udev database +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_relabelto_db',` + gen_require(` + type udev_var_run_t; + ') - dev_list_all_dev_nodes($1) + files_search_pids($1) + allow $1 udev_var_run_t:file relabelto_file_perms; +') - files_search_etc($1) +######################################## +## +## Relabel the udev sock_file. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_relabel_pid_sockfile',` + gen_require(` + type udev_var_run_t; + ') - udev_search_pids($1) + allow $1 udev_var_run_t:sock_file relabel_sock_file_perms; ') ######################################## ## -## Allow process to modify list of devices. +## Create, read, write, and delete +## udev pid files. ## ## ## @@ -213,13 +258,16 @@ interface(`udev_read_db',` ## ## # -interface(`udev_rw_db',` +interface(`udev_read_pid_files',` gen_require(` - type udev_tbl_t; + type udev_var_run_t; ') dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:file rw_file_perms; + files_search_pids($1) + allow $1 udev_var_run_t:dir list_dir_perms; + read_files_pattern($1, udev_var_run_t, udev_var_run_t) + read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t) ') ######################################## @@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',` ######################################## ## -## Read udev pid files. +## Create, read, write, and delete +## udev pid files. ## ## ## @@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',` ## ## # -interface(`udev_read_pid_files',` +interface(`udev_manage_pid_files',` gen_require(` type udev_var_run_t; ') files_search_pids($1) - read_files_pattern($1, udev_var_run_t, udev_var_run_t) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ') -######################################## +####################################### ## -## Create, read, write, and delete -## udev pid files. +## Execute udev in the udev domain, and +## allow the specified role the udev domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the iptables domain. +## +## +## +# +interface(`udev_run',` + gen_require(` + type udev_t; + ') + + udev_domtrans($1) + role $2 types udev_t; +') + +####################################### +## +## Allow caller to create kobject uevent socket for udev ## ## ## @@ -291,13 +365,45 @@ interface(`udev_read_pid_files',` ## ## # -interface(`udev_manage_pid_files',` +interface(`udev_create_kobject_uevent_socket',` gen_require(` - type udev_var_run_t; + type udev_t; + role system_r; ') - files_search_pids($1) - manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; +') + +######################################## +## +## Create a domain for processes +## which can be started by udev. +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`udev_system_domain',` + gen_require(` + type udev_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(udev_t, $2, $1) + + dontaudit $1 udev_t:unix_dgram_socket { read write }; ') ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 39f185f68..fb61dca9a 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) -type udev_tbl_t alias udev_tdb_t; -files_type(udev_tbl_t) - type udev_rules_t; files_type(udev_rules_t) type udev_var_run_t; files_pid_file(udev_var_run_t) +typealias udev_var_run_t alias udev_tbl_t; init_daemon_run_dir(udev_var_run_t, "udev") +type udev_tmp_t; +files_tmp_file(udev_tmp_t) + ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) @@ -37,10 +38,10 @@ ifdef(`enable_mcs',` # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability2 { block_suspend compromise_kernel }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; @@ -53,7 +54,10 @@ allow udev_t self:unix_stream_socket { listen accept }; allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udev_t self:netlink_generic_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; +allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) @@ -64,31 +68,40 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; -allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) +allow udev_t udev_tmp_t:dir manage_dir_perms; +allow udev_t udev_tmp_t:file manage_file_perms; +files_tmp_filetrans(udev_t, udev_tmp_t, { file dir }) list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) -read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_chr_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev") +allow udev_t udev_var_run_t:file mounton; +allow udev_t udev_var_run_t:dir mounton; +allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) +kernel_load_module(udev_t) kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) kernel_getattr_core_if(udev_t) kernel_use_fds(udev_t) kernel_read_device_sysctls(udev_t) -kernel_read_hotplug_sysctls(udev_t) -kernel_read_modprobe_sysctls(udev_t) +kernel_read_fs_sysctls(udev_t) kernel_read_kernel_sysctls(udev_t) -kernel_rw_hotplug_sysctls(udev_t) +kernel_rw_usermodehelper_state(udev_t) kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) -kernel_signal(udev_t) kernel_search_debugfs(udev_t) +kernel_setsched(udev_t) +kernel_stream_connect(udev_t) +kernel_signal(udev_t) #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) @@ -99,6 +112,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) +dev_rw_generic_usb_dev(udev_t) dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) @@ -107,23 +121,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) +dev_filetrans_all_named_dev(udev_t) domain_read_all_domains_state(udev_t) -domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) -files_read_etc_files(udev_t) +files_read_kernel_modules(udev_t) +files_read_system_conf_files(udev_t) + + +# console_init manages files in /etc/sysconfig +files_manage_etc_files(udev_t) files_exec_etc_files(udev_t) +files_exec_usr_files(udev_t) files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) +files_list_tmp(udev_t) fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) fs_rw_anon_inodefs_files(udev_t) - -mcs_ptrace_all(udev_t) +fs_list_auto_mountpoints(udev_t) +fs_list_hugetlbfs(udev_t) +fs_read_cgroup_files(udev_t) mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) @@ -145,17 +167,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) +init_stream_connect(udev_t) logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) logging_send_audit_msgs(udev_t) +logging_stream_connect_syslog(udev_t) -miscfiles_read_localization(udev_t) miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) +modutils_list_module_config(udev_t) +modutils_read_module_config(udev_t) seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) @@ -169,9 +194,14 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) -sysnet_etc_filetrans_config(udev_t) +#sysnet_etc_filetrans_config(udev_t) + +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) +systemd_hwdb_manage_config(udev_t) userdom_dontaudit_search_user_home_content(udev_t) +userdom_rw_inherited_user_tmp_pipes(udev_t) ifdef(`distro_debian',` files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") @@ -195,16 +225,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` - fs_manage_tmpfs_dirs(udev_t) - fs_manage_tmpfs_files(udev_t) - fs_manage_tmpfs_symlinks(udev_t) - fs_manage_tmpfs_sockets(udev_t) - fs_manage_tmpfs_blk_files(udev_t) - fs_manage_tmpfs_chr_files(udev_t) - fs_relabel_tmpfs_blk_file(udev_t) - fs_relabel_tmpfs_chr_file(udev_t) + fs_manage_hugetlbfs_dirs(udev_t) - term_search_ptys(udev_t) + term_use_generic_ptys(udev_t) # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -242,6 +265,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) + cups_read_config(udev_t) ') optional_policy(` @@ -249,17 +273,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` - consolekit_dbus_chat(udev_t) - ') + systemd_dbus_chat_logind(udev_t) + ') ') optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) + devicekit_domtrans_disk(udev_t) +') + +optional_policy(` + gnome_read_home_config(udev_t) +') + +optional_policy(` + gpsd_domtrans(udev_t) +') + +optional_policy(` + kdump_systemctl(udev_t) ') optional_policy(` lvm_domtrans(udev_t) + lvm_dgram_send(udev_t) ') optional_policy(` @@ -280,6 +318,10 @@ optional_policy(` hotplug_search_pids(udev_t) ') +optional_policy(` + kdump_rw_inherited_kdumpctl_tmp_pipes(udev_t) +') + optional_policy(` lvm_domtrans(udev_t) ') @@ -288,6 +330,10 @@ optional_policy(` mount_domtrans(udev_t) ') +optional_policy(` + networkmanager_dbus_chat(udev_t) +') + optional_policy(` openct_read_pid_files(udev_t) openct_domtrans(udev_t) @@ -302,6 +348,15 @@ optional_policy(` raid_domtrans_mdadm(udev_t) ') +optional_policy(` + radvd_read_pid_files(udev_t) +') + +optional_policy(` + usbmuxd_domtrans(udev_t) + usbmuxd_stream_connect(udev_t) +') + optional_policy(` unconfined_signal(udev_t) ') @@ -315,6 +370,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) + xen_stream_connect_xenstore(udev_t) ') optional_policy(` diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index 0abaf8432..8b34dbc09 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc @@ -1,21 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) - -/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -ifdef(`distro_debian',` -/usr/bin/gcj-dbtool-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/gij-4\.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice/program/soffice\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') - -ifdef(`distro_gentoo',` -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 5ca20a97d..99a38b017 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ # interface(`unconfined_domain_noaudit',` gen_require(` - type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') - # Use most Linux capabilities - allow $1 self:capability ~sys_module; - allow $1 self:fifo_file manage_fifo_file_perms; + # Use any Linux capability. + + allow $1 self:capability ~{ sys_module }; + allow $1 self:capability2 ~{ mac_admin mac_override }; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; # Transition to myself, to make get_ordered_context_list happy. - allow $1 self:process transition; + allow $1 self:process { dyntransition transition }; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; - allow $1 self:association *; + allow $1 self:nscd all_nscd_perms; + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; + allow $1 self:socket_class_set create_socket_perms; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) domain_unconfined($1) - domain_dontaudit_read_all_domains_state($1) - domain_dontaudit_ptrace_all_domains($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) + systemd_config_all_services($1) + + domain_mmap_low($1) - tunable_policy(`allow_execheap',` + ubac_process_exempt($1) + + tunable_policy(`selinuxuser_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; ') - tunable_policy(`allow_execmem',` + tunable_policy(`deny_execmem',`',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') - tunable_policy(`allow_execstack',` - # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; + tunable_policy(`selinuxuser_execstack',` + allow $1 self:process execstack; # auditallow $1 self:process execstack; ') @@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',` ') optional_policy(` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) dbus_unconfined($1) ') @@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` + gen_require(` + attribute unconfined_services; + ') + unconfined_domain_noaudit($1) - tunable_policy(`allow_execheap',` + tunable_policy(`selinuxuser_execheap',` auditallow $1 self:process execheap; ') ') @@ -149,7 +159,7 @@ interface(`unconfined_domain',` ## # interface(`unconfined_alias_domain',` - refpolicywarn(`$0($1) has been deprecated.') + refpolicywarn(`$0() has been deprecated.') ') ######################################## @@ -175,343 +185,12 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` - refpolicywarn(`$0($1) has been deprecated.') -') - -######################################## -## -## Transition to the unconfined domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`unconfined_domtrans',` - gen_require(` - type unconfined_t, unconfined_exec_t; - ') - - domtrans_pattern($1, unconfined_exec_t, unconfined_t) -') - -######################################## -## -## Execute specified programs in the unconfined domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the unconfined domain. -## -## -# -interface(`unconfined_run',` - gen_require(` - type unconfined_t; - ') - - unconfined_domtrans($1) - role $2 types unconfined_t; -') - -######################################## -## -## Transition to the unconfined domain by executing a shell. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`unconfined_shell_domtrans',` - gen_require(` - type unconfined_t; - ') - - corecmd_shell_domtrans($1, unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. -## -## -##

      -## Allow unconfined to execute the specified program in -## the specified domain. -##

      -##

      -## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

      -##
      -## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_domtrans_to',` - gen_require(` - type unconfined_t; - ') - - domtrans_pattern(unconfined_t,$2,$1) -') - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -## -## -##

      -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##

      -##

      -## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

      -##
      -## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# -interface(`unconfined_run_to',` - gen_require(` - type unconfined_t; - role unconfined_r; - ') - - domtrans_pattern(unconfined_t,$2,$1) - role unconfined_r types $1; - userdom_use_user_terminals($1) -') - -######################################## -## -## Inherit file descriptors from the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_use_fds',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fd use; -') - -######################################## -## -## Send a SIGCHLD signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_sigchld',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process sigchld; -') - -######################################## -## -## Send a SIGNULL signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signull',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signull; -') - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_signal',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signal; -') - -######################################## -## -## Read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_read_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file read_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_read_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file read; -') - -######################################## -## -## Read and write unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file rw_fifo_file_perms; -') - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_pipes',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file rw_file_perms; -') - -######################################## -## -## Connect to the unconfined domain using -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`unconfined_stream_connect',` - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; -') - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -## -## -##

      -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##

      -##

      -## This interface was added due to a broken -## symptom in ldconfig. -##

      -##
      -## -## -## Domain to not audit. -## -## -# -interface(`unconfined_dontaudit_rw_tcp_sockets',` - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:tcp_socket { read write }; + refpolicywarn(`$0() has been deprecated.') ') ######################################## ## -## Create keys for the unconfined domain. +## Connect to unconfined_server with a unix socket. ## ## ## @@ -519,17 +198,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',` ## ## # -interface(`unconfined_create_keys',` +interface(`unconfined_server_stream_connect',` gen_require(` - type unconfined_t; + type unconfined_service_t; ') - allow $1 unconfined_t:key create; + files_search_pids($1) + files_write_generic_pid_pipes($1) + allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; ') ######################################## ## -## Send messages to the unconfined domain over dbus. +## Connect to unconfined_server with a unix socket. ## ## ## @@ -537,19 +218,17 @@ interface(`unconfined_create_keys',` ## ## # -interface(`unconfined_dbus_send',` +interface(`unconfined_server_domtrans',` gen_require(` - type unconfined_t; - class dbus send_msg; + type unconfined_service_t; ') - allow $1 unconfined_t:dbus send_msg; + corecmd_bin_domtrans($1, unconfined_service_t) ') ######################################## ## -## Send and receive messages from -## unconfined_t over dbus. +## Allow caller domain to dbus chat unconfined_server. ## ## ## @@ -557,20 +236,19 @@ interface(`unconfined_dbus_send',` ## ## # -interface(`unconfined_dbus_chat',` +interface(`unconfined_server_dbus_chat',` gen_require(` - type unconfined_t; - class dbus send_msg; + type unconfined_service_t; + class dbus send_msg; ') - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; + allow $1 unconfined_service_t:dbus send_msg; + allow unconfined_service_t $1:dbus send_msg; ') ######################################## ## -## Connect to the the unconfined DBUS -## for service (acquire_svc). +## Send signull to unconfined_service_t. ## ## ## @@ -578,11 +256,10 @@ interface(`unconfined_dbus_chat',` ## ## # -interface(`unconfined_dbus_connect',` +interface(`unconfined_server_signull',` gen_require(` - type unconfined_t; - class dbus acquire_svc; + type unconfined_service_t; ') - allow $1 unconfined_t:dbus acquire_svc; + allow $1 unconfined_service_t:process signull; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 5fe902db3..fe649d908 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,207 +1,33 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) ######################################## # # Declarations # +attribute unconfined_services; -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types -userdom_base_user_template(unconfined) -userdom_manage_home_role(unconfined_r, unconfined_t) -userdom_manage_tmp_role(unconfined_r, unconfined_t) -userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +type unconfined_service_t; +domain_type(unconfined_service_t) +role system_r types unconfined_service_t; +init_nnp_daemon_domain(unconfined_service_t) -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) +unconfined_domain(unconfined_service_t) -type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -role unconfined_r types unconfined_execmem_t; +unconfined_stub_role() -######################################## -# -# Local policy -# - -domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) - -files_create_boot_flag(unconfined_t) - -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - -init_run_daemon(unconfined_t, unconfined_r) - -libs_run_ldconfig(unconfined_t, unconfined_r) - -logging_send_syslog_msg(unconfined_t) -logging_run_auditctl(unconfined_t, unconfined_r) - -mount_run_unconfined(unconfined_t, unconfined_r) - -seutil_run_setfiles(unconfined_t, unconfined_r) -seutil_run_semanage(unconfined_t, unconfined_r) - -unconfined_domain(unconfined_t) - -userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -ifdef(`distro_gentoo',` - seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) -') - -optional_policy(` - ada_domtrans(unconfined_t) -') - -optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) -') - -optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - -optional_policy(` - bootloader_run(unconfined_t, unconfined_r) -') - -optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) -') - -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') - -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') - -optional_policy(` - hadoop_role(unconfined_r, unconfined_t) -') - -optional_policy(` - inn_domtrans(unconfined_t) -') - -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') - -optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -') - -optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - -optional_policy(` - mono_domtrans(unconfined_t) -') - -optional_policy(` - mta_role(unconfined_r, unconfined_t) -') - -optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -') - -optional_policy(` - portage_run(unconfined_t, unconfined_r) - portage_run_fetch(unconfined_t, unconfined_r) - portage_run_gcc_config(unconfined_t, unconfined_r) -') - -optional_policy(` - prelink_run(unconfined_t, unconfined_r) -') - -optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - postfix_run_map(unconfined_t, unconfined_r) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') - -optional_policy(` - pyzor_role(unconfined_r, unconfined_t) -') - -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -') - -optional_policy(` - rtkit_scheduled(unconfined_t) -') - -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') +role unconfined_r types unconfined_service_t; -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) -') - -optional_policy(` - spamassassin_role(unconfined_r, unconfined_t) -') - -optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) -') - -optional_policy(` - tzdata_run(unconfined_t, unconfined_r) -') - -optional_policy(` - unconfined_dbus_chat(unconfined_t) -') +corecmd_bin_entry_type(unconfined_service_t) +corecmd_shell_entry_type(unconfined_service_t) optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) + rpm_transition_script(unconfined_service_t, system_r) ') optional_policy(` - vpn_run(unconfined_t, unconfined_r) + chronyd_run_chronyc(unconfined_service_t, system_r) ') optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - -optional_policy(` - wine_domtrans(unconfined_t) -') - -optional_policy(` - xserver_domtrans(unconfined_t) -') - -######################################## -# -# Unconfined Execmem Local policy -# - -allow unconfined_execmem_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_execmem_t) - -optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) + dbus_chat_system_bus(unconfined_service_t) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db7597682..c54480a1d 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,37 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/root/\.debug(/.*)? <> +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/\.local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.local/share/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) +HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) +HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) + +/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) + + + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) + +/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 9dc60c6c0..c8efa15c9 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` ') attribute $1_file_type; + attribute $1_usertype; - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; domain_type($1_t) + role $1_r; corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) @@ -44,79 +46,133 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) - - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; - - allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_t, user_devpts_t) + term_dontaudit_getattr_generic_ptys($1_t) + + allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + tunable_policy(`deny_ptrace',`',` + allow $1_usertype $1_usertype:process ptrace; + ') + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_usertype $1_usertype:shm create_shm_perms; + allow $1_usertype $1_usertype:sem create_sem_perms; + allow $1_usertype $1_usertype:msgq create_msgq_perms; + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; + + allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_devpts_t:chr_file ioctl; + dontaudit $1_usertype user_devpts_t:chr_file ioctl; - allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; - - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) - kernel_dontaudit_getattr_unlabeled_symlinks($1_t) - kernel_dontaudit_getattr_unlabeled_pipes($1_t) - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) - - dev_dontaudit_getattr_all_blk_files($1_t) - dev_dontaudit_getattr_all_chr_files($1_t) + dontaudit $1_usertype user_tty_device_t:chr_file ioctl; + + application_exec_all($1_usertype) + + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) + kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + kernel_dontaudit_list_proc($1_usertype) + + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + dev_dontaudit_all_access_check($1_usertype) + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) + files_list_var($1_usertype) + files_read_mnt_files($1_usertype) + files_dontaudit_all_access_check($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) + files_read_usr_src_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) - files_read_world_readable_pipes($1_t) - files_read_world_readable_sockets($1_t) + files_list_world_readable($1_usertype) + files_read_world_readable_files($1_usertype) + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) + files_dontaudit_setattr_etc_runtime_files($1_usertype) + + files_exec_usr_files($1_t) + + fs_list_cgroup_dirs($1_usertype) + fs_dontaudit_rw_cgroup_files($1_usertype) + + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_t) + + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_usertype) - libs_exec_ld_so($1_t) + libs_exec_ld_so($1_usertype) - miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) - sysnet_read_config($1_t) + miscfiles_read_all_certs($1_usertype) + miscfiles_read_public_files($1_usertype) - tunable_policy(`allow_execmem',` + systemd_dbus_chat_logind($1_usertype) + systemd_read_logind_sessions_files($1_usertype) + systemd_write_inhibit_pipes($1_usertype) + systemd_write_inherited_logind_sessions_pipes($1_usertype) + systemd_login_read_pid_files($1_usertype) + + tunable_policy(`deny_execmem',`', ` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; ') - tunable_policy(`allow_execmem && allow_execstack',` + tunable_policy(`selinuxuser_execstack',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` + abrt_stream_connect($1_usertype) + ') + + optional_policy(` + fs_list_cgroup_dirs($1_usertype) + ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_rw_dgram_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) + ') ') ####################################### @@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') + role $1 types { user_home_t user_home_dir_t }; + ############################## # # Domain access to home dir @@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($2) - fs_read_nfs_files($2) - fs_read_nfs_symlinks($2) - fs_read_nfs_named_sockets($2) - fs_read_nfs_named_pipes($2) - ',` - fs_dontaudit_list_nfs($2) - fs_dontaudit_read_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($2) - fs_read_cifs_files($2) - fs_read_cifs_symlinks($2) - fs_read_cifs_named_sockets($2) - fs_read_cifs_named_pipes($2) - ',` - fs_dontaudit_list_cifs($2) - fs_dontaudit_read_cifs_files($2) - ') ') ####################################### @@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; + attribute user_home_type; ') + role $1 types { user_home_type user_home_dir_t }; + ############################## # # Domain access to home dir @@ -229,46 +269,144 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory + allow $2 user_home_t:dir mounton; allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + + allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + userdom_filetrans_home_content($2) + files_list_home($2) # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs($2) + fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) fs_manage_nfs_named_sockets($2) fs_manage_nfs_named_pipes($2) - ',` - fs_dontaudit_manage_nfs_dirs($2) - fs_dontaudit_manage_nfs_files($2) ') tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs($2) + fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) fs_manage_cifs_named_sockets($2) fs_manage_cifs_named_pipes($2) - ',` - fs_dontaudit_manage_cifs_dirs($2) - fs_dontaudit_manage_cifs_files($2) ') ') +####################################### +## +## Manage user temporary files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_manage_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + manage_files_pattern($1, user_tmp_t, user_tmp_t) +') + +####################################### +## +## Mmap user temporary files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_map_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file map; +') + +####################################### +## +## Manage user temporary sockets +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_manage_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) +') + +####################################### +## +## Manage user temporary directories +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_manage_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + manage_dirs_pattern($1, user_tmp_t, user_tmp_t) +') + +####################################### +## +## Manage user temporary directories +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_mounton_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir mounton; +') + ####################################### ## ## Manage user temporary files @@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` + attribute user_tmp_type; type user_tmp_t; ') + role $1 types user_tmp_t; + files_poly_member_tmp($2, user_tmp_t) - manage_dirs_pattern($2, user_tmp_t, user_tmp_t) - manage_files_pattern($2, user_tmp_t, user_tmp_t) - manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) - manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) - manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) + allow $2 user_tmp_type:dir mounton; + manage_dirs_pattern($2, user_tmp_type, user_tmp_type) + manage_files_pattern($2, user_tmp_type, user_tmp_type) + manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) + manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) + manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) + relabel_files_pattern($2, user_tmp_type, user_tmp_type) + relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) + relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) + relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) +') + +####################################### +## +## Dontaudit search of user bin dirs. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_search_user_bin_dirs',` + gen_require(` + type home_bin_t; + ') + + dontaudit $1 home_bin_t:dir search_dir_perms; +') + +####################################### +## +## Execute user bin files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_exec_user_bin_files',` + gen_require(` + attribute user_home_type; + type home_bin_t, user_home_dir_t; + ') + + exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) + files_search_home($1) ') ####################################### @@ -317,9 +503,29 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) + dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) ') +####################################### +## +## Manage user temporary file system files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_manage_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + ####################################### ## ## Role access for the user tmpfs type @@ -347,60 +553,45 @@ interface(`userdom_exec_user_tmp_files',` ## # interface(`userdom_manage_tmpfs_role',` - gen_require(` - type user_tmpfs_t; - ') - - manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.') + userdom_manage_tmp_role($1,$2) ') ####################################### ## -## The template allowing the user basic +## The interface allowing the user basic ## network permissions ## -## +## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The user domain ## ## ## # -template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') +interface(`userdom_basic_networking',` - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) - - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_ports($1) + corenet_sendrecv_all_client_packets($1) optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) + init_tcp_recvfrom_all_daemons($1) + init_udp_recvfrom_all_daemons($1) ') optional_policy(` - ipsec_match_default_spd($1_t) + ipsec_match_default_spd($1) ') + ') ####################################### @@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_t) xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) @@ -463,8 +655,8 @@ template(`userdom_change_password_template',` ') optional_policy(` - usermanage_run_chfn($1_t, $1_r) - usermanage_run_passwd($1_t, $1_r) + usermanage_run_chfn($1_t,$1_r) + usermanage_run_passwd($1_t,$1_r) ') ') @@ -491,51 +683,69 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') - userdom_basic_networking_template($1) + userdom_basic_networking($1_usertype) + corenet_all_recvfrom_netlabel($1_t) ############################## # # User domain Local policy # + allow $1_t self:packet_socket create_socket_perms; # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:socket create_socket_perms; - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) + kernel_read_network_state($1_usertype) + kernel_read_software_raid_state($1_usertype) + kernel_read_net_sysctls($1_usertype) + kernel_read_afs_state($1_usertype) # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) - - corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) # Check to see if cdrom is mounted - files_search_mnt($1_t) + files_search_mnt($1_usertype) # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) - files_read_var_lib_files($1_t) + files_read_var_files($1_usertype) + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) + + application_getattr_socket($1_usertype) + - fs_rw_cgroup_files($1_t) + ifdef(`enable_mls',` + init_rw_tcp_sockets($1_t) + ') + + logging_send_syslog_msg($1_t) + + selinux_get_enforce_mode($1_t) # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) @@ -546,93 +756,141 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject - storage_getattr_fixed_disk_dev($1_t) + storage_getattr_fixed_disk_dev($1_usertype) - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) - auth_run_pam($1_t, $1_r) - auth_run_utempter($1_t, $1_r) + auth_read_login_records($1_usertype) + auth_run_pam_timestamp($1_t,$1_r) + auth_run_utempter($1_t,$1_r) + auth_filetrans_admin_home_content($1_t) - init_read_utmp($1_t) + init_read_utmp($1_usertype) - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) - seutil_run_newrole($1_t, $1_r) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_run_newrole($1_t,$1_r) seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. seutil_dontaudit_signal_newrole($1_t) - tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) - ') + term_getattr_all_ttys($1_t) + + optional_policy(` + afs_read_config($1_t) + ') - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_ttys($1_t) + optional_policy(` + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) ') optional_policy(` - alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") - alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) - alsa_relabel_home_files($1_t) + chrome_role($1_r, $1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + canna_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) + colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) + ') + + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') + + optional_policy(` + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) + ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + ') + + optional_policy(` + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') + + optional_policy(` + firewalld_dbus_chat($1_usertype) + ') + + optional_policy(` + geoclue_dbus_chat($1_usertype) + ') + + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') optional_policy(` - bluetooth_dbus_chat($1_t) + hal_dbus_chat($1_usertype) ') optional_policy(` - consolekit_dbus_chat($1_t) + hwloc_exec_dhwd($1_t) + hwloc_read_runtime_files($1_t) + ') + + optional_policy(` + kde_dbus_chat_backlighthelper($1_usertype) ') + optional_policy(` + memcached_stream_connect($1_usertype) + ') + optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) + policykit_dbus_chat($1_usertype) ') optional_policy(` - policykit_dbus_chat($1_t) + vpn_dbus_chat($1_usertype) ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) + ') + + optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` @@ -642,23 +900,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) + mpd_stream_connect($1_t) ') # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) ') optional_policy(` - mysql_manage_mysqld_home_files($1_t) - mysql_relabel_mysqld_home_files($1_t) - mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") - - tunable_policy(`allow_user_mysql_connect',` + tunable_policy(`selinuxuser_mysql_connect_enabled',` mysql_stream_connect($1_t) ') ') @@ -671,7 +927,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + pcmcia_read_pid($1_usertype) ') optional_policy(` @@ -680,9 +936,9 @@ template(`userdom_common_user_template',` ') optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + tunable_policy(`selinuxuser_postgresql_connect_enabled',` + postgresql_stream_connect($1_usertype) + postgresql_tcp_connect($1_usertype) ') ') @@ -693,32 +949,35 @@ template(`userdom_common_user_template',` ') optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) + rpc_dontaudit_getattr_exports($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) + rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) + sandbox_transition($1_usertype, $1_r) ') optional_policy(` - virt_home_filetrans_virt_home($1_t, dir, ".libvirt") - virt_home_filetrans_virt_home($1_t, dir, ".virtinst") - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") + seunshare_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + slrnpull_search_spool($1_usertype) + ') + + optional_policy(` + thumb_role($1_r, $1_usertype) ') ') @@ -743,17 +1002,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; + attribute login_userdomain; ') userdom_base_user_template($1) + typeattribute $1_t login_userdomain; + userdom_manage_home_role($1_r, $1_t) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) + ') + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') + + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') userdom_change_password_template($1) @@ -761,86 +1035,118 @@ template(`userdom_login_user_template', ` # # User domain Local policy # - - allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` + allow $1_t self:capability { setuid setgid sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + domain_dyntrans_type($1_t) allow $1_t self:context contains; - kernel_dontaudit_read_system_state($1_t) + kernel_dontaudit_read_system_state($1_usertype) + kernel_dontaudit_list_all_proc($1_usertype) - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) + dev_read_rand($1_usertype) + dev_read_urand($1_usertype) - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_usertype) # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) + domain_dontaudit_exec_all_entry_files($1_usertype) - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_cgroup_dirs($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_dontaudit_rw_cgroup_files($1_t) + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) + auth_role($1_r, $1_t) + auth_create_cache($1_t) + auth_rw_cache($1_t) + auth_search_pam_console_data($1_t) + auth_dontaudit_read_login_records($1_t) auth_dontaudit_write_login_records($1_t) application_exec_all($1_t) - # The library functions always try to open read-write first, # then fall back to read-only if it fails. init_dontaudit_rw_utmp($1_t) + # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) - logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) + kerberos_use($1_usertype) + init_write_key($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) + mysql_filetrans_named_content($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + quota_dontaudit_getattr_db($1_usertype) ') -') -####################################### + optional_policy(` + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) + rpm_read_cache($1_usertype) + ') + + optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) + oddjob_run($1_t, $1_r) + ') + + optional_policy(` + chronyd_run_chronyc($1_t, $1_r) + ') + + optional_policy(` + ipa_run_helper($1_t, $1_r) + ') + + optional_policy(` + wine_filetrans_named_content($1_usertype) + ') +') + +####################################### ## ## The template for creating a unprivileged login user. ## @@ -868,6 +1174,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) + ############################## # # Local policy @@ -907,53 +1219,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # + kernel_stream_connect($1_usertype) - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) - - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) + + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) + + libs_dontaudit_setattr_lib_files($1_usertype) + + init_read_state($1_usertype) + + tunable_policy(`selinuxuser_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) + + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) + fs_manage_dos_dirs($1_usertype) + fs_manage_dos_files($1_usertype) + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') logging_send_syslog_msg($1_t) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) xserver_restricted_role($1_r, $1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) + ') + + # cjp: needed by KDE apps + # bug: #682499 + optional_policy(` + gnome_read_usr_config($1_usertype) + # cjp: telepathy F15 bugs + telepathy_role($1_r, $1_t, $1) + ') + + optional_policy(` + obex_role($1_r, $1_t, $1) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') + + optional_policy(` + accountsd_dbus_chat($1_usertype) + ') + + optional_policy(` + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') + + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) + ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') optional_policy(` - consolekit_dbus_chat($1_t) + fprintd_dbus_chat($1_t) ') optional_policy(` - cups_dbus_chat($1_t) + realmd_dbus_chat($1_t) ') optional_policy(` gnome_role_template($1, $1_r, $1_t) + ') + + optional_policy(` wm_role_template($1, $1_r, $1_t) ') ') optional_policy(` - java_role($1_r, $1_t) + policykit_role($1_r, $1_usertype) + ') + + optional_policy(` + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + ') + + optional_policy(` + rtkit_scheduled($1_usertype) + ') + + optional_policy(` + systemd_filetrans_home_content($1_usertype) ') optional_policy(` setroubleshoot_dontaudit_stream_connect($1_t) ') + + optional_policy(` + udev_read_db($1_usertype) + ') + + optional_policy(` + xserver_xdm_ioctl_log($1_t) + ') ') ####################################### @@ -987,27 +1383,39 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. - userdom_restricted_user_template($1) + userdom_restricted_xwindows_user_template($1) userdom_common_user_template($1) ############################## # # Local policy # + allow $1_t self:capability { setgid chown fowner }; + allow $1_t self:bluetooth_socket create_socket_perms; + allow $1_t self:alg_socket create_socket_perms; + allow $1_t self:dccp_socket create_socket_perms; + allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + dontaudit $1_t self:capability { setuid }; + dontaudit $1_t self:netlink_selinux_socket create_socket_perms; + + corecmd_exec_chroot($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) + corenet_tcp_bind_generic_node($1_usertype) + + storage_rw_fuse($1_t) files_exec_usr_files($1_t) - # cjp: why? + # cjp: why? files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` fs_exec_noxattr($1_t) - tunable_policy(`user_rw_noexattrfile',` + tunable_policy(`selinuxuser_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies @@ -1018,23 +1426,63 @@ template(`userdom_unpriv_user_template', ` ') ') - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) - ') + miscfiles_read_hwdata($1_usertype) + + fs_mounton_fusefs($1_usertype) # Allow users to run TCP servers (bind to ports and accept connection from # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + + tunable_policy(`selinuxuser_share_music',` + corenet_tcp_bind_daap_port($1_usertype) + ') + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) + ') + + tunable_policy(`selinuxuser_udp_server',` + corenet_udp_bind_all_unreserved_ports($1_usertype) + ') + optional_policy(` + cdrecord_role($1_r, $1_t) + ') + + optional_policy(` + cron_role($1_r, $1_t) + ') + + optional_policy(` + games_manage_data_files($1_usertype) + ') + + optional_policy(` + gpg_role($1_r, $1_usertype) + ') + + optional_policy(` + systemd_dbus_chat_timedated($1_t) + systemd_dbus_chat_hostnamed($1_t) + systemd_dbus_chat_localed($1_t) + ') + + optional_policy(` + gpm_stream_connect($1_usertype) + ') + + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user @@ -1043,7 +1491,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` - setroubleshoot_stream_connect($1_t) + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) ') ') @@ -1079,7 +1529,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; - class passwd { passwd chfn chsh rootok }; + attribute confined_admindomain; + + class passwd { passwd chfn chsh rootok crontab }; ') ############################## @@ -1095,6 +1547,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; + typeattribute $1_t confined_admindomain; ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) @@ -1105,14 +1558,18 @@ template(`userdom_admin_user_template',` # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; - # Set password information for other users. - allow $1_t self:passwd { passwd chfn chsh }; - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; + + allow $1_t self:bluetooth_socket create_socket_perms; + allow $1_t self:alg_socket create_socket_perms; + + allow $1_t self:bluetooth_socket create_stream_socket_perms; + allow $1_t self:alg_socket create_socket_perms; + + allow $1_t self:bluetooth_socket create_socket_perms; + allow $1_t self:alg_socket create_socket_perms; + allow $1_t self:dccp_socket create_socket_perms; kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) @@ -1120,6 +1577,7 @@ template(`userdom_admin_user_template',` kernel_change_ring_buffer_level($1_t) kernel_clear_ring_buffer($1_t) kernel_read_ring_buffer($1_t) + kernel_read_afs_state($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctls($1_t) # signal unlabeled processes: @@ -1128,6 +1586,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) + kernel_signal($1_t) + kernel_stream_connect($1_t) corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels @@ -1145,10 +1605,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) + dev_rw_generic_usb_dev($1_t) + dev_rw_usbfs($1_t) + dev_read_kmsg($1_t) + dev_read_cpuid($1_t) domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) domain_getattr_all_domains($1_t) + domain_getcap_all_domains($1_t) domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) @@ -1159,29 +1624,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) + domain_dontaudit_getattr_all_sockets($1_t) files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) + fs_getattr_all_files($1_t) + fs_list_all($1_t) fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) + storage_dontaudit_read_fixed_disk($1_t) - term_use_all_terms($1_t) + term_use_all_inherited_terms($1_t) + term_use_unallocated_ttys($1_t) auth_getattr_shadow($1_t) # Manage almost all files - files_manage_non_auth_files($1_t) + files_manage_non_security_dirs($1_t) + files_manage_non_security_files($1_t) # Relabel almost all files - files_relabel_non_auth_files($1_t) + files_relabel_non_security_files($1_t) + + files_mounton_rootfs($1_t) init_telinit($1_t) logging_send_syslog_msg($1_t) - modutils_domtrans_insmod($1_t) + optional_policy(` + modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) + ') # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator @@ -1191,6 +1667,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) + systemd_config_all_services($1_t) + userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) @@ -1198,13 +1676,30 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - tunable_policy(`user_rw_noexattrfile',` + tunable_policy(`selinuxuser_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) ',` fs_read_noxattr_fs_files($1_t) ') + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_t) + ') + + tunable_policy(`selinuxuser_udp_server',` + corenet_udp_bind_all_unreserved_ports($1_t) + ') + + optional_policy(` + afs_read_config($1_t) + ') + + optional_policy(` + abrt_dbus_chat($1_t) + abrt_run_helper($1_t, $1_r) + ') + optional_policy(` postgresql_unconfined($1_t) ') @@ -1212,6 +1707,12 @@ template(`userdom_admin_user_template',` optional_policy(` userhelper_exec($1_t) ') + + optional_policy(` + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) + ') ') ######################################## @@ -1240,8 +1741,10 @@ template(`userdom_admin_user_template',` ## ## # -template(`userdom_security_admin_template',` - allow $1 self:capability { dac_read_search dac_override }; +template(`userdom_security_admin',` + allow $1 self:capability { audit_control dac_read_search dac_override }; + + allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms }; corecmd_exec_shell($1) @@ -1250,6 +1753,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) + files_create_default_dir($1) + files_root_filetrans_default($1, dir) # Necessary for managing /boot/efi fs_manage_dos_files($1) @@ -1262,8 +1767,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) + selinux_read_policy($1) + + files_relabel_all_files($1) - files_relabel_non_auth_files($1) auth_relabel_shadow($1) init_exec($1) @@ -1274,29 +1781,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) + seutil_manage_default_contexts($1) + seutil_manage_file_contexts($1) + seutil_manage_module_store($1) + seutil_manage_config($1) + seutil_manage_login_config($1) + seutil_run_checkpolicy($1,$2) + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) optional_policy(` - aide_run($1, $2) + aide_run($1,$2) ') optional_policy(` consoletype_exec($1) ') - optional_policy(` - dmesg_exec($1) - ') - - optional_policy(` - ipsec_run_setkey($1, $2) + optional_policy(` + ipsec_run_setkey($1,$2) ') optional_policy(` - netlabel_run_mgmt($1, $2) + netlabel_run_mgmt($1,$2) ') optional_policy(` @@ -1357,14 +1866,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; + attribute user_home_type; ') typeattribute $1 user_home_content_type; allow $1 user_home_t:filesystem associate; files_type($1) - files_poly_member($1) ubac_constrained($1) + + files_poly_member($1) + typeattribute $1 user_home_type; ') ######################################## @@ -1397,10 +1909,49 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` - files_tmpfs_file($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.') + userdom_user_tmp_file($1) +') + +######################################## +## +## Allow domain to attach to TUN devices created by administrative users. +## +## +## +## Type to be used as a file in the +## generic temporary directory. +## +## +# +interface(`userdom_user_tmp_content',` + gen_require(` + attribute user_tmp_type; + ') + + typeattribute $1 user_tmp_type; + + files_tmp_file($1) ubac_constrained($1) ') +######################################## +## +## Make the specified type usable in a +## generic tmpfs_t directory. +## +## +## +## Type to be used as a file in the +## generic temporary directory. +## +## +# +interface(`userdom_user_tmpfs_content',` + refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.') + userdom_user_tmp_content($1) +') + ######################################## ## ## Allow domain to attach to TUN devices created by administrative users. @@ -1509,9 +2060,29 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; files_search_home($1) ') +######################################## +## +## Search user tmp directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + allow $1 user_tmp_t:dir search_dir_perms; +') + ######################################## ## ## Do not audit attempts to search user home directories. @@ -1555,6 +2126,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') ') ######################################## @@ -1570,9 +2149,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; + type user_home_t; ') dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_t:dir list_dir_perms; ') ######################################## @@ -1611,6 +2192,24 @@ interface(`userdom_manage_user_home_dirs',` allow $1 user_home_dir_t:dir manage_dir_perms; ') +######################################## +## +## Create user home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_manage_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir manage_dir_perms; +') + ######################################## ## ## Relabel to user home directories. @@ -1629,6 +2228,59 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') +######################################## +## +## Relabel to user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabelto_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabelto; +') +######################################## +## +## Relabel user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabel_file_perms; +') + +######################################## +## +## Relabel user home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_t:dir relabel_file_perms; +') + ######################################## ## ## Create directories in the home dir root with @@ -1704,10 +2356,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` - type user_home_t; + attribute user_home_type; ') - dontaudit $1 user_home_t:dir search_dir_perms; + dontaudit $1 user_home_type:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') ######################################## @@ -1741,10 +2395,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` - type user_home_t; + type user_home_dir_t; + attribute user_home_type; ') - allow $1 user_home_t:dir list_dir_perms; + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## @@ -1769,7 +2425,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## -## Delete all user home content directories. +## Delete directories in a user home subdirectory. ## ## ## @@ -1777,19 +2433,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # -interface(`userdom_delete_all_user_home_content_dirs',` +interface(`userdom_delete_user_home_content_dirs',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; ') - userdom_search_user_home_dirs($1) - delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:dir delete_dir_perms; ') ######################################## ## -## Delete directories in a user home subdirectory. +## Delete all directories in a user home subdirectory. ## ## ## @@ -1797,31 +2451,125 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # -interface(`userdom_delete_user_home_content_dirs',` +interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` - type user_home_t; + attribute user_home_type; ') - allow $1 user_home_t:dir delete_dir_perms; + allow $1 user_home_type:dir delete_dir_perms; ') ######################################## ## -## Set attributes of all user home content directories. +## Set the attributes of user home files. ## ## ## ## Domain allowed access. ## ## +## # -interface(`userdom_setattr_all_user_home_content_dirs',` +interface(`userdom_setattr_user_home_content_files',` gen_require(` - attribute user_home_content_type; + type user_home_t; ') - userdom_search_user_home_dirs($1) - allow $1 user_home_content_type:dir setattr_dir_perms; + allow $1 user_home_t:file setattr; +') + +######################################## +## +## Set the attributes of user tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_setattr_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file setattr; +') + +######################################## +## +## Create a user tmp sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_create_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + allow $1 user_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Dontaudit getattr on user tmp sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms; +') + +######################################## +## +## Relabel user tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_relabel_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file relabel_file_perms; +') + +######################################## +## +## Relabel user tmp files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_relabel_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir relabel_dir_perms; ') ######################################## @@ -1843,6 +2591,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` dontaudit $1 user_home_t:file setattr_file_perms; ') +######################################## +## +## Set the attributes of all user home directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_setattr_all_user_home_content_dirs',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:dir setattr_dir_perms; +') + ######################################## ## ## Mmap user home files. @@ -1858,10 +2625,28 @@ interface(`userdom_mmap_user_home_content_files',` type user_home_dir_t, user_home_t; ') - mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') +######################################## +## +## map user home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_map_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file map; +') + ######################################## ## ## Read user home files. @@ -1875,12 +2660,34 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; + attribute user_home_type; ') - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) + read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) files_search_home($1) ') +######################################## +## +## Do not audit attempts to getattr user home files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_getattr_user_home_content',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; +') + ######################################## ## ## Do not audit attempts to read user home files. @@ -1893,11 +2700,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type user_home_t; + attribute user_home_type; + type user_home_dir_t; ') - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; ') ######################################## @@ -1938,7 +2748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. +## Delete files in a user home subdirectory. ## ## ## @@ -1946,10 +2756,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # -interface(`userdom_delete_all_user_home_content_files',` +interface(`userdom_delete_user_home_content_files',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; ') userdom_search_user_home_content($1) @@ -1958,7 +2767,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## -## Delete files in a user home subdirectory. +## Delete all files in a user home subdirectory. ## ## ## @@ -1966,12 +2775,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # -interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_all_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file delete_file_perms; +') + +######################################## +## +## Delete sock files in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') - allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; +') + +######################################## +## +## Delete all sock files in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:sock_file delete_file_perms; +') + +######################################## +## +## Delete all files in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:dir_file_class_set delete_file_perms; ') ######################################## @@ -2007,8 +2870,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') - read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## @@ -2024,20 +2886,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; ') files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') -') ######################################## ## @@ -2075,6 +2931,7 @@ interface(`userdom_manage_user_home_content_files',` manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_t:file map; files_search_home($1) ') @@ -2120,7 +2977,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## -## Delete all user home content symbolic links. +## Delete symbolic links in a user home directory. ## ## ## @@ -2128,19 +2985,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # -interface(`userdom_delete_all_user_home_content_symlinks',` +interface(`userdom_delete_user_home_content_symlinks',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; ') - userdom_search_user_home_dirs($1) - delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:lnk_file delete_lnk_file_perms; ') ######################################## ## -## Delete symbolic links in a user home directory. +## Delete all symbolic links in a user home directory. ## ## ## @@ -2148,12 +3003,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # -interface(`userdom_delete_user_home_content_symlinks',` +interface(`userdom_delete_all_user_home_content_symlinks',` gen_require(` - type user_home_t; + attribute user_home_type; ') - allow $1 user_home_t:lnk_file delete_lnk_file_perms; + allow $1 user_home_type:lnk_file delete_lnk_file_perms; ') ######################################## @@ -2378,6 +3233,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` dontaudit $1 user_tmp_t:dir manage_dir_perms; ') +######################################## +## +## Read user temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_getattr_user_tmp_files',` + gen_require(` + attribute user_tmp_type; + ') + + getattr_files_pattern($1, user_tmp_type, user_tmp_type) + files_search_tmp($1) +') + ######################################## ## ## Read user temporary files. @@ -2390,14 +3264,31 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` - type user_tmp_t; + attribute user_tmp_type; ') - read_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; + read_files_pattern($1, user_tmp_type, user_tmp_type) + allow $1 user_tmp_type:dir list_dir_perms; files_search_tmp($1) ') +######################################## +## +## Read user temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + allow $1 user_tmp_t:file append_inherited_file_perms; +') + ######################################## ## ## Do not audit attempts to read users @@ -2414,7 +3305,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') - dontaudit $1 user_tmp_t:file read_file_perms; + dontaudit $1 user_tmp_t:file read_inherited_file_perms; ') ######################################## @@ -2455,6 +3346,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') +######################################## +## +## Read and write user temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_user_tmp_sock_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir list_dir_perms; + allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms; + files_search_tmp($1) +') ######################################## ## @@ -2538,7 +3448,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user -## temporary symbolic links. +## temporary files. ## ## ## @@ -2546,19 +3456,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # -interface(`userdom_manage_user_tmp_symlinks',` +interface(`userdom_filetrans_named_user_tmp_files',` gen_require(` type user_tmp_t; ') - manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user -## temporary named pipes. +## temporary symbolic links. ## ## ## @@ -2566,19 +3476,60 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # -interface(`userdom_manage_user_tmp_pipes',` +interface(`userdom_manage_user_tmp_symlinks',` gen_require(` type user_tmp_t; ') - manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') ######################################## ## ## Create, read, write, and delete user -## temporary named sockets. +## temporary named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_inherited_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp($1) +') + + +######################################## +## +## Create, read, write, and delete user +## temporary named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user +## temporary named sockets. ## ## ## @@ -2661,6 +3612,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') +####################################### +## +## Getattr user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_getattr_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) +') + ######################################## ## ## Read user tmpfs files. @@ -2672,18 +3638,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.') + userdom_read_user_tmp_files($1) ') ######################################## ## -## Read user tmpfs files. +## Read/Write user tmpfs files. ## ## ## @@ -2692,19 +3653,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - - rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') + userdom_rw_user_tmp_files($1) ') ######################################## ## -## Create, read, write, and delete user tmpfs files. +## Manage user tmpfs files. ## ## ## @@ -2713,13 +3668,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.') + userdom_manage_user_tmp_files($1) +') + +######################################## +## +## Read/Write inherited user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_inherited_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.') + userdom_rw_inherited_user_tmp_files($1) +') + +######################################## +## +## Execute user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_execute_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.') + userdom_execute_user_tmp_files($1) +') + +######################################## +## +## Execute user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_execute_user_tmp_files',` gen_require(` - type user_tmpfs_t; + type user_tmp_t; ') - manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmp_t:file execute; ') ######################################## @@ -2812,6 +3810,24 @@ interface(`userdom_use_user_ttys',` allow $1 user_tty_device_t:chr_file rw_term_perms; ') +######################################## +## +## Read and write a inherited user domain tty. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_use_inherited_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; +') + ######################################## ## ## Read and write a user domain pty. @@ -2832,22 +3848,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## -## Read and write a user TTYs and PTYs. +## Read and write a inherited user domain pty. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_use_inherited_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + +######################################## +## +## Read and write a inherited user TTYs and PTYs. ## ## ##

      -## Allow the specified domain to read and write user +## Allow the specified domain to read and write inherited user ## TTYs and PTYs. This will allow the domain to ## interact with the user via the terminal. Typically ## all interactive applications will require this ## access. ##

      -##

      -## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

      ##
      ## ## @@ -2856,14 +3884,33 @@ interface(`userdom_use_user_ptys',` ## ## # -interface(`userdom_use_user_terminals',` +interface(`userdom_use_inherited_user_terminals',` gen_require(` type user_tty_device_t, user_devpts_t; ') - allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + +####################################### +## +## Allow attempts to read and write +## a user domain tty and pty. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; ') ######################################## @@ -2882,8 +3929,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; - dontaudit $1 user_devpts_t:chr_file rw_term_perms; + dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + + +######################################## +## +## Get attributes of user domain tty and pty. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_getattr_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ') ######################################## @@ -2955,6 +4021,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') +##################################### +## +## Allow domain dyntrans to unpriv userdomain. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dyntransition_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process dyntransition; +') + +#################################### +## +## Allow domain dyntrans to admin userdomain. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dyntransition_admin_users',` + gen_require(` + attribute admindomain; + ') + + allow $1 admindomain:process dyntransition; +') + ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This @@ -2978,24 +4080,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') -####################################### -## -## Read and write unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_rw_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem rw_sem_perms; -') - ######################################## ## ## Manage unpriviledged user SysV sempaphores. @@ -3014,9 +4098,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') -####################################### +######################################## ## -## Read and write unpriviledged user SysV shared +## Manage unpriviledged user SysV shared ## memory segments. ## ## @@ -3025,17 +4109,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # -interface(`userdom_rw_unpriv_user_shared_mem',` +interface(`userdom_manage_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') - allow $1 unpriv_userdomain:shm rw_shm_perms; + allow $1 unpriv_userdomain:shm create_shm_perms; ') ######################################## ## -## Manage unpriviledged user SysV shared +## Destroy unpriviledged user SysV shared ## memory segments. ## ## @@ -3044,12 +4128,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # -interface(`userdom_manage_unpriv_user_shared_mem',` +interface(`userdom_destroy_unpriv_user_shared_mem',` gen_require(` attribute unpriv_userdomain; ') - allow $1 unpriv_userdomain:shm create_shm_perms; + allow $1 unpriv_userdomain:shm destroy; ') ######################################## @@ -3094,7 +4178,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; allow unpriv_userdomain $1:process sigchld; ') @@ -3110,29 +4194,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; ') files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; -') - -######################################## -## -## Send signull to unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# -interface(`userdom_signull_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:process signull; + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## @@ -3214,7 +4282,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; +') + +######################################## +## +## Do not audit attempts to open user ptys. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_open_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + dontaudit $1 user_devpts_t:chr_file open; ') ######################################## @@ -3269,12 +4355,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) ') ######################################## ## -## Do not audit attempts to use user ttys. +## Do not audit attempts to write users +## temporary files. ## ## ## @@ -3282,54 +4369,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # -interface(`userdom_dontaudit_use_user_ttys',` +interface(`userdom_dontaudit_write_user_tmp_files',` gen_require(` - type user_tty_device_t; + type user_tmp_t; ') - dontaudit $1 user_tty_device_t:chr_file rw_file_perms; + dontaudit $1 user_tmp_t:file write; ') ######################################## ## -## Read the process state of all user domains. +## Do not audit attempts to delete users +## temporary files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_read_all_users_state',` +interface(`userdom_dontaudit_delete_user_tmp_files',` gen_require(` - attribute userdomain; + type user_tmp_t; ') - read_files_pattern($1, userdomain, userdomain) - kernel_search_proc($1) + dontaudit $1 user_tmp_t:file delete_file_perms; ') ######################################## ## -## Get the attributes of all user domains. +## Do not audit attempts to read/write users +## temporary fifo files. ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # -interface(`userdom_getattr_all_users',` +interface(`userdom_dontaudit_rw_user_tmp_pipes',` gen_require(` - attribute userdomain; + type user_tmp_t; ') - allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## -## Inherit the file descriptors from all user domains +## Allow domain to read/write inherited users +## fifo files. ## ## ## @@ -3337,7 +4426,81 @@ interface(`userdom_getattr_all_users',` ## ## # -interface(`userdom_use_all_users_fds',` +interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to use user ttys. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + +######################################## +## +## Read the process state of all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; + ') + + read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) +') + +######################################## +## +## Get the attributes of all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process getattr; +') + +######################################## +## +## Inherit the file descriptors from all user domains +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_use_all_users_fds',` gen_require(` attribute userdomain; ') @@ -3382,6 +4545,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') +####################################### +## +## Send signull to all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process signull; +') + +######################################## +## +## Send kill signals to all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_kill_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process sigkill; +') + ######################################## ## ## Send a SIGCHLD signal to all user domains. @@ -3400,6 +4599,60 @@ interface(`userdom_sigchld_all_users',` allow $1 userdomain:process sigchld; ') +######################################## +## +## Read keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key read; +') + +######################################## +## +## Write keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key write; +') + +######################################## +## +## Read and write keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key { read view write }; +') + ######################################## ## ## Create keys for all user domains. @@ -3435,4 +4688,1820 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; + ps_process_pattern($1, userdomain) +') + +######################################## +## +## Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_set_rlimitnh',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process rlimitinh; +') + +######################################## +## +## Define this type as a Allow apps to set rlimits on userdomain +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_unpriv_usertype',` + gen_require(` + attribute unpriv_userdomain, userdomain; + attribute $1_usertype; + ') + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; + + auth_use_nsswitch($2) + ubac_constrained($2) +') + +####################################### +## +## Define this type as a Allow apps to set rlimits on userdomain +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_unpriv_type',` + gen_require(` + attribute unpriv_userdomain, userdomain; + ') + typeattribute $1 unpriv_userdomain; + typeattribute $1 userdomain; + + auth_use_nsswitch($1) + ubac_constrained($1) +') + +######################################## +## +## Connect to users over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_stream_connect',` + gen_require(` + type user_tmp_t; + attribute userdomain; + ') + + stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) +') + +######################################## +## +## Ptrace user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + tunable_policy(`deny_ptrace',`',` + allow $1 userdomain:process ptrace; + ') +') + +######################################## +## +## dontaudit Search /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## dontaudit list /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## +## Allow domain to list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## +## Allow Search /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## +## dontaudit create dirs /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_create_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir create_dir_perms; +') + + +######################################## +## +## allow manage dirs /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_manage_admin_dirs',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir manage_dir_perms; +') + +######################################## +## +## allow manage files /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_manage_admin_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file manage_file_perms; +') + +######################################## +## +## dontaudit manage dirs /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_manage_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir manage_dir_perms; +') + +######################################## +## +## dontaudit manage files /root +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_manage_admin_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file manage_file_perms; +') + +######################################## +## +## RW unpriviledged user SysV sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## +## Send a message to unpriv users over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dgram_send',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + +###################################### +## +## Send a message to users over a unix domain +## datagram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_users_dgram_send',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:unix_dgram_socket sendto; +') + +####################################### +## +## Allow execmod on files in homedirectory +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_execmod_user_home_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file execmod; +') + +######################################## +## +## Read admin home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## +## Delete admin home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_delete_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:file delete_file_perms; +') + +######################################## +## +## Execute admin home files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_exec_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + exec_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## +## Append files inherited +## in the /root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file { getattr append }; +') + + +####################################### +## +## Manage all files/directories in the homedir +## +## +## +## The user domain +## +## +## +# +interface(`userdom_manage_user_home_content',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + +') + +###################################### +## +## Manage all dirs in the homedir +## +## +## +## The user domain +## +## +# +interface(`userdom_manage_all_user_home_type_dirs',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) +') + +###################################### +## +## Manage all files in the homedir +## +## +## +## The user domain +## +## +# +interface(`userdom_manage_all_user_home_type_files',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) +') + +######################################## +## +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +# +interface(`userdom_user_home_dir_filetrans_pattern',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + type_transition $1 user_home_dir_t:$2 user_home_t; +') + +######################################## +## +## Create objects in the /root directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, admin_home_t, $2, $3, $4) +') + +######################################## +## +## Send signull to unprivileged user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_signull_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process signull; +') + +######################################## +## +## Write all users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## +## Manage keys for all user domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + + +######################################## +## +## Do not audit attempts to read and write +## userdomain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Read and write userdomain stream. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_stream',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Do not audit attempts to read and write +## unserdomain datagram socket. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_dgram_socket',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_dgram_socket { read write }; +') + +######################################## +## +## Append files +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + append_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## +## Read files inherited +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_inherited_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file { getattr read }; +') + +######################################## +## +## Dontaudit Read files inherited from the admin home dir. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_inherited_admin_home_files',` + gen_require(` + attribute admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_inherited_file_perms; +') + +######################################## +## +## Dontaudit append files inherited from the admin home dir. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_append_inherited_admin_home_file',` + gen_require(` + attribute admin_home_t; + ') + + dontaudit $1 admin_home_t:file append_inherited_file_perms; +') + +######################################## +## +## Read/Write files inherited +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_inherited_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file rw_inherited_file_perms; +') + +######################################## +## +## Append files inherited +## in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file { getattr append }; +') + +######################################## +## +## Append files inherited +## in a user tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_inherit_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file { getattr append }; +') + +###################################### +## +## Read audio files in the users homedir. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_home_audio_files',` + gen_require(` + type audio_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 audio_home_t:dir list_dir_perms; + read_files_pattern($1, audio_home_t, audio_home_t) + read_lnk_files_pattern($1, audio_home_t, audio_home_t) +') + +###################################### +## +## Manage texlive content in the users homedir. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_manage_home_texlive',` + gen_require(` + type texlive_home_t; + ') + + userdom_search_user_home_dirs($1) + userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012") + userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013") + userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014") + manage_dirs_pattern($1, texlive_home_t, texlive_home_t) + manage_files_pattern($1, texlive_home_t, texlive_home_t) + manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) + allow $1 texlive_home_t:file relabelfrom; +') + +######################################## +## +## Do not audit attempts to write all user home content files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_all_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:file write_inherited_file_perms; +') + +######################################## +## +## Do not audit attempts to write all user tmp content files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_all_user_tmp_content_files',` + gen_require(` + attribute user_tmp_type; + ') + + dontaudit $1 user_tmp_type:file write_inherited_file_perms; +') + +######################################## +## +## Manage all user temporary content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_user_tmp_content',` + gen_require(` + attribute user_tmp_type; + ') + + manage_dirs_pattern($1, user_tmp_type, user_tmp_type) + manage_files_pattern($1, user_tmp_type, user_tmp_type) + manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) + manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) + manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) + files_search_tmp($1) +') + +######################################## +## +## List all user temporary content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_all_user_tmp_content',` + gen_require(` + attribute user_tmp_type; + ') + + list_dirs_pattern($1, user_tmp_type, user_tmp_type) + getattr_files_pattern($1, user_tmp_type, user_tmp_type) + read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) + getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) + getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) + files_search_var($1) + files_search_tmp($1) +') + +######################################## +## +## Manage all user tmpfs content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_all_user_tmpfs_content',` + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') + userdom_manage_all_user_tmp_content($1) +') + +######################################## +## +## Delete all user temporary content. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_tmp_content',` + gen_require(` + attribute user_tmp_type; + ') + + delete_dirs_pattern($1, user_tmp_type, user_tmp_type) + delete_files_pattern($1, user_tmp_type, user_tmp_type) + delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) + delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) + delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) + # /var/tmp + files_search_var($1) + files_delete_tmp_dir_entry($1) +') + +######################################## +## +## Read system SSL certificates in the users homedir. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_home_certs',` + gen_require(` + attribute userdom_home_reader_certs_type; + ') + + typeattribute $1 userdom_home_reader_certs_type; +') + +######################################## +## +## mmap system SSL certificates in the users homedir. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_map_home_certs',` + gen_require(` + type home_cert_t; + ') + + allow $1 home_cert_t:file map; +') + +######################################## +## +## Manage system SSL certificates in the users homedir. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_home_certs',` + gen_require(` + type home_cert_t; + ') + + allow $1 home_cert_t:dir list_dir_perms; + manage_dirs_pattern($1, home_cert_t, home_cert_t) + manage_files_pattern($1, home_cert_t, home_cert_t) + manage_lnk_files_pattern($1, home_cert_t, home_cert_t) + + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert") +') + +####################################### +## +## Dontaudit Write system SSL certificates in the users homedir. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_home_certs',` + gen_require(` + type home_cert_t; + ') + + dontaudit $1 home_cert_t:file write; +') + +######################################## +## +## dontaudit Search getatrr /root files +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_getattr_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file getattr; +') + +######################################## +## +## dontaudit read /root lnk files +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_admin_home_lnk_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read; +') + +######################################## +## +## dontaudit read /root files +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') + +######################################## +## +## Create, read, write, and delete user +## temporary chr files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_tmp_chr_files',` + gen_require(` + type user_tmp_t; + ') + + manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user +## temporary blk files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_tmp_blk_files',` + gen_require(` + type user_tmp_t; + ') + + manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Dontaudit attempt to set attributes on user temporary directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_setattr_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir setattr; +') + +######################################## +## +## Dontaudit attempt to set attributes on user temporary file system files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_setattr_user_tmpfs',` + refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.') + userdom_dontaudit_setattr_user_tmp($1) +') + +######################################## +## +## Read all inherited users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_read_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file read_inherited_file_perms; +') + +######################################## +## +## Read/write/mmap all inherited users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_mmap_rw_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file mmap_rw_inherited_file_perms; +') + +######################################## +## +## Read/write all inherited users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file rw_inherited_file_perms; +') + +######################################## +## +## Write all inherited users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file write; +') + +######################################## +## +## Write all inherited users home files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_inherited_user_home_sock_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:sock_file write; +') + +######################################## +## +## Delete all users files in /tmp +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## +## Delete user tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.') + userdom_delete_user_tmpfs_files($1) +') + +######################################## +## +## Read/Write unpriviledged user SysV shared +## memory segments. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_unpriv_user_shared_mem',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:shm rw_shm_perms; +') + +######################################## +## +## Do not audit attempts to search user +## temporary directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## +## Execute a file in a user home directory +## in the specified domain. +## +## +##

      +## Execute a file in a user home directory +## in the specified domain. +##

      +##

      +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`userdom_domtrans_user_home',` + gen_require(` + type user_home_t; + ') + + read_lnk_files_pattern($1, user_home_t, user_home_t) + domain_transition_pattern($1, user_home_t, $2) + type_transition $1 user_home_t:process $2; +') + +######################################## +## +## Execute a file in a user tmp directory +## in the specified domain. +## +## +##

      +## Execute a file in a user tmp directory +## in the specified domain. +##

      +##

      +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`userdom_domtrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') + +######################################## +## +## Do not audit attempts to read all user home content files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_all_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:file read_file_perms; +') + +######################################## +## +## Do not audit attempts to read all user tmp content files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_read_all_user_tmp_content_files',` + gen_require(` + attribute user_tmp_type; + ') + + dontaudit $1 user_tmp_type:file read_file_perms; +') + +####################################### +## +## Read and write unpriviledged user SysV sempaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_rw_unpriv_user_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## +## Transition to userdom named content +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_filetrans_home_content',` + gen_require(` + attribute userdom_filetrans_type; + ') + + typeattribute $1 userdom_filetrans_type; +') + +######################################## +## +## Make the specified type able to read content in user home dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_home_reader',` + gen_require(` + attribute userdom_home_reader_type; + ') + + typeattribute $1 userdom_home_reader_type; +') + + +######################################## +## +## Make the specified type able to manage content in user home dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_home_manager',` + gen_require(` + attribute userdom_home_manager_type; + ') + + typeattribute $1 userdom_home_manager_type; +') + +######################################## +## +## Create objects in the temporary filesystem directory +## with an automatic type transition to +## the user temporary filesystem type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_tmpfs_filetrans',` + gen_require(` + type user_tmpfs_t; + ') + + fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3) +') + + +####################################### +## +## Create objects in the temporary filesystem directory +## with an automatic type transition to +## the user temporary filesystem type. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`userdom_tmpfs_filetrans_to',` + gen_require(` + type user_tmpfs_t; + ') + + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) +') + +###################################### +## +## File name transition for generic home content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_filetrans_generic_home_content',` + gen_require(` + type home_bin_t; + type audio_home_t; + type home_cert_t; + type user_tmp_t; + ') + + userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin") + userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio") + userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki") + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") + userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") + userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") + + optional_policy(` + gnome_data_filetrans($1, home_cert_t, dir, "certificates") + ') +') + +######################################## +## +## Allow caller to transition to any userdomain +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_transition',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process transition; +') + +######################################## +## +## Do not audit attempts to check the +## access on user content files +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_access_check_user_content',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:dir_file_class_set audit_access; +') + +####################################### +## +## The template containing the most basic rules common to confined admin. +## +## +##

      +## The template containing the most basic rules common to all users. +##

      +##

      +## This template creates a user domain, types, and +## rules for the user's tty and pty. +##

      +##
      +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +# +template(`userdom_confined_admin_template',` + + gen_require(` + attribute confined_admindomain; + attribute userdomain; + type user_devpts_t, user_tty_device_t; + class context contains; + ') + + type $1_t, userdomain, confined_admindomain; + role $1_r; + role $1_r types $1_t; + domain_type($1_t) + domain_user_exemption_target($1_t) + ubac_constrained($1_t) + + auth_use_nsswitch($1_t) + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) + + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_t) + userdom_exec_user_home_content_files($1_t) + ') + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_t) + ') + + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_t) + ') + ') +') + +######################################## +## +## Allow user to run as a secadm +## +## +##

      +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +##

      +##

      +## This is a templated interface, and should only +## be called from a per-userdomain template. +##

      +##
      +## +## +## Domain allowed access. +## +## +## +## +## The role of the object to create. +## +## +# +template(`userdom_security_admin_template',` + allow $1 self:capability { audit_control dac_read_search dac_override }; + + allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms }; + + corecmd_exec_shell($1) + + domain_obj_id_change_exemption($1) + + dev_relabel_all_dev_nodes($1) + + files_create_boot_flag($1) + files_create_default_dir($1) + files_root_filetrans_default($1, dir) + + # Necessary for managing /boot/efi + fs_manage_dos_files($1) + + mls_process_read_up($1) + mls_file_read_all_levels($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + + selinux_set_enforce_mode($1) + selinux_set_all_booleans($1) + selinux_set_parameters($1) + selinux_read_policy($1) + + files_relabel_all_files($1) + + auth_relabel_shadow($1) + + init_exec($1) + + logging_send_syslog_msg($1) + logging_read_audit_log($1) + logging_read_generic_logs($1) + logging_read_audit_config($1) + + seutil_manage_bin_policy($1) + seutil_manage_default_contexts($1) + seutil_manage_file_contexts($1) + seutil_manage_module_store($1) + seutil_manage_config($1) + seutil_manage_login_config($1) + seutil_run_checkpolicy($1,$2) + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) + seutil_run_setfiles($1, $2) + + optional_policy(` + aide_run($1,$2) + ') + + optional_policy(` + consoletype_exec($1) + ') + + optional_policy(` + ipsec_run_setkey($1,$2) + ') + + optional_policy(` + netlabel_run_mgmt($1,$2) + ') + + optional_policy(` + samhain_run($1, $2) + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index f4ac38dc7..cceb511fc 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) ## ##

      -## Allow users to connect to mysql +## Allow users to connect to the local mysql server ##

      ##
      -gen_tunable(allow_user_mysql_connect, false) +gen_tunable(selinuxuser_mysql_connect_enabled, false) ## ##

      ## Allow users to connect to PostgreSQL ##

      ##
      -gen_tunable(allow_user_postgresql_connect, false) +gen_tunable(selinuxuser_postgresql_connect_enabled, false) ## ##

      -## Allow regular users direct mouse access -##

      -##
      -gen_tunable(user_direct_mouse, false) - -## -##

      -## Allow users to read system messages. +## Allow user to r/w files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) ##

      ##
      -gen_tunable(user_dmesg, false) +gen_tunable(selinuxuser_rw_noexattrfile, false) ## ##

      -## Allow user to r/w files on filesystems -## that do not have extended attributes (FAT, CDROM, FLOPPY) +## Allow user music sharing ##

      ##
      -gen_tunable(user_rw_noexattrfile, false) +gen_tunable(selinuxuser_share_music, false) ## ##

      -## Allow w to display everyone +## Allow user to use ssh chroot environment. ##

      ##
      -gen_tunable(user_ttyfile_stat, false) +gen_tunable(selinuxuser_use_ssh_chroot, false) attribute admindomain; +attribute login_userdomain; +attribute confined_admindomain; # all user domains attribute userdomain; @@ -58,6 +53,24 @@ attribute unpriv_userdomain; attribute user_home_content_type; +attribute userdom_home_reader_certs_type; +attribute userdom_home_reader_type; +attribute userdom_home_manager_type; +attribute userdom_filetrans_type; + +# unprivileged user domains +attribute user_home_type; +attribute user_tmp_type; +attribute user_tmpfs_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) +files_poly_member(admin_home_t) +files_poly_parent(admin_home_t) + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) @@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) +files_poly_member(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +ubac_constrained(user_home_t) type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t) ubac_constrained(user_devpts_t) -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +type user_tmp_t, user_tmp_type, user_tmpfs_type; +typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; +typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +typealias user_tmp_t alias xdm_tmp_t; +typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; files_tmp_file(user_tmp_t) +files_tmpfs_file(user_tmp_t) userdom_user_home_content(user_tmp_t) - -type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -files_tmpfs_file(user_tmpfs_t) -userdom_user_home_content(user_tmpfs_t) +files_poly_parent(user_tmp_t) +files_mountpoint(user_tmp_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +type audio_home_t; +userdom_user_home_content(audio_home_t) +ubac_constrained(audio_home_t) + +type texlive_home_t; +userdom_user_home_content(texlive_home_t) +ubac_constrained(texlive_home_t) + +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) + +type home_cert_t; +miscfiles_cert_type(home_cert_t) +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + +tunable_policy(`login_console_enabled',` + term_use_console(userdomain) +') + +allow userdomain userdomain:process signull; +allow userdomain userdomain:fifo_file { map rw_inherited_fifo_file_perms }; +dontaudit unpriv_userdomain self:rawip_socket create_socket_perms; + +# Nautilus causes this avc +domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + +mount_dontaudit_write_mount_pid(unpriv_userdomain) +mount_entry_type(unpriv_userdomain) + +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) + alsa_manage_home_files(unpriv_userdomain) + alsa_relabel_home_files(unpriv_userdomain) +') + +optional_policy(` + gssproxy_stream_connect(userdomain) +') + +optional_policy(` + gnome_filetrans_home_content(userdomain) +') + +optional_policy(` + locallogin_filetrans_home_content(userdomain) +') + +optional_policy(` + pcscd_stream_connect(userdomain) +') + +optional_policy(` + ssh_filetrans_home_content(userdomain) + ssh_rw_tcp_sockets(userdomain) +') + +optional_policy(` + telepathy_filetrans_home_content(userdomain) +') + +optional_policy(` + xserver_filetrans_home_content(userdomain) +') + +# rules for types which can read home certs +allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; +read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +userdom_search_user_home_content(userdom_home_reader_certs_type) +allow userdom_home_reader_certs_type home_cert_t:file map; + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_certs_type) + fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(userdom_home_reader_type) + fs_read_nfs_files(userdom_home_reader_type) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(userdom_home_reader_type) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_read_fusefs_files(userdom_home_reader_type) +') + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_type) + fs_read_ecryptfs_symlinks(userdom_home_reader_type) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(userdom_home_manager_type) + fs_manage_nfs_dirs(userdom_home_manager_type) + fs_manage_nfs_files(userdom_home_manager_type) + fs_manage_nfs_symlinks(userdom_home_manager_type) + fs_mmap_nfs_files(userdom_home_manager_type) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(userdom_home_manager_type) + fs_manage_cifs_files(userdom_home_manager_type) + fs_manage_cifs_symlinks(userdom_home_manager_type) + fs_map_cifs_files(userdom_home_manager_type) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(userdom_home_manager_type) + fs_manage_fusefs_files(userdom_home_manager_type) + fs_manage_fusefs_symlinks(userdom_home_manager_type) + fs_mmap_fusefs_files(userdom_home_manager_type) +') + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_dirs(userdom_home_manager_type) + fs_manage_ecryptfs_files(userdom_home_manager_type) + fs_manage_ecryptfs_symlinks(userdom_home_manager_type) +') + +# vi /etc/mtab can cause an avc trying to relabel to self. +dontaudit userdomain self:file relabelto; + +userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file }) +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") +userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Audio") +userdom_user_home_dir_filetrans(userdom_filetrans_type, audio_home_t, dir, "Music") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013") +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014") +userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp") +userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") + #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") +') + +optional_policy(` + alsa_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + apache_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + auth_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + cvs_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + gnome_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + gpg_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + irc_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + kerberos_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + mozilla_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + mta_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + pulseaudio_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + spamassassin_filetrans_home_content(userdom_filetrans_type) + spamassassin_filetrans_admin_home_content(userdom_filetrans_type) +') + +optional_policy(` + ssh_filetrans_admin_home_content(userdom_filetrans_type) + ssh_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + telepathy_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + thumb_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + tvtime_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + virt_filetrans_home_content(userdom_filetrans_type) +') + +optional_policy(` + xserver_filetrans_home_content(userdom_filetrans_type) + xserver_filetrans_admin_home_content(userdom_filetrans_type) +') + +############################################################ +# Local Policy Confined Admin +# +gen_require(` + class context contains; + class passwd { passwd chfn chsh rootok }; +') + +allow confined_admindomain self:capability ~{ sys_module audit_control audit_write }; +allow confined_admindomain self:capability2 { block_suspend syslog }; +allow confined_admindomain self:process { setexec setfscreate }; +allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv; +allow confined_admindomain self:tun_socket create_socket_perms; +allow confined_admindomain self:packet_socket create_socket_perms; + +# Set password information for other users. +allow confined_admindomain self:passwd { passwd chfn chsh }; +# Skip authentication when pam_rootok is specified. +allow confined_admindomain self:passwd rootok; + +corecmd_shell_entry_type(confined_admindomain) +corecmd_bin_entry_type(confined_admindomain) + +term_user_pty(confined_admindomain, user_devpts_t) +term_user_tty(confined_admindomain, user_tty_device_t) +term_dontaudit_getattr_generic_ptys(confined_admindomain) + +allow confined_admindomain self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; +tunable_policy(`deny_ptrace',`',` + allow confined_admindomain self:process ptrace; +') +allow confined_admindomain self:fd use; +allow confined_admindomain self:key manage_key_perms; + +allow confined_admindomain self:fifo_file rw_fifo_file_perms; +allow confined_admindomain self:unix_dgram_socket { create_socket_perms sendto }; +allow confined_admindomain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow confined_admindomain self:shm create_shm_perms; +allow confined_admindomain self:sem create_sem_perms; +allow confined_admindomain self:msgq create_msgq_perms; +allow confined_admindomain self:msg { send receive }; +allow confined_admindomain self:context contains; +dontaudit confined_admindomain self:socket create; + +allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms }; +term_create_pty(confined_admindomain, user_devpts_t) +# avoid annoying messages on terminal hangup on role change +dontaudit confined_admindomain user_devpts_t:chr_file ioctl; + +allow confined_admindomain user_tty_device_t:chr_file { setattr rw_chr_file_perms }; +# avoid annoying messages on terminal hangup on role change +dontaudit confined_admindomain user_tty_device_t:chr_file ioctl; + +application_exec_all(confined_admindomain) + +kernel_read_kernel_sysctls(confined_admindomain) +kernel_read_all_sysctls(confined_admindomain) +kernel_dontaudit_list_unlabeled(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_files(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_symlinks(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_pipes(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_sockets(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_blk_files(confined_admindomain) +kernel_dontaudit_getattr_unlabeled_chr_files(confined_admindomain) +kernel_dontaudit_list_proc(confined_admindomain) + +dev_dontaudit_getattr_all_blk_files(confined_admindomain) +dev_dontaudit_getattr_all_chr_files(confined_admindomain) +dev_getattr_mtrr_dev(confined_admindomain) + +# When the user domain runs ps, there will be a number of access +# denials when ps tries to search /proc. Do not audit these denials. +domain_dontaudit_read_all_domains_state(confined_admindomain) +domain_dontaudit_getattr_all_domains(confined_admindomain) +domain_dontaudit_getsession_all_domains(confined_admindomain) +dev_dontaudit_all_access_check(confined_admindomain) + +files_read_etc_files(confined_admindomain) +files_list_mnt(confined_admindomain) +files_list_var(confined_admindomain) +files_read_mnt_files(confined_admindomain) +files_dontaudit_all_access_check(confined_admindomain) +files_read_etc_runtime_files(confined_admindomain) +files_read_usr_files(confined_admindomain) +files_read_usr_src_files(confined_admindomain) +# Read directories and files with the readable_t type. +# This type is a general type for "world"-readable files. +files_list_world_readable(confined_admindomain) +files_read_world_readable_files(confined_admindomain) +files_read_world_readable_symlinks(confined_admindomain) +files_read_world_readable_pipes(confined_admindomain) +files_read_world_readable_sockets(confined_admindomain) +# old broswer_domain(): +files_dontaudit_getattr_all_dirs(confined_admindomain) +files_dontaudit_list_non_security(confined_admindomain) +files_dontaudit_getattr_all_files(confined_admindomain) +files_dontaudit_getattr_non_security_symlinks(confined_admindomain) +files_dontaudit_getattr_non_security_pipes(confined_admindomain) +files_dontaudit_getattr_non_security_sockets(confined_admindomain) +files_dontaudit_setattr_etc_runtime_files(confined_admindomain) + +files_exec_usr_files(confined_admindomain) + +fs_list_cgroup_dirs(confined_admindomain) +fs_dontaudit_rw_cgroup_files(confined_admindomain) + +storage_rw_fuse(confined_admindomain) + +init_stream_connect(confined_admindomain) +# The library functions always try to open read-write first, +# then fall back to read-only if it fails. +init_dontaudit_rw_utmp(confined_admindomain) + +libs_exec_ld_so(confined_admindomain) + +miscfiles_read_generic_certs(confined_admindomain) + +miscfiles_read_all_certs(confined_admindomain) +miscfiles_read_public_files(confined_admindomain) + +systemd_dbus_chat_logind(confined_admindomain) +systemd_read_logind_sessions_files(confined_admindomain) +systemd_write_inhibit_pipes(confined_admindomain) +systemd_write_inherited_logind_sessions_pipes(confined_admindomain) +systemd_login_read_pid_files(confined_admindomain) +tunable_policy(`deny_execmem',`', ` + # Allow loading DSOs that require executable stack. + allow confined_admindomain self:process execmem; +') + +tunable_policy(`selinuxuser_execstack',` + # Allow making the stack executable via mprotect. + allow confined_admindomain self:process execstack; +') + +optional_policy(` + fs_list_cgroup_dirs(confined_admindomain) +') + +optional_policy(` + ssh_rw_stream_sockets(confined_admindomain) + ssh_delete_tmp(confined_admindomain) + ssh_signal(confined_admindomain) +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities index db3cbca45..2e47100cf 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -31,3 +31,65 @@ policycap network_peer_controls; # blk_file: open # policycap open_perms; + + +# Enable fine-grained labeling of cgroup and cgroup2 filesystems. +# Requires Linux v4.11 and later. +# +# Added checks: +# (none) +policycap cgroup_seclabel; + + +# Enable NoNewPrivileges support. Requires libsepol 2.7+ +# and kernel 4.14 (estimated). +# +# Checks enabled; +# process2: nnp_transition, nosuid_transition +# +policycap nnp_nosuid_transition; + +# Enable separate security classes for +# all network address families previously +# mapped to the socket class and for +# ICMP and SCTP sockets previously mapped +# to the rawip_socket class. +# +# Classes enabled: +# sctp_socket +# icmp_socket +# ax25_socket +# ipx_socket +# netrom_socket +# bridge_socket +# atmpvc_socket +# x25_socket +# rose_socket +# decnet_socket +# atmsvc_socket +# rds_socket +# irda_socket +# pppox_socket +# llc_socket +# ib_socket +# mpls_socket +# can_socket +# tipc_socket +# bluetooth_socket +# iucv_socket +# rxrpc_socket +# isdn_socket +# phonet_socket +# ieee802154_socket +# caif_socket +# alg_socket +# nfc_socket +# vsock_socket +# kcm_socket +# qipcrtr_socket +# smc_socket +# +# Available in kernel 4.11+. +# Requires libsepol 2.7+ to build policy with this enabled. +# +policycap extended_socket_class; diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index 8b785c9a3..8aa8c3610 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -99,9 +99,21 @@ define(`read_files_pattern',` allow $1 $3:file read_file_perms; ') +define(`mmap_read_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_read_file_perms; +') + define(`mmap_files_pattern',` + # deprecated 20171213 + refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') allow $1 $2:dir search_dir_perms; - allow $1 $3:file mmap_file_perms; + allow $1 $3:file mmap_exec_file_perms; +') + +define(`mmap_exec_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_exec_file_perms; ') define(`exec_files_pattern',` @@ -124,6 +136,11 @@ define(`rw_files_pattern',` allow $1 $3:file rw_file_perms; ') +define(`mmap_rw_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_rw_file_perms; +') + define(`create_files_pattern',` allow $1 $2:dir add_entry_dir_perms; allow $1 $3:file create_file_perms; diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt index 4ca5688c3..355ff953c 100644 --- a/policy/support/misc_macros.spt +++ b/policy/support/misc_macros.spt @@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if # # can_exec(domain,executable) # -define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') +define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };') ######################################## # diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d54501..d2369e17f 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt @@ -2,9 +2,9 @@ # Specified domain transition patterns # define(`domain_transition_pattern',` - allow $1 $2:file { getattr open read execute }; + allow $1 $2:file mmap_exec_file_perms; allow $1 $3:process transition; - dontaudit $1 $3:process { noatsecure siginh rlimitinh }; +# dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') # compatibility: @@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',` domain_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; ') @@ -34,7 +34,7 @@ define(`domtrans_pattern',` domain_auto_transition_pattern($1,$2,$3) allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; allow $3 $1:process sigchld; ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 6e9131723..4b5b81f40 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket bridge_socket dccp_socket ib_socket mpls_socket }') # # Datagram socket classes. @@ -39,12 +38,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') # # Stream socket classes. # -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }') # # Unprivileged socket classes (exclude rawip, netlink, packet). # -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }') ######################################## # @@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }') # # Permissions for using sockets. # -define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') +define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') # # Permissions for creating and using sockets. @@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') -define(`read_file_perms',`{ getattr open read lock ioctl }') -define(`mmap_file_perms',`{ getattr open read execute ioctl }') -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') -define(`append_file_perms',`{ getattr open append lock ioctl }') -define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') +define(`mmap_file_perms',`{ getattr open map read execute ioctl }') +define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }') +define(`mmap_read_file_perms',`{ getattr open map read ioctl }') +define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }') +define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`append_inherited_file_perms',`{ getattr append }') +define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }') +define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') +define(`write_file_perms',`{ open write_inherited_file_perms }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') +define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }') +define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') @@ -179,7 +188,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') @@ -192,7 +201,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') @@ -208,8 +218,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_sock_file_perms',`{ getattr open read write append }') -define(`create_sock_file_perms',`{ getattr create open }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') +define(`create_sock_file_perms',`{ getattr setattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') @@ -225,7 +236,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') @@ -242,7 +254,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') @@ -259,7 +272,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write append ioctl }') +define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }') +define(`rw_term_perms', `{ rw_inherited_term_perms open }') # # Sockets @@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') + +# +# Service +# +define(`manage_service_perms', `{ start stop status reload enable disable } ') diff --git a/policy/users b/policy/users index c4ebc7e43..30d6d7a71 100644 --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no @@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) # SELinux user identity for a Linux user. If you do not want to # permit any access to such users, then remove this entry. # -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. @@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # -ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/support/Makefile.devel b/support/Makefile.devel index b96e9b3d1..ff7340fdb 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -26,7 +26,6 @@ XMLLINT := $(BINDIR)/xmllint # set default build options if missing TYPE ?= standard DIRECT_INITRC ?= n -POLY ?= n QUIET ?= y genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed index 00b94b6ad..90813480d 100644 --- a/support/comment_move_decl.sed +++ b/support/comment_move_decl.sed @@ -6,7 +6,7 @@ /optional \{/,/} # end optional/b nextline /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/ -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/