selinux-refpolicy/policy/modules/system/selinuxutil.te

698 lines
18 KiB
Plaintext
Raw Normal View History

policy_module(selinuxutil, 1.28.1)
gen_require(` #selint-disable:S-001
bool secure_mode;
2005-10-18 18:25:33 +00:00
')
########################################
2005-04-14 20:18:17 +00:00
#
# Declarations
2005-04-14 20:18:17 +00:00
#
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
attribute_role newrole_roles;
attribute_role run_init_roles;
role system_r types run_init_t;
attribute_role semanage_roles;
roleattribute system_r semanage_roles;
2005-11-29 21:27:15 +00:00
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
# cjp: this is out of order due to rules
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
files_type(selinux_config_t)
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
2007-07-19 18:57:48 +00:00
application_domain(checkpolicy_t, checkpolicy_exec_t)
role system_r types checkpolicy_t;
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
2011-08-25 11:43:36 +00:00
files_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
files_type(file_context_t)
type load_policy_t;
type load_policy_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(load_policy_t, load_policy_exec_t)
2007-07-19 18:57:48 +00:00
role system_r types load_policy_t;
2005-09-26 20:26:32 +00:00
type newrole_t;
2007-07-19 18:57:48 +00:00
type newrole_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(newrole_t, newrole_exec_t)
2006-02-02 21:08:12 +00:00
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
2006-02-20 21:33:25 +00:00
domain_interactive_fd(newrole_t)
2012-02-27 15:18:00 +00:00
role newrole_roles types newrole_t;
2005-04-14 20:18:17 +00:00
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t;
files_security_file(policy_config_t)
2005-04-14 20:18:17 +00:00
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
2005-04-14 20:18:17 +00:00
#
# policy_src_t is the type of the policy source
# files.
#
type policy_src_t;
files_type(policy_src_t)
2005-04-14 20:18:17 +00:00
type restorecond_t;
type restorecond_exec_t;
2009-06-26 14:40:13 +00:00
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
role system_r types restorecond_t;
2016-08-06 23:14:18 +00:00
type restorecond_unit_t;
init_unit_file(restorecond_unit_t)
type restorecond_run_t;
typealias restorecond_run_t alias restorecond_var_run_t;
files_runtime_file(restorecond_run_t)
type run_init_t;
type run_init_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(run_init_t, run_init_exec_t)
2006-02-02 21:08:12 +00:00
domain_system_change_exemption(run_init_t)
2012-02-27 15:18:00 +00:00
role run_init_roles types run_init_t;
type semanage_t;
type semanage_exec_t;
2009-06-26 14:40:13 +00:00
application_domain(semanage_t, semanage_exec_t)
2007-08-20 15:15:03 +00:00
domain_interactive_fd(semanage_t)
role semanage_roles types semanage_t;
type semanage_store_t alias semanage_var_lib_t;
files_type(semanage_store_t)
type semanage_read_lock_t;
files_type(semanage_read_lock_t)
2011-08-25 11:43:36 +00:00
type semanage_tmp_t;
files_tmp_file(semanage_tmp_t)
2011-08-25 11:43:36 +00:00
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)
2007-05-11 17:10:43 +00:00
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
2009-06-26 14:40:13 +00:00
init_system_domain(setfiles_t, setfiles_exec_t)
2006-02-02 21:08:12 +00:00
domain_obj_id_change_exemption(setfiles_t)
########################################
2005-04-14 20:18:17 +00:00
#
# Checkpolicy local policy
2005-04-14 20:18:17 +00:00
#
allow checkpolicy_t self:capability dac_override;
2005-04-14 20:18:17 +00:00
# able to create and modify binary policy files
2009-06-26 14:40:13 +00:00
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
2005-05-09 18:50:20 +00:00
# allow test policies to be created in src directories
2009-06-26 14:40:13 +00:00
filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
2005-05-09 18:50:20 +00:00
# only allow read of policy source files
2009-06-26 14:40:13 +00:00
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
2006-12-12 20:08:08 +00:00
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
2006-02-20 21:33:25 +00:00
domain_use_interactive_fds(checkpolicy_t)
2005-05-18 21:00:56 +00:00
2005-09-22 21:59:50 +00:00
files_list_usr(checkpolicy_t)
# directory search permissions for path to source and binary policy files
2005-06-13 17:35:46 +00:00
files_search_etc(checkpolicy_t)
2007-11-16 15:39:09 +00:00
fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(checkpolicy_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(checkpolicy_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(checkpolicy_t)
2005-05-18 21:00:56 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(checkpolicy_t)
')
')
########################################
#
# Load_policy local policy
#
allow load_policy_t self:capability dac_override;
# only allow read of policy config files
2011-08-25 11:43:36 +00:00
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow load_policy_t policy_config_t:file map;
2017-04-29 15:25:13 +00:00
dev_read_urand(load_policy_t)
domain_use_interactive_fds(load_policy_t)
# for mcs.conf
files_read_etc_files(load_policy_t)
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_all_booleans(load_policy_t)
2005-06-10 01:01:13 +00:00
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
2006-02-20 21:33:25 +00:00
init_use_script_fds(load_policy_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(load_policy_t)
miscfiles_read_localization(load_policy_t)
seutil_libselinux_linked(load_policy_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(load_policy_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(load_policy_t)
2005-05-18 21:00:56 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(load_policy_t)
')
')
2006-01-06 22:51:40 +00:00
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
2007-11-16 15:39:09 +00:00
optional_policy(`
2006-02-02 21:08:12 +00:00
unconfined_dontaudit_read_pipes(load_policy_t)
2006-01-06 22:51:40 +00:00
')
')
optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
')
########################################
#
# Newrole local policy
#
allow newrole_t self:capability { dac_override fowner setgid setuid };
dontaudit newrole_t self:capability net_admin;
allow newrole_t self:process { setcap setexec };
allow newrole_t self:fd use;
2006-12-12 20:08:08 +00:00
allow newrole_t self:fifo_file rw_fifo_file_perms;
allow newrole_t self:sock_file read_sock_file_perms;
2005-06-09 18:08:26 +00:00
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
2005-10-14 17:55:40 +00:00
allow newrole_t self:unix_dgram_socket sendto;
2005-11-10 21:37:54 +00:00
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
2006-01-06 22:51:40 +00:00
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
2009-06-26 14:40:13 +00:00
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)
2007-11-16 15:39:09 +00:00
corecmd_list_bin(newrole_t)
dev_read_urand(newrole_t)
2007-11-16 15:39:09 +00:00
domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
fs_getattr_xattr_fs(newrole_t)
2005-06-27 16:30:55 +00:00
fs_search_auto_mountpoints(newrole_t)
mls_file_read_all_levels(newrole_t)
mls_file_write_all_levels(newrole_t)
2005-09-26 20:26:32 +00:00
mls_file_upgrade(newrole_t)
mls_file_downgrade(newrole_t)
mls_process_set_level(newrole_t)
mls_fd_share_all_levels(newrole_t)
2005-09-26 20:26:32 +00:00
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t)
selinux_compute_relabel_context(newrole_t)
selinux_compute_user_contexts(newrole_t)
term_use_all_ttys(newrole_t)
term_use_all_ptys(newrole_t)
term_relabel_all_ttys(newrole_t)
term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
auth_use_nsswitch(newrole_t)
auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
2005-05-04 17:01:46 +00:00
# Write to utmp.
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(newrole_t)
2005-05-09 18:50:20 +00:00
miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
# for some PAM modules and for cwd
2008-11-05 16:10:46 +00:00
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
2005-05-09 18:50:20 +00:00
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
')
')
ifdef(`init_systemd',`
optional_policy(`
systemd_use_logind_fds(newrole_t)
systemd_dbus_chat_logind(newrole_t)
')
')
optional_policy(`
auth_use_pam_systemd(newrole_t)
')
optional_policy(`
dbus_system_bus_client(newrole_t)
')
# if secure mode is enabled, then newrole
# can only transition to unprivileged users
if(secure_mode) {
userdom_spec_domtrans_unpriv_users(newrole_t)
} else {
userdom_spec_domtrans_all_users(newrole_t)
}
2005-06-21 17:01:45 +00:00
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
')
optional_policy(`
systemd_use_logind_fds(newrole_t)
')
########################################
#
# Restorecond local policy
#
allow restorecond_t self:capability { dac_override dac_read_search fowner };
2006-12-12 20:08:08 +00:00
allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_run_t:file manage_file_perms;
files_runtime_filetrans(restorecond_t, restorecond_run_t, file)
kernel_getattr_debugfs(restorecond_t)
kernel_read_system_state(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_use_fds(restorecond_t)
kernel_list_unlabeled(restorecond_t)
kernel_relabelfrom_unlabeled_dirs(restorecond_t)
kernel_relabelfrom_unlabeled_files(restorecond_t)
kernel_relabelfrom_unlabeled_symlinks(restorecond_t)
kernel_relabelfrom_unlabeled_pipes(restorecond_t)
kernel_relabelfrom_unlabeled_sockets(restorecond_t)
kernel_relabelfrom_unlabeled_blk_devs(restorecond_t)
kernel_relabelfrom_unlabeled_chr_devs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_all_xattr_fs(restorecond_t)
selinuxutil: allow restorecond to try counting the number of files in cgroup fs When restorecond calls selinux_restorecon(), libselinux scans /proc/mounts in a function named exclude_non_seclabel_mounts with the following comment (https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230): /* * This is called once when selinux_restorecon() is first called. * Searches /proc/mounts for all file systems that do not support extended * attributes and adds them to the exclude directory table. File systems * that support security labels have the seclabel option, return * approximate total file count. */ The "approximate total file count" is computed using statvfs(), which results in a system call to statfs(). The cgroup filesystem supports security label (/proc/mounts shows "seclabel") so restorecond uses statfs to try counting the number of its inodes. This result in the following denial: type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for pid=314 comm="restorecond" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0 type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137 success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55 a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond" subj=system_u:system_r:restorecond_t key=(null) type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond" Allow this, like commit 5125b8eb2d58 ("last misc stuff") did for setfiles_t.
2019-01-05 22:36:18 +00:00
fs_getattr_cgroup(restorecond_t)
fs_getattr_pstore_dirs(restorecond_t)
fs_getattr_tracefs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
2017-04-29 15:25:13 +00:00
fs_getattr_pstorefs(restorecond_t)
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_dontaudit_read_all_symlinks(restorecond_t)
auth_use_nsswitch(restorecond_t)
logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
seutil_read_default_contexts(restorecond_t)
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
')
')
optional_policy(`
locallogin_dontaudit_use_fds(restorecond_t)
')
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
#################################
#
# Run_init local policy
#
allow run_init_roles system_r;
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_fifo_file_perms;
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
2007-11-16 15:39:09 +00:00
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
2007-11-16 15:39:09 +00:00
fs_getattr_xattr_fs(run_init_t)
mls_rangetrans_source(run_init_t)
selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
auth_use_nsswitch(run_init_t)
auth_run_chk_passwd(run_init_t, run_init_roles)
auth_run_upd_passwd(run_init_t, run_init_roles)
2007-11-16 15:39:09 +00:00
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
2007-11-16 15:39:09 +00:00
logging_send_syslog_msg(run_init_t)
miscfiles_read_localization(run_init_t)
2007-11-16 15:39:09 +00:00
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
2008-11-05 16:10:46 +00:00
userdom_use_user_terminals(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
init_script_file_entry_type(run_init_t)
init_exec_rc(run_init_t)
')
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
')
')
optional_policy(`
daemontools_domtrans_start(run_init_t)
')
########################################
#
# semodule local policy
#
allow semanage_t self:capability { audit_write dac_override };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow semanage_t self:fifo_file rw_fifo_file_perms;
allow semanage_t policy_config_t:file rw_file_perms;
allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
2006-12-12 20:08:08 +00:00
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_exec_file_perms };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
2017-04-29 15:25:13 +00:00
corecmd_exec_shell(semanage_t)
dev_read_urand(semanage_t)
2006-08-23 19:36:04 +00:00
domain_use_interactive_fds(semanage_t)
files_read_etc_files(semanage_t)
files_read_etc_runtime_files(semanage_t)
files_map_usr_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_runtime(semanage_t)
mls_file_write_all_levels(semanage_t)
mls_file_read_all_levels(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
selinux_getattr_fs(semanage_t)
# for setsebool:
selinux_set_all_booleans(semanage_t)
term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
2007-11-16 15:39:09 +00:00
seutil_manage_config(semanage_t)
seutil_manage_config_dirs(semanage_t)
seutil_run_setfiles(semanage_t, semanage_roles)
seutil_run_loadpolicy(semanage_t, semanage_roles)
seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t)
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
2006-08-18 14:01:48 +00:00
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
semanage_t able to read from user homedirs. Make semanage_t able to read from user homedirs or /tmp. Otherwise it would fail to upgrade a .pp installed in there with below error messages. BTW, semanage_t should be able to upgrade existing pp no matter if the MLS is enabled or not. root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir semodule: Failed on selinuxutil.pp! root@qemu-host:/root> setenforce 0 type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295 root@qemu-host:/root> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-04 09:25:50 +00:00
# Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
userdom_map_user_home_content_files(semanage_t)
semanage_t able to read from user homedirs. Make semanage_t able to read from user homedirs or /tmp. Otherwise it would fail to upgrade a .pp installed in there with below error messages. BTW, semanage_t should be able to upgrade existing pp no matter if the MLS is enabled or not. root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir semodule: Failed on selinuxutil.pp! root@qemu-host:/root> setenforce 0 type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295 root@qemu-host:/root> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-04 09:25:50 +00:00
userdom_read_user_tmp_files(semanage_t)
userdom_map_user_tmp_files(semanage_t)
semanage_t able to read from user homedirs. Make semanage_t able to read from user homedirs or /tmp. Otherwise it would fail to upgrade a .pp installed in there with below error messages. BTW, semanage_t should be able to upgrade existing pp no matter if the MLS is enabled or not. root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir semodule: Failed on selinuxutil.pp! root@qemu-host:/root> setenforce 0 type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 root@qemu-host:/root> semodule -u selinuxutil.pp type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295 root@qemu-host:/root> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-04 09:25:50 +00:00
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(semanage_t)
')
')
ifdef(`init_systemd',`
optional_policy(`
init_dbus_chat(semanage_t)
dbus_system_bus_client(semanage_t)
')
')
optional_policy(`
locallogin_use_fds(semanage_t)
')
########################################
#
# Setfiles local policy
#
allow setfiles_t self:capability { dac_override dac_read_search fowner };
2007-05-11 17:10:43 +00:00
dontaudit setfiles_t self:capability sys_tty_config;
allow setfiles_t self:fifo_file rw_fifo_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow setfiles_t file_context_t:file map;
kernel_read_system_state(setfiles_t)
2006-02-03 17:57:16 +00:00
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
kernel_relabelfrom_unlabeled_pipes(setfiles_t)
kernel_relabelfrom_unlabeled_sockets(setfiles_t)
kernel_relabelfrom_unlabeled_blk_devs(setfiles_t)
kernel_relabelfrom_unlabeled_chr_devs(setfiles_t)
2007-05-11 17:10:43 +00:00
kernel_use_fds(setfiles_t)
kernel_rw_pipes(setfiles_t)
kernel_rw_unix_dgram_sockets(setfiles_t)
kernel_dontaudit_list_all_proc(setfiles_t)
kernel_dontaudit_list_all_sysctls(setfiles_t)
kernel_getattr_debugfs(setfiles_t)
2006-02-03 17:57:16 +00:00
dev_read_urand(setfiles_t)
2006-02-03 17:57:16 +00:00
dev_relabel_all_dev_nodes(setfiles_t)
# to handle when /dev/console needs to be relabeled
dev_rw_generic_chr_files(setfiles_t)
2007-11-16 15:39:09 +00:00
domain_use_interactive_fds(setfiles_t)
domain_dontaudit_search_all_domains_state(setfiles_t)
files_read_etc_runtime_files(setfiles_t)
files_read_etc_files(setfiles_t)
files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
2010-02-18 01:30:42 +00:00
files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
2007-11-16 15:39:09 +00:00
fs_getattr_all_xattr_fs(setfiles_t)
fs_getattr_cgroup(setfiles_t)
2017-04-29 15:25:13 +00:00
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
fs_getattr_tracefs(setfiles_t)
fs_getattr_tracefs_files(setfiles_t)
fs_list_all(setfiles_t)
2007-05-11 17:10:43 +00:00
fs_relabelfrom_noxattr_fs(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
mls_file_read_all_levels(setfiles_t)
mls_file_write_all_levels(setfiles_t)
mls_file_upgrade(setfiles_t)
mls_file_downgrade(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
selinux_compute_create_context(setfiles_t)
selinux_compute_relabel_context(setfiles_t)
selinux_compute_user_contexts(setfiles_t)
term_use_all_ttys(setfiles_t)
term_use_all_ptys(setfiles_t)
2006-02-02 21:08:12 +00:00
term_use_unallocated_ttys(setfiles_t)
2006-02-03 17:57:16 +00:00
# this is to satisfy the assertion:
auth_relabelto_shadow(setfiles_t)
init_use_fds(setfiles_t)
2006-02-20 21:33:25 +00:00
init_use_script_fds(setfiles_t)
2006-02-02 21:08:12 +00:00
init_use_script_ptys(setfiles_t)
init_exec_script_files(setfiles_t)
logging_send_audit_msgs(setfiles_t)
2005-06-13 17:35:46 +00:00
logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
seutil_libselinux_linked(setfiles_t)
seutil_read_module_store(setfiles_t)
2006-02-20 21:33:25 +00:00
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
2008-11-05 16:10:46 +00:00
userdom_read_user_home_content_files(setfiles_t)
ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
# and then relabeled afterwards; thus
# /dev/console has the tmpfs type
fs_rw_tmpfs_chr_files(setfiles_t)
')
2007-05-11 17:10:43 +00:00
ifdef(`distro_redhat', `
fs_rw_tmpfs_chr_files(setfiles_t)
fs_rw_tmpfs_blk_files(setfiles_t)
fs_relabel_tmpfs_blk_file(setfiles_t)
fs_relabel_tmpfs_chr_file(setfiles_t)
')
2008-02-05 18:24:43 +00:00
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(setfiles_t)
')
')
ifdef(`hide_broken_symptoms',`
2007-05-11 17:10:43 +00:00
optional_policy(`
udev_dontaudit_rw_dgram_sockets(setfiles_t)
')
# cjp: cover up stray file descriptors.
optional_policy(`
unconfined_dontaudit_read_pipes(setfiles_t)
2007-05-11 17:10:43 +00:00
unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
')
')
2007-05-11 17:10:43 +00:00
optional_policy(`
apt_use_fds(setfiles_t)
')