From 2ec4c9d38fe11946e55ac3f86e792f78660ca1b6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 19 Jul 2005 18:40:31 +0000 Subject: [PATCH] more cleanup --- refpolicy/policy/modules/kernel/filesystem.if | 17 ++ refpolicy/policy/modules/system/domain.if | 83 +++++++- refpolicy/policy/modules/system/miscfiles.if | 108 ++++++++--- refpolicy/policy/modules/system/pcmcia.if | 20 ++ refpolicy/policy/modules/system/userdomain.if | 177 ++++++++---------- 5 files changed, 273 insertions(+), 132 deletions(-) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 254ad4881..825818ccd 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',` allow $1 noxattrfs:filesystem associate; ') +######################################## +## +## Execute files on a filesystem that does +## not support extended attributes. +## +## +## Domain allowed access. +## +# +interface(`fs_exec_noxattr',` + gen_require(` + attribute noxattrfs; + ') + + can_exec($1,noxattrfs) +') + ######################################## ## ## Mount a persistent filesystem which diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 4106bdd02..13cafe0ac 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',` ') ######################################## -## +## ## Read the process state (/proc/pid) of all domains. -## +## ## ## The type of the process performing this action. ## 
@@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',` dontaudit $1 domain:process ptrace; ') +######################################## +## +## Do not audit attempts to read the process +## state (/proc/pid) of all domains. +## +## +## The type of the process performing this action. +## +# +interface(`domain_dontaudit_read_all_domains_state',` + gen_require(` + attribute domain; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file r_file_perms; + class process { getattr ptrace }; + ') + + dontaudit $1 domain:dir r_dir_perms; + dontaudit $1 domain:lnk_file r_file_perms; + dontaudit $1 domain:file r_file_perms; + dontaudit $1 domain:process getattr; + + # We need to suppress this denial because procps tries to access + # /proc/pid/environ and this now triggers a ptrace check in recent kernels + # (2.4 and 2.6). Might want to change procps to not do this, or only if + # running in a privileged domain. + dontaudit $1 domain:process ptrace; +') + ######################################## ## ## Do not audit attempts to read the process state @@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',` ') ######################################## -## +## ## Get the session ID of all domains. -## +## ## ## The type of the process performing this action. ## @@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',` allow $1 domain:process getsession; ') +######################################## +## +## Do not audit attempts to get the +## session ID of all domains. +## +## +## The type of the process performing this action. +## +# +interface(`domain_dontaudit_getsession_all_domains',` + gen_require(` + attribute domain; + class process getsession; + ') + + allow $1 domain:process getsession; +') + +######################################## +## +## Get the attributes of all domains +## sockets, for all socket types. +## +## +##

+## Get the attributes of all domains +## sockets, for all socket types. +##

+##

+## This is commonly used for domains +## that can use lsof on all domains. +##

+##
+## +## Domain allowed access. +## +# +interface(`domain_getattr_all_sockets',` + gen_require(` + gen_require_set(getattr,socket_class_set) + ') + + allow $1 domain:socket_class_set getattr; +') + ######################################## ## ## Do not audit attempts to get the attributes diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index a439efd60..399d502f2 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -1,13 +1,13 @@ ## Miscelaneous files. ######################################## -## -## Allow process to create files and dirs in /var/cache/man -## and /var/catman/ -## -## -## Type type of the process performing this action. -## +## +## Allow process to create files and dirs in /var/cache/man +## and /var/catman/ +## +## +## Type type of the process performing this action. +## # interface(`miscfiles_rw_man_cache',` gen_require(` @@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',` ') ######################################## -## -## Allow process to read fonts files -## -## -## Type type of the process performing this action. -## +## +## Read fonts +## +## +## Type type of the process performing this action. +## # interface(`miscfiles_read_fonts',` gen_require(` @@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',` ') ######################################## -## -## Allow process to read localization info -## -## -## Type type of the process performing this action. -## +## +## Allow process to read localization info +## +## +## Type type of the process performing this action. +## # interface(`miscfiles_read_localization',` gen_require(` 
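Review bot: `domain_dontaudit_getsession_all_domains` in domain.if grants the permission instead of silencing the denial, because its body is `allow $1 domain:process getsession;`, the same rule as `domain_getsession_all_domains` just above it. The rule should read `dontaudit $1 domain:process getsession;`. As written, the new call from `base_user_template` in userdomain.if gives every user domain getsession on all domains, where the TODO rule this commit retires (`dontaudit $1_t domain:process { getattr getsession };`) only suppressed the audit message. In the same hunk, `domain_getattr_all_sockets` uses the `domain` attribute without declaring it, so add `attribute domain;` to its `gen_require` block.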
@@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',` ') ######################################## -## -## Allow process to read legacy time localization info -## -## -## Type type of the process performing this action. -## +## +## Allow process to read legacy time localization info +## +## +## Type type of the process performing this action. +## # interface(`miscfiles_legacy_read_localization',` gen_require(` @@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',` ') ######################################## -## -## Allow process to read manpages -## -## -## Type type of the process performing this action. -## +## +## Allow process to read man pages +## +## +## Type type of the process performing this action. +## # interface(`miscfiles_read_man_pages',` gen_require(` @@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',` allow $1 man_t:lnk_file r_file_perms; ') +######################################## +## +## Read TeX data +## +## +## Type type of the process performing this action. +## +# +interface(`miscfiles_read_tetex_data',` + gen_require(` + type tetex_data_t; + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; + ') + + files_search_var($1) + files_search_var_lib($1) + + # cjp: TeX data can be in either of the above dirs + allow $1 tetex_data_t:dir r_dir_perms; + allow $1 tetex_data_t:file r_file_perms; + allow $1 tetex_data_t:lnk_file r_file_perms; +') + +######################################## +## +## Execute TeX data programs in the caller domain. +## +## +## Type type of the process performing this action. +## +# +interface(`miscfiles_exec_tetex_data',` + gen_require(` + type fonts_t; + class dir r_dir_perms; + ') + + files_search_var($1) + files_search_var_lib($1) + + # cjp: TeX data can be in either of the above dirs + allow $1 tetex_data_t:dir r_dir_perms; + can_exec($1,tetex_data_t) +') 
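Review bot: `miscfiles_exec_tetex_data` declares the wrong type: its `gen_require` block lists `type fonts_t;`, but both rules in the body reference `tetex_data_t`. Replace the declaration with `type tetex_data_t;`, as `miscfiles_read_tetex_data` directly above does, so the interface requires exactly what it grants access to. The comment `# cjp: TeX data can be in either of the above dirs` would also be easier to follow if it sat before the two `files_search_*` calls it refers to.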
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if index 389ba9bf4..96cddbf88 100644 --- a/refpolicy/policy/modules/system/pcmcia.if +++ b/refpolicy/policy/modules/system/pcmcia.if @@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',` allow cardmgr_t $3:chr_file rw_term_perms; ') +######################################## +## +## Read cardmgr pid files. +## +## +## Domain allowed access. +## +# +interface(`pcmcia_read_pid',` + gen_require(` + type cardmgr_var_run_t; + class dir r_dir_perms; + class file r_file_perms; + ') + + files_search_pids($1) + allow $1 cardmgr_var_run_t:dir r_dir_perms; + allow $1 cardmgr_var_run_t:file r_file_perms; +') + ######################################## ## ## Create, read, write, and delete diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 5a25579a8..3e386edcf 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -156,6 +156,7 @@ template(`base_user_template',` fs_get_all_fs_quotas($1_t) fs_getattr_all_fs($1_t) fs_search_auto_mountpoints($1_t) + fs_exec_noxattr($1_t) # for eject storage_getattr_fixed_disk($1_t) @@ -171,6 +172,10 @@ template(`base_user_template',` domain_exec_all_entry_files($1_t) domain_use_wide_inherit_fd($1_t) + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. + domain_dontaudit_read_all_domains_state($1_t) + domain_dontaudit_getsession_all_domains($1_t) files_exec_etc_files($1_t) files_read_usr_src_files($1_t) @@ -188,6 +193,9 @@ template(`base_user_template',` miscfiles_read_localization($1_t) miscfiles_rw_man_cache($1_t) + # for running TeX programs + miscfiles_read_tetex_data($1_t) + miscfiles_exec_tetex_data($1_t) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) 
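Review bot: `fs_exec_noxattr($1_t)` is added to `base_user_template` unconditionally, so every user domain built from the template may execute files from any filesystem carrying the `noxattrfs` attribute. Such filesystems cannot store per-file labels, so the grant covers everything on them rather than a reviewed set of executables. The TODO block later in this template already places write access to the same class of files behind the `user_rw_noexattrfile` tunable. Consider gating execute access the same way so it can be switched off. The template body starts and ends outside this hunk.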
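Review bot: The comment added with `domain_dontaudit_read_all_domains_state($1_t)` describes only ps searching /proc, but the interface it calls also contains `dontaudit $1 domain:process ptrace;`, which the retired TODO rule `dontaudit $1_t domain:process { getattr getsession };` did not cover. Every user domain built from this template then has its ptrace denials against any domain dropped from the audit log, not just the ones procps triggers. Say so in the comment, for example `# Also silences ptrace denials (procps reading /proc/pid/environ).`, or move the ptrace rule into a separate interface so callers opt in to it. The template body starts and ends outside this hunk.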
@@ -198,6 +206,14 @@ template(`base_user_template',` allow $1_t self:process execmem; ') + tunable_policy(`read_default_t',` + files_list_default($1_t) + files_read_default_files($1_t) + files_read_default_symlinks($1_t) + files_read_default_sockets($1_t) + files_read_default_pipes($1_t) + ') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_t) fs_manage_nfs_files($1_t) @@ -236,6 +252,11 @@ template(`base_user_template',` nscd_use_socket($1_t) ') + optional_policy(`pcmcia.te',` + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_t) + ') + optional_policy(`rpm.te',` files_getattr_var_lib_dir($1_t) files_search_var_lib($1_t) @@ -248,11 +269,6 @@ template(`base_user_template',` ifdef(`TODO',` - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. - dontaudit $1_t domain:dir r_dir_perms; - dontaudit $1_t domain:notdevfile_class_set r_file_perms; - dontaudit $1_t domain:process { getattr getsession }; # # Cups daemon running as user tries to write /etc/printcap # @@ -271,11 +287,6 @@ template(`base_user_template',` # /initrd is left mounted, various programs try to look at it dontaudit $1_t ramfs_t:dir getattr; - tunable_policy(`read_default_t',` - allow $1_t default_t:dir r_dir_perms; - allow $1_t default_t:notdevfile_class_set r_file_perms; - ') - # # Running ifconfig as a user generates the following # @@ -303,11 +314,8 @@ template(`base_user_template',` dontaudit $1_t sysctl_t:dir_file_class_set getattr; dontaudit $1_t proc_fs:dir { read search }; - can_exec($1_t, { removable_t noexattrfile } ) - tunable_policy(`user_rw_noexattrfile',` create_dir_file($1_t, noexattrfile) - create_dir_file($1_t, removable_t) # Write floppies storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) 
@@ -321,12 +329,6 @@ template(`base_user_template',` allow $1_t usbtty_device_t:chr_file read; - can_exec($1_t, noexattrfile) - - # for running TeX programs - r_dir_file($1_t, tetex_data_t) - can_exec($1_t, tetex_data_t) - can_resmgrd_connect($1_t) # Grant permissions to access the system DBus @@ -350,22 +352,19 @@ template(`base_user_template',` allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms; ') - # Connect to inetd. ifdef(`inetd.te', ` + # Connect to inetd. can_tcp_connect($1_t, inetd_t) can_udp_send($1_t, inetd_t) can_udp_send(inetd_t, $1_t) + # Inherit and use sockets from inetd + allow $1_t inetd_t:fd use; + allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; ') # Connect to portmap. ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)') - # Inherit and use sockets from inetd - ifdef(`inetd.te', ` - allow $1_t inetd_t:fd use; - allow $1_t inetd_t:tcp_socket rw_stream_socket_perms; - ') - ifdef(`xserver.te', ` # for /tmp/.ICE-unix file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file) @@ -398,11 +397,6 @@ template(`base_user_template',` create_dir_file($1_t, nfsd_rw_t) ') - ifdef(`cardmgr.te', ` - # to allow monitoring of pcmcia status - allow $1_t cardmgr_var_run_t:file r_file_perms; - ') - # # Allow graphical boot to check battery lifespan # @@ -417,7 +411,7 @@ template(`base_user_template',` ') dnl endif TODO -')dnl end base_user_domain macro +') ####################################### ## 
@@ -496,6 +490,14 @@ template(`unpriv_user_template', ` files_read_etc_files($1_t) files_list_home($1_t) files_read_usr_files($1_t) + files_exec_usr_files($1_t) + # Read directories and files with the readable_t type. + # This type is a general type for "world"-readable files. + files_list_world_readable($1_t) + files_read_world_readable_files($1_t) + files_read_world_readable_symlinks($1_t) + files_read_world_readable_pipes($1_t) + files_read_world_readable_sockets($1_t) init_read_script_pid($1_t) # The library functions always try to open read-write first, @@ -567,18 +569,6 @@ template(`unpriv_user_template', ` ') ') - tunable_policy(`read_default_t',` - allow $1 default_t:dir r_dir_perms; - allow $1 default_t:notdevfile_class_set r_file_perms; - ') - - can_exec($1_t, usr_t) - - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. - allow $1_t readable_t:dir r_dir_perms; - allow $1_t readable_t:notdevfile_class_set r_file_perms; - # Stat lost+found. allow $1_t lost_found_t:dir getattr; @@ -644,8 +634,7 @@ template(`unpriv_user_template', ` ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. ##

-## -## +##

## The privileges given to administrative users are: ##

    ##
  • Raw disk access
  • @@ -658,7 +647,8 @@ template(`unpriv_user_template', ` ##
  • Manage source and binary format SELinux policy
  • ##
  • Run insmod
  • ##
-##
+##

+## ## ## The prefix of the user domain (e.g., sysadm ## is the prefix for sysadm_t). @@ -724,13 +714,26 @@ template(`admin_user_template',` kernel_read_ring_buffer($1_t) kernel_get_sysvipc_info($1_t) kernel_rw_all_sysctl($1_t) - # signal unlabeled processes: kernel_kill_unlabeled($1_t) kernel_signal_unlabeled($1_t) kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) + # for the administrator to run TCP servers directly + kernel_tcp_recvfrom($1_t) + + corenet_tcp_bind_generic_port($1_t) + # allow setting up tunnels + corenet_use_tun_tap_device($1_t) + + dev_getattr_generic_blk_file($1_t) + dev_getattr_generic_chr_file($1_t) + dev_getattr_all_blk_files($1_t) + dev_getattr_all_chr_files($1_t) + + fs_getattr_all_fs($1_t) + fs_set_all_quotas($1_t) selinux_set_enforce_mode($1_t) selinux_set_boolean($1_t) @@ -743,16 +746,6 @@ template(`admin_user_template',` selinux_compute_relabel_context($1_t) selinux_compute_user_contexts($1_t) - corenet_tcp_bind_generic_port($1_t) - - dev_getattr_generic_blk_file($1_t) - dev_getattr_generic_chr_file($1_t) - dev_getattr_all_blk_files($1_t) - dev_getattr_all_chr_files($1_t) - - fs_getattr_all_fs($1_t) - fs_set_all_quotas($1_t) - storage_raw_read_removable_device($1_t) storage_raw_write_removable_device($1_t) @@ -761,6 +754,7 @@ template(`admin_user_template',` term_use_all_user_ptys($1_t) term_use_all_user_ttys($1_t) + auth_getattr_shadow($1_t) # Manage almost all files auth_manage_all_files_except_shadow($1_t) # Relabel almost all files @@ -775,6 +769,8 @@ template(`admin_user_template',` domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t) domain_sigchld_all_domains($1_t) + # for lsof + domain_getattr_all_sockets($1_t) files_exec_usr_files($1_t) 
@@ -799,44 +795,45 @@ template(`admin_user_template',` ifdef(`TODO',` - # Let admin stat the shadow file. - allow $1_t shadow_t:file getattr; - # for lsof allow $1_t mtrr_device_t:file getattr; + # for lsof + allow $1_t eventpollfs_t:file getattr; + allow $1_t serial_device:chr_file setattr; - # allow setting up tunnels - allow $1_t tun_tap_device_t:chr_file rw_file_perms; - allow $1_t ptyfile:chr_file getattr; - # Run programs from staff home directories. - # Not ideal, but typical if users want to login as both sysadm_t or staff_t. - can_exec($1_t, staff_home_t) - # Run admin programs that require different permissions in their own domain. # These rules were moved into the appropriate program domain file. - ifdef(`startx.te', ` - ifdef(`xserver.te', ` - # Create files in /tmp/.X11-unix with our X servers derived - # tmp type rather than user_xserver_tmp_t. - file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) - ') + ifdef(`xserver.te', ` + # Create files in /tmp/.X11-unix with our X servers derived + # tmp type rather than user_xserver_tmp_t. + file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file) ') + ifdef(`xdm.te', ` - ifdef(`xauth.te', ` - tunable_policy(`xdm_sysadm_login',` - allow xdm_t $1_home_t:lnk_file read; - allow xdm_t $1_home_t:dir search; - ') - allow $1_t xdm_t:fifo_file rw_file_perms; + tunable_policy(`xdm_sysadm_login',` + allow xdm_t $1_home_t:lnk_file read; + allow xdm_t $1_home_t:dir search; ') + allow $1_t xdm_t:fifo_file rw_file_perms; ') + # Connect data port to ftpd. + ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') + + # Connect second port to rshd. 
+ ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') + + # Allow MAKEDEV to work + allow $1_t device_t:dir rw_dir_perms; + allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; + allow $1_t device_t:lnk_file { create read }; + # # A user who is authorized for sysadm_t may nonetheless have # a home directory labeled with user_home_t if the user is expected @@ -850,23 +847,9 @@ template(`admin_user_template',` allow $1_gph_t user_home_type:file create_file_perms; ') - # for the administrator to run TCP servers directly - allow $1_t kernel_t:tcp_socket recvfrom; - - # Connect data port to ftpd. - ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)') - - # Connect second port to rshd. - ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)') - - # Allow MAKEDEV to work - allow $1_t device_t:dir rw_dir_perms; - allow $1_t device_type:{ blk_file chr_file } { create unlink rename }; - allow $1_t device_t:lnk_file { create read }; - - # for lsof - allow $1_t domain:socket_class_set getattr; - allow $1_t eventpollfs_t:file getattr; + # Run programs from staff home directories. + # Not ideal, but typical if users want to login as both sysadm_t or staff_t. + can_exec($1_t, staff_home_t) ') dnl endif TODO ')