more cleanup

2005-07-19 18:40:31 +00:00 · 2005-07-19 18:40:31 +00:00 · 2ec4c9d38f
parent 8b0bbdda34
commit 2ec4c9d38f
5 changed files with 273 additions and 132 deletions
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',`
 	allow $1 noxattrfs:filesystem associate;
 ')
 ########################################
 ## <summary>
 ##	Execute files on a filesystem that does
 ##	not support extended attributes.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`fs_exec_noxattr',`
 	gen_require(`
 		attribute noxattrfs;
 	')
 	can_exec($1,noxattrfs)
 ')
 ########################################
 ## <summary>
 ##	Mount a persistent filesystem which
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
 ')
 ########################################
-## <desc>
+## <summary>
 ##	Read the process state (/proc/pid) of all domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',`
 	dontaudit $1 domain:process ptrace;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to read the process
 ##	state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
 interface(`domain_dontaudit_read_all_domains_state',`
 	gen_require(`
 		attribute domain;
 		class dir r_dir_perms;
 		class lnk_file r_file_perms;
 		class file r_file_perms;
 		class process { getattr ptrace };
 	')
 	dontaudit $1 domain:dir r_dir_perms;
 	dontaudit $1 domain:lnk_file r_file_perms;
 	dontaudit $1 domain:file r_file_perms;
 	dontaudit $1 domain:process getattr;
 	# We need to suppress this denial because procps tries to access
 	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
 	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
 	# running in a privileged domain.
 	dontaudit $1 domain:process ptrace;
 ')
 ########################################
 ## <desc>
 ##	Do not audit attempts to read the process state
@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
 ')
 ########################################
-## <desc>
+## <summary>
 ##	Get the session ID of all domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',`
 	allow $1 domain:process getsession;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the
 ##	session ID of all domains.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
 interface(`domain_dontaudit_getsession_all_domains',`
 	gen_require(`
 		attribute domain;
 		class process getsession;
 	')
 	allow $1 domain:process getsession;
 ')
 ########################################
 ## <summary>
 ##	Get the attributes of all domains
 ##	sockets, for all socket types.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	Get the attributes of all domains
 ##	sockets, for all socket types.
 ##	</p>
 ##	<p>
 ##	This is commonly used for domains
 ##	that can use lsof on all domains.
 ##	</p>
 ## </desc>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`domain_getattr_all_sockets',`
 	gen_require(`
 		gen_require_set(getattr,socket_class_set)
 	')
 	allow $1 domain:socket_class_set getattr;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -1,13 +1,13 @@
 ## <summary>Miscelaneous files.</summary>
 ########################################
-##     <desc>
+## <summary>
-##             Allow process to create files and dirs in /var/cache/man
+##	Allow process to create files and dirs in /var/cache/man
-##             and /var/catman/
+##	and /var/catman/
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             Type type of the process performing this action.
+##	Type type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`miscfiles_rw_man_cache',`
 	gen_require(`
@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',`
 ')
 ########################################
-##     <desc>
+## <summary>
-##             Allow process to read fonts files
+##	Read fonts
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             Type type of the process performing this action.
+##	Type type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`miscfiles_read_fonts',`
 	gen_require(`
@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',`
 ')
 ########################################
-##     <desc>
+## <summary>
-##             Allow process to read localization info
+##	Allow process to read localization info
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             Type type of the process performing this action.
+##	Type type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`miscfiles_read_localization',`
 	gen_require(`
@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',`
 ')
 ########################################
-##     <desc>
+## <summary>
-##             Allow process to read legacy time localization info
+##	Allow process to read legacy time localization info
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             Type type of the process performing this action.
+##	Type type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`miscfiles_legacy_read_localization',`
 	gen_require(`
@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
 ')
 ########################################
-##     <desc>
+## <summary>
-##             Allow process to read manpages
+##	Allow process to read man pages
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             Type type of the process performing this action.
+##	Type type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Read TeX data
 ## </summary>
 ## <param name="domain">
 ##	Type type of the process performing this action.
 ## </param>
 #
 interface(`miscfiles_read_tetex_data',`
 	gen_require(`
 		type tetex_data_t;
 		class dir r_dir_perms;
 		class file r_file_perms;
 		class lnk_file r_file_perms;
 	')
 	files_search_var($1)
 	files_search_var_lib($1)
 	# cjp: TeX data can be in either of the above dirs
 	allow $1 tetex_data_t:dir r_dir_perms;
 	allow $1 tetex_data_t:file r_file_perms;
 	allow $1 tetex_data_t:lnk_file r_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Execute TeX data programs in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	Type type of the process performing this action.
 ## </param>
 #
 interface(`miscfiles_exec_tetex_data',`
 	gen_require(`
 		type fonts_t;
 		class dir r_dir_perms;
 	')
 	files_search_var($1)
 	files_search_var_lib($1)
 	# cjp: TeX data can be in either of the above dirs
 	allow $1 tetex_data_t:dir r_dir_perms;
 	can_exec($1,tetex_data_t)
 ')
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',`
 	allow cardmgr_t $3:chr_file rw_term_perms;
 ')
 ########################################
 ## <summary>
 ##	Read cardmgr pid files.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
 ## </param>
 #
 interface(`pcmcia_read_pid',`
 	gen_require(`
 		type cardmgr_var_run_t;
 		class dir r_dir_perms;
 		class file r_file_perms;
 	')
 	files_search_pids($1)
 	allow $1 cardmgr_var_run_t:dir r_dir_perms;
 	allow $1 cardmgr_var_run_t:file r_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -156,6 +156,7 @@ template(`base_user_template',`
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_search_auto_mountpoints($1_t)
 	fs_exec_noxattr($1_t)
 	# for eject
 	storage_getattr_fixed_disk($1_t)
@ -171,6 +172,10 @@ template(`base_user_template',`
 	domain_exec_all_entry_files($1_t)
 	domain_use_wide_inherit_fd($1_t)
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
 	domain_dontaudit_getsession_all_domains($1_t)
 	files_exec_etc_files($1_t)
 	files_read_usr_src_files($1_t)
@ -188,6 +193,9 @@ template(`base_user_template',`
 	miscfiles_read_localization($1_t)
 	miscfiles_rw_man_cache($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@ -198,6 +206,14 @@ template(`base_user_template',`
 		allow $1_t self:process execmem;
 	')
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
 	')
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_t)
 		fs_manage_nfs_files($1_t)
@ -236,6 +252,11 @@ template(`base_user_template',`
 		nscd_use_socket($1_t)
 	')
 	optional_policy(`pcmcia.te',`
 		# to allow monitoring of pcmcia status
 		pcmcia_read_pid($1_t)
 	')
 	optional_policy(`rpm.te',`
 		files_getattr_var_lib_dir($1_t)
 		files_search_var_lib($1_t)
@ -248,11 +269,6 @@ template(`base_user_template',`
 	ifdef(`TODO',`
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
 	dontaudit $1_t domain:dir r_dir_perms;
 	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
 	dontaudit $1_t domain:process { getattr getsession };
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@ -271,11 +287,6 @@ template(`base_user_template',`
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;
 	tunable_policy(`read_default_t',`
 		allow $1_t default_t:dir r_dir_perms;
 		allow $1_t default_t:notdevfile_class_set r_file_perms;
 	')
 	#
 	# Running ifconfig as a user generates the following
 	#
@ -303,11 +314,8 @@ template(`base_user_template',`
 	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
 	dontaudit $1_t proc_fs:dir { read search };
 	can_exec($1_t, { removable_t noexattrfile } )
 	tunable_policy(`user_rw_noexattrfile',`
 		create_dir_file($1_t, noexattrfile)
 		create_dir_file($1_t, removable_t)
 		# Write floppies 
 		storage_raw_read_removable_device($1_t)
 		storage_raw_write_removable_device($1_t)
@ -321,12 +329,6 @@ template(`base_user_template',`
 	allow $1_t usbtty_device_t:chr_file read;
 	can_exec($1_t, noexattrfile)
 	# for running TeX programs
 	r_dir_file($1_t, tetex_data_t)
 	can_exec($1_t, tetex_data_t)
 	can_resmgrd_connect($1_t)
 	# Grant permissions to access the system DBus
@ -350,22 +352,19 @@ template(`base_user_template',`
 		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
 	')
 	# Connect to inetd.
 	ifdef(`inetd.te', `
 		# Connect to inetd.
 		can_tcp_connect($1_t, inetd_t)
 		can_udp_send($1_t, inetd_t)
 		can_udp_send(inetd_t, $1_t)
 		# Inherit and use sockets from inetd
 		allow $1_t inetd_t:fd use;
 		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
 	')
 	# Connect to portmap.
 	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
 	# Inherit and use sockets from inetd
 	ifdef(`inetd.te', `
 		allow $1_t inetd_t:fd use;
 		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
 	')
 	ifdef(`xserver.te', `
 		# for /tmp/.ICE-unix
 		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@ -398,11 +397,6 @@ template(`base_user_template',`
 		create_dir_file($1_t, nfsd_rw_t)
 	')
 	ifdef(`cardmgr.te', `
 		# to allow monitoring of pcmcia status
 		allow $1_t cardmgr_var_run_t:file r_file_perms;
 	')
 	#
 	# Allow graphical boot to check battery lifespan
 	#
@ -417,7 +411,7 @@ template(`base_user_template',`
 	') dnl endif TODO
-')dnl end base_user_domain macro
+')
 #######################################
 ## <summary>
@ -496,6 +490,14 @@ template(`unpriv_user_template', `
 	files_read_etc_files($1_t)
 	files_list_home($1_t)
 	files_read_usr_files($1_t)
 	files_exec_usr_files($1_t)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
 	files_list_world_readable($1_t)
 	files_read_world_readable_files($1_t)
 	files_read_world_readable_symlinks($1_t)
 	files_read_world_readable_pipes($1_t)
 	files_read_world_readable_sockets($1_t)
 	init_read_script_pid($1_t)
 	# The library functions always try to open read-write first,
@ -567,18 +569,6 @@ template(`unpriv_user_template', `
 		')
 	')
 	tunable_policy(`read_default_t',`
 		allow $1 default_t:dir r_dir_perms;
 		allow $1 default_t:notdevfile_class_set r_file_perms;
 	')
 	can_exec($1_t, usr_t)
 	# Read directories and files with the readable_t type.
 	# This type is a general type for "world"-readable files.
 	allow $1_t readable_t:dir r_dir_perms;
 	allow $1_t readable_t:notdevfile_class_set r_file_perms;
 	# Stat lost+found.
 	allow $1_t lost_found_t:dir getattr;
@ -644,8 +634,7 @@ template(`unpriv_user_template', `
 ##	rules for the user's tty, pty, home directories,
 ##	tmp, and tmpfs files.
 ##	</p>
-## </desc>
+##	<p>
 ## <secdesc>
 ##	The privileges given to administrative users are:
 ##	<ul>
 ##		<li>Raw disk access</li>
@ -658,7 +647,8 @@ template(`unpriv_user_template', `
 ##		<li>Manage source and binary format SELinux policy</li>
 ##		<li>Run insmod</li>
 ##	</ul>
-## </secdesc>
+##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., sysadm
 ##	is the prefix for sysadm_t).
@ -724,13 +714,26 @@ template(`admin_user_template',`
 	kernel_read_ring_buffer($1_t)
 	kernel_get_sysvipc_info($1_t)
 	kernel_rw_all_sysctl($1_t)
 	# signal unlabeled processes:
 	kernel_kill_unlabeled($1_t)
 	kernel_signal_unlabeled($1_t)
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
 	# for the administrator to run TCP servers directly
 	kernel_tcp_recvfrom($1_t)
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
 	corenet_use_tun_tap_device($1_t)
 	dev_getattr_generic_blk_file($1_t)
 	dev_getattr_generic_chr_file($1_t)
 	dev_getattr_all_blk_files($1_t)
 	dev_getattr_all_chr_files($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_set_all_quotas($1_t)
 	selinux_set_enforce_mode($1_t)
 	selinux_set_boolean($1_t)
@ -743,16 +746,6 @@ template(`admin_user_template',`
 	selinux_compute_relabel_context($1_t)
 	selinux_compute_user_contexts($1_t)
 	corenet_tcp_bind_generic_port($1_t)
 	dev_getattr_generic_blk_file($1_t)
 	dev_getattr_generic_chr_file($1_t)
 	dev_getattr_all_blk_files($1_t)
 	dev_getattr_all_chr_files($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_set_all_quotas($1_t)
 	storage_raw_read_removable_device($1_t)
 	storage_raw_write_removable_device($1_t)
@ -761,6 +754,7 @@ template(`admin_user_template',`
 	term_use_all_user_ptys($1_t)
 	term_use_all_user_ttys($1_t)
 	auth_getattr_shadow($1_t)
 	# Manage almost all files
 	auth_manage_all_files_except_shadow($1_t)
 	# Relabel almost all files
@ -775,6 +769,8 @@ template(`admin_user_template',`
 	domain_sigstop_all_domains($1_t)
 	domain_sigstop_all_domains($1_t)
 	domain_sigchld_all_domains($1_t)
 	# for lsof
 	domain_getattr_all_sockets($1_t)
 	files_exec_usr_files($1_t)
@ -799,44 +795,45 @@ template(`admin_user_template',`
 	ifdef(`TODO',`
 	# Let admin stat the shadow file.
 	allow $1_t shadow_t:file getattr;
 	# for lsof
 	allow $1_t mtrr_device_t:file getattr;
 	# for lsof
 	allow $1_t eventpollfs_t:file getattr;
 	allow $1_t serial_device:chr_file setattr;
 	# allow setting up tunnels
 	allow $1_t tun_tap_device_t:chr_file rw_file_perms;
 	allow $1_t ptyfile:chr_file getattr;
 	# Run programs from staff home directories.
 	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
 	can_exec($1_t, staff_home_t)
 	# Run admin programs that require different permissions in their own domain.
 	# These rules were moved into the appropriate program domain file.
-	ifdef(`startx.te', `
+	ifdef(`xserver.te', `
-		ifdef(`xserver.te', `
+		# Create files in /tmp/.X11-unix with our X servers derived
-			# Create files in /tmp/.X11-unix with our X servers derived
+		# tmp type rather than user_xserver_tmp_t.
-			# tmp type rather than user_xserver_tmp_t.
+		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
 			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
 		')
 	')
 	ifdef(`xdm.te', `
-		ifdef(`xauth.te', `
+		tunable_policy(`xdm_sysadm_login',`
-			tunable_policy(`xdm_sysadm_login',`
+			allow xdm_t $1_home_t:lnk_file read;
-				allow xdm_t $1_home_t:lnk_file read;
+			allow xdm_t $1_home_t:dir search;
 				allow xdm_t $1_home_t:dir search;
 			')
 			allow $1_t xdm_t:fifo_file rw_file_perms;
 		')
 		allow $1_t xdm_t:fifo_file rw_file_perms;
 	')
 	# Connect data port to ftpd.
 	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
 	# Connect second port to rshd.
 	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
 	# Allow MAKEDEV to work
 	allow $1_t device_t:dir rw_dir_perms;
 	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
 	allow $1_t device_t:lnk_file { create read };
 	#
 	# A user who is authorized for sysadm_t may nonetheless have
 	# a home directory labeled with user_home_t if the user is expected
@ -850,23 +847,9 @@ template(`admin_user_template',`
 		allow $1_gph_t user_home_type:file create_file_perms;
 	')
-	# for the administrator to run TCP servers directly
+	# Run programs from staff home directories.
-	allow $1_t kernel_t:tcp_socket recvfrom;
+	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-
+	can_exec($1_t, staff_home_t)
 	# Connect data port to ftpd.
 	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
 	# Connect second port to rshd.
 	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
 	# Allow MAKEDEV to work
 	allow $1_t device_t:dir rw_dir_perms;
 	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
 	allow $1_t device_t:lnk_file { create read };
 	# for lsof
 	allow $1_t domain:socket_class_set getattr;
 	allow $1_t eventpollfs_t:file getattr;
 	') dnl endif TODO
 ')