more cleanup

2005-07-19 18:40:31 +00:00 · 2005-07-19 18:40:31 +00:00 · 2ec4c9d38f
parent 8b0bbdda34
commit 2ec4c9d38f
5 changed files with 273 additions and 132 deletions
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',`
 	allow $1 noxattrfs:filesystem associate;
 ')

+########################################
+## <summary>
+##	Execute files on a filesystem that does
+##	not support extended attributes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_exec_noxattr',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	can_exec($1,noxattrfs)
+')
+
 ########################################
 ## <summary>
 ##	Mount a persistent filesystem which
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Read the process state (/proc/pid) of all domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',`
 	dontaudit $1 domain:process ptrace;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read the process
+##	state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+	gen_require(`
+		attribute domain;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+		class file r_file_perms;
+		class process { getattr ptrace };
+	')
+
+	dontaudit $1 domain:dir r_dir_perms;
+	dontaudit $1 domain:lnk_file r_file_perms;
+	dontaudit $1 domain:file r_file_perms;
+	dontaudit $1 domain:process getattr;
+
+	# We need to suppress this denial because procps tries to access
+	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+	# running in a privileged domain.
+	dontaudit $1 domain:process ptrace;
+')
+
 ########################################
 ## <desc>
 ##	Do not audit attempts to read the process state
@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
 ')

 ########################################
-## <desc>
+## <summary>
 ##	Get the session ID of all domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',`
 	allow $1 domain:process getsession;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	session ID of all domains.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+	gen_require(`
+		attribute domain;
+		class process getsession;
+	')
+
+	allow $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+## </summary>
+## <desc>
+##	<p>
+##	Get the attributes of all domains
+##	sockets, for all socket types.
+##	</p>
+##	<p>
+##	This is commonly used for domains
+##	that can use lsof on all domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_sockets',`
+	gen_require(`
+		gen_require_set(getattr,socket_class_set)
+	')
+
+	allow $1 domain:socket_class_set getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -1,13 +1,13 @@
 ## <summary>Miscelaneous files.</summary>

 ########################################
-##     <desc>
-##             Allow process to create files and dirs in /var/cache/man
-##             and /var/catman/
-##     </desc>
-##     <param name="domain">
-##             Type type of the process performing this action.
-##     </param>
+## <summary>
+##	Allow process to create files and dirs in /var/cache/man
+##	and /var/catman/
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
 #
 interface(`miscfiles_rw_man_cache',`
 	gen_require(`
@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',`
 ')

 ########################################
-##     <desc>
-##             Allow process to read fonts files
-##     </desc>
-##     <param name="domain">
-##             Type type of the process performing this action.
-##     </param>
+## <summary>
+##	Read fonts
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
 #
 interface(`miscfiles_read_fonts',`
 	gen_require(`
@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',`
 ')

 ########################################
-##     <desc>
-##             Allow process to read localization info
-##     </desc>
-##     <param name="domain">
-##             Type type of the process performing this action.
-##     </param>
+## <summary>
+##	Allow process to read localization info
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
 #
 interface(`miscfiles_read_localization',`
 	gen_require(`
@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',`
 ')

 ########################################
-##     <desc>
-##             Allow process to read legacy time localization info
-##     </desc>
-##     <param name="domain">
-##             Type type of the process performing this action.
-##     </param>
+## <summary>
+##	Allow process to read legacy time localization info
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
 #
 interface(`miscfiles_legacy_read_localization',`
 	gen_require(`
@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
 ')

 ########################################
-##     <desc>
-##             Allow process to read manpages
-##     </desc>
-##     <param name="domain">
-##             Type type of the process performing this action.
-##     </param>
+## <summary>
+##	Allow process to read man pages
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')

+########################################
+## <summary>
+##	Read TeX data
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
+#
+interface(`miscfiles_read_tetex_data',`
+	gen_require(`
+		type tetex_data_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_var($1)
+	files_search_var_lib($1)
+
+	# cjp: TeX data can be in either of the above dirs
+	allow $1 tetex_data_t:dir r_dir_perms;
+	allow $1 tetex_data_t:file r_file_perms;
+	allow $1 tetex_data_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute TeX data programs in the caller domain.
+## </summary>
+## <param name="domain">
+##	Type type of the process performing this action.
+## </param>
+#
+interface(`miscfiles_exec_tetex_data',`
+	gen_require(`
+		type fonts_t;
+		class dir r_dir_perms;
+	')
+
+	files_search_var($1)
+	files_search_var_lib($1)
+
+	# cjp: TeX data can be in either of the above dirs
+	allow $1 tetex_data_t:dir r_dir_perms;
+	can_exec($1,tetex_data_t)
+')
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',`
 	allow cardmgr_t $3:chr_file rw_term_perms;
 ')

+########################################
+## <summary>
+##	Read cardmgr pid files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`pcmcia_read_pid',`
+	gen_require(`
+		type cardmgr_var_run_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+	')
+
+	files_search_pids($1)
+	allow $1 cardmgr_var_run_t:dir r_dir_perms;
+	allow $1 cardmgr_var_run_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -156,6 +156,7 @@ template(`base_user_template',`
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_search_auto_mountpoints($1_t)
+	fs_exec_noxattr($1_t)

 	# for eject
 	storage_getattr_fixed_disk($1_t)
@ -171,6 +172,10 @@ template(`base_user_template',`

 	domain_exec_all_entry_files($1_t)
 	domain_use_wide_inherit_fd($1_t)
+	# When the user domain runs ps, there will be a number of access
+	# denials when ps tries to search /proc.  Do not audit these denials.
+	domain_dontaudit_read_all_domains_state($1_t)
+	domain_dontaudit_getsession_all_domains($1_t)

 	files_exec_etc_files($1_t)
 	files_read_usr_src_files($1_t)
@ -188,6 +193,9 @@ template(`base_user_template',`

 	miscfiles_read_localization($1_t)
 	miscfiles_rw_man_cache($1_t)
+	# for running TeX programs
+	miscfiles_read_tetex_data($1_t)
+	miscfiles_exec_tetex_data($1_t)

 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })

@ -198,6 +206,14 @@ template(`base_user_template',`
 		allow $1_t self:process execmem;
 	')

+	tunable_policy(`read_default_t',`
+		files_list_default($1_t)
+		files_read_default_files($1_t)
+		files_read_default_symlinks($1_t)
+		files_read_default_sockets($1_t)
+		files_read_default_pipes($1_t)
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_t)
 		fs_manage_nfs_files($1_t)
@ -236,6 +252,11 @@ template(`base_user_template',`
 		nscd_use_socket($1_t)
 	')

+	optional_policy(`pcmcia.te',`
+		# to allow monitoring of pcmcia status
+		pcmcia_read_pid($1_t)
+	')
+
 	optional_policy(`rpm.te',`
 		files_getattr_var_lib_dir($1_t)
 		files_search_var_lib($1_t)
@ -248,11 +269,6 @@ template(`base_user_template',`

 	ifdef(`TODO',`

-	# When the user domain runs ps, there will be a number of access
-	# denials when ps tries to search /proc.  Do not audit these denials.
-	dontaudit $1_t domain:dir r_dir_perms;
-	dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-	dontaudit $1_t domain:process { getattr getsession };
 	#
 	# Cups daemon running as user tries to write /etc/printcap
 	#
@ -271,11 +287,6 @@ template(`base_user_template',`
 	# /initrd is left mounted, various programs try to look at it
 	dontaudit $1_t ramfs_t:dir getattr;

-	tunable_policy(`read_default_t',`
-		allow $1_t default_t:dir r_dir_perms;
-		allow $1_t default_t:notdevfile_class_set r_file_perms;
-	')
-
 	#
 	# Running ifconfig as a user generates the following
 	#
@ -303,11 +314,8 @@ template(`base_user_template',`
 	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
 	dontaudit $1_t proc_fs:dir { read search };

-	can_exec($1_t, { removable_t noexattrfile } )
-
 	tunable_policy(`user_rw_noexattrfile',`
 		create_dir_file($1_t, noexattrfile)
-		create_dir_file($1_t, removable_t)
 		# Write floppies 
 		storage_raw_read_removable_device($1_t)
 		storage_raw_write_removable_device($1_t)
@ -321,12 +329,6 @@ template(`base_user_template',`

 	allow $1_t usbtty_device_t:chr_file read;

-	can_exec($1_t, noexattrfile)
-
-	# for running TeX programs
-	r_dir_file($1_t, tetex_data_t)
-	can_exec($1_t, tetex_data_t)
-
 	can_resmgrd_connect($1_t)

 	# Grant permissions to access the system DBus
@ -350,22 +352,19 @@ template(`base_user_template',`
 		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
 	')

-	# Connect to inetd.
 	ifdef(`inetd.te', `
+		# Connect to inetd.
 		can_tcp_connect($1_t, inetd_t)
 		can_udp_send($1_t, inetd_t)
 		can_udp_send(inetd_t, $1_t)
+		# Inherit and use sockets from inetd
+		allow $1_t inetd_t:fd use;
+		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
 	')

 	# Connect to portmap.
 	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')

-	# Inherit and use sockets from inetd
-	ifdef(`inetd.te', `
-		allow $1_t inetd_t:fd use;
-		allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-	')
-
 	ifdef(`xserver.te', `
 		# for /tmp/.ICE-unix
 		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@ -398,11 +397,6 @@ template(`base_user_template',`
 		create_dir_file($1_t, nfsd_rw_t)
 	')

-	ifdef(`cardmgr.te', `
-		# to allow monitoring of pcmcia status
-		allow $1_t cardmgr_var_run_t:file r_file_perms;
-	')
-
 	#
 	# Allow graphical boot to check battery lifespan
 	#
@ -417,7 +411,7 @@ template(`base_user_template',`

 	') dnl endif TODO

-')dnl end base_user_domain macro
+')

 #######################################
 ## <summary>
@ -496,6 +490,14 @@ template(`unpriv_user_template', `
 	files_read_etc_files($1_t)
 	files_list_home($1_t)
 	files_read_usr_files($1_t)
+	files_exec_usr_files($1_t)
+	# Read directories and files with the readable_t type.
+	# This type is a general type for "world"-readable files.
+	files_list_world_readable($1_t)
+	files_read_world_readable_files($1_t)
+	files_read_world_readable_symlinks($1_t)
+	files_read_world_readable_pipes($1_t)
+	files_read_world_readable_sockets($1_t)

 	init_read_script_pid($1_t)
 	# The library functions always try to open read-write first,
@ -567,18 +569,6 @@ template(`unpriv_user_template', `
 		')
 	')

-	tunable_policy(`read_default_t',`
-		allow $1 default_t:dir r_dir_perms;
-		allow $1 default_t:notdevfile_class_set r_file_perms;
-	')
-
-	can_exec($1_t, usr_t)
-
-	# Read directories and files with the readable_t type.
-	# This type is a general type for "world"-readable files.
-	allow $1_t readable_t:dir r_dir_perms;
-	allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
 	# Stat lost+found.
 	allow $1_t lost_found_t:dir getattr;

@ -644,8 +634,7 @@ template(`unpriv_user_template', `
 ##	rules for the user's tty, pty, home directories,
 ##	tmp, and tmpfs files.
 ##	</p>
-## </desc>
-## <secdesc>
+##	<p>
 ##	The privileges given to administrative users are:
 ##	<ul>
 ##		<li>Raw disk access</li>
@ -658,7 +647,8 @@ template(`unpriv_user_template', `
 ##		<li>Manage source and binary format SELinux policy</li>
 ##		<li>Run insmod</li>
 ##	</ul>
-## </secdesc>
+##	</p>
+## </desc>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., sysadm
 ##	is the prefix for sysadm_t).
@ -724,13 +714,26 @@ template(`admin_user_template',`
 	kernel_read_ring_buffer($1_t)
 	kernel_get_sysvipc_info($1_t)
 	kernel_rw_all_sysctl($1_t)
-
 	# signal unlabeled processes:
 	kernel_kill_unlabeled($1_t)
 	kernel_signal_unlabeled($1_t)
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
+	# for the administrator to run TCP servers directly
+	kernel_tcp_recvfrom($1_t)
+
+	corenet_tcp_bind_generic_port($1_t)
+	# allow setting up tunnels
+	corenet_use_tun_tap_device($1_t)
+
+	dev_getattr_generic_blk_file($1_t)
+	dev_getattr_generic_chr_file($1_t)
+	dev_getattr_all_blk_files($1_t)
+	dev_getattr_all_chr_files($1_t)
+
+	fs_getattr_all_fs($1_t)
+	fs_set_all_quotas($1_t)

 	selinux_set_enforce_mode($1_t)
 	selinux_set_boolean($1_t)
@ -743,16 +746,6 @@ template(`admin_user_template',`
 	selinux_compute_relabel_context($1_t)
 	selinux_compute_user_contexts($1_t)

-	corenet_tcp_bind_generic_port($1_t)
-
-	dev_getattr_generic_blk_file($1_t)
-	dev_getattr_generic_chr_file($1_t)
-	dev_getattr_all_blk_files($1_t)
-	dev_getattr_all_chr_files($1_t)
-
-	fs_getattr_all_fs($1_t)
-	fs_set_all_quotas($1_t)
-
 	storage_raw_read_removable_device($1_t)
 	storage_raw_write_removable_device($1_t)

@ -761,6 +754,7 @@ template(`admin_user_template',`
 	term_use_all_user_ptys($1_t)
 	term_use_all_user_ttys($1_t)

+	auth_getattr_shadow($1_t)
 	# Manage almost all files
 	auth_manage_all_files_except_shadow($1_t)
 	# Relabel almost all files
@ -775,6 +769,8 @@ template(`admin_user_template',`
 	domain_sigstop_all_domains($1_t)
 	domain_sigstop_all_domains($1_t)
 	domain_sigchld_all_domains($1_t)
+	# for lsof
+	domain_getattr_all_sockets($1_t)

 	files_exec_usr_files($1_t)

@ -799,44 +795,45 @@ template(`admin_user_template',`

 	ifdef(`TODO',`

-	# Let admin stat the shadow file.
-	allow $1_t shadow_t:file getattr;
-
 	# for lsof
 	allow $1_t mtrr_device_t:file getattr;

+	# for lsof
+	allow $1_t eventpollfs_t:file getattr;
+
 	allow $1_t serial_device:chr_file setattr;

-	# allow setting up tunnels
-	allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
 	allow $1_t ptyfile:chr_file getattr;

-	# Run programs from staff home directories.
-	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-	can_exec($1_t, staff_home_t)
-
 	# Run admin programs that require different permissions in their own domain.
 	# These rules were moved into the appropriate program domain file.

-	ifdef(`startx.te', `
-		ifdef(`xserver.te', `
-			# Create files in /tmp/.X11-unix with our X servers derived
-			# tmp type rather than user_xserver_tmp_t.
-			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-		')
+	ifdef(`xserver.te', `
+		# Create files in /tmp/.X11-unix with our X servers derived
+		# tmp type rather than user_xserver_tmp_t.
+		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
 	')

+
 	ifdef(`xdm.te', `
-		ifdef(`xauth.te', `
-			tunable_policy(`xdm_sysadm_login',`
-				allow xdm_t $1_home_t:lnk_file read;
-				allow xdm_t $1_home_t:dir search;
-			')
-			allow $1_t xdm_t:fifo_file rw_file_perms;
+		tunable_policy(`xdm_sysadm_login',`
+			allow xdm_t $1_home_t:lnk_file read;
+			allow xdm_t $1_home_t:dir search;
 		')
+		allow $1_t xdm_t:fifo_file rw_file_perms;
 	')

+	# Connect data port to ftpd.
+	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+
+	# Connect second port to rshd.
+	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+	# Allow MAKEDEV to work
+	allow $1_t device_t:dir rw_dir_perms;
+	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+	allow $1_t device_t:lnk_file { create read };
+
 	#
 	# A user who is authorized for sysadm_t may nonetheless have
 	# a home directory labeled with user_home_t if the user is expected
@ -850,23 +847,9 @@ template(`admin_user_template',`
 		allow $1_gph_t user_home_type:file create_file_perms;
 	')

-	# for the administrator to run TCP servers directly
-	allow $1_t kernel_t:tcp_socket recvfrom;
-
-	# Connect data port to ftpd.
-	ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-	# Connect second port to rshd.
-	ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-	# Allow MAKEDEV to work
-	allow $1_t device_t:dir rw_dir_perms;
-	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-	allow $1_t device_t:lnk_file { create read };
-
-	# for lsof
-	allow $1_t domain:socket_class_set getattr;
-	allow $1_t eventpollfs_t:file getattr;
+	# Run programs from staff home directories.
+	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+	can_exec($1_t, staff_home_t)
 	') dnl endif TODO
 ')