## Allow making anonymous memory executable, e.g.
@@ -145,6 +144,19 @@ gen_tunable(ftp_home_dir,false)
##
+## Enable reading of urandom for all domains.
+##
+##+## This should be enabled when all programs
+## are compiled with ProPolice/SSP
+## stack smashing protection. All domains will
+## be allowed to read from /dev/urandom.
+##
+#### Allow httpd to use built in scripting (usually php)
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 9b8c0f376..e67dd9d9c 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -28,26 +28,7 @@ interface(`domain_base_type',`
attribute domain;
')
- # mark as a domain
typeattribute $1 domain;
-
- # allow the domain to read its /proc/pid entries
- allow $1 self:dir r_dir_perms;
- allow $1 self:lnk_file r_file_perms;
- allow $1 self:file rw_file_perms;
-
- # allow $1 to create child processes in this domain
- allow $1 self:process { fork sigchld };
-
- ifdef(`targeted_policy',`
- # FIXME:
- # hack until role dominance is fixed in
- # the module compiler
- role secadm_r types $1;
- role sysadm_r types $1;
- role user_r types $1;
- role staff_r types $1;
- ')
')
########################################
@@ -64,29 +45,24 @@ interface(`domain_type',`
# start with basic domain
domain_base_type($1)
- # Use trusted objects in /dev
- dev_rw_null($1)
- dev_rw_zero($1)
- term_use_controlling_term($1)
-
- # read the root directory
- files_list_root($1)
-
- # send init a sigchld and signull
- init_sigchld($1)
- init_signull($1)
-
ifdef(`targeted_policy',`
unconfined_use_fds($1)
unconfined_sigchld($1)
')
+ # send init a sigchld and signull
+ optional_policy(`init',`
+ init_sigchld($1)
+ init_signull($1)
+ ')
+
+ # these seem questionable:
+ # allow any domain to connect to the LDAP server
optional_policy(`ldap',`
ldap_use($1)
')
- # these 3 seem highly questionable:
optional_policy(`rpm',`
rpm_use_fds($1)
rpm_read_pipes($1)
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index acc626730..ae56c65a9 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
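Review bot: The new comment `# these seem questionable:` is attached only to the ldap block, while the removed `# these 3 seem highly questionable:` sat directly above the rpm block, so `rpm_use_fds($1)` / `rpm_read_pipes($1)` (and whatever follows them past the end of the hunk) no longer carry any caveat and a reader cannot tell whether "these" still covers them. Since both blocks grant something to every domain in the policy, the intent should be stated once per block or made explicit in the shared comment, e.g. `# the optional rules below are questionable: they let every domain` / `# use the LDAP server and rpm's fds and pipes`. The body of domain_type continues past the end of the hunk.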
@@ -65,3 +65,46 @@ attribute process_uncond_exempt;
# add userhelperdomain to this one
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;
+
+########################################
+#
+# Rules applied to all domains
+#
+
+# read /proc/pid entries
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:file rw_file_perms;
+
+# create child processes in the domain
+allow domain self:process { fork sigchld };
+
+# Use trusted objects in /dev
+dev_rw_null(domain)
+dev_rw_zero(domain)
+term_use_controlling_term(domain)
+
+# list the root directory
+files_list_root(domain)
+
+ifdef(`targeted_policy',`
+ # RBAC is disabled in the targeted policy,
+ # as only one role is used, system_r.
+ role system_r types domain;
+
+ # FIXME:
+ # workaround until role dominance is fixed in
+ # the module compiler
+ role secadm_r types domain;
+ role sysadm_r types domain;
+ role user_r types domain;
+ role staff_r types domain;
+')
+
+tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+ # this should be enabled when all programs
+ # are compiled with ProPolice/SSP
+ # stack smashing protection.
+ dev_read_urand(domain)
+')
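Review bot: The comment `# read /proc/pid entries` understates the rule directly beneath it: `allow domain self:file rw_file_perms;` gives every domain write access to its own /proc/pid files, not just read (the removed domain_base_type rule in domain.if granted the same permissions, so this is a move rather than a widening). Now that the rule is applied to the whole `domain` attribute from domain.te rather than per call, the comment should name what is actually granted, e.g. `# read /proc/pid entries (self:file is rw_file_perms, so a domain may also write its own /proc/pid files)`. The `# create child processes in the domain` comment likewise omits that the rule also grants `sigchld` to self.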