Files patch from Dan Walsh.

Redhat does want /usr/local/src labeled src_t or /usr/src for that matter Fix labels on chroot environments
2010-06-09 09:09:34 -04:00 · 2010-06-09 09:09:34 -04:00 · 48e0aa86c9
parent 135b1b4c54
commit 48e0aa86c9
3 changed files with 285 additions and 13 deletions
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@ -48,11 +48,13 @@ ifdef(`distro_suse',`
 /etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/cmtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
@ -205,19 +207,21 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/local/lost\+found/.*	<<none>>

-/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
-
 /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>

 /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)

-/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
-/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-
 /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.*			<<none>>

+ifndef(`distro_redhat',`
+/usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
+
+/usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+/usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+')
+
 #
 # /var
 #
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -1426,6 +1426,24 @@ interface(`files_search_all_mountpoints',`
 	allow $1 mountpoint:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	Do not audit searching of all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	dontaudit $1 mountpoint:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List the contents of the root directory.
@ -1550,6 +1568,24 @@ interface(`files_dontaudit_rw_root_chr_files',`
 	dontaudit $1 root_t:chr_file { read write };
 ')

+########################################
+## <summary>
+##	Delete files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Remove entries from the root directory.
@ -1695,6 +1731,25 @@ interface(`files_create_boot_dirs',`
 	allow $1 boot_t:dir { create rw_dir_perms };
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete
+##	directories in /boot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create a private type object in boot
@ -1740,7 +1795,7 @@ interface(`files_read_boot_files',`
 		type boot_t;
 	')

-	manage_files_pattern($1, boot_t, boot_t)
+	read_files_pattern($1, boot_t, boot_t)
 ')

 ########################################
@ -2191,6 +2246,24 @@ interface(`files_list_etc',`
 	allow $1 etc_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write to /etc dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Add and remove entries from /etc directories.
@ -2787,6 +2860,120 @@ interface(`files_delete_isid_type_files',`
 	delete_files_pattern($1, file_t, file_t)
 ')

+########################################
+## <summary>
+##	Delete symbolic links on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_symlinks',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_lnk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+##	Delete named pipes on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_fifo_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_fifo_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+##	Delete named sockets on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_sock_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_sock_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+##	Delete block files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_blk_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_blk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write to character
+##	files that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_isid_chr_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	dontaudit $1 file_t:chr_file write;
+')
+
+########################################
+## <summary>
+##	Delete chr files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_isid_type_chr_files',`
+	gen_require(`
+		type file_t;
+	')
+
+	delete_chr_files_pattern($1, file_t, file_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@ -2937,6 +3124,7 @@ interface(`files_search_home',`
 	')

 	allow $1 home_root_t:dir search_dir_perms;
+	allow $1 home_root_t:lnk_file read_lnk_file_perms;
 ')

 ########################################
@ -2956,6 +3144,7 @@ interface(`files_dontaudit_search_home',`
 	')

 	dontaudit $1 home_root_t:dir search_dir_perms;
+	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
 ')

 ########################################
@ -2975,6 +3164,7 @@ interface(`files_dontaudit_list_home',`
 	')

 	dontaudit $1 home_root_t:dir list_dir_perms;
+	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
 ')

 ########################################
@ -2993,6 +3183,7 @@ interface(`files_list_home',`
 	')

 	allow $1 home_root_t:dir list_dir_perms;
+	allow $1 home_root_t:lnk_file read_lnk_file_perms;
 ')

 ########################################
@ -3920,6 +4111,24 @@ interface(`files_purge_tmp',`
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
 ')

+########################################
+## <summary>
+##	Set the attributes of the /usr directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	allow $1 usr_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the content of /etc.
@ -3957,6 +4166,24 @@ interface(`files_list_usr',`
 	allow $1 usr_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Do not audit write of /usr dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_write_usr_dirs',`
+	gen_require(`
+		type usr_t;
+	')
+
+	dontaudit $1 usr_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Add and remove entries from /usr directories.
@ -3977,7 +4204,8 @@ interface(`files_rw_usr_dirs',`

 ########################################
 ## <summary>
-##	dontaudit Add and remove entries from /usr directories.
+##	Do not audit attempts to add and remove
+##	entries from /usr directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -4026,7 +4254,7 @@ interface(`files_delete_usr_files',`
 		type usr_t;
 	')

-	allow $1 usr_t:file delete_file_perms;
+	delete_files_pattern($1, usr_t, usr_t)
 ')

 ########################################
@ -5033,6 +5261,24 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 	dontaudit $1 var_run_t:dir getattr;
 ')

+########################################
+## <summary>
+##	Set the attributes of the /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:dir setattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the contents of runtime process
@ -5109,6 +5355,24 @@ interface(`files_read_generic_pids',`
 	read_files_pattern($1, var_run_t, var_run_t)
 ')

+########################################
+## <summary>
+##	Write named generic process ID pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_generic_pid_pipes',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
 ##	Create an object in the process ID directory, with a private type.
@ -5514,12 +5778,15 @@ interface(`files_polyinstantiate_all',`
 	allow $1 poly_t:dir { create mounton };
 	fs_unmount_xattr_fs($1)

+	fs_mount_tmpfs($1)
+	fs_unmount_tmpfs($1)
+
 	ifdef(`distro_redhat',`
 		# namespace.init
+		files_search_tmp($1)
 		files_search_home($1)
 		corecmd_exec_bin($1)
 		seutil_domtrans_setfiles($1)
-		mount_domtrans($1)
 	')
 ')

--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,5 +1,5 @@

-policy_module(files, 1.13.0)
+policy_module(files, 1.13.1)

 ########################################
 #
@ -194,6 +194,7 @@ fs_associate(file_type)
 fs_associate_noxattr(file_type)
 fs_associate_tmpfs(file_type)
 fs_associate_ramfs(file_type)
+fs_associate_hugetlbfs(file_type)

 ########################################
 #