add rolemap/per-userdomain infrastructure

This commit is contained in:
Chris PeBenito 2006-01-26 18:04:57 +00:00
parent 5e4cbc7557
commit 4ace0fa5d6
12 changed files with 75 additions and 24 deletions


@ -1,3 +1,7 @@
- Separate per-userdomain template expansion from the userdomain
module and add infrastructure to expand templates in the modules
that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
removed from these programs.
- Add ctags Make target from Thomas Bleher.


@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
TUNABLES := $(POLDIR)/tunables.conf
BOOLEANS := $(POLDIR)/booleans.conf
ROLEMAP := $(POLDIR)/rolemap
# install paths
TOPDIR = $(DESTDIR)/etc/selinux
@ -181,6 +182,24 @@ BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
########################################
#
# Functions
#
# parse-rolemap modulename,outputfile
define parse-rolemap
$(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# peruser-expansion modulename,outputfile
define peruser-expansion
$(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(QUIET) echo "')" >> $2
endef
########################################
#
# Load appropriate rules
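Review bot: parse-rolemap's awk program in the second hunk trusts every matching rolemap line to carry exactly three fields; a line with two fields silently emits `gen_require(type ; role user_r;)` and a truncated template call, and the failure only surfaces later in m4 or checkmodule with no mention of the rolemap. A field-count check at the start of the awk action keeps the error at its source: `if (NF != 3) { print "rolemap: bad line: " $$0 > "/dev/stderr"; exit 1 }` ahead of the existing print, and because the shell returns awk's status for the `m4 | awk` pipeline the make target then fails. The `# parse-rolemap modulename,outputfile` comment could also say that output is appended (`>>`), since peruser-expansion depends on having truncated the file first with `>`.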


@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
#
tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(call peruser-expansion,$(basename $(@F)),$@.role)
$(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(M4SUPPORT) %.fc
@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
# define all available object classes
$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
# per-userdomain templates
$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
$(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
$(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\
done
@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
endif
@test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@
$(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
@test -d tmp || mkdir -p tmp
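Review bot: The tmp/%.mod rule in the first hunk of this section (Rules.modular, judging by the %.pp context) now reads $(ROLEMAP) through peruser-expansion, but the rolemap is not among the rule's prerequisites, so editing policy/rolemap leaves already-built modules stale until a clean build. The same presumably applies to tmp/all_te_files.conf in the third hunk and to the matching hunk in Rules.monolithic, though those rule lines are outside the hunks so their prerequisite lists are not visible here. Adding it needs care because `$^` is handed to m4 and cat: `tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te $(ROLEMAP)` together with `$(QUIET) m4 $(M4PARAM) -s $(filter-out $(ROLEMAP),$^) $@.role > $(@:.mod=.tmp)`, and the equivalent `$(filter-out $(ROLEMAP),$^)` in the `cat $^ > $@` recipe of all_te_files.conf.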


@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
tmp/generated_definitions.conf: $(ALL_TE_FILES)
# per-userdomain templates:
@test -d tmp || mkdir -p tmp
$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
$(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
>> $@ ;\
@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
endif
@test -d tmp || mkdir -p tmp
$(QUIET) cat $^ > $@
$(call parse-rolemap,base,$@)
tmp/post_te_files.conf: $(POST_TE_FILES)
@test -d tmp || mkdir -p tmp


@ -47,6 +47,9 @@ template(`irc_per_userdomain_template',`
type $1_irc_home_t;
userdom_home_file($1,$1_irc_home_t)
type $1_irc_tmp_t;
userdom_home_file($1,$1_irc_tmp_t)
########################################
#
@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
# access files under /tmp
allow $1_irc_t $1_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_tmp_t:file create_file_perms;
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
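Review bot: In the first hunk the new `$1_irc_tmp_t` is declared with `userdom_home_file($1,$1_irc_tmp_t)`, which looks copied from the `$1_irc_home_t` line directly above it; the second hunk then creates files of that type under /tmp via `files_filetrans_tmp`, so the type would carry whatever home-file attribute userdom_home_file assigns while its files live in /tmp, and rules granted over user home files would presumably reach these temp files too. If an ordinary per-user tmp type is intended, `files_tmp_file($1_irc_tmp_t)` is the declaration used for such types elsewhere in the tree; confirm against other per-userdomain tmp types before changing it. The template body begins before the first hunk and continues past the second.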


@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
#
interface(`dev_getattr_agp_dev',`
gen_require(`
type device_t, dri_device_t;
type device_t, agp_device_t;
')
allow $1 device_t:dir r_dir_perms;


@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
type $1_crontab_t, $1_crond_t;
')
# Allow our crontab domain to unlink a user cron spool file.


@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
## </param>
#
template(`mta_admin_template',`
gen_require(`
type $1_mail_t;
')
ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
userdom_read_unpriv_user_home_files($1_mail_t)


@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
allow system_chkpwd_t $2:process sigchld;
',`
gen_require(`
type chkpwd_exec_t;
type $1_chkpwd_t, chkpwd_exec_t;
')
corecmd_search_bin($2)


@ -142,13 +142,6 @@ template(`base_user_template',`
allow $1_t unpriv_userdomain:fd use;
# Instantiate derived domains for a number of programs.
# These derived domains encode both information about the calling
# user domain and the program, and allow us to maintain separation
# between different instances of the program being run by different
# user domains.
per_userdomain_templates($1,$1_t,$1_r)
kernel_read_kernel_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_file($1_t)
@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmp_t;
type $1_tmpfs_t;
')
fs_search_tmpfs($2)
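Review bot: The first hunk removes the `per_userdomain_templates($1,$1_t,$1_r)` call from base_user_template together with the comment explaining why derived domains exist, leaving nothing in the template that says where that expansion now happens; judging by the Makefile and Rules hunks in this commit it is driven by policy/rolemap at build time. Suggest a one-line pointer where the call was: `# Per-userdomain templates are expanded from policy/rolemap by the build, not here.` It may also be worth stating, here or in the rolemap header, that a user template instantiated without a rolemap entry no longer receives derived domains. base_user_template starts and ends outside the hunk.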


@ -1,8 +1,12 @@
policy_module(userdomain,1.2.3)
policy_module(userdomain,1.2.4)
gen_require(`
role sysadm_r, staff_r, user_r, secadm_r;
role sysadm_r, staff_r, user_r;
ifdef(`enable_mls',`
role secadm_r;
')
')
########################################
@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
')
',`
admin_user_template(sysadm)
admin_user_template(secadm)
unpriv_user_template(staff)
unpriv_user_template(user)
@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
# only staff_r can change to sysadm_r
role_change(staff, sysadm)
role_change(staff, secadm)
ifdef(`enable_mls',`
admin_user_template(secadm)
role_change(staff, secadm)
')
# this should be tunable_policy, but
# currently type_change and RBAC allow

refpolicy/policy/rolemap Normal file

@ -0,0 +1,17 @@
#
# This file contains the mappings
# used for per-userdomain template
# infrastructure
#
# Each line has: role prefix user_domain
#
ifdef(`strict_policy',`
user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t
ifdef(`enable_mls',`
secadm_r secadm secadm_t
')
')
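Review bot: The header documents the field order but not that the file is preprocessed with m4 before parsing (which is why the ifdef lines work and why `#` comments pass through untouched), nor what a line turns into; parse-rolemap in the Makefile hunk shows each line becomes a gen_require for the role and domain plus `<module>_per_userdomain_template(prefix,user_domain,role)` for every module defining that template. Suggest extending the header with `# Processed by m4; each remaining line expands to <module>_per_userdomain_template(prefix, user_domain, role) (see parse-rolemap in the Makefile).` and a line stating that fields are whitespace-separated with exactly three per entry.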