From 5f38a65aabc9962c9c169466f90a218eb21ec8f1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 15 Aug 2005 19:31:37 +0000 Subject: [PATCH] try to knock out more of the distro_debian bootloader stuff --- refpolicy/policy/modules/kernel/bootloader.te | 26 +++++++++----- refpolicy/policy/modules/kernel/terminal.if | 20 ++++++++++- refpolicy/policy/modules/system/files.if | 17 +++++++++ refpolicy/policy/modules/system/fstools.if | 35 +++++++++++++++++++ refpolicy/policy/modules/system/init.if | 18 ++++++++++ refpolicy/policy/modules/system/libraries.if | 17 +++++++++ 6 files changed, 124 insertions(+), 9 deletions(-) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index eddbb0d39..57ab907d2 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t) fs_getattr_xattr_fs(bootloader_t) term_getattr_all_user_ttys(bootloader_t) +term_dontaudit_manage_pty_dir(bootloader_t) corecmd_exec_bin(bootloader_t) corecmd_exec_sbin(bootloader_t) @@ -149,8 +150,18 @@ ifdef(`distro_debian',` allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; allow bootloader_t boot_t:file relabelfrom; + fs_list_tmpfs(bootloader_t) + + files_relabelto_usr_files(bootloader_t) + files_search_var_lib(bootloader_t) + files_list_script_pids(bootloader_t) # for /usr/share/initrd-tools/scripts files_exec_usr_files(bootloader_t) + + fstools_manage_entry_files(bootloader_t) + fstools_relabelto_entry_files(bootloader_t) + + libs_relabelto_lib_files(bootloader_t) ') ifdef(`distro_redhat',` 
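Review bot: The added `term_dontaudit_manage_pty_dir(bootloader_t)` in the @@ -110 hunk of bootloader.te has no comment saying which bootloader helper touches /dev/pts, unlike the `# for /usr/share/initrd-tools/scripts` remark in the Debian block. A dontaudit rule suppresses the denial records themselves, so anyone later investigating unexpected bootloader_t activity on devpts_t directories will have no log trail. Record the reason next to the call, e.g. `# <program name> tries to create entries in /dev/pts; the denial is expected`, with the real program filled in. The scope is unchanged from the TODO-block rule it replaces, which covered the same create_dir_perms set.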
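Review bot: `files_list_script_pids(bootloader_t)` in the distro_debian block (@@ -149 hunk) matches no interface that this patch adds. The rule it stands in for, `allow bootloader_t initrc_var_run_t:dir r_dir_perms;`, is wrapped in init.if under the name `init_list_script_pids`, and the files.if hunk adds only `files_relabelto_usr_files`. Unless files.if already defines that name outside the visible hunks, the call will not expand to the intended rule. It should probably read `init_list_script_pids(bootloader_t)`.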
@@ -204,16 +215,15 @@ optional_policy(`userdomain.te',` ') ifdef(`TODO',` -dontaudit bootloader_t devpts_t:dir create_dir_perms; ifdef(`distro_debian', ` - allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; - allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; - allow bootloader_t tmpfs_t:dir r_dir_perms; - allow bootloader_t initrc_var_run_t:dir r_dir_perms; - allow bootloader_t var_lib_t:dir search; + # cjp: there is no setfscreate or type_transition, and + # bootloader_t cannot rw a usr_t or lib_t directory, so + # how can this work? This is probably rw_file_perms, + # possibly with unlink. Files are probably "created" + # by the above relabeling permissions. + allow bootloader_t { usr_t lib_t }:file create_file_perms; + allow bootloader_t dpkg_var_lib_t:dir r_dir_perms; allow bootloader_t dpkg_var_lib_t:file { getattr read }; - ') - ') dnl end TODO diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 36c118427..15eb72eb8 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -233,7 +233,7 @@ interface(`term_list_ptys',` ######################################## ## ## Do not audit attempts to read the -## /dev/pts directory to. +## /dev/pts directory. ## ## ## The type of the process to not audit. @@ -248,6 +248,24 @@ interface(`term_dontaudit_list_ptys',` dontaudit $1 devpts_t:dir { getattr search read }; ') +######################################## +## +## Do not audit attempts to create, read, +## write, or delete the /dev/pts directory. +## +## +## The type of the process to not audit. +## +# +interface(`term_dontaudit_manage_pty_dir',` + gen_require(` + type devpts_t; + class dir create_dir_perms; + ') + + dontaudit $1 devpts_t:dir create_dir_perms; +') + ######################################## ## ## Read and write the generic pty 
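Review bot: The `cjp:` comment added to the TODO block questions whether `create_file_perms` is the right set for usr_t and lib_t files, yet the fsadm_exec_t part of the same removed rule goes live unchanged as `fstools_manage_entry_files(bootloader_t)` in the distro_debian block. Judging by fstools.if, fsadm_exec_t is the type on the filesystem-tool executables, so create/write/unlink plus relabelto on it is the most sensitive of the grants being activated. If the comment's guess (rw_file_perms, possibly with unlink) is right, the live rule should be narrowed the same way. Otherwise extend the comment to cover it, e.g. `# cjp: the same question applies to fstools_manage_entry_files above`.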
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 576dfde43..6acc26ca9 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1591,6 +1591,23 @@ interface(`files_read_usr_files',` allow $1 usr_t:{ file lnk_file } r_file_perms; ') +######################################## +## +## Relabel a file to the type used in /usr. +## +## +## Domain allowed access. +## +# +interface(`files_relabelto_usr_files',` + gen_require(` + type usr_t; + class file relabelto; + ') + + allow $1 usr_t:file relabelto; +') + ######################################## ## ## Read symbolic links in /usr. diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if index bb2f5fa5a..f6a52b937 100644 --- a/refpolicy/policy/modules/system/fstools.if +++ b/refpolicy/policy/modules/system/fstools.if @@ -65,3 +65,38 @@ interface(`fstools_exec',` can_exec($1,fsadm_exec_t) ') + +######################################## +## +## Relabel a file to the type used by the +## filesystem tools programs. +## +## +## The type of the process performing this action. +## +# +interface(`fstools_relabelto_entry_files',` + gen_require(` + type fsadm_exec_t; + ') + + allow $1 fsadm_exec_t:file relabelto; +') + +######################################## +## +## Create, read, write, and delete a file used by the +## filesystem tools programs. +## +## +## The type of the process performing this action. +## +# +interface(`fstools_manage_entry_files',` + gen_require(` + type fsadm_exec_t; + class file create_file_perms; + ') + + allow $1 fsadm_exec_t:file create_file_perms; +') diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index d9c14e969..ad9cce665 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if 
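Review bot: The summary of `files_relabelto_usr_files` reads as if the interface grants a complete relabel, but the body allows only `relabelto` on usr_t. The caller still needs `relabelfrom` on the file's current type, which bootloader.te grants itself for modules_object_t and boot_t. The summary should say so, for instance `## Allow files to be relabeled to the type used in /usr; relabelfrom on the source type is granted separately.` The same wording gap exists in `fstools_relabelto_entry_files` (fstools.if) and `libs_relabelto_lib_files` (libraries.if).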
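Review bot: `fstools_relabelto_entry_files` lists only `type fsadm_exec_t;` in its gen_require, whereas the other two relabelto interfaces in this patch, and `fstools_manage_entry_files` directly below it, also declare the class and permission they use. Add `class file relabelto;` so the interface declares everything it references. Both new fstools interfaces let the caller create or relabel files carrying the fstools executable type. Their summaries could therefore carry a caution such as `## Intended for domains that install or rebuild the filesystem tools.`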
@@ -484,6 +484,24 @@ interface(`init_rw_script_tmp_files',` allow $1 initrc_tmp_t:file rw_file_perms; ') +######################################## +## +## List the contents of an init script +## process id directory. +## +## +## Domain allowed access. +## +interface(`init_list_script_pids',` + gen_require(` + type initrc_var_run_t; + class dir r_dir_perms; + ') + + files_search_pids($1) + allow $1 initrc_var_run_t:dir r_dir_perms; +') + ######################################## # # init_read_script_pid(domain) diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index d3e8a700e..a651e4d9a 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -195,6 +195,23 @@ interface(`libs_exec_lib_files',` can_exec($1,lib_t) ') +######################################## +## +## Relabel files to the type used in library directories. +## +## +## The type of the process performing this action. +## +# +interface(`libs_relabelto_lib_files',` + gen_require(` + type lib_t; + class file relabelto; + ') + + allow $1 lib_t:file relabelto; +') + ######################################## ## ## Load and execute functions from shared libraries.
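Review bot: The doc header of `init_list_script_pids` runs straight from its last `##` line into `interface(`, without the bare `#` line that closes the header of every other interface added in this patch (files.if, fstools.if, libraries.if, terminal.if). Add a `#` line before `interface(` so the header matches its siblings.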