Create non_auth_file_type attribute and interfaces
Reduce the binary policy size by eliminating some set expressions related to file accesses and make Refpolicy easier to convert into CIL. - Moved the auth_file_type attribute. - Created a new type attribute called non_auth_file_type. - Created new interfaces to allow file accesses on non_auth_file_type files. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
parent
9b0b33ac4c
commit
709fd365b8
|
@ -78,10 +78,10 @@
|
||||||
#
|
#
|
||||||
interface(`files_type',`
|
interface(`files_type',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute file_type, non_security_file_type;
|
attribute file_type, non_security_file_type, non_auth_file_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 file_type, non_security_file_type;
|
typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -99,10 +99,10 @@ interface(`files_type',`
|
||||||
#
|
#
|
||||||
interface(`files_security_file',`
|
interface(`files_security_file',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute file_type, security_file_type;
|
attribute file_type, security_file_type, non_auth_file_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $1 file_type, security_file_type;
|
typeattribute $1 file_type, security_file_type, non_auth_file_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1275,6 +1275,161 @@ interface(`files_unmount_all_file_type_fs',`
|
||||||
allow $1 file_type:filesystem unmount;
|
allow $1 file_type:filesystem unmount;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Mark the specified type as a file
|
||||||
|
## that is related to authentication.
|
||||||
|
## </summary>
|
||||||
|
## <param name="file_type">
|
||||||
|
## <summary>
|
||||||
|
## Type of the authentication-related
|
||||||
|
## file.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_auth_file',`
|
||||||
|
gen_require(`
|
||||||
|
attribute file_type, security_file_type, auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 file_type, security_file_type, auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all non-authentication related
|
||||||
|
## directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_list_non_auth_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 non_auth_file_type:dir list_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all non-authentication related
|
||||||
|
## files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_non_auth_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read all non-authentication related
|
||||||
|
## symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_read_non_auth_symlinks',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel all non-authentication related
|
||||||
|
## files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`files_relabel_non_auth_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 non_auth_file_type:dir list_dir_perms;
|
||||||
|
relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
# this is only relabelfrom since there should be no
|
||||||
|
# device nodes with file types.
|
||||||
|
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
|
||||||
|
# satisfy the assertions:
|
||||||
|
seutil_relabelto_bin_policy($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## rw non-authentication related files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_rw_non_auth_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage non-authentication related
|
||||||
|
## files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`files_manage_non_auth_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||||
|
|
||||||
|
# satisfy the assertions:
|
||||||
|
seutil_create_bin_policy($1)
|
||||||
|
files_manage_kernel_modules($1)
|
||||||
|
')
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Manage all configuration directories on filesystem
|
## Manage all configuration directories on filesystem
|
||||||
|
|
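Review bot: Nothing in this section keeps auth_file_type and non_auth_file_type disjoint. `files_type` and `files_security_file` now add non_auth_file_type unconditionally, while `files_auth_file` adds auth_file_type without any guard against a type that was already declared through one of the other two. A type that goes through both paths would be covered by every `files_*_non_auth_*` interface, including `files_manage_non_auth_files` and `files_relabel_non_auth_files`, which is presumably the access the split is meant to withhold. I would state the rule in the `files_auth_file` header, for example `## Do not also pass this type to files_type() or files_security_file().`, and repeat it beside the `# and its opposite` comment where non_auth_file_type is declared.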
|
@ -29,6 +29,12 @@ attribute security_file_type;
|
||||||
# and its opposite
|
# and its opposite
|
||||||
attribute non_security_file_type;
|
attribute non_security_file_type;
|
||||||
|
|
||||||
|
# sensitive authentication files whose accesses should
|
||||||
|
# not be dontaudited for uses
|
||||||
|
attribute auth_file_type;
|
||||||
|
# and its opposite
|
||||||
|
attribute non_auth_file_type;
|
||||||
|
|
||||||
attribute tmpfile;
|
attribute tmpfile;
|
||||||
attribute tmpfsfile;
|
attribute tmpfsfile;
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0)
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
attribute auth_file_type;
|
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
attribute can_write_shadow_passwords;
|
attribute can_write_shadow_passwords;
|
||||||
attribute can_relabelto_shadow_passwords;
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
@ -51,7 +50,7 @@ type pam_var_run_t;
|
||||||
files_pid_file(pam_var_run_t)
|
files_pid_file(pam_var_run_t)
|
||||||
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
auth_file(shadow_t)
|
files_auth_file(shadow_t)
|
||||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||||
|
|
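Review bot: The switch from `auth_file(shadow_t)` to `files_auth_file(shadow_t)` leaves open what happens to the remaining callers of `auth_file`, whose definition is not part of the sections shown. If that interface still assigns auth_file_type itself and then calls `files_security_file`, every type declared through it would now pick up non_auth_file_type as well and fall under the new `files_*_non_auth_*` interfaces. It should be reduced to a wrapper around `files_auth_file($1)`, or its callers converted in the same change.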