Create non_auth_file_type attribute and interfaces

Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2012-04-25 10:25:42 -04:00 committed by Chris PeBenito
parent 9b0b33ac4c
commit 709fd365b8
3 changed files with 166 additions and 6 deletions

View File

@ -78,10 +78,10 @@
#
interface(`files_type',`
gen_require(`
attribute file_type, non_security_file_type;
attribute file_type, non_security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, non_security_file_type;
typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
')
########################################
@ -99,10 +99,10 @@ interface(`files_type',`
#
interface(`files_security_file',`
gen_require(`
attribute file_type, security_file_type;
attribute file_type, security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, security_file_type;
typeattribute $1 file_type, security_file_type, non_auth_file_type;
')
########################################
@ -1275,6 +1275,161 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
')
########################################
## <summary>
## Mark the specified type as a file
## that is related to authentication.
## </summary>
## <param name="file_type">
## <summary>
## Type of the authentication-related
## file.
## </summary>
## </param>
#
interface(`files_auth_file',`
gen_require(`
attribute file_type, security_file_type, auth_file_type;
')
typeattribute $1 file_type, security_file_type, auth_file_type;
')
########################################
## <summary>
## Read all non-authentication related
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_non_auth_dirs',`
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
')
########################################
## <summary>
## Read all non-authentication related
## files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_read_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
read_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
## <summary>
## Read all non-authentication related
## symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_read_non_auth_symlinks',`
gen_require(`
attribute non_auth_file_type;
')
read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
## <summary>
## Relabel all non-authentication related
## files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_relabel_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
')
########################################
## <summary>
## rw non-authentication related files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_rw_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
########################################
## <summary>
## Manage non-authentication related
## files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_non_auth_files',`
gen_require(`
attribute non_auth_file_type;
')
manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
')
#############################################
## <summary>
## Manage all configuration directories on filesystem

View File

@ -29,6 +29,12 @@ attribute security_file_type;
# and its opposite
attribute non_security_file_type;
# sensitive authentication files whose accesses should
# not be dontaudited for uses
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;
attribute tmpfile;
attribute tmpfsfile;

View File

@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0)
# Declarations
#
attribute auth_file_type;
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
@ -51,7 +50,7 @@ type pam_var_run_t;
files_pid_file(pam_var_run_t)
type shadow_t;
auth_file(shadow_t)
files_auth_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;