start adding secure_file_type implementation

refpolicy/policy/modules/services/bind.te

@@ -7,8 +7,8 @@ policy_module(bind,1.0)
 #
 
 # for DNSSEC key files
-type dnssec_t; #, secure_file_type;
+type dnssec_t;
-files_type(dnssec_t)
+files_security_file(dnssec_t)
 
 type named_t;
 type named_exec_t;

refpolicy/policy/modules/services/kerberos.te

@@ -23,8 +23,8 @@ type krb5_conf_t;
 files_type(krb5_conf_t)
 
 # types for general configuration files in /etc
-type krb5_keytab_t; #, secure_file_type;
+type krb5_keytab_t;
-files_type(krb5_keytab_t)
+files_security_file(krb5_keytab_t)
 
 # types for KDC configs and principal file(s)
 type krb5kdc_conf_t;

refpolicy/policy/modules/system/files.if

@@ -151,6 +151,26 @@ interface(`files_poly_member_tmp',`
 	type_member $1 tmp_t:dir $2;
 ')
 
+########################################
+## <summary>
+##	Make the specified type a file that
+##	should not be dontaudited from
+##	browsing from user domains.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_security_file',`
+	gen_require(`
+		attribute security_file_type;
+	')
+
+	files_type($1)
+	typeattribute $1 security_file_type;
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type a file
@@ -245,6 +265,23 @@ interface(`files_list_all_dirs',`
 	allow $1 file_type:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to list all
+##	non security directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_non_security',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all files.
@@ -276,12 +313,28 @@ interface(`files_getattr_all_files',`
 interface(`files_dontaudit_getattr_all_files',`
 	gen_require(`
 		attribute file_type;
-		class file getattr;
 	')
 
 	dontaudit $1 file_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security files.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all files.
@@ -342,6 +395,57 @@ interface(`files_dontaudit_getattr_all_symlinks',`
 	dontaudit $1 file_type:lnk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security block devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_blk_dev',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security character devices.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_chr_dev',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read all symbolic links.
@@ -398,6 +502,23 @@ interface(`files_dontaudit_getattr_all_pipes',`
 	dontaudit $1 file_type:fifo_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named pipes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all named sockets.
@@ -435,6 +556,23 @@ interface(`files_dontaudit_getattr_all_sockets',`
 	dontaudit $1 file_type:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of non security named sockets.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+	gen_require(`
+		attribute file_type, security_file_type;
+	')
+
+	dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except

refpolicy/policy/modules/system/files.te

@@ -22,6 +22,10 @@ attribute polyparent;
 # And labeling for the member directories
 attribute polymember;
 
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+
 attribute tmpfile;
 attribute tmpfsfile;
 

refpolicy/policy/modules/system/logging.te

@@ -13,11 +13,11 @@ type auditctl_exec_t;
 init_system_domain(auditctl_t,auditctl_exec_t)
 role system_r types auditctl_t;
 
-type auditd_etc_t; #, secure_file_type;
+type auditd_etc_t;
-files_type(auditd_etc_t)
+files_security_file(auditd_etc_t)
 
-type auditd_log_t; # secure_file_type;
+type auditd_log_t;
-files_type(auditd_log_t)
+files_security_file(auditd_log_t)
 
 type auditd_t;
 type auditd_exec_t;

refpolicy/policy/modules/system/userdomain.if

@@ -212,6 +212,14 @@ template(`base_user_template',`
 	files_exec_etc_files($1_t)
 	files_read_usr_src_files($1_t)
 	files_search_locks($1_t)
+	# old broswer_domain():
+	files_dontaudit_list_non_security($1_t)
+	files_dontaudit_getattr_non_security_files($1_t)
+	files_dontaudit_getattr_non_security_symlinks($1_t)
+	files_dontaudit_getattr_non_security_pipes($1_t)
+	files_dontaudit_getattr_non_security_sockets($1_t)
+	files_dontaudit_getattr_non_security_blk_dev($1_t)
+	files_dontaudit_getattr_non_security_chr_dev($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_pty($1_t)
@@ -385,9 +393,7 @@ template(`base_user_template',`
 
 	allow $1_t fs_type:dir getattr;
 
-	dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+	# old browser_domain():
-	dontaudit $1 file_type - secure_file_type:dir search;
-	dontaudit $1 file_type - secure_file_type:dir read;
 	dontaudit $1 unlabeled_t:dir_file_class_set getattr;
 	dontaudit $1 unlabeled_t:dir search;
 	dontaudit $1 unlabeled_t:dir read;