Merge file_t into unlabeled_t, as they are security equivalent.

2025-03-31 07:46:41 +00:00 · 2014-01-16 11:19:00 -05:00 · 2014-01-16 11:19:00 -05:00 · d66aeb8436
commit d66aeb8436
parent bf6d35851e
4 changed files with 288 additions and 134 deletions
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -3132,7 +3132,7 @@ interface(`files_etc_filetrans_etc_runtime',`
 ########################################
 ## <summary>
 ##	Getattr of directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3141,17 +3141,14 @@ interface(`files_etc_filetrans_etc_runtime',`
 ## </param>
 #
 interface(`files_getattr_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir getattr;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_getattr_unlabeled_dirs() instead.')
+	kernel_getattr_unlabeled_dirs($1)
 ')

 ########################################
 ## <summary>
 ##	Do not audit attempts to search directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3160,17 +3157,14 @@ interface(`files_getattr_isid_type_dirs',`
 ## </param>
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_search_unlabeled() instead.')
+	kernel_dontaudit_search_unlabeled($1)
 ')

 ########################################
 ## <summary>
 ##	List the contents of directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3179,17 +3173,14 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 ## </param>
 #
 interface(`files_list_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir list_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_list_unlabeled() instead.')
+	kernel_list_unlabeled($1)
 ')

 ########################################
 ## <summary>
 ##	Read and write directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3198,17 +3189,14 @@ interface(`files_list_isid_type_dirs',`
 ## </param>
 #
 interface(`files_rw_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_dirs() instead.')
+	kernel_rw_unlabeled_dirs($1)
 ')

 ########################################
 ## <summary>
 ##	Delete directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3217,17 +3205,14 @@ interface(`files_rw_isid_type_dirs',`
 ## </param>
 #
 interface(`files_delete_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_dirs_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_dirs() instead.')
+	kernel_delete_unlabeled_dirs($1)
 ')

 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3236,17 +3221,14 @@ interface(`files_delete_isid_type_dirs',`
 ## </param>
 #
 interface(`files_manage_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir manage_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_dirs() instead.')
+	kernel_manage_unlabeled_dirs($1)
 ')

 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory on new filesystems
-##	that has not yet been labeled.
+##	that has not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3255,17 +3237,14 @@ interface(`files_manage_isid_type_dirs',`
 ## </param>
 #
 interface(`files_mounton_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir { search_dir_perms mounton };
+	refpolicywarn(`$0($*) has been deprecated, use kernel_mounton_unlabeled_dirs() instead.')
+	kernel_mounton_unlabeled_dirs($1)
 ')

 ########################################
 ## <summary>
 ##	Read files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3274,17 +3253,14 @@ interface(`files_mounton_isid_type_dirs',`
 ## </param>
 #
 interface(`files_read_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:file read_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_read_unlabeled_files() instead.')
+	kernel_read_unlabeled_files($1)
 ')

 ########################################
 ## <summary>
 ##	Delete files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3293,17 +3269,14 @@ interface(`files_read_isid_type_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_files() instead.')
+	kernel_delete_unlabeled_files($1)
 ')

 ########################################
 ## <summary>
 ##	Delete symbolic links on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3312,17 +3285,14 @@ interface(`files_delete_isid_type_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_symlinks',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_lnk_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_symlinks() instead.')
+	kernel_delete_unlabeled_symlinks($1)
 ')

 ########################################
 ## <summary>
 ##	Delete named pipes on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3331,17 +3301,14 @@ interface(`files_delete_isid_type_symlinks',`
 ## </param>
 #
 interface(`files_delete_isid_type_fifo_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_fifo_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_pipes() instead.')
+	kernel_delete_unlabeled_pipes($1)
 ')

 ########################################
 ## <summary>
 ##	Delete named sockets on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3350,17 +3317,14 @@ interface(`files_delete_isid_type_fifo_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_sock_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_sock_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_sockets() instead.')
+	kernel_delete_unlabeled_sockets($1)
 ')

 ########################################
 ## <summary>
 ##	Delete block files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3369,17 +3333,14 @@ interface(`files_delete_isid_type_sock_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_blk_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_blk_files() instead.')
+	kernel_delete_unlabeled_blk_files($1)
 ')

 ########################################
 ## <summary>
 ##	Do not audit attempts to write to character
-##	files that have not yet been labeled.
+##	files that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3388,17 +3349,14 @@ interface(`files_delete_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_dontaudit_write_isid_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:chr_file write;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_write_unlabeled_chr_files() instead.')
+	kernel_dontaudit_write_unlabeled_chr_files($1)
 ')

 ########################################
 ## <summary>
 ##	Delete chr files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3407,17 +3365,14 @@ interface(`files_dontaudit_write_isid_chr_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_chr_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_chr_files() instead.')
+	kernel_delete_unlabeled_chr_files($1)
 ')

 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3426,17 +3381,14 @@ interface(`files_delete_isid_type_chr_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:file manage_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_files() instead.')
+	kernel_manage_unlabeled_files($1)
 ')

 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3445,17 +3397,14 @@ interface(`files_manage_isid_type_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_symlinks',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:lnk_file manage_lnk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_symlinks() instead.')
+	kernel_manage_unlabeled_symlinks($1)
 ')

 ########################################
 ## <summary>
 ##	Read and write block device nodes on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3464,17 +3413,14 @@ interface(`files_manage_isid_type_symlinks',`
 ## </param>
 #
 interface(`files_rw_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:blk_file rw_blk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_blk_files() instead.')
+	kernel_rw_unlabeled_blk_files($1)
 ')

 ########################################
 ## <summary>
 ##	Create, read, write, and delete block device nodes
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3483,17 +3429,14 @@ interface(`files_rw_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:blk_file manage_blk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_blk_files() instead.')
+	kernel_manage_unlabeled_blk_files($1)
 ')

 ########################################
 ## <summary>
 ##	Create, read, write, and delete character device nodes
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -3502,11 +3445,8 @@ interface(`files_manage_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:chr_file manage_chr_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_chr_files() instead.')
+	kernel_manage_unlabeled_chr_files($1)
 ')

 ########################################
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,4 +1,4 @@
-policy_module(files, 1.18.1)
+policy_module(files, 1.18.2)

 ########################################
 #
@ -74,16 +74,6 @@ files_type(etc_runtime_t)
 #Temporarily in policy until FC5 dissappears
 typealias etc_runtime_t alias firstboot_rw_t;

-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
 #
 # home_root_t is the type for the directory where user home directories
 # are created
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -2262,6 +2262,42 @@ interface(`kernel_sigchld_unlabeled',`
 	allow $1 unlabeled_t:process sigchld;
 ')

+########################################
+## <summary>
+##	Get the attributes of unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List unlabeled directories.
@ -2336,6 +2372,78 @@ interface(`kernel_rw_unlabeled_dirs',`
 	allow $1 unlabeled_t:dir rw_dir_perms;
 ')

+########################################
+## <summary>
+##	Delete unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir delete_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on an unlabeled directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+##	Read unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write unlabeled files.
@ -2354,6 +2462,42 @@ interface(`kernel_rw_unlabeled_files',`
 	allow $1 unlabeled_t:file rw_file_perms;
 ')

+########################################
+## <summary>
+##	Delete unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get the
@ -2392,6 +2536,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 	dontaudit $1 unlabeled_t:file { getattr read };
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to get the
@ -2483,7 +2645,25 @@ interface(`kernel_rw_unlabeled_blk_files',`
 		type unlabeled_t;
 	')

-	allow $1 unlabeled_t:blk_file getattr;
+	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')

 ########################################
@ -2505,6 +2685,43 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 	dontaudit $1 unlabeled_t:chr_file getattr;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to
+##	write unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file write;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to relabel unlabeled directories.
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.2)
+policy_module(kernel, 1.17.3)

 ########################################
 #
@ -162,8 +162,15 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 # Objects that have no known labeling information or that
 # have labels that are no longer valid are treated as having this type.
 #
-type unlabeled_t;
+# Mountpoint permissions are for the case when a file has been assigned
+# an extended attribute for the first time (old file_t).  Directories
+# where filesystems are mounted may never get relabeled.
+#
+type unlabeled_t alias file_t;
+kernel_rootfs_mountpoint(unlabeled_t)
+files_mountpoint(unlabeled_t)
 fs_associate(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)

 # These initial sids are no longer used, and can be removed: