RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #499 from 0xC0ncord/udica-templates 

Add udica templates
This commit is contained in:
Chris PeBenito 2022-05-07 14:16:21 -04:00 committed by GitHub
parent 8f4ca1fb90 082fbdfcb8
commit ed9e2c99ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 307 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/tests.yml vendored
View File

@ -151,4 +151,5 @@ jobs:
make install-headers
make install-src
make install-docs
make install-udica-templates
make install-appconfig

15
Makefile
View File

@ -133,6 +133,9 @@ htmldir := $(LOCAL_ROOT)/doc/html
doctmpdir := $(LOCAL_ROOT)/doc/tmp
endif
# udica templates path
udicatemplates := udica-templates
# config file paths
globaltun := $(poldir)/global_tunables
globalbool := $(poldir)/global_booleans
@ -167,6 +170,7 @@ sharedir := $(prefix)/share/selinux
modpkgdir := $(sharedir)/$(strip $(NAME))
headerdir := $(modpkgdir)/include
docsdir := $(prefix)/share/doc/$(PKGNAME)
udicatemplatesdir := $(prefix)/share/udica/templates
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
@ -590,6 +594,15 @@ install-src:
mkdir -p $(srcpath)/policy
cp -R . $(srcpath)/policy
########################################
#
# Install udica templates
#
install-udica-templates:
@mkdir -p $(udicatemplatesdir)
@echo "Installing udica templates"
$(verbose) $(INSTALL) -m 644 $(wildcard $(udicatemplates)/*) $(udicatemplatesdir)
########################################
#
# Generate tags file
@ -671,4 +684,4 @@ ifneq ($(generated_fc),)
endif
endif
.PHONY: install-src install-appconfig install-headers build-interface-db generate xml conf html bare tags
.PHONY: install-src install-appconfig install-headers install-udica-templates build-interface-db generate xml conf html bare tags

77
udica-templates/base_container.cil Normal file
View File

@ -0,0 +1,77 @@
;;
;; Permission sets definitions
;;
(classpermission search_dir_perms)
(classpermissionset search_dir_perms (dir (getattr search)))
(classpermission list_dir_perms)
(classpermissionset list_dir_perms (dir (getattr search open read lock ioctl)))
(classpermission rw_dir_perms)
(classpermissionset rw_dir_perms (dir (open read getattr lock search ioctl add_name remove_name write)))
(classpermission manage_dir_perms)
(classpermissionset manage_dir_perms (dir (create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl)))
(classpermission rw_chr_file_perms)
(classpermissionset rw_chr_file_perms (chr_file (getattr open read write append ioctl lock)))
(classpermission read_file_perms)
(classpermissionset read_file_perms (file (getattr open read lock ioctl)))
(classpermission rw_file_perms)
(classpermissionset rw_file_perms (file (open getattr read write append ioctl lock)))
(classpermission manage_file_perms)
(classpermissionset manage_file_perms (file (create open getattr setattr read write append rename link unlink ioctl lock)))
(classpermission exec_file_perms)
(classpermissionset exec_file_perms (file (getattr open map read execute ioctl execute_no_trans)))
(classpermission read_lnk_file_perms)
(classpermissionset read_lnk_file_perms (lnk_file (getattr read)))
(classpermission rw_lnk_file_perms)
(classpermissionset rw_lnk_file_perms (lnk_file (getattr read write lock ioctl)))
(classpermission manage_lnk_file_perms)
(classpermissionset manage_lnk_file_perms (lnk_file (create read write getattr setattr link unlink rename ioctl lock)))
(classpermission write_sock_file_perms)
(classpermissionset write_sock_file_perms (sock_file (getattr write open append)))
(classpermission manage_sock_file_perms)
(classpermissionset manage_sock_file_perms (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
(classpermission create_tcp_socket_perms)
(classpermissionset create_tcp_socket_perms (tcp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept)))
(classpermission create_udp_socket_perms)
(classpermissionset create_udp_socket_perms (udp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))
(classpermission create_sctp_socket_perms)
(classpermissionset create_sctp_socket_perms (sctp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))
(classpermission rw_shm_perms)
(classpermissionset rw_shm_perms (shm (lock associate getattr read unix_read unix_write write)))
;;
;; Base container policy
;;
(block container
(blockabstract container)
(type process)
(type socket)
(roletype system_r process)
(typeattributeset domain (process))
(typeattributeset container_domain (process))
(typeattributeset mcs_constrained_type (process))
(typeattributeset file_type (socket))
(allow process socket manage_sock_file_perms)
(allow container_engine_domain process (key (create search setattr view)))
)

33
udica-templates/config_container.cil Normal file
View File

@ -0,0 +1,33 @@
(block config_container
(blockabstract config_container)
(optional config_container_optional
(allow process configfile list_dir_perms)
(allow process configfile read_file_perms)
(allow process configfile read_lnk_file_perms)
)
)
(block config_rw_container
(blockabstract config_rw_container)
(blockinherit config_container)
(optional config_rw_container_optional
(allow process configfile rw_dir_perms)
(allow process configfile rw_file_perms)
(allow process configfile rw_lnk_file_perms)
)
)
(block config_manage_container
(blockabstract config_manage_container)
(blockinherit config_rw_container)
(optional config_manage_container_optional
(allow process configfile manage_dir_perms)
(allow process configfile manage_file_perms)
(allow process configfile manage_lnk_file_perms)
)
)

44
udica-templates/home_container.cil Normal file
View File

@ -0,0 +1,44 @@
(block home_container
(blockabstract home_container)
(optional home_container_optional
(allow process process (capability (dac_override)))
(allow process home_root_t list_dir_perms)
(allow process user_home_dir_t list_dir_perms)
(allow process user_home_t list_dir_perms)
(allow process user_home_dir_t read_file_perms)
(allow process user_home_t read_file_perms)
)
)
(block home_rw_container
(blockabstract home_rw_container)
(blockinherit home_container)
(optional home_rw_container_optional
(allow process home_root_t rw_dir_perms)
(allow process user_home_dir_t rw_dir_perms)
(allow process user_home_t rw_dir_perms)
(allow process user_home_dir_t rw_file_perms)
(allow process user_home_t rw_file_perms)
)
)
(block home_manage_container
(blockabstract home_manage_container)
(blockinherit home_rw_container)
(optional home_manage_container_optional
(allow process home_root_t manage_dir_perms)
(allow process user_home_dir_t manage_dir_perms)
(allow process user_home_t manage_dir_perms)
(allow process user_home_dir_t manage_file_perms)
(allow process user_home_t manage_file_perms)
)
)

40
udica-templates/log_container.cil Normal file
View File

@ -0,0 +1,40 @@
(block log_container
(blockabstract log_container)
(optional log_container_optional
(allow process var_t search_dir_perms)
(allow process logfile list_dir_perms)
(allow process logfile read_file_perms)
(allow process logfile read_lnk_file_perms)
(allow process auditd_log_t list_dir_perms)
(allow process auditd_log_t read_file_perms)
)
)
(block log_rw_container
(blockabstract log_rw_container)
(blockinherit log_container)
(optional log_rw_container_optional
(allow process logfile rw_dir_perms)
(allow process logfile rw_file_perms)
(allow process logfile rw_lnk_file_perms)
(allow process auditd_log_t rw_dir_perms)
(allow process auditd_log_t rw_file_perms)
)
)
(block log_manage_container
(blockabstract log_manage_container)
(blockinherit log_rw_container)
(optional log_manage_container_optional
(allow process logfile manage_dir_perms)
(allow process logfile manage_file_perms)
(allow process logfile manage_lnk_file_perms)
(allow process auditd_log_t manage_dir_perms)
(allow process auditd_log_t manage_file_perms)
)
)

26
udica-templates/net_container.cil Normal file
View File

@ -0,0 +1,26 @@
(block net_container
(blockabstract net_container)
(optional net_container_optional
(typeattributeset container_net_domain (process))
)
)
(block restricted_net_container
(blockabstract restricted_net_container)
(optional restricted_net_container_optional
(allow process self create_tcp_socket_perms)
(allow process self create_udp_socket_perms)
(allow process self create_sctp_socket_perms)
(call .read_lnk_files (process proc_t))
(allow process node_t (node (recvfrom sendto)))
(allow process node_t (udp_socket (node_bind)))
(allow process node_t (tcp_socket (node_bind)))
(allow process http_port_t (tcp_socket (name_connect)))
)
)

19
udica-templates/tmp_container.cil Normal file
View File

@ -0,0 +1,19 @@
(block tmp_container
(blockabstract tmp_container)
(optional tmp_container_optional
(allow process tmpfile search_dir_perms)
(allow process tmpfile read_file_perms)
)
)
(block tmp_rw_container
(blockabstract tmp_rw_container)
(blockinherit tmp_container)
(optional tmp_rw_container_optional
(allow process tmpfile rw_dir_perms)
(allow process tmpfile rw_file_perms)
)
)

10
udica-templates/tty_container.cil Normal file
View File

@ -0,0 +1,10 @@
(block tty_container
(blockabstract tty_container)
(optional tty_container_optional
(allow process device_t list_dir_perms)
(allow process device_t read_lnk_file_perms)
(allow process devtty_t rw_chr_file_perms)
)
)

16
udica-templates/virt_container.cil Normal file
View File

@ -0,0 +1,16 @@
(block virt_container
(blockabstract virt_container)
(optional virt_container_optional
(allow process var_t search_dir_perms)
(allow process var_t read_lnk_file_perms)
(allow process var_run_t search_dir_perms)
(allow process var_run_t read_lnk_file_perms)
(allow process virt_runtime_t search_dir_perms)
(allow process virt_runtime_t write_sock_file_perms)
(allow process virtd_t (unix_stream_socket (connectto)))
)
)

27
udica-templates/x_container.cil Normal file
View File

@ -0,0 +1,27 @@
(block x_container
(blockabstract x_container)
(optional x_container_optional
(allow xserver_t process rw_shm_perms)
(allow process xserver_t (unix_stream_socket (connectto)))
(allow process device_t search_dir_perms)
(allow process dri_device_t rw_chr_file_perms)
(allow process xserver_misc_device_t rw_chr_file_perms)
(allow process urandom_device_t read_chr_file_perms)
(allow process tmpfs_t search_dir_perms)
(allow process tmp_t search_dir_perms)
(allow process tmp_t read_lnk_file_perms)
(allow process xserver_tmp_t search_dir_perms)
(allow process xserver_tmp_t write_sock_file_perms)
(allow process xserver_exec_t exec_file_perms)
)
)