diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index fa257c832..5b9a9b7dc 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,7 @@
+- Separate per-userdomain template expansion from the userdomain
+ module and add infrastructure to expand templates in the modules
+ that own the template.
+- Enable secadm only for MLS policies.
 - Remove role change rules in su and sudo since this functionality
 has been removed from these programs.
 - Add ctags Make target from Thomas Bleher.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10f513bbe..ae8f7a52f 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,6 +71,7 @@ GLOBALBOOL := $(POLDIR)/global_booleans
 MOD_CONF := $(POLDIR)/modules.conf
 TUNABLES := $(POLDIR)/tunables.conf
 BOOLEANS := $(POLDIR)/booleans.conf
+ROLEMAP := $(POLDIR)/rolemap
 
 # install paths
 TOPDIR = $(DESTDIR)/etc/selinux
@@ -181,6 +182,24 @@ BASE_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 ==
 MOD_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null))
 OFF_MODS := $(addsuffix .te,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null))
 
+########################################
+ #
+ # Functions
+ #
+
+ # parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(QUIET) m4 $(M4PARAM) $(ROLEMAP) | \
+ awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+ # peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(QUIET) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(QUIET) echo "')" >> $2
+endef
+
 ########################################
 #
 # Load appropriate rules
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 8721f5484..f4bb9b011 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
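Review bot: In `parse-rolemap` the exit status of m4 is lost behind the pipe into awk, so an m4 failure on `$(ROLEMAP)` (an unbalanced quote, for instance) leaves `$2` with an empty or truncated expansion while the recipe carries on and the module still builds. Since this expansion is what instantiates the derived per-role domains, the build then silently drops the separation those domains provide instead of failing. Write the m4 output to a file derived from `$2` first and run awk on that, so the m4 status is checked before anything is appended: `$(QUIET) m4 $(M4PARAM) $(ROLEMAP) > $2.m4 && \` followed by `awk '…' $2.m4 >> $2`. The same pipe is reached through `peruser-expansion` and through the `base` calls added in Rules.modular and Rules.monolithic.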
@@ -64,7 +64,8 @@ $(MODPKGDIR)/%.pp: %.pp
 #
 tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
 @echo "Compliling $(NAME) $(@F) module"
- $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(QUIET) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
 tmp/%.mod.fc: $(M4SUPPORT) %.fc
@@ -109,8 +110,8 @@ tmp/generated_definitions.conf: $(BASE_TE_FILES)
 # define all available object classes
 $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
 # per-userdomain templates
- $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
- $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS) $(MOD_MODS)); do \
+ $(QUIET) echo "define(\`base_per_userdomain_template',\`" >> $@
+ $(QUIET) for i in $(patsubst %.te,%,$(BASE_MODS)); do \
 echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
 >> $@ ;\
 done
@@ -134,6 +135,7 @@ ifeq ($(BASE_TE_FILES),)
 endif
 @test -d tmp || mkdir -p tmp
 $(QUIET) cat $^ > $@
+ $(call parse-rolemap,base,$@)
 
 tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
 @test -d tmp || mkdir -p tmp
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 174bdded9..7051ec037 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -102,7 +102,7 @@ tmp/pre_te_files.conf: $(PRE_TE_FILES)
 tmp/generated_definitions.conf: $(ALL_TE_FILES)
 # per-userdomain templates:
 @test -d tmp || mkdir -p tmp
- $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+ $(QUIET) echo "define(\`base_per_userdomain_template',\`" > $@
 $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
 echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
 >> $@ ;\
@@ -127,6 +127,7 @@ ifeq ($(ALL_TE_FILES),)
 endif
 @test -d tmp || mkdir -p tmp
 $(QUIET) cat $^ > $@
+ $(call parse-rolemap,base,$@)
 
 tmp/post_te_files.conf: $(POST_TE_FILES)
 @test -d tmp || mkdir -p tmp
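Review bot: `$(ROLEMAP)` is read by the `peruser-expansion` call added to the `tmp/%.mod` recipe but is not a prerequisite of `tmp/%.mod`, so editing `policy/rolemap` (adding or removing a role line) rebuilds no module and the installed policy keeps the old role-to-template mapping until something else touches the module. The `parse-rolemap` calls added to the `all_te_files.conf` rules in the third hunk of this file and in Rules.monolithic have the same gap. Adding it as a normal prerequisite puts it into `$^`, which is passed straight to m4 and cat, so the recipes must exclude it: `tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te $(ROLEMAP)` with `$(QUIET) m4 $(M4PARAM) -s $(filter-out $(ROLEMAP),$^) $@.role > $(@:.mod=.tmp)`, and likewise `$(QUIET) cat $(filter-out $(ROLEMAP),$^) > $@` in the two all_te_files.conf rules. `$@.role` is also a side output of the rule that is not its target; whether `clean` removes it is not visible here.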
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index af67fcb86..5ad066133 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -47,6 +47,9 @@ template(`irc_per_userdomain_template',`
 
 type $1_irc_home_t;
 userdom_home_file($1,$1_irc_home_t)
+
+ type $1_irc_tmp_t;
+ userdom_home_file($1,$1_irc_tmp_t)
 
 ########################################
 #
@@ -65,12 +68,12 @@ template(`irc_per_userdomain_template',`
 userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
 
 # access files under /tmp
- allow $1_irc_t $1_tmp_t:dir create_dir_perms;
- allow $1_irc_t $1_tmp_t:file create_file_perms;
- allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
- allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
- allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
- files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
+ allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
+ allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
+ allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
+ allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
+ allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+ files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($2,irc_exec_t,$1_irc_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5a954dc57..95a559ebc 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -680,7 +680,7 @@ interface(`dev_manage_all_chr_files',`
 #
 interface(`dev_getattr_agp_dev',`
 gen_require(`
- type device_t, dri_device_t;
+ type device_t, agp_device_t;
 ')
 
 allow $1 device_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e42a60e1a..477327cb4 100644
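Review bot: The new `$1_irc_tmp_t` is registered with `userdom_home_file($1,$1_irc_tmp_t)`, which looks copied from the `$1_irc_home_t` line just above, yet the second hunk uses it only as a /tmp type (`files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,…)`). Declaring a /tmp type as a user home file type lets every interface that acts on the user's home-file types reach these files, and interfaces keyed on tmp types (tmp cleanup, for one) will not see them; the refpolicy declaration for a private tmp type is `files_tmp_file`. Suggested change: `type $1_irc_tmp_t;` followed by `files_tmp_file($1_irc_tmp_t)`. Whether the calling user domain `$2` still needs rules on the now-private type, as it had on the shared `$1_tmp_t`, cannot be judged from this hunk; the template continues outside it.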
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -274,6 +274,7 @@ template(`cron_per_userdomain_template',`
 template(`cron_admin_template',`
 gen_require(`
 attribute cron_spool_type;
+ type $1_crontab_t, $1_crond_t;
 ')
 
 # Allow our crontab domain to unlink a user cron spool file.
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 358ae9c42..3ed30bd45 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -262,6 +262,10 @@ template(`mta_per_userdomain_template',`
 ##
 #
 template(`mta_admin_template',`
+ gen_require(`
+ type $1_mail_t;
+ ')
+
 ifdef(`strict_policy',`
 # allow the sysadmin to do "mail someone < /home/user/whatever"
 userdom_read_unpriv_user_home_files($1_mail_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 21032db07..583b3c9e0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -167,7 +167,7 @@ template(`auth_domtrans_user_chk_passwd',`
 allow system_chkpwd_t $2:process sigchld;
 ',`
 gen_require(`
- type chkpwd_exec_t;
+ type $1_chkpwd_t, chkpwd_exec_t;
 ')
 
 corecmd_search_bin($2)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a070ebf70..10ea2a7dd 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -142,13 +142,6 @@ template(`base_user_template',`
 
 allow $1_t unpriv_userdomain:fd use;
 
- # Instantiate derived domains for a number of programs.
- # These derived domains encode both information about the calling
- # user domain and the program, and allow us to maintain separation
- # between different instances of the program being run by different
- # user domains.
- per_userdomain_templates($1,$1_t,$1_r)
-
 kernel_read_kernel_sysctl($1_t)
 kernel_dontaudit_list_unlabeled($1_t)
 kernel_dontaudit_getattr_unlabeled_file($1_t)
@@ -2049,7 +2042,7 @@ template(`userdom_manage_user_tmp_sockets',`
 #
 template(`userdom_rw_user_tmpfs_files',`
 gen_require(`
- type $1_tmp_t;
+ type $1_tmpfs_t;
 ')
 
 fs_search_tmpfs($2)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 374a6b75c..3cd7f1d5a 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,8 +1,12 @@
-policy_module(userdomain,1.2.3)
+policy_module(userdomain,1.2.4)
 
 gen_require(`
- role sysadm_r, staff_r, user_r, secadm_r;
+ role sysadm_r, staff_r, user_r;
+
+ ifdef(`enable_mls',`
+ role secadm_r;
+ ')
 ')
 
 ########################################
@@ -111,7 +115,6 @@ ifdef(`targeted_policy',`
 ')
 ',`
 admin_user_template(sysadm)
- admin_user_template(secadm)
 unpriv_user_template(staff)
 unpriv_user_template(user)
 
@@ -122,7 +125,11 @@ ifdef(`targeted_policy',`
 
 # only staff_r can change to sysadm_r
 role_change(staff, sysadm)
- role_change(staff, secadm)
+
+ ifdef(`enable_mls',`
+ admin_user_template(secadm)
+ role_change(staff, secadm)
+ ')
 
 # this should be tunable_policy, but
 # currently type_change and RBAC allow
diff --git a/refpolicy/policy/rolemap b/refpolicy/policy/rolemap
new file mode 100644
index 000000000..012da6cae
--- /dev/null
+++ b/refpolicy/policy/rolemap
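Review bot: The comment explaining why derived domains exist is deleted together with the `per_userdomain_templates` call, and nothing left in `base_user_template` says that per-role instantiation now comes from `policy/rolemap` and the build's `parse-rolemap`/`peruser-expansion` functions. A reader of this template will look here for where the `$1_<program>_t` domains originate and find nothing. Keep a short pointer where the call was: `# Derived per-program domains ($1_<program>_t) are no longer instantiated here;` / `# see policy/rolemap and the per-userdomain template expansion in the Makefile.` The enclosing template starts and ends outside the hunk.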
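Review bot: `admin_user_template(secadm)` and `role_change(staff, secadm)` are now produced only under `enable_mls`, and the first hunk of this file guards the `role secadm_r` require the same way, but the diff touches no other module; any module whose `gen_require` names `secadm_r` or `secadm_t` without the same guard will now fail to build on a strict non-MLS policy. That cannot be confirmed from this diff and should be checked across the other modules before merging. The new block also drops the role silently; a one-line comment above it, `# secadm_r exists only when enable_mls is set; a non-MLS strict build has no separate security administrator role`, would make the intent visible to whoever later adds rules for that role.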
@@ -0,0 +1,17 @@
+#
+# This file contains the mappings
+# used for per-userdomain template
+# infrastructure
+#
+# Each line has: role prefix user_domain
+#
+
+ifdef(`strict_policy',`
+ user_r user user_t
+ staff_r staff staff_t
+ sysadm_r sysadm sysadm_t
+
+ ifdef(`enable_mls',`
+ secadm_r secadm secadm_t
+ ')
+')
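Review bot: The header gives the field order but not how the file is consumed: the Makefile's `parse-rolemap` runs it through m4 and then treats every output line whose first non-blank character is a letter (`/^[[:blank:]]*[A-Za-z]/`) as a mapping, so a stray non-`#` note or a misspelt macro name would silently become a `gen_require` and a template call in every module. Each line also expands every module's `<module>_per_userdomain_template` for that role, so adding a line here is a policy-wide change rather than a local one. Suggest extending the header with `# Processed by m4, then parsed by parse-rolemap in the Makefile: every line` / `# starting with a letter is taken as "role prefix user_domain" and expands` / `# every module's per_userdomain_template for that role.`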