Create non_auth_file_type attribute and interfaces
Reduce the binary policy size by eliminating some set expressions related to file accesses and make Refpolicy easier to convert into CIL. - Moved the auth_file_type attribute. - Created a new type attribute called non_auth_file_type. - Created new interfaces to allow file accesses on non_auth_file_type files. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
parent
9b0b33ac4c
commit
709fd365b8
@ -78,10 +78,10 @@
|
||||
#
|
||||
interface(`files_type',`
|
||||
gen_require(`
|
||||
attribute file_type, non_security_file_type;
|
||||
attribute file_type, non_security_file_type, non_auth_file_type;
|
||||
')
|
||||
|
||||
typeattribute $1 file_type, non_security_file_type;
|
||||
typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -99,10 +99,10 @@ interface(`files_type',`
|
||||
#
|
||||
interface(`files_security_file',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
attribute file_type, security_file_type, non_auth_file_type;
|
||||
')
|
||||
|
||||
typeattribute $1 file_type, security_file_type;
|
||||
typeattribute $1 file_type, security_file_type, non_auth_file_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1275,6 +1275,161 @@ interface(`files_unmount_all_file_type_fs',`
|
||||
allow $1 file_type:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mark the specified type as a file
|
||||
## that is related to authentication.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## <summary>
|
||||
## Type of the authentication-related
|
||||
## file.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_auth_file',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type, auth_file_type;
|
||||
')
|
||||
|
||||
typeattribute $1 file_type, security_file_type, auth_file_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all non-authentication related
|
||||
## directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_non_auth_dirs',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
allow $1 non_auth_file_type:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all non-authentication related
|
||||
## files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_non_auth_files',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
read_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all non-authentication related
|
||||
## symbolic links.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_non_auth_symlinks',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel all non-authentication related
|
||||
## files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`files_relabel_non_auth_files',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
allow $1 non_auth_file_type:dir list_dir_perms;
|
||||
relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
# this is only relabelfrom since there should be no
|
||||
# device nodes with file types.
|
||||
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
|
||||
# satisfy the assertions:
|
||||
seutil_relabelto_bin_policy($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## rw non-authentication related files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_rw_non_auth_files',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage non-authentication related
|
||||
## files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`files_manage_non_auth_files',`
|
||||
gen_require(`
|
||||
attribute non_auth_file_type;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
|
||||
|
||||
# satisfy the assertions:
|
||||
seutil_create_bin_policy($1)
|
||||
files_manage_kernel_modules($1)
|
||||
')
|
||||
|
||||
#############################################
|
||||
## <summary>
|
||||
## Manage all configuration directories on filesystem
|
||||
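Review bot: Nothing in these hunks keeps `non_auth_file_type` and `auth_file_type` disjoint. `files_type` and `files_security_file` now add `non_auth_file_type` unconditionally, while `files_auth_file` adds `auth_file_type`. A type that reaches both paths (directly, or through a wrapper interface defined outside this page) would be covered by `files_read_non_auth_files`, `files_rw_non_auth_files`, `files_manage_non_auth_files` and `files_relabel_non_auth_files`. The commit message says set expressions were removed; those presumably excluded authentication files by construction, whereas the explicit attribute depends on every caller picking the right interface. I would state the rule in the `files_auth_file` summary, e.g. `## Do not combine with files_type() or files_security_file(); both add non_auth_file_type.`, and check the built policy with `seinfo -a non_auth_file_type -x` to confirm no authentication type is listed.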
|
@ -29,6 +29,12 @@ attribute security_file_type;
|
||||
# and its opposite
|
||||
attribute non_security_file_type;
|
||||
|
||||
# sensitive authentication files whose accesses should
|
||||
# not be dontaudited for uses
|
||||
attribute auth_file_type;
|
||||
# and its opposite
|
||||
attribute non_auth_file_type;
|
||||
|
||||
attribute tmpfile;
|
||||
attribute tmpfsfile;
|
||||
|
||||
|
@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute auth_file_type;
|
||||
attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
@ -51,7 +50,7 @@ type pam_var_run_t;
|
||||
files_pid_file(pam_var_run_t)
|
||||
|
||||
type shadow_t;
|
||||
auth_file(shadow_t)
|
||||
files_auth_file(shadow_t)
|
||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||
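Review bot: Only `shadow_t` is moved to `files_auth_file()` here, and the page does not show the authlogin interface file, so it is unclear what happens to other callers of `auth_file()`. If that interface still exists and builds on `files_security_file()` (not visible; confirm), any type still declared through it would now also receive `non_auth_file_type`. The `neverallow` rules after the changed line protect `shadow_t` only, so a policy build would not flag the same mistake for another authentication type. I would either redefine `auth_file()` as a thin wrapper whose body is `files_auth_file($1)`, or migrate the remaining callers in this commit.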
|