trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.

2007-11-16 14:58:17 +00:00 · 2007-11-16 14:58:17 +00:00 · eeef8dc451
commit eeef8dc451
parent 226c06969c
5 changed files with 99 additions and 27 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Add interface for libselinux constructor, for libselinux-linked
+  SELinux-enabled programs.
 - Patch to restructure user role templates to create restricted user roles
  from Dan Walsh.
 - Russian man page translations from Andrey Markelov.
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -7,11 +7,11 @@

 ########################################
 ## <summary>
-##	Gets the caller the mountpoint of the selinuxfs filesystem.
+##	Get the mountpoint of the selinuxfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type requesting the selinuxfs mountpoint.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -30,6 +30,32 @@ interface(`selinux_get_fs_mount',`
 	kernel_read_system_state($1)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to get the mountpoint
+##	of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_get_fs_mount',`
+	gen_require(`
+		type security_t;
+	')
+
+	# starting in libselinux 2.0.5, init_selinuxmnt() will
+	# attempt to short circuit by checking if SELINUXMNT
+	# (/selinux) is already a selinuxfs
+	dontaudit $1 security_t:filesystem getattr;
+
+	# read /proc/filesystems to see if selinuxfs is supported
+	# then read /proc/self/mount to see where selinuxfs is mounted
+	kernel_dontaudit_read_system_state($1)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the selinuxfs filesystem
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@ -1,5 +1,5 @@

-policy_module(selinux,1.4.0)
+policy_module(selinux,1.4.1)

 ########################################
 #
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@ -1058,3 +1058,57 @@ interface(`seutil_get_semanage_trans_lock',`
 	files_search_etc($1)
 	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
 ')
+
+########################################
+## <summary>
+##	SELinux-enabled program access for
+##	libselinux-linked programs.
+## </summary>
+## <desc>
+##	<p>
+##	SELinux-enabled programs are typically
+##	linked to the libselinux library.  This
+##	interface will allow access required for
+##	the libselinux constructor to function.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_libselinux_linked',`
+	selinux_get_fs_mount($1)
+	seutil_read_config($1)
+')
+
+########################################
+## <summary>
+##	Do not audit SELinux-enabled program access for
+##	libselinux-linked programs.
+## </summary>
+## <desc>
+##	<p>
+##	SELinux-enabled programs are typically
+##	linked to the libselinux library.  This
+##	interface will dontaudit access required for
+##	the libselinux constructor to function.
+##	</p>
+##	<p>
+##	Generally this should not be used on anything
+##	but simple SELinux-enabled programs that do not
+##	rely on data initialized by the libselinux
+##	constructor.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_libselinux_linked',`
+	selinux_dontaudit_get_fs_mount($1)
+	seutil_dontaudit_read_config($1)
+')
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -1,5 +1,5 @@

-policy_module(selinuxutil,1.7.1)
+policy_module(selinuxutil,1.7.2)

 gen_require(`
 	bool secure_mode;
@ -160,9 +160,6 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)

-read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-
 domain_use_interactive_fds(load_policy_t)

 # for mcs.conf
@ -173,7 +170,6 @@ fs_getattr_xattr_fs(load_policy_t)

 mls_file_read_all_levels(load_policy_t)

-selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
 selinux_set_boolean(load_policy_t)

@ -188,6 +184,8 @@ libs_use_shared_libs(load_policy_t)

 miscfiles_read_localization(load_policy_t)

+seutil_libselinux_linked(load_policy_t)
+
 userdom_use_all_users_fds(load_policy_t)

 ifdef(`hide_broken_symptoms',`
@ -217,9 +215,6 @@ allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

-read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-
 read_files_pattern(newrole_t,default_context_t,default_context_t)
 read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)

@ -238,7 +233,6 @@ mls_file_downgrade(newrole_t)
 mls_process_set_level(newrole_t)
 mls_fd_share_all_levels(newrole_t)

-selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
 selinux_compute_access_vector(newrole_t)
 selinux_compute_create_context(newrole_t)
@ -277,6 +271,8 @@ logging_send_syslog_msg(newrole_t)

 miscfiles_read_localization(newrole_t)

+seutil_libselinux_linked(newrole_t)
+
 userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
@ -309,7 +305,6 @@ optional_policy(`

 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
-allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;

 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
@ -323,7 +318,6 @@ fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)

-selinux_get_fs_mount(restorecond_t)
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
 selinux_compute_create_context(restorecond_t)
@ -343,14 +337,10 @@ logging_send_syslog_msg(restorecond_t)

 miscfiles_read_localization(restorecond_t)

-optional_policy(`
-	rpm_use_script_fds(restorecond_t)
-')
+seutil_libselinux_linked(restorecond_t)

 optional_policy(`
-	# restorecond watches for users logging in, 
-	# so it getspwnam when a user logs in to find his homedir
-	nis_use_ypbind(restorecond_t)
+	rpm_use_script_fds(restorecond_t)
 ')

 #################################
@ -385,7 +375,6 @@ domain_use_interactive_fds(run_init_t)
 files_read_etc_files(run_init_t)
 files_dontaudit_search_all_dirs(run_init_t)

-selinux_get_fs_mount(run_init_t)
 selinux_validate_context(run_init_t)
 selinux_compute_access_vector(run_init_t)
 selinux_compute_create_context(run_init_t)
@ -401,7 +390,7 @@ init_rw_utmp(run_init_t)
 libs_use_ld_so(run_init_t)
 libs_use_shared_libs(run_init_t)

-seutil_read_config(run_init_t)
+seutil_libselinux_linked(run_init_t)
 seutil_read_default_contexts(run_init_t)

 miscfiles_read_localization(run_init_t)
@ -476,11 +465,11 @@ logging_send_syslog_msg(semanage_t)

 miscfiles_read_localization(semanage_t)

+seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
 seutil_domtrans_loadpolicy(semanage_t)
-seutil_read_config(semanage_t)
 seutil_manage_bin_policy(semanage_t)
 seutil_use_newrole_fds(semanage_t)
 seutil_manage_module_store(semanage_t)
@ -517,9 +506,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner };
 dontaudit setfiles_t self:capability sys_tty_config;
 allow setfiles_t self:fifo_file rw_file_perms;

-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };

 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
@ -545,7 +534,6 @@ mls_file_write_all_levels(setfiles_t)
 mls_file_upgrade(setfiles_t)
 mls_file_downgrade(setfiles_t)

-selinux_get_fs_mount(setfiles_t)
 selinux_validate_context(setfiles_t)
 selinux_compute_access_vector(setfiles_t)
 selinux_compute_create_context(setfiles_t)
@ -579,6 +567,8 @@ logging_send_syslog_msg(setfiles_t)

 miscfiles_read_localization(setfiles_t)

+seutil_libselinux_linked(setfiles_t)
+
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_all_users_home_content_files(setfiles_t)