Commit Graph

45 Commits

Author SHA1 Message Date
Stephen Smalley
09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
cgzones
d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Guido Trentalancia
d932d7349d Add module_load permission to class system
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-13 08:26:30 -04:00
Laurent Bigonville
fd9bfbbfba Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid:
f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-02 08:41:07 -04:00
Chris PeBenito
0be4f9ba0f Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
2016-04-06 14:52:26 -04:00
Chris PeBenito
d326c3878c Add systemd access vectors. 2015-10-20 15:01:27 -04:00
Stephen Smalley
58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Laurent Bigonville
946d0237d2 Add "binder" security class and access vectors 2015-05-08 08:17:48 -04:00
Laurent Bigonville
cbb1f36ef5 Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Artyom Smirnov
e1804807ba Renamed db_type to db_datatype, to avoid confusion with SELinux "type" 2014-06-25 16:24:33 +04:00
Artyom Smirnov
fb0bedcbf8 Fixes for db_domain and db_exception
Rename db_domain to db_type
Add "use" permission to db_domain and db_type
2014-06-25 12:47:15 +04:00
Artyom Smirnov
019b439a48 New database object classes
Pair of objects which supported by Interbase/Firebird/Red Database:

db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
2014-06-24 15:25:22 +04:00
Paul Moore
965e098af8 flask: add the attach_queue permission to the tun_socket object class
New permission added to Linux 3.8 via the new multiqueue TUN device.

Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-01-22 12:46:06 -05:00
Chris PeBenito
e3c57d3156 Rename epollwakeup capability2 permission to block_suspend to match the
corresponding kernel capability rename.
2012-07-25 09:01:55 -04:00
Chris PeBenito
425adc3b2d Update capability2 object class for new wake_alarm and epollwakeup capabilities. 2012-06-06 13:34:45 -04:00
Chris PeBenito
c5114fef5e SEPostgresql changes from Kohei KaiGai.
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
2012-05-18 09:28:18 -04:00
Chris PeBenito
6f76afe44e Update access vectors. 2011-03-28 11:45:46 -04:00
Chris PeBenito
640df09275 Add syslog capability. 2011-01-19 14:11:00 -05:00
KaiGai Kohei
82c32d5cf4 New database object classes
The attached patch adds a few database object classes, as follows:

* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html

In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.

Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.

* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createview.html

* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html

* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.

In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
  http://developer.postgresql.org/pgdocs/postgres/sql-do.html

P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

 policy/flask/access_vectors           |   29 ++++++++
 policy/flask/security_classes         |    6 ++
 policy/mcs                            |   16 ++++-
 policy/mls                            |   58 ++++++++++++++-
 policy/modules/kernel/kernel.if       |    8 ++
 policy/modules/services/postgresql.if |  125 +++++++++++++++++++++++++++++++--
 policy/modules/services/postgresql.te |  116 +++++++++++++++++++++++++++++-
 7 files changed, 342 insertions(+), 16 deletions(-)
2011-01-14 10:02:50 -05:00
Chris PeBenito
deb527262a Add module_request permission, from Dan Walsh. 2009-11-19 08:52:06 -05:00
Eamon Walsh
e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito
bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore
333494fd59 refpol: Add the "tun_socket" object class flask definitions
Add the new "tun_socket" class to the flask definitions.  The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:00 -04:00
Chris PeBenito
4254cec711 Add missing x_device rules for XI2 functions, from Eamon Walsh.
> Whats the difference between add/remove and create/destroy?
>
> The devices are in a kind of hierarchy.  You can now create one or more
> "master devices" (mouse cursor and keyboard focus).  The physical input
> devices are "slave devices" that attach to master devices.
>
> Add/remove controls the ability to add/remove slave devices from a
> master device.  Create/destroy controls the ability to create new master
> devices.
2009-08-14 13:18:16 -04:00
Chris PeBenito
95ea7d6986 trunk: Add x_device permissions for XI2 functions, from Eamon Walsh. 2009-06-18 13:07:23 +00:00
Chris PeBenito
350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito
d3cdc3d07c trunk: add open perm to sock_file. 2009-03-11 14:58:03 +00:00
Chris PeBenito
b4ad699e57 trunk: add nlmsg_tty_audit permission. 2009-03-05 14:11:24 +00:00
Chris PeBenito
466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito
347a701119 trunk: Add kernel_service access vectors, from Stephen Smalley. 2009-01-05 21:44:33 +00:00
Chris PeBenito
d923d54c08 trunk: X application data class from Eamon Walsh and Ted Toth. 2008-05-06 14:37:05 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito
210607be61 trunk: Definitions for open permisson on file and similar objects from Eric Paris. 2008-03-04 20:19:29 +00:00
Chris PeBenito
f03433313a trunk: labeled networking permission update from paul moore. 2008-02-12 14:46:29 +00:00
Chris PeBenito
8b9ffed517 trunk: add capability2 class, from Stephen Smalley. 2008-02-07 17:51:59 +00:00
Chris PeBenito
d4623f3d24 trunk: add setfcap capabiltiy, from Serge Hallyn. 2008-01-11 14:08:02 +00:00
Chris PeBenito
f3da31d339 trunk: Labeled networking peer object class updates. 2008-01-03 16:20:01 +00:00
Chris PeBenito
9760cbec2d trunk: Database userspace object manager classes from KaiGai Kohei. 2007-08-09 13:15:07 +00:00
Chris PeBenito
924f3cc2cb trunk: add getserv and shmemserv nscd permissions. 2007-07-24 19:52:18 +00:00
Chris PeBenito
41337aa8b9 Memprotect support patch from Stephen Smalley. 2007-06-19 13:02:26 +00:00
Chris PeBenito
a715dc0995 add dccp_socket object class 2007-02-26 15:39:59 +00:00
Chris PeBenito
c6a60bb28d On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
2006-11-14 13:38:52 +00:00
Chris PeBenito
a8671ae5b2 enhanced setransd support from darrel goeddel 2006-10-20 14:44:23 +00:00
Chris PeBenito
9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
Chris PeBenito
17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00