397 lines
10 KiB
Plaintext
397 lines
10 KiB
Plaintext
#
|
|
# Macros for all user login domains.
|
|
#
|
|
|
|
define(`network_home_dir', `
|
|
create_dir_file($1, $2)
|
|
can_exec($1, $2)
|
|
allow $1 $2:{ sock_file fifo_file } create_file_perms;
|
|
')
|
|
|
|
#
|
|
# base_user_domain(domain_prefix)
|
|
#
|
|
# Define derived types and rules for an ordinary user domain.
|
|
#
|
|
# The type declaration and role authorization for the domain must be
|
|
# provided separately. Likewise, domain transitions into this domain
|
|
# must be specified separately.
|
|
#
|
|
|
|
# base_user_domain() is also called by the admin_domain() macro
|
|
undefine(`base_user_domain')
|
|
define(`base_user_domain', `
|
|
|
|
allow $1_t self:capability { setgid chown fowner };
|
|
dontaudit $1_t self:capability { sys_nice fsetid };
|
|
|
|
# $1_r is authorized for $1_t for the initial login domain.
|
|
role $1_r types $1_t;
|
|
allow system_r $1_r;
|
|
|
|
r_dir_file($1_t, usercanread)
|
|
|
|
# Grant permissions within the domain.
|
|
general_domain_access($1_t)
|
|
|
|
if (allow_execmem) {
|
|
# Allow making anonymous memory executable, e.g.
|
|
# for runtime-code generation or executable stack.
|
|
allow $1_t self:process execmem;
|
|
}
|
|
|
|
if (allow_execmod) {
|
|
# Allow text relocations on system shared libraries, e.g. libGL.
|
|
allow $1_t texrel_shlib_t:file execmod;
|
|
}
|
|
|
|
#
|
|
# kdeinit wants this access
|
|
#
|
|
allow $1_t device_t:dir { getattr search };
|
|
|
|
# Find CDROM devices
|
|
r_dir_file($1_t, sysctl_dev_t)
|
|
# for eject
|
|
allow $1_t fixed_disk_device_t:blk_file getattr;
|
|
|
|
allow $1_t fs_type:dir getattr;
|
|
|
|
allow $1_t event_device_t:chr_file { getattr read ioctl };
|
|
|
|
# open office is looking for the following
|
|
allow $1_t dri_device_t:chr_file getattr;
|
|
dontaudit $1_t dri_device_t:chr_file rw_file_perms;
|
|
|
|
file_browse_domain($1_t)
|
|
|
|
# allow ptrace
|
|
can_ptrace($1_t, $1_t)
|
|
|
|
# Create, access, and remove files in home directory.
|
|
file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
|
|
allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
|
|
can_setfscreate($1_t)
|
|
|
|
allow $1_t autofs_t:dir { search getattr };
|
|
|
|
if (use_nfs_home_dirs) {
|
|
network_home_dir($1_t, nfs_t)
|
|
}
|
|
|
|
if (use_samba_home_dirs) {
|
|
network_home_dir($1_t, cifs_t)
|
|
}
|
|
|
|
can_exec($1_t, { removable_t noexattrfile } )
|
|
if (user_rw_noexattrfile) {
|
|
create_dir_file($1_t, noexattrfile)
|
|
create_dir_file($1_t, removable_t)
|
|
# Write floppies
|
|
allow $1_t removable_device_t:blk_file rw_file_perms;
|
|
allow $1_t usbtty_device_t:chr_file write;
|
|
} else {
|
|
r_dir_file($1_t, noexattrfile)
|
|
r_dir_file($1_t, removable_t)
|
|
allow $1_t removable_device_t:blk_file r_file_perms;
|
|
}
|
|
allow $1_t usbtty_device_t:chr_file read;
|
|
|
|
# GNOME checks for usb and other devices
|
|
rw_dir_file($1_t,usbfs_t)
|
|
|
|
can_exec($1_t, noexattrfile)
|
|
# Bind to a Unix domain socket in /tmp.
|
|
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
|
|
|
|
# Access ttys.
|
|
allow $1_t privfd:fd use;
|
|
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
|
|
|
# Use the type when relabeling terminal devices.
|
|
type_change $1_t tty_device_t:chr_file $1_tty_device_t;
|
|
|
|
# read localization information
|
|
read_locale($1_t)
|
|
|
|
# Debian login is from shadow utils and does not allow resetting the perms.
|
|
# have to fix this!
|
|
type_change $1_t ttyfile:chr_file $1_tty_device_t;
|
|
|
|
# for running TeX programs
|
|
r_dir_file($1_t, tetex_data_t)
|
|
can_exec($1_t, tetex_data_t)
|
|
|
|
# Use the type when relabeling pty devices.
|
|
type_change $1_t server_pty:chr_file $1_devpts_t;
|
|
|
|
tmpfs_domain($1)
|
|
|
|
ifdef(`cardmgr.te', `
|
|
# to allow monitoring of pcmcia status
|
|
allow $1_t cardmgr_var_run_t:file { getattr read };
|
|
')
|
|
|
|
# Modify mail spool file.
|
|
allow $1_t mail_spool_t:dir r_dir_perms;
|
|
allow $1_t mail_spool_t:file rw_file_perms;
|
|
allow $1_t mail_spool_t:lnk_file read;
|
|
|
|
#
|
|
# Allow graphical boot to check battery lifespan
|
|
#
|
|
ifdef(`apmd.te', `
|
|
allow $1_t apmd_t:unix_stream_socket connectto;
|
|
allow $1_t apmd_var_run_t:sock_file write;
|
|
')
|
|
|
|
#
|
|
# Allow the query of filesystem quotas
|
|
#
|
|
allow $1_t fs_type:filesystem quotaget;
|
|
|
|
# Run helper programs.
|
|
can_exec_any($1_t)
|
|
# Run programs developed by other users in the same domain.
|
|
can_exec($1_t, $1_home_t)
|
|
can_exec($1_t, $1_tmp_t)
|
|
|
|
# Run user programs that require different permissions in their own domain.
|
|
# These rules were moved into the individual program domains.
|
|
|
|
# Instantiate derived domains for a number of programs.
|
|
# These derived domains encode both information about the calling
|
|
# user domain and the program, and allow us to maintain separation
|
|
# between different instances of the program being run by different
|
|
# user domains.
|
|
ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
|
|
ifdef(`chkpwd.te', `chkpwd_domain($1)')
|
|
ifdef(`fingerd.te', `fingerd_macro($1)')
|
|
ifdef(`mta.te', `mail_domain($1)')
|
|
ifdef(`crontab.te', `crontab_domain($1)')
|
|
|
|
ifdef(`screen.te', `screen_domain($1)')
|
|
ifdef(`tvtime.te', `tvtime_domain($1)')
|
|
ifdef(`mozilla.te', `mozilla_domain($1)')
|
|
ifdef(`thunderbird.te', `thunderbird_domain($1)')
|
|
ifdef(`samba.te', `samba_domain($1)')
|
|
ifdef(`gpg.te', `gpg_domain($1)')
|
|
ifdef(`xauth.te', `xauth_domain($1)')
|
|
ifdef(`iceauth.te', `iceauth_domain($1)')
|
|
ifdef(`startx.te', `xserver_domain($1)')
|
|
ifdef(`lpr.te', `lpr_domain($1)')
|
|
ifdef(`ssh.te', `ssh_domain($1)')
|
|
ifdef(`irc.te', `irc_domain($1)')
|
|
ifdef(`using_spamassassin', `spamassassin_domain($1)')
|
|
ifdef(`pyzor.te', `pyzor_domain($1)')
|
|
ifdef(`razor.te', `razor_domain($1)')
|
|
ifdef(`uml.te', `uml_domain($1)')
|
|
ifdef(`cdrecord.te', `cdrecord_domain($1)')
|
|
ifdef(`mplayer.te', `mplayer_domains($1)')
|
|
|
|
fontconfig_domain($1)
|
|
|
|
# GNOME
|
|
ifdef(`gnome.te', `
|
|
gnome_domain($1)
|
|
ifdef(`games.te', `games_domain($1)')
|
|
ifdef(`gift.te', `gift_domains($1)')
|
|
ifdef(`evolution.te', `evolution_domains($1)')
|
|
ifdef(`ethereal.te', `ethereal_domain($1)')
|
|
')
|
|
|
|
# ICE communication channel
|
|
ice_domain($1, $1)
|
|
|
|
# ORBit communication channel (independent of GNOME)
|
|
orbit_domain($1, $1)
|
|
|
|
# Instantiate a derived domain for user cron jobs.
|
|
ifdef(`crond.te', `crond_domain($1)')
|
|
|
|
ifdef(`vmware.te', `vmware_domain($1)')
|
|
|
|
if (user_direct_mouse) {
|
|
# Read the mouse.
|
|
allow $1_t mouse_device_t:chr_file r_file_perms;
|
|
}
|
|
# Access other miscellaneous devices.
|
|
allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
|
|
allow $1_t device_t:lnk_file { getattr read };
|
|
|
|
can_resmgrd_connect($1_t)
|
|
|
|
#
|
|
# evolution and gnome-session try to create a netlink socket
|
|
#
|
|
dontaudit $1_t self:netlink_socket create_socket_perms;
|
|
dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
# Use the network.
|
|
can_network($1_t)
|
|
allow $1_t port_type:tcp_socket name_connect;
|
|
can_ypbind($1_t)
|
|
can_winbind($1_t)
|
|
|
|
ifdef(`pamconsole.te', `
|
|
allow $1_t pam_var_console_t:dir search;
|
|
')
|
|
|
|
allow $1_t var_lock_t:dir search;
|
|
|
|
# Grant permissions to access the system DBus
|
|
ifdef(`dbusd.te', `
|
|
dbusd_client(system, $1)
|
|
can_network_server_tcp($1_dbusd_t)
|
|
allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
|
|
|
|
allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
|
|
dbusd_client($1, $1)
|
|
allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
|
|
dbusd_domain($1)
|
|
ifdef(`hald.te', `
|
|
allow $1_t hald_t:dbus send_msg;
|
|
allow hald_t $1_t:dbus send_msg;
|
|
') dnl end ifdef hald.te
|
|
') dnl end ifdef dbus.te
|
|
|
|
# allow port_t name binding for UDP because it is not very usable otherwise
|
|
allow $1_t port_t:udp_socket name_bind;
|
|
|
|
# Gnome pannel binds to the following
|
|
ifdef(`cups.te', `
|
|
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
|
|
')
|
|
|
|
# for perl
|
|
dontaudit $1_t net_conf_t:file ioctl;
|
|
|
|
# Communicate within the domain.
|
|
can_udp_send($1_t, self)
|
|
|
|
# Connect to inetd.
|
|
ifdef(`inetd.te', `
|
|
can_tcp_connect($1_t, inetd_t)
|
|
can_udp_send($1_t, inetd_t)
|
|
can_udp_send(inetd_t, $1_t)
|
|
')
|
|
|
|
# Connect to portmap.
|
|
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
|
|
|
|
# Inherit and use sockets from inetd
|
|
ifdef(`inetd.te', `
|
|
allow $1_t inetd_t:fd use;
|
|
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
|
|
|
|
# Very permissive allowing every domain to see every type.
|
|
allow $1_t kernel_t:system ipc_info;
|
|
|
|
# When the user domain runs ps, there will be a number of access
|
|
# denials when ps tries to search /proc. Do not audit these denials.
|
|
dontaudit $1_t domain:dir r_dir_perms;
|
|
dontaudit $1_t domain:notdevfile_class_set r_file_perms;
|
|
dontaudit $1_t domain:process { getattr getsession };
|
|
#
|
|
# Cups daemon running as user tries to write /etc/printcap
|
|
#
|
|
dontaudit $1_t usr_t:file setattr;
|
|
|
|
ifdef(`xserver.te', `
|
|
# for /tmp/.ICE-unix
|
|
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
|
allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
|
|
')
|
|
|
|
ifdef(`xdm.te', `
|
|
# Connect to the X server run by the X Display Manager.
|
|
can_unix_connect($1_t, xdm_t)
|
|
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
|
|
allow $1_t xdm_tmp_t:dir r_dir_perms;
|
|
allow $1_t xdm_tmp_t:file { getattr read };
|
|
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
|
|
allow $1_t xdm_xserver_tmp_t:dir search;
|
|
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
|
# certain apps want to read xdm.pid file
|
|
r_dir_file($1_t, xdm_var_run_t)
|
|
allow $1_t xdm_var_lib_t:file { getattr read };
|
|
allow xdm_t $1_home_dir_t:dir getattr;
|
|
ifdef(`xauth.te', `
|
|
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
|
|
')
|
|
|
|
# for shared memory
|
|
allow xdm_xserver_t $1_tmpfs_t:file { read write };
|
|
|
|
')dnl end ifdef xdm.te
|
|
|
|
# Access the sound device.
|
|
allow $1_t sound_device_t:chr_file { getattr read write ioctl };
|
|
|
|
# Access the power device.
|
|
allow $1_t power_device_t:chr_file { getattr read write ioctl };
|
|
|
|
allow $1_t var_log_t:dir { getattr search };
|
|
dontaudit $1_t logfile:file getattr;
|
|
|
|
# Check to see if cdrom is mounted
|
|
allow $1_t mnt_t:dir { getattr search };
|
|
|
|
# Get attributes of file systems.
|
|
allow $1_t fs_type:filesystem getattr;
|
|
|
|
# Read and write /dev/tty and /dev/null.
|
|
allow $1_t devtty_t:chr_file rw_file_perms;
|
|
allow $1_t null_device_t:chr_file rw_file_perms;
|
|
allow $1_t zero_device_t:chr_file { rw_file_perms execute };
|
|
allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
|
|
#
|
|
# Added to allow reading of cdrom
|
|
#
|
|
allow $1_t rpc_pipefs_t:dir getattr;
|
|
allow $1_t nfsd_fs_t:dir getattr;
|
|
allow $1_t binfmt_misc_fs_t:dir getattr;
|
|
|
|
# /initrd is left mounted, various programs try to look at it
|
|
dontaudit $1_t ramfs_t:dir getattr;
|
|
|
|
#
|
|
# Emacs wants this access
|
|
#
|
|
allow $1_t wtmp_t:file r_file_perms;
|
|
dontaudit $1_t wtmp_t:file write;
|
|
|
|
# Read the devpts root directory.
|
|
allow $1_t devpts_t:dir r_dir_perms;
|
|
|
|
r_dir_file($1_t, src_t)
|
|
|
|
# Allow user to read default_t files
|
|
# This is different from reading default_t content,
|
|
# because it also includes sockets, fifos, and links
|
|
|
|
if (read_default_t) {
|
|
allow $1_t default_t:dir r_dir_perms;
|
|
allow $1_t default_t:notdevfile_class_set r_file_perms;
|
|
}
|
|
|
|
read_sysctl($1_t);
|
|
|
|
#
|
|
# Caused by su - init scripts
|
|
#
|
|
dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
|
|
|
|
#
|
|
# Running ifconfig as a user generates the following
|
|
#
|
|
dontaudit $1_t self:socket create;
|
|
dontaudit $1_t sysctl_net_t:dir search;
|
|
|
|
ifdef(`rpcd.te', `
|
|
create_dir_file($1_t, nfsd_rw_t)
|
|
')
|
|
|
|
')dnl end base_user_domain macro
|
|
|