PERFORCE change 66561 for review
Andrew Reisse
areisse at FreeBSD.org
Mon Dec 6 19:18:54 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=66561
Change 66561 by areisse at areisse_tislabs on 2004/12/06 19:18:23
First pass at merging changes from new selinux policy. The policy
almost certainly does not build now.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/httpadm.te#4 delete
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/kernel.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/auth-net.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/fcron.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/startx.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/userspace_objmgr.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/xclient.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/chkpwd.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crond.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crontab.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/dmesg.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/fsadm.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#5 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ifconfig.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/init.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#5 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/klogd.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#6 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/load_policy.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/login.te#5 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/logrotate.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/modutil.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/mount.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/netutils.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/newrole.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/restorecon.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/setfiles.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#6 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/su.te#4 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/sulogin.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#5 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/tmpreaper.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#2 integrate
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/user.te#4 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#4 (text+ko) ====
@@ -3,24 +3,31 @@
#################################
# sysadm_t is the system administrator domain.
-type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome;
+type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule
+ifdef(`unrestricted_admin', `,etc_writer, fs_domain, privmem, privlog, privowner, sysctl_kernel_writer, auth, auth_write')
+ifdef(`direct_sysadm_daemon', `, priv_system_role')
+; dnl end of sysadm_t type declaration
+
allow privhome home_root_t:dir search;
# system_r is authorized for sysadm_t for single-user mode.
role system_r types sysadm_t;
-# sysadm_r is authorized for sysadm_t for the initial login domain.
-role sysadm_r types sysadm_t;
-
general_proc_read_access(sysadm_t)
-general_domain_access(sysadm_t)
# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)
# Allow administrator domains to set the enforcing flag.
-can_setenforce(admin)
+can_setenforce(sysadm_t)
+
+# Allow administrator domains to set policy booleans.
+can_setbool(sysadm_t)
+
+# for su
+allow sysadm_t userdomain:fd use;
define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
-
+# Add/remove user home directories
+file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
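Review bot: The `unrestricted_admin` branch immediately after the `type sysadm_t` declaration repeats `etc_writer`, `privlog` and `privowner`, all three of which the base declaration on the previous line already lists, so the branch is at best redundant and, if checkpolicy rejects a duplicated attribute in one type statement, a build error. Drop those three names so the branch reads `,fs_domain, privmem, sysctl_kernel_writer, auth, auth_write`. The hunk also removes `role sysadm_r types sysadm_t` and `general_domain_access(sysadm_t)` with no visible replacement; presumably `admin_domain(sysadm)` now provides both, and a one-line comment saying so would save the next reader from re-adding them.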
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/kernel.te#4 (text+ko) ====
@@ -11,16 +11,20 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer ifdef(`nfs_export_all_rw',`,etc_writer') ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
+can_exec(kernel_t, shell_exec_t)
# Use capabilities.
allow kernel_t self:capability *;
+allow kernel_t sysfs_t:dir search;
+allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
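Review bot: `allow kernel_t sysfs_t:dir search;` is fully subsumed by the line right after it, `allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;`, so the first rule should be dropped. Separately, the new `can_exec(kernel_t, shell_exec_t)` lets kernel-spawned usermode helpers run a shell inside kernel_t, a domain that already holds `self:capability *`; a why-comment naming the helper that needs it, e.g. `# usermode helpers (hotplug-style scripts) are exec'd by the kernel — TODO confirm which`, would keep a later reviewer from widening or removing it blindly. The stray space before the `;` in the rewritten `type kernel_t` line is a small style nit.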
@@ -30,9 +34,6 @@
# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;
-# Search the persistent label mapping.
-allow kernel_t file_labels_t:dir search;
-
# Send signal to any process.
allow kernel_t domain:process signal;
@@ -59,12 +60,6 @@
# Load the policy configuration.
can_loadpol(kernel_t)
-ifdef(`modutil.te', `
-# Run insmod (for kernel module loader).
-domain_auto_trans(kernel_t,insmod_exec_t,insmod_t)
-allow kernel_t insmod_exec_t:lnk_file read;
-')
-
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/auth-net.te#2 (text+ko) ====
@@ -1,4 +1,3 @@
#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
can_network(auth)
-allow auth resolv_conf_t:file { getattr read };
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/fcron.te#2 (text+ko) ====
@@ -9,7 +9,7 @@
# Use capabilities.
allow crond_t self:capability { dac_override dac_read_search };
-# differences betweenr_dir_perms and rw_dir_perms
+# differences between r_dir_perms and rw_dir_perms
allow crond_t cron_spool_t:dir { add_name remove_name write };
ifdef(`mta.te', `
@@ -18,12 +18,13 @@
allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
')
-ifdef(`dpkg.te', `
+ifdef(`debian', `
can_exec(dpkg_t, crontab_exec_t)
-file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t)
+file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
')
rw_dir_create_file(crond_t, cron_spool_t)
+can_setfscreate(crond_t)
# for /var/run/fcron.fifo
file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/startx.te#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#2 (text+ko) ====
@@ -11,6 +11,7 @@
type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
+role system_r types checkpolicy_t;
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
@@ -22,7 +23,7 @@
# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:notdevfile_class_set create_file_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
###########################
# constrain what checkpolicy can use as source files
@@ -30,10 +31,10 @@
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:notdevfile_class_set r_file_perms;
+allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t)
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
@@ -45,7 +46,7 @@
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;
@@ -56,6 +57,9 @@
# so it can be used without privilege to write real binary policy file
can_exec(user_t, checkpolicy_exec_t)
-allow checkpolicy_t privfd:fd use;
-allow checkpolicy_t checkpolicy_t:fd { use create };
+allow checkpolicy_t { userdomain privfd }:fd use;
+allow checkpolicy_t fs_t:filesystem getattr;
+allow checkpolicy_t console_device_t:chr_file { read write };
+allow checkpolicy_t init_t:fd { use };
+allow checkpolicy_t selinux_config_t:dir { search };
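Review bot: The fd rule in this hunk widens the old `privfd:fd use` to every `userdomain`, and the new `init_t:fd { use }`, `selinux_config_t:dir { search }` and `console_device_t` rules read like raw audit2allow output with no comment on why checkpolicy_t needs descriptors inherited from init or from user domains. Since `can_exec(user_t, checkpolicy_exec_t)` keeps user invocations in user_t rather than checkpolicy_t, the userdomain grant may be unnecessary; if it is for sysadm_t running checkpolicy interactively and for load_policy at boot, say so: `# inherit the caller's tty/pipe fds when run from an admin shell or from init at boot`. Dropping the braces around single permissions would match the rest of the file.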
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/chkpwd.te#2 (text+ko) ====
@@ -9,5 +9,10 @@
#
type chkpwd_exec_t, file_type, sysadmfile, exec_type;
+chkpwd_domain(system)
+dontaudit system_chkpwd_t privfd:fd use;
+role sysadm_r types system_chkpwd_t;
+in_user_role(system_chkpwd_t)
+
# Everything else is in the chkpwd_domain macro in
# macros/program/chkpwd_macros.te.
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crond.te#4 (text+ko) ====
@@ -9,8 +9,11 @@
# Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser
#
-# Domain for crond. It needs auth to check for locked accounts.
-daemon_domain(crond, `, privrole, privmail, auth, privfd')
+# NB The constraints file has some entries for crond_t, this makes it
+# different from all other domains...
+
+# Domain for crond. It needs auth_chkpwd to check for locked accounts.
+daemon_domain(crond, `, privmail, auth_chkpwd, privfd')
# This domain is granted permissions common to most domains (including can_net)
general_domain_access(crond_t)
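Review bot: The new comment says the constraints file has "some entries" for crond_t without saying which or why, and that matters here because the same hunk drops `privrole` from crond_t's attribute list — presumably the role/user-change exemption that lets crond start user jobs in their own role now lives in those constraints instead. Make the comment point at the exemption so the dependency is visible: `# NB: crond_t is exempted by name in the constraints file (presumably for the role/user change on the cron job transition), which is why it no longer carries privrole here.`, adjusted to whatever the constraint actually says.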
@@ -20,63 +23,51 @@
# Type for temporary files.
tmp_domain(crond)
+can_ypbind(crond_t)
-# Domain for system cron jobs.
-type system_crond_t, domain, privlog, privmail;
+crond_domain(system)
-# Read and write console and ttys.
-allow system_crond_t devtty_t:chr_file rw_file_perms;
-
-# Read system information files in /proc.
-allow system_crond_t proc_t:dir r_dir_perms;
-allow system_crond_t proc_t:file r_file_perms;
allow system_crond_t proc_t:lnk_file read;
+allow system_crond_t proc_t:filesystem getattr;
+allow system_crond_t usbdevfs_t:filesystem getattr;
ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
')
-# to stop killall type operations from filling our logs
-dontaudit system_crond_t domain:dir search;
-
# read files in /etc
-allow system_crond_t etc_t:{ file lnk_file } r_file_perms;
+allow system_crond_t etc_t:file r_file_perms;
allow system_crond_t etc_runtime_t:file read;
-read_locale({ crond_t system_crond_t })
+read_locale(crond_t)
-# Type for log files.
-type cron_log_t, file_type, sysadmfile, logfile;
-# Use this type when creating files in /var/log.
-file_type_auto_trans(crond_t, var_log_t, cron_log_t)
+log_domain(crond)
# Use capabilities.
-allow crond_t crond_t:capability { sys_resource setgid setuid net_bind_service };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service };
+dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
can_getsecurity(crond_t)
# for finding binaries and /bin/sh
allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t bin_t:lnk_file read;
+allow crond_t { bin_t sbin_t }:lnk_file read;
# Read from /var/spool/cron.
-allow crond_t var_t:dir search;
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
-# Read system crontabs
-allow crond_t system_crond_script_t:file r_file_perms;
-allow crond_t system_crond_script_t:dir r_dir_perms;
-
# Read /etc/security/default_contexts.
-allow crond_t default_context_t:file r_file_perms;
+r_dir_file(crond_t, default_context_t)
allow crond_t etc_t:file { getattr read };
allow crond_t etc_t:lnk_file read;
+allow crond_t default_t:dir { search };
+
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
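Review bot: The rewritten capability rule adds `dac_override` to crond_t (the old rule granted `sys_resource`, which is now only dontaudited) with no comment, and dac_override lets the daemon bypass Unix permission bits on any file its MAC policy already allows — a real widening for a service that reads user-owned spool files. If this is for reading user crontabs that are not readable by crond's uid, say so above the rule: `# dac_override: user crontabs under /var/spool/cron are not readable by crond's uid — TODO confirm which access triggers this`. `allow crond_t default_t:dir { search };` is audit2allow-style; drop the braces to match the surrounding rules.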
@@ -87,29 +78,17 @@
# Run a shell.
can_exec(crond_t, shell_exec_t)
-ifdef(`rpm.te',
-`# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ifdef(`redhat', `
+# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
-allow crond_t var_log_rpm_t: file create_file_perms;
+allow crond_t rpm_log_t: file create_file_perms;
system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t var_log_rpm_t: file create_file_perms;')
+allow system_crond_t rpm_log_t:file create_file_perms;
+')
-# This system_r role is authorized for this domain.
-role system_r types system_crond_t;
-
-uses_shlib(system_crond_t);
-general_domain_access(system_crond_t);
allow system_crond_t var_log_t:file r_file_perms;
-# Type for system crontab files.
-type system_crond_script_t, file_type, sysadmfile;
-
-# Permit crond_t to transition to this domain.
-# The transition is requested explicitly by the modified crond
-# via execve_secure. There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, system_crond_t)
# Set exec context.
can_setexec(crond_t)
@@ -119,40 +98,24 @@
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
# Access log files
-file_type_auto_trans(system_crond_t, var_log_t, cron_log_t)
+file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
-# Inherit and use descriptors from init.
+# Inherit and use descriptors from init for anacron.
allow system_crond_t init_t:fd use;
-# Inherit and use descriptors from initrc.
+# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
+allow system_crond_t initrc_devpts_t:chr_file { read write };
-# Write to a socket from initrc.
-allow system_crond_t initrc_t:udp_socket rw_socket_perms;
-
# Use capabilities.
-allow system_crond_t system_crond_t:capability { setgid setuid dac_override fowner net_bind_service fsetid };
+allow system_crond_t self:capability { chown setgid setuid fowner net_bind_service fsetid };
# Read the system crontabs.
-allow system_crond_t system_crond_script_t:file r_file_perms;
+allow system_crond_t system_cron_spool_t:file r_file_perms;
-#
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the system cron job. It performs an entrypoint
-# permission check for this purpose.
-#
-allow system_crond_t system_crond_script_t:file entrypoint;
-ifdef(`fcron.te', `
-allow system_crond_t sysadm_cron_spool_t:file entrypoint;
-')
+allow crond_t system_cron_spool_t:dir r_dir_perms;
+allow crond_t system_cron_spool_t:file r_file_perms;
-# Run helper programs in the system_crond_t domain.
-allow system_crond_t { bin_t sbin_t }:dir r_dir_perms;
-allow system_crond_t { bin_t sbin_t }:lnk_file read;
-can_exec(system_crond_t, { bin_t sbin_t exec_type etc_t })
-
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir r_dir_perms;
allow system_crond_t cron_spool_t:file r_file_perms;
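Review bot: The deleted block explained that crond performs an `entrypoint` permission check on the crontab's file type because crontabs are configuration files rather than executables, and this hunk replaces it with a plain `system_cron_spool_t:file r_file_perms` rule and no `entrypoint` permission for `system_cron_spool_t` anywhere in view. If the patched crond still makes that check, every system job will be denied; if `crond_domain(system)` now supplies the rule, the rationale should stay next to the new read rule, e.g. `# crond checks entrypoint on the crontab's type before running a job; the entrypoint rule for system_cron_spool_t is expected from crond_domain() — TODO confirm`. The system_crond_t rules continue past the end of this hunk.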
@@ -170,14 +133,9 @@
# Write /var/lock/makewhatis.lock.
lock_domain(system_crond)
-# Modutils are now combined, so we can no longer distinguish them.
-# Let crond run the insmod executable in the insmod_t domain.
-ifdef(`modutil.te', `
-system_crond_entry(insmod_exec_t, insmod_t)
-')
-
# for if /var/mail is a symlink
allow crond_t mail_spool_t:lnk_file read;
+allow crond_t mail_spool_t:dir search;
# Run logrotate in the logrotate_t domain.
ifdef(`logrotate.te', `
@@ -189,7 +147,8 @@
')
# Stat any file and search any directory for find.
-allow system_crond_t file_type:file_class_set getattr;
+allow system_crond_t { root_dir_type file_type fs_type }:notdevfile_class_set getattr;
+allow system_crond_t device_type:{ chr_file blk_file } getattr;
allow system_crond_t file_type:dir { read search getattr };
# Create temporary files.
@@ -198,17 +157,10 @@
# /sbin/runlevel ask for w access to utmp, but will operate
# correctly without it. Do not audit write denials to utmp.
-dontaudit system_crond_t initrc_var_run_t:file { read write };
-
-# Access accounting summary files.
-allow system_crond_t var_log_sa_t:file create_file_perms;
-allow system_crond_t var_log_sa_t:dir rw_dir_perms;
+# /sbin/runlevel needs lock access however
+dontaudit system_crond_t initrc_var_run_t:file write;
+allow system_crond_t initrc_var_run_t:file { getattr read lock };
-allow system_crond_t fs_t:filesystem getattr;
-
-allow system_crond_t { sysctl_t sysctl_kernel_t }:dir search;
-allow system_crond_t sysctl_kernel_t:file { getattr read };
-
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
allow system_crond_t var_spool_t:file create_file_perms;
@@ -218,3 +170,37 @@
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;
+#
+# reading /var/spool/cron/mailman
+#
+allow crond_t var_spool_t:file { getattr read };
+allow system_crond_t devpts_t:filesystem getattr;
+allow system_crond_t sysfs_t:filesystem getattr;
+allow system_crond_t tmpfs_t:filesystem getattr;
+allow system_crond_t rpc_pipefs_t:filesystem getattr;
+
+#
+# These rules are here to allow system cron jobs to su
+#
+ifdef(`su.te', `
+su_restricted_domain(system_crond,system)
+role system_r types system_crond_su_t;
+allow system_crond_su_t crond_t:fifo_file { ioctl };
+')
+allow system_crond_t self:passwd rootok;
+#
+# prelink tells init to restart it self, we either need to allow or dontaudit
+#
+allow system_crond_t initctl_t:fifo_file { write };
+dontaudit userdomain system_crond_t:fd { use };
+
+r_dir_file(crond_t, selinux_config_t)
+
+# Allow system cron jobs to relabel filesystem for restoring file contexts.
+bool cron_can_relabel false;
+if (cron_can_relabel) {
+domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
+} else {
+r_dir_file(system_crond_t, file_context_t)
+can_getsecurity(system_crond_t)
+}
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crontab.te#4 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/fsadm.te#4 (text+ko) ====
@@ -12,12 +12,15 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog;
+type fsadm_t, domain, privlog, fs_domain;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
+# for swapon
+allow fsadm_t sysfs_t:dir { search getattr };
+
# Read system information files in /proc.
allow fsadm_t proc_t:dir r_dir_perms;
allow fsadm_t proc_t:notdevfile_class_set r_file_perms;
@@ -43,24 +46,28 @@
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`unrestricted_admin', `
+allow sysadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
+allow sysadm_t removable_device_t:devfile_class_set rw_file_perms;
+', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
+')
-type fsadm_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(fsadm_t, tmp_t, fsadm_tmp_t)
+tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
+allow fsadm_t fs_t:filesystem getattr;
+
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
-allow fsadm_t device_t:filesystem getattr;
-
# mkreiserfs and other programs need this for UUID
-allow fsadm_t random_device_t:chr_file { getattr read };
+allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
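Review bot: Under `unrestricted_admin` this hunk replaces the sysadm_t → fsadm_t transition with direct `rw_file_perms` on `fixed_disk_device_t` and `removable_device_t` for sysadm_t, which lets an administrator shell write raw disk blocks and thereby bypass every file label on those devices; nothing in the hunk says so. Add a comment above the two rules: `# unrestricted_admin: raw block-device r/w from sysadm_t bypasses file labeling entirely; fsadm tools then run in sysadm_t with no domain transition`. Note the ifdef also drops the domain_auto_trans, so in that configuration fsadm_t is only reached from initrc_t and the new system_crond_entry.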
@@ -98,10 +105,18 @@
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t admin_tty_type:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
+allow fsadm_t devpts_t:dir getattr;
read_locale(fsadm_t)
allow fsadm_t fs_type:filesystem getattr;
+
+# for smartctl cron jobs
+system_crond_entry(fsadm_exec_t, fsadm_t)
+
+# Access to /initrd devices
+allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
+allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
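Review bot: The two rules under `# Access to /initrd devices` grant fsadm_t `rw_dir_perms` and `rw_file_perms` on every `file_t` and `unlabeled_t` directory and block device, which covers any unlabeled filesystem or device node on the system, not just /initrd. If the need is only the initrd device nodes, `blk_file` read/write is sufficient and the `dir` rule can shrink to `search`; at minimum the comment should say this is a deliberate system-wide grant rather than an /initrd-specific one, e.g. `# NOTE: these cover any unlabeled/file_t dir and block device, not only /initrd — TODO narrow`.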
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#5 (text+ko) ====
@@ -8,10 +8,10 @@
#
# Rules for the getty_t domain.
#
-daemon_domain(getty, `, mlstrustedwriter, privfd')
+init_service_domain(getty, `, mlstrustedwriter, privfd')
-type etc_getty_t, file_type, sysadmfile;
-r_dir_file(getty_t, etc_getty_t)
+etcdir_domain(getty)
+typealias getty_etc_t alias etc_getty_t;
allow getty_t console_device_t:chr_file setattr;
@@ -23,31 +23,27 @@
allow getty_t self:process { getpgid getsession };
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
-allow getty_t self:fd { create use };
-
-# for ldap and other authentication services
-allow getty_t resolv_conf_t:file { getattr read };
# to allow w to display everyone...
-#allow userdomain ttyfile:chr_file getattr;
+bool user_ttyfile_stat false;
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
# Use capabilities.
-allow getty_t getty_t:capability { dac_override chown sys_tty_config };
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
# fbgetty needs fsetid for some reason
-allow getty_t getty_t:capability fsetid;
+#allow getty_t getty_t:capability fsetid;
-# Run getty in its own domain.
-domain_auto_trans(init_t, getty_exec_t, getty_t)
-
-# Inherit and use descriptors from init.
-allow getty_t init_t:fd use;
+read_locale(getty_t)
# Run login in local_login_t domain.
allow getty_t bin_t:dir search;
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
+allow getty_t { var_t var_run_t }:dir search;
allow getty_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
@@ -56,7 +52,13 @@
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
+allow getty_t initrc_devpts_t:chr_file { setattr rw_file_perms };
+dontaudit getty_t { user_devpts_t sysadm_devpts_t }:chr_file { read write };
+# for error condition handling
+allow getty_t fs_t:filesystem getattr;
+
rw_dir_create_file(getty_t, var_lock_t)
dontaudit getty_t staff_home_dir_t:dir search;
+r_dir_file(getty_t, sysfs_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ifconfig.te#4 (text+ko) ====
@@ -11,7 +11,7 @@
# ifconfig_t is the domain for the ifconfig program.
# ifconfig_exec_t is the type of the corresponding program.
#
-type ifconfig_t, domain, privlog;
+type ifconfig_t, domain, privlog, privmodule;
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
role system_r types ifconfig_t;
@@ -23,14 +23,19 @@
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
+# for /sbin/ip
+allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow ifconfig_t self:tcp_socket { create ioctl };
+allow ifconfig_t etc_t:file { getattr read };
+
+allow ifconfig_t self:socket create_socket_perms;
+
# Use capabilities.
-allow ifconfig_t ifconfig_t:capability { sys_module net_admin };
+allow ifconfig_t self:capability net_admin;
+dontaudit ifconfig_t self:capability sys_module;
# Inherit and use descriptors from init.
-allow ifconfig_t init_t:fd use;
-
-# Execute insmod.
-domain_auto_trans(ifconfig_t, insmod_exec_t, insmod_t)
+allow ifconfig_t { kernel_t init_t }:fd use;
# Access /proc
allow ifconfig_t proc_t:dir r_dir_perms;
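Review bot: `allow ifconfig_t self:socket create_socket_perms;` uses the generic `socket` class, which matches any socket family the kernel does not map to a specific class, so it is broader than the netlink, tcp and udp rules around it; if /sbin/ip needs one particular family, name it in a comment or use the specific class. Also `allow ifconfig_t etc_t:file { getattr read };` is already covered by the existing `allow ifconfig_t etc_t:file r_file_perms;` at the end of this file (visible in the last hunk), so it can be dropped.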
@@ -41,12 +46,13 @@
allow ifconfig_t boot_t:file r_file_perms;
allow ifconfig_t privfd:fd use;
+allow ifconfig_t run_init_t:fd use;
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
-allow ifconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
@@ -58,5 +64,11 @@
allow ifconfig_t fs_t:filesystem getattr;
+read_locale(ifconfig_t)
+allow ifconfig_t lib_t:file { getattr read };
+
+rhgb_domain(ifconfig_t)
+allow ifconfig_t userdomain:fd use;
+
# read /etc/mac.conf
allow ifconfig_t etc_t:file r_file_perms;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/init.te#4 (text+ko) ====
@@ -13,14 +13,17 @@
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-# sulogin_exec_t is the type of sulogin.
#
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter;
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile;
-type sulogin_exec_t, file_type, exec_type, sysadmfile;
+
+# for init to determine whether SE Linux is active so it can know whether to
+# activate it
+allow init_t security_t:dir search;
+allow init_t security_t:file { getattr read };
allow init_t self:fd { create use };
@@ -33,9 +36,8 @@
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-# Run the shell or sulogin in the sysadm_t domain for single-user mode.
+# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-domain_auto_trans(init_t, sulogin_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
@@ -60,6 +62,7 @@
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
+allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
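Review bot: `allow init_t var_log_t:file rw_file_perms;` gives init read/write on every generic log file, and the surrounding comment (`# Allow access to log files`) does not say which file needs it. If it is for one specific file, name it and prefer a dedicated type via `file_type_auto_trans`, or at least record why the generic type is used: `# init writes a generic var_log_t file — TODO name the file and consider a dedicated log type`.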
@@ -69,11 +72,8 @@
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
-allow init_t bin_t:dir { read getattr lock search ioctl };
-allow init_t bin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl };
-allow init_t exec_type:{ file lnk_file } { read getattr lock ioctl };
-allow init_t sbin_t:dir { read getattr lock search ioctl };
-allow init_t sbin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl };
+allow init_t { bin_t sbin_t }:dir r_dir_perms;
+allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# allow init to fork
allow init_t self:process { fork sigchld };
@@ -88,9 +88,11 @@
# Shutdown permissions
allow init_t proc_t:dir r_dir_perms;
allow init_t proc_t:lnk_file r_file_perms;
+allow init_t proc_t:file r_file_perms;
allow init_t self:dir r_dir_perms;
allow init_t self:lnk_file r_file_perms;
-allow init_t devpts_t:dir r_file_perms;
+allow init_t self:file r_file_perms;
+allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
@@ -107,6 +109,12 @@
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;
+# for loading policy
+allow init_t policy_config_t:file r_file_perms;
+
+# Set booleans.
+can_setbool(init_t)
+
# Read and write the console and ttys.
allow init_t console_device_t:chr_file rw_file_perms;
allow init_t tty_device_t:chr_file rw_file_perms;
@@ -115,9 +123,19 @@
# Run system executables.
can_exec(init_t,bin_t)
+ifdef(`consoletype.te', `
+can_exec(init_t, consoletype_exec_t)
+')
# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)
-# for initrd pivot_root seems to access this
-dontaudit init_t file_labels_t:dir { search };
+allow init_t lib_t:file { getattr read };
+
+ifdef(`rhgb.te', `
+allow init_t devtty_t:chr_file { read write };
+allow init_t ramfs_t:dir search;
+')
+r_dir_file(init_t, sysfs_t)
+
+r_dir_file(init_t, selinux_config_t)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#5 (text+ko) ====
@@ -13,14 +13,20 @@
#
ifdef(`sendmail.te', `
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, domain, privlog, privowner;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
+allow system_mail_t initrc_t:fd use;
+allow system_mail_t initrc_t:fifo_file write;
', `
-type initrc_t, domain, privlog, privowner, privmail;
+type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
')
role system_r types initrc_t;
uses_shlib(initrc_t);
+can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;
+# for halt to down interfaces
+allow initrc_t self:udp_socket create_socket_perms;
+
allow initrc_t self:fd { create use };
# read files in /etc/init.d
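Review bot: The `unlimitedRC` attribute list is duplicated across both branches of the `ifdef(sendmail.te)` and the two copies already differ in whitespace (`privmem,auth_write` versus `privmem, auth_write`), which invites drift; define the list once with a `define` above the ifdef and reference it from both `type initrc_t` statements. The list is also worth a comment, since `auth_write` and `privmem` presumably give every rc script write access to the shadow file and raw memory — `# unlimitedRC: rc scripts get admin-level file, shadow and memory access; for debugging only`, hedged as appropriate.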
@@ -29,13 +35,15 @@
read_locale(initrc_t)
+r_dir_file(initrc_t, usr_t)
+
# Read system information files in /proc.
allow initrc_t proc_t:dir r_dir_perms;
allow initrc_t proc_t:{ file lnk_file } r_file_perms;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket create_socket_perms;
+allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;
# Read the root directory of a usbdevfs filesystem, and
@@ -48,31 +56,25 @@
allow initrc_t device_t:dir r_dir_perms;
# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld setsched };
+allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
# Can create ptys for open_init_pty
can_create_pty(initrc)
-type initrc_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(initrc_t, tmp_t, initrc_tmp_t)
+tmp_domain(initrc)
var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
+allow initrc_t var_run_t:dir { create rmdir };
allow initrc_t framebuf_device_t:chr_file r_file_perms;
# Use capabilities.
-allow initrc_t initrc_t:capability ~sys_module;
+allow initrc_t self:capability ~{ sys_admin sys_module };
# Use system operations.
allow initrc_t kernel_t:system *;
-# Allow initrc_t to set the enforcing flag.
-# The initrc_t domain is granted this permission for
-# people who want to use a development kernel and toggle
-# into enforcing mode from an /etc/rc.d script.
-can_setenforce(initrc_t)
-
# Set values in /proc/sys.
can_sysctl(initrc_t)
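Review bot: `allow initrc_t self:capability ~{ sys_admin sys_module };` is a negated set, so initrc_t silently receives every capability later added to the class and still keeps e.g. sys_rawio, sys_ptrace and mknod today; excluding sys_admin is a good step, but an enumerated positive list is the safer long-term form. If enumeration is too invasive for this pass, record the intent: `# TODO: replace the negated set with an explicit list; rc scripts should not inherit new capabilities by default`. The removal of `can_setenforce(initrc_t)` is a welcome narrowing and needs no change.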
@@ -84,7 +86,17 @@
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
+#
+# These rules are here to allow init scripts to su
+#
+ifdef(`su.te', `
+su_restricted_domain(initrc,system)
+role system_r types initrc_su_t;
+')
+allow initrc_t self:passwd rootok;
+# read /lib/modules
+allow initrc_t modules_object_t:dir { search read };
# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;
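Review bot: `allow initrc_t self:passwd rootok;` is placed after the `ifdef(su.te)` block but under the comment saying these rules let init scripts su, so it is granted even when su.te is absent; if it exists for pam_rootok in su's PAM stack, move it inside the ifdef (crond.te in this same change has the identical pattern). If it is needed independently of su, give it its own comment so the relation to the su block is not implied. `allow initrc_t modules_object_t:dir { search read };` is fine but the brace style differs from the rest of the file.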
@@ -102,17 +114,13 @@
ifdef(`portmap.te', `can_udp_send(initrc_t, portmap_t)')
ifdef(`ypbind.te', `can_udp_send(initrc_t, ypbind_t)')
-# Search persistent label mappings.
-allow initrc_t file_labels_t:dir r_dir_perms;
-allow initrc_t file_labels_t:file stat_file_perms;
-
# Read /proc/PID directories for all domains.
-allow initrc_t domain:notdevfile_class_set r_file_perms;
-allow initrc_t domain:dir r_dir_perms;
+r_dir_file(initrc_t, domain)
+allow initrc_t domain:process { getattr getsession };
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
+allow initrc_t { file_t default_t }:dir { read search getattr mounton };
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -126,11 +134,14 @@
allow initrc_t sendmail_exec_t:lnk_file read;
')
-ifdef(`xfs.te',
-`# Unlink the xfs socket.
+ifdef(`xfs.te', `
+# Unlink the xfs socket.
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };')
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
+allow initrc_t fonts_t:dir create_dir_perms;
+allow initrc_t fonts_t:file create_file_perms;
+')
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
@@ -159,11 +170,8 @@
allow initrc_t pidfile:file { getattr read unlink };
# Write to /dev/urandom.
-allow initrc_t random_device_t:chr_file rw_file_perms;
+allow initrc_t urandom_device_t:chr_file rw_file_perms;
-# Access /dev/psaux (for kudzu).
-allow initrc_t psaux_t:chr_file rw_file_perms;
-
# Set device ownerships/modes.
allow initrc_t framebuf_device_t:lnk_file read;
allow initrc_t framebuf_device_t:devfile_class_set setattr;
@@ -171,9 +179,10 @@
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
+allow initrc_t device_t:lnk_file read;
# Stat any file.
-allow initrc_t file_type:file_class_set getattr;
+allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };
# Read and write console and ttys.
@@ -191,36 +200,39 @@
allow initrc_t var_spool_t:dir create_dir_perms;
allow initrc_t var_spool_t:file { create_file_perms unlink };
-ifdef(`rpm.te', `
-# Create and read /boot/kernel.h.
+ifdef(`redhat', `
+# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file r_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t)
+allow initrc_t boot_t:lnk_file rw_file_perms;
+file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)