Date: Mon, 6 Dec 2004 19:18:54 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 66561 for review Message-ID: <200412061918.iB6JIsKW001339@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=66561 Change 66561 by areisse@areisse_tislabs on 2004/12/06 19:18:23 First pass at merging changes from new selinux policy. The policy almost certainly does not build now. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/httpadm.te#4 delete .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/kernel.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/auth-net.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/fcron.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/startx.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/userspace_objmgr.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/xclient.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/chkpwd.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crond.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crontab.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/dmesg.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/fsadm.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#5 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/hostname.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ifconfig.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/init.te#4 integrate .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#5 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/klogd.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ldconfig.te#6 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/load_policy.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/login.te#5 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/logrotate.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/modutil.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/mount.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/netutils.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/newrole.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/restorecon.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/setfiles.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#6 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/su.te#4 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/sulogin.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/syslogd.te#5 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/tmpreaper.te#2 integrate .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/unconfined.te#1 branch .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#2 integrate .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/user.te#4 integrate Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/admin.te#4 (text+ko) ==== @@ -3,24 +3,31 @@ ################################# # sysadm_t is the system administrator domain. -type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome; +type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule +ifdef(`unrestricted_admin', `,etc_writer, fs_domain, privmem, privlog, privowner, sysctl_kernel_writer, auth, auth_write') +ifdef(`direct_sysadm_daemon', `, priv_system_role') +; dnl end of sysadm_t type declaration + allow privhome home_root_t:dir search; # system_r is authorized for sysadm_t for single-user mode. role system_r types sysadm_t; -# sysadm_r is authorized for sysadm_t for the initial login domain. -role sysadm_r types sysadm_t; - general_proc_read_access(sysadm_t) -general_domain_access(sysadm_t) # sysadm_t is also granted permissions specific to administrator domains. admin_domain(sysadm) # Allow administrator domains to set the enforcing flag. -can_setenforce(admin) +can_setenforce(sysadm_t) + +# Allow administrator domains to set policy booleans. +can_setbool(sysadm_t) + +# for su +allow sysadm_t userdomain:fd use; define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }') - +# Add/remove user home directories +file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/kernel.te#4 (text+ko) ==== 
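Review bot: The `unrestricted_admin` branch of the sysadm_t declaration re-lists `etc_writer`, `privlog` and `privowner`, all of which the unconditional attribute list on the same declaration already carries, so the branch really adds only `fs_domain`, `privmem`, `sysctl_kernel_writer`, `auth` and `auth_write`; trimming it to `ifdef(`unrestricted_admin', `, fs_domain, privmem, sysctl_kernel_writer, auth, auth_write')` makes the actual widening visible. `etc_writer` and `privmodule` are now granted to sysadm_t outside any build option, a permanent widening of the administrator domain (direct /etc writes and, if privmodule keeps its usual meaning, kernel module loading); a one-line comment naming the administrative operations that need them would let a later reviewer judge it. None of the attribute declarations nor the `can_setbool` macro are in the affected-files list, which is presumably part of why the commit message expects the build to fail.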
@@ -11,16 +11,20 @@ # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # -type kernel_t, domain; +type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer ifdef(`nfs_export_all_rw',`,etc_writer') ; role system_r types kernel_t; general_domain_access(kernel_t) general_proc_read_access(kernel_t) base_file_read_access(kernel_t) uses_shlib(kernel_t) +can_exec(kernel_t, shell_exec_t) # Use capabilities. allow kernel_t self:capability *; +allow kernel_t sysfs_t:dir search; +allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search; + # Run init in the init_t domain. domain_auto_trans(kernel_t, init_exec_t, init_t) @@ -30,9 +34,6 @@ # Mount and unmount file systems. allow kernel_t fs_type:filesystem mount_fs_perms; -# Search the persistent label mapping. -allow kernel_t file_labels_t:dir search; - # Send signal to any process. allow kernel_t domain:process signal; @@ -59,12 +60,6 @@ # Load the policy configuration. can_loadpol(kernel_t) -ifdef(`modutil.te', ` -# Run insmod (for kernel module loader). -domain_auto_trans(kernel_t,insmod_exec_t,insmod_t) -allow kernel_t insmod_exec_t:lnk_file read; -') - # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. can_exec(kernel_t, bin_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/auth-net.te#2 (text+ko) ==== @@ -1,4 +1,3 @@ #DESC Policy for using network servers for authenticating users (IE PAM-LDAP) can_network(auth) -allow auth resolv_conf_t:file { getattr read }; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/fcron.te#2 (text+ko) ==== @@ -9,7 +9,7 @@ # Use capabilities. allow crond_t self:capability { dac_override dac_read_search }; -# differences betweenr_dir_perms and rw_dir_perms +# differences between r_dir_perms and rw_dir_perms allow crond_t cron_spool_t:dir { add_name remove_name write }; ifdef(`mta.te', ` 
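Review bot: `can_exec(kernel_t, shell_exec_t)` lets kernel-spawned user-mode helpers run a shell while staying in kernel_t, which this same hunk still grants `self:capability *`; a `domain_auto_trans` into a more confined domain, or at least a comment naming the helper that needs a shell, would keep that privilege from being inherited silently. The added `allow kernel_t sysfs_t:dir search;` is redundant with the `{ usbfs_t usbdevfs_t sysfs_t }:dir search` rule directly below it and can be dropped. `sysfs_t`, `usbfs_t` and `usbdevfs_t` are Linux filesystem types and no types file is in the affected-files list, so these rules presumably fail to resolve on SEBSD until the types are declared or the rules are wrapped in an ifdef.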
@@ -18,12 +18,13 @@ allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr }; ') -ifdef(`dpkg.te', ` +ifdef(`debian', ` can_exec(dpkg_t, crontab_exec_t) -file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t) +file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file) ') rw_dir_create_file(crond_t, cron_spool_t) +can_setfscreate(crond_t) # for /var/run/fcron.fifo file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/misc/unused/startx.te#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/checkpolicy.te#2 (text+ko) ==== @@ -11,6 +11,7 @@ type checkpolicy_t, domain; role sysadm_r types checkpolicy_t; +role system_r types checkpolicy_t; type checkpolicy_exec_t, file_type, exec_type, sysadmfile; @@ -22,7 +23,7 @@ # able to create and modify binary policy files allow checkpolicy_t policy_config_t:dir rw_dir_perms; -allow checkpolicy_t policy_config_t:notdevfile_class_set create_file_perms; +allow checkpolicy_t policy_config_t:file create_file_perms; ########################### # constrain what checkpolicy can use as source files @@ -30,10 +31,10 @@ # only allow read of policy source files allow checkpolicy_t policy_src_t:dir r_dir_perms; -allow checkpolicy_t policy_src_t:notdevfile_class_set r_file_perms; +allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms; # allow test policies to be created in src directories -file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t) +file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) # directory search permissions for path to source and binary policy files allow checkpolicy_t root_t:dir search; 
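Review bot: `can_setfscreate(crond_t)` is added without a comment, while the neighbouring `file_type_auto_trans` rule says what it is for; setfscreate lets the daemon pick the label of files it creates, so a one-line comment naming the spool operation that needs an explicit creation context belongs above it. The file sits under `misc/unused/`, so the rule is inert unless fcron.te is enabled, but the rationale is cheap to record now and hard to reconstruct later.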
@@ -45,7 +46,7 @@ `allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;') # Other access -allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr }; +allow checkpolicy_t { initrc_devpts_t admin_tty_type }:chr_file { read write ioctl getattr }; uses_shlib(checkpolicy_t) allow checkpolicy_t self:capability dac_override; @@ -56,6 +57,9 @@ # so it can be used without privilege to write real binary policy file can_exec(user_t, checkpolicy_exec_t) -allow checkpolicy_t privfd:fd use; -allow checkpolicy_t checkpolicy_t:fd { use create }; +allow checkpolicy_t { userdomain privfd }:fd use; +allow checkpolicy_t fs_t:filesystem getattr; +allow checkpolicy_t console_device_t:chr_file { read write }; +allow checkpolicy_t init_t:fd { use }; +allow checkpolicy_t selinux_config_t:dir { search }; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/chkpwd.te#2 (text+ko) ==== @@ -9,5 +9,10 @@ # type chkpwd_exec_t, file_type, sysadmfile, exec_type; +chkpwd_domain(system) +dontaudit system_chkpwd_t privfd:fd use; +role sysadm_r types system_chkpwd_t; +in_user_role(system_chkpwd_t) + # Everything else is in the chkpwd_domain macro in # macros/program/chkpwd_macros.te. ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crond.te#4 (text+ko) ==== @@ -9,8 +9,11 @@ # Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # -# Domain for crond. It needs auth to check for locked accounts. -daemon_domain(crond, `, privrole, privmail, auth, privfd') +# NB The constraints file has some entries for crond_t, this makes it +# different from all other domains... + +# Domain for crond. It needs auth_chkpwd to check for locked accounts. +daemon_domain(crond, `, privmail, auth_chkpwd, privfd') # This domain is granted permissions common to most domains (including can_net) general_domain_access(crond_t) 
@@ -20,63 +23,51 @@ # Type for temporary files. tmp_domain(crond) +can_ypbind(crond_t) -# Domain for system cron jobs. -type system_crond_t, domain, privlog, privmail; +crond_domain(system) -# Read and write console and ttys. -allow system_crond_t devtty_t:chr_file rw_file_perms; - -# Read system information files in /proc. -allow system_crond_t proc_t:dir r_dir_perms; -allow system_crond_t proc_t:file r_file_perms; allow system_crond_t proc_t:lnk_file read; +allow system_crond_t proc_t:filesystem getattr; +allow system_crond_t usbdevfs_t:filesystem getattr; ifdef(`mta.te', ` allow mta_user_agent system_crond_t:fd use; ') -# to stop killall type operations from filling our logs -dontaudit system_crond_t domain:dir search; - # read files in /etc -allow system_crond_t etc_t:{ file lnk_file } r_file_perms; +allow system_crond_t etc_t:file r_file_perms; allow system_crond_t etc_runtime_t:file read; -read_locale({ crond_t system_crond_t }) +read_locale(crond_t) -# Type for log files. -type cron_log_t, file_type, sysadmfile, logfile; -# Use this type when creating files in /var/log. -file_type_auto_trans(crond_t, var_log_t, cron_log_t) +log_domain(crond) # Use capabilities. -allow crond_t crond_t:capability { sys_resource setgid setuid net_bind_service }; +allow crond_t self:capability { dac_override setgid setuid net_bind_service }; +dontaudit crond_t self:capability sys_resource; # Get security policy decisions. can_getsecurity(crond_t) # for finding binaries and /bin/sh allow crond_t { bin_t sbin_t }:dir search; -allow crond_t bin_t:lnk_file read; +allow crond_t { bin_t sbin_t }:lnk_file read; # Read from /var/spool/cron. 
-allow crond_t var_t:dir search; allow crond_t var_lib_t:dir search; allow crond_t var_spool_t:dir r_dir_perms; allow crond_t cron_spool_t:dir r_dir_perms; allow crond_t cron_spool_t:file r_file_perms; -# Read system crontabs -allow crond_t system_crond_script_t:file r_file_perms; -allow crond_t system_crond_script_t:dir r_dir_perms; - # Read /etc/security/default_contexts. -allow crond_t default_context_t:file r_file_perms; +r_dir_file(crond_t, default_context_t) allow crond_t etc_t:file { getattr read }; allow crond_t etc_t:lnk_file read; +allow crond_t default_t:dir { search }; + # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; @@ -87,29 +78,17 @@ # Run a shell. can_exec(crond_t, shell_exec_t) -ifdef(`rpm.te', -`# Run the rpm program in the rpm_t domain. Allow creation of RPM log files +ifdef(`redhat', ` +# Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. -allow crond_t var_log_rpm_t: file create_file_perms; +allow crond_t rpm_log_t: file create_file_perms; system_crond_entry(rpm_exec_t, rpm_t) -allow system_crond_t var_log_rpm_t: file create_file_perms;') +allow system_crond_t rpm_log_t:file create_file_perms; +') -# This system_r role is authorized for this domain. -role system_r types system_crond_t; - -uses_shlib(system_crond_t); -general_domain_access(system_crond_t); allow system_crond_t var_log_t:file r_file_perms; -# Type for system crontab files. -type system_crond_script_t, file_type, sysadmfile; - -# Permit crond_t to transition to this domain. -# The transition is requested explicitly by the modified crond -# via execve_secure. There is no way to set up an automatic -# transition, since crontabs are configuration files, not executables. -domain_trans(crond_t, shell_exec_t, system_crond_t) # Set exec context. can_setexec(crond_t) 
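Review bot: `allow crond_t self:capability { dac_override setgid setuid net_bind_service };` adds `dac_override` to crond_t, and the only comment is the generic `# Use capabilities.`; dac_override bypasses DAC checks on every file crond_t's type rules reach, so either name the operation that needs it in the comment or, if it is only probed, dontaudit it as this hunk already does for `sys_resource`. The hunk also replaces the explicit `system_crond_t` declaration and its tty/proc rules with `crond_domain(system)`, a macro from the macros directory that is not in this change, so the diff cannot show that the dropped `devtty_t` and `proc_t` access is re-created there. This hunk begins on the previous line.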
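Review bot: After this hunk and the `@@ -119` hunk below, nothing left in crond.te records the entrypoint check on crontab files: the `domain_trans(crond_t, shell_exec_t, system_crond_t)` rule, the `system_crond_script_t` type and the `system_crond_script_t:file entrypoint` rule are removed together with the comment explaining that crond must verify the crontab's type via execve_secure because crontabs are not executables. The replacement is presumably inside `crond_domain(system)` in the macros directory, which is not in the affected-files list, so the diff alone cannot confirm the check survives; keep the rationale next to the new `system_cron_spool_t` rules, e.g. `# crontabs are not executed, so crond checks entrypoint on system_cron_spool_t before the execve_secure transition`. `system_cron_spool_t` is referenced here and in `@@ -119` but no types file is in the change.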
@@ -119,40 +98,24 @@ domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t) # Access log files -file_type_auto_trans(system_crond_t, var_log_t, cron_log_t) +file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file) -# Inherit and use descriptors from init. +# Inherit and use descriptors from init for anacron. allow system_crond_t init_t:fd use; -# Inherit and use descriptors from initrc. +# Inherit and use descriptors from initrc for anacron. allow system_crond_t initrc_t:fd use; +allow system_crond_t initrc_devpts_t:chr_file { read write }; -# Write to a socket from initrc. -allow system_crond_t initrc_t:udp_socket rw_socket_perms; - # Use capabilities. -allow system_crond_t system_crond_t:capability { setgid setuid dac_override fowner net_bind_service fsetid }; +allow system_crond_t self:capability { chown setgid setuid fowner net_bind_service fsetid }; # Read the system crontabs. -allow system_crond_t system_crond_script_t:file r_file_perms; +allow system_crond_t system_cron_spool_t:file r_file_perms; -# -# Since crontab files are not directly executed, -# crond must ensure that the crontab file has -# a type that is appropriate for the domain of -# the system cron job. It performs an entrypoint -# permission check for this purpose. -# -allow system_crond_t system_crond_script_t:file entrypoint; -ifdef(`fcron.te', ` -allow system_crond_t sysadm_cron_spool_t:file entrypoint; -') +allow crond_t system_cron_spool_t:dir r_dir_perms; +allow crond_t system_cron_spool_t:file r_file_perms; -# Run helper programs in the system_crond_t domain. -allow system_crond_t { bin_t sbin_t }:dir r_dir_perms; -allow system_crond_t { bin_t sbin_t }:lnk_file read; -can_exec(system_crond_t, { bin_t sbin_t exec_type etc_t }) - # Read from /var/spool/cron. allow system_crond_t cron_spool_t:dir r_dir_perms; allow system_crond_t cron_spool_t:file r_file_perms; 
@@ -170,14 +133,9 @@ # Write /var/lock/makewhatis.lock. lock_domain(system_crond) -# Modutils are now combined, so we can no longer distinguish them. -# Let crond run the insmod executable in the insmod_t domain. -ifdef(`modutil.te', ` -system_crond_entry(insmod_exec_t, insmod_t) -') - # for if /var/mail is a symlink allow crond_t mail_spool_t:lnk_file read; +allow crond_t mail_spool_t:dir search; # Run logrotate in the logrotate_t domain. ifdef(`logrotate.te', ` @@ -189,7 +147,8 @@ ') # Stat any file and search any directory for find. -allow system_crond_t file_type:file_class_set getattr; +allow system_crond_t { root_dir_type file_type fs_type }:notdevfile_class_set getattr; +allow system_crond_t device_type:{ chr_file blk_file } getattr; allow system_crond_t file_type:dir { read search getattr }; # Create temporary files. @@ -198,17 +157,10 @@ # /sbin/runlevel ask for w access to utmp, but will operate # correctly without it. Do not audit write denials to utmp. -dontaudit system_crond_t initrc_var_run_t:file { read write }; - -# Access accounting summary files. -allow system_crond_t var_log_sa_t:file create_file_perms; -allow system_crond_t var_log_sa_t:dir rw_dir_perms; +# /sbin/runlevel needs lock access however +dontaudit system_crond_t initrc_var_run_t:file write; +allow system_crond_t initrc_var_run_t:file { getattr read lock }; -allow system_crond_t fs_t:filesystem getattr; - -allow system_crond_t { sysctl_t sysctl_kernel_t }:dir search; -allow system_crond_t sysctl_kernel_t:file { getattr read }; - # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. allow system_crond_t var_spool_t:file create_file_perms; 
@@ -218,3 +170,37 @@ dontaudit system_crond_t unlabeled_t:dir r_dir_perms; dontaudit system_crond_t unlabeled_t:file r_file_perms; +# +# reading /var/spool/cron/mailman +# +allow crond_t var_spool_t:file { getattr read }; +allow system_crond_t devpts_t:filesystem getattr; +allow system_crond_t sysfs_t:filesystem getattr; +allow system_crond_t tmpfs_t:filesystem getattr; +allow system_crond_t rpc_pipefs_t:filesystem getattr; + +# +# These rules are here to allow system cron jobs to su +# +ifdef(`su.te', ` +su_restricted_domain(system_crond,system) +role system_r types system_crond_su_t; +allow system_crond_su_t crond_t:fifo_file { ioctl }; +') +allow system_crond_t self:passwd rootok; +# +# prelink tells init to restart it self, we either need to allow or dontaudit +# +allow system_crond_t initctl_t:fifo_file { write }; +dontaudit userdomain system_crond_t:fd { use }; + +r_dir_file(crond_t, selinux_config_t) + +# Allow system cron jobs to relabel filesystem for restoring file contexts. +bool cron_can_relabel false; +if (cron_can_relabel) { +domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t) +} else { +r_dir_file(system_crond_t, file_context_t) +can_getsecurity(system_crond_t) +} ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/crontab.te#4 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/fsadm.te#4 (text+ko) ==== @@ -12,12 +12,15 @@ # administration. # fsadm_exec_t is the type of the corresponding programs. # -type fsadm_t, domain, privlog; +type fsadm_t, domain, privlog, fs_domain; role system_r types fsadm_t; role sysadm_r types fsadm_t; general_domain_access(fsadm_t) +# for swapon +allow fsadm_t sysfs_t:dir { search getattr }; + # Read system information files in /proc. allow fsadm_t proc_t:dir r_dir_perms; allow fsadm_t proc_t:notdevfile_class_set r_file_perms; 
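Review bot: `allow system_crond_t initctl_t:fifo_file { write };` lets every system cron job write init's control fifo, and the comment right above it says the allow-or-dontaudit choice was still open; unless prelink's self-restart is actually required here, `dontaudit system_crond_t initctl_t:fifo_file write;` is the safer default, with the allow put behind a boolean the way `cron_can_relabel` already gates the setfiles transition in this hunk. `allow system_crond_t self:passwd rootok;` similarly sits between the su block and the prelink comment with no note of its own; since it appears to exist for the `su_restricted_domain` rules, a comment tying the two together would stop it being removed or kept by accident.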
@@ -43,24 +46,28 @@ type fsadm_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t) +ifdef(`unrestricted_admin', ` +allow sysadm_t fixed_disk_device_t:devfile_class_set rw_file_perms; +allow sysadm_t removable_device_t:devfile_class_set rw_file_perms; +', ` domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t) +') -type fsadm_tmp_t, file_type, sysadmfile, tmpfile; -file_type_auto_trans(fsadm_t, tmp_t, fsadm_tmp_t) +tmp_domain(fsadm) # remount file system to apply changes allow fsadm_t fs_t:filesystem remount; +allow fsadm_t fs_t:filesystem getattr; + # mkreiserfs needs this allow fsadm_t proc_t:filesystem getattr; -allow fsadm_t device_t:filesystem getattr; - # mkreiserfs and other programs need this for UUID -allow fsadm_t random_device_t:chr_file { getattr read }; +allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read }; # Use capabilities. ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin }; +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config }; # Write to /etc/mtab. file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file) @@ -98,10 +105,18 @@ allow fsadm_t kernel_t:system syslog_console; # Access terminals. -allow fsadm_t admin_tty_type:chr_file rw_file_perms; +allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;') allow fsadm_t privfd:fd use; +allow fsadm_t devpts_t:dir getattr; read_locale(fsadm_t) allow fsadm_t fs_type:filesystem getattr; + +# for smartctl cron jobs +system_crond_entry(fsadm_exec_t, fsadm_t) + +# Access to /initrd devices +allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms; +allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/getty.te#5 (text+ko) ==== 
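Review bot: The `unrestricted_admin` branch grants sysadm_t `rw_file_perms` on `fixed_disk_device_t` and `removable_device_t` for every devfile class instead of transitioning into fsadm_t; raw block-device access reaches every byte on disk regardless of file labels, so this branch amounts to unconfined disk access for the admin domain and the comment should say so, e.g. `# unrestricted_admin: sysadm_t accesses raw disks directly, which bypasses per-file labels`. Because it is an m4 build option rather than a boolean, a deployment cannot turn it off without recompiling policy; if that is the intent, a note to that effect is worth adding as well.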
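Review bot: `allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;` and the matching `blk_file rw_file_perms` rule are justified only as `# Access to /initrd devices`, which is a Linux initrd layout; if SEBSD has no such tree, the rules grant read/write on unlabeled directories and block devices for nothing and should be guarded with an ifdef in the style of the `gnome-pty-helper.te` rule above them, or dropped. Writing `unlabeled_t` is also the kind of access that should carry a reason beyond the path name, since unlabeled objects are exactly the ones the policy has no other handle on.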
@@ -8,10 +8,10 @@ # # Rules for the getty_t domain. # -daemon_domain(getty, `, mlstrustedwriter, privfd') +init_service_domain(getty, `, mlstrustedwriter, privfd') -type etc_getty_t, file_type, sysadmfile; -r_dir_file(getty_t, etc_getty_t) +etcdir_domain(getty) +typealias getty_etc_t alias etc_getty_t; allow getty_t console_device_t:chr_file setattr; @@ -23,31 +23,27 @@ allow getty_t self:process { getpgid getsession }; allow getty_t self:unix_dgram_socket create_socket_perms; allow getty_t self:unix_stream_socket create_socket_perms; -allow getty_t self:fd { create use }; - -# for ldap and other authentication services -allow getty_t resolv_conf_t:file { getattr read }; # to allow w to display everyone... -#allow userdomain ttyfile:chr_file getattr; +bool user_ttyfile_stat false; +if (user_ttyfile_stat) { +allow userdomain ttyfile:chr_file getattr; +} # Use capabilities. -allow getty_t getty_t:capability { dac_override chown sys_tty_config }; +allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }; # fbgetty needs fsetid for some reason -allow getty_t getty_t:capability fsetid; +#allow getty_t getty_t:capability fsetid; -# Run getty in its own domain. -domain_auto_trans(init_t, getty_exec_t, getty_t) - -# Inherit and use descriptors from init. -allow getty_t init_t:fd use; +read_locale(getty_t) # Run login in local_login_t domain. allow getty_t bin_t:dir search; domain_auto_trans(getty_t, login_exec_t, local_login_t) # Write to /var/run/utmp. +allow getty_t { var_t var_run_t }:dir search; allow getty_t initrc_var_run_t:file rw_file_perms; # Write to /var/log/wtmp. 
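Review bot: The comment `# fbgetty needs fsetid for some reason` now sits above a commented-out rule, so it reads as documenting a grant that no longer exists; reword it to `# fbgetty used to need fsetid; rule disabled, re-enable if fbgetty is used` or delete both lines. The new `sys_resource` in `allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };` arrives without a reason, unlike the neighbouring comments; a word on which getty variant needs it would help. `init_service_domain` and `etcdir_domain` in the `@@ -8` hunk above come from the macros directory, which is not part of this change, so the diff cannot show that the removed `domain_auto_trans(init_t, getty_exec_t, getty_t)` and `init_t:fd use` rules are supplied there.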
@@ -56,7 +52,13 @@ # Chown, chmod, read and write ttys. allow getty_t tty_device_t:chr_file { setattr rw_file_perms }; allow getty_t ttyfile:chr_file { setattr rw_file_perms }; +allow getty_t initrc_devpts_t:chr_file { setattr rw_file_perms }; +dontaudit getty_t { user_devpts_t sysadm_devpts_t }:chr_file { read write }; +# for error condition handling +allow getty_t fs_t:filesystem getattr; + rw_dir_create_file(getty_t, var_lock_t) dontaudit getty_t staff_home_dir_t:dir search; +r_dir_file(getty_t, sysfs_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ifconfig.te#4 (text+ko) ==== @@ -11,7 +11,7 @@ # ifconfig_t is the domain for the ifconfig program. # ifconfig_exec_t is the type of the corresponding program. # -type ifconfig_t, domain, privlog; +type ifconfig_t, domain, privlog, privmodule; type ifconfig_exec_t, file_type, sysadmfile, exec_type; role system_r types ifconfig_t; @@ -23,14 +23,19 @@ domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) +# for /sbin/ip +allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow ifconfig_t self:tcp_socket { create ioctl }; +allow ifconfig_t etc_t:file { getattr read }; + +allow ifconfig_t self:socket create_socket_perms; + # Use capabilities. -allow ifconfig_t ifconfig_t:capability { sys_module net_admin }; +allow ifconfig_t self:capability net_admin; +dontaudit ifconfig_t self:capability sys_module; # Inherit and use descriptors from init. -allow ifconfig_t init_t:fd use; - -# Execute insmod. -domain_auto_trans(ifconfig_t, insmod_exec_t, insmod_t) +allow ifconfig_t { kernel_t init_t }:fd use; # Access /proc allow ifconfig_t proc_t:dir r_dir_perms; 
@@ -41,12 +46,13 @@ allow ifconfig_t boot_t:file r_file_perms; allow ifconfig_t privfd:fd use; +allow ifconfig_t run_init_t:fd use; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # Access terminals. -allow ifconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; +allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') allow ifconfig_t tun_tap_device_t:chr_file { read write }; @@ -58,5 +64,11 @@ allow ifconfig_t fs_t:filesystem getattr; +read_locale(ifconfig_t) +allow ifconfig_t lib_t:file { getattr read }; + +rhgb_domain(ifconfig_t) +allow ifconfig_t userdomain:fd use; + # read /etc/mac.conf allow ifconfig_t etc_t:file r_file_perms; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/init.te#4 (text+ko) ==== @@ -13,14 +13,17 @@ # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -# sulogin_exec_t is the type of sulogin. # -type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter; +type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer; role system_r types init_t; uses_shlib(init_t); type init_exec_t, file_type, sysadmfile, exec_type; type initctl_t, file_type, sysadmfile; -type sulogin_exec_t, file_type, exec_type, sysadmfile; + +# for init to determine whether SE Linux is active so it can know whether to +# activate it +allow init_t security_t:dir search; +allow init_t security_t:file { getattr read }; allow init_t self:fd { create use }; 
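Review bot: `rhgb_domain(ifconfig_t)` is called unconditionally, while init.te in this same change guards its rhgb rules with `ifdef(`rhgb.te', ...)`; if rhgb.te is absent the macro is presumably left unexpanded and rejected by checkpolicy, so wrap it as `ifdef(`rhgb.te', `rhgb_domain(ifconfig_t)')`. `allow ifconfig_t userdomain:fd use;` is added next to it without a comment; since the `@@ -41` hunk above already grants `run_init_t:fd use` and `privfd:fd use`, say which caller needs inherited descriptors from ordinary user domains or drop it. That hunk also extends ifconfig_t's tty access from `admin_tty_type` to `user_tty_type`, a widening that deserves its own one-line reason.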
@@ -33,9 +36,8 @@ # Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain. domain_auto_trans(init_t, initrc_exec_t, initrc_t) -# Run the shell or sulogin in the sysadm_t domain for single-user mode. +# Run the shell in the sysadm_t domain for single-user mode. domain_auto_trans(init_t, shell_exec_t, sysadm_t) -domain_auto_trans(init_t, sulogin_exec_t, sysadm_t) # Run /sbin/update in the init_t domain. can_exec(init_t, sbin_t) @@ -60,6 +62,7 @@ # Allow access to log files allow init_t var_t:dir search; allow init_t var_log_t:dir search; +allow init_t var_log_t:file rw_file_perms; read_locale(init_t) @@ -69,11 +72,8 @@ allow init_t self:fifo_file rw_file_perms; # Permissions required for system startup -allow init_t bin_t:dir { read getattr lock search ioctl }; -allow init_t bin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl }; -allow init_t exec_type:{ file lnk_file } { read getattr lock ioctl }; -allow init_t sbin_t:dir { read getattr lock search ioctl }; -allow init_t sbin_t:{ file lnk_file sock_file fifo_file } { read getattr lock ioctl }; +allow init_t { bin_t sbin_t }:dir r_dir_perms; +allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl }; # allow init to fork allow init_t self:process { fork sigchld }; @@ -88,9 +88,11 @@ # Shutdown permissions allow init_t proc_t:dir r_dir_perms; allow init_t proc_t:lnk_file r_file_perms; +allow init_t proc_t:file r_file_perms; allow init_t self:dir r_dir_perms; allow init_t self:lnk_file r_file_perms; -allow init_t devpts_t:dir r_file_perms; +allow init_t self:file r_file_perms; +allow init_t devpts_t:dir r_dir_perms; # Modify wtmp. allow init_t wtmp_t:file rw_file_perms; 
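Review bot: `allow init_t var_log_t:file rw_file_perms;` grants init read/write on every file labelled var_log_t rather than on a dedicated log type, so a misbehaving init could alter any log in /var/log; if init only needs its own log, give that file its own type, as the `wtmp_t` access further down already does. At minimum the rule should carry a comment naming the file it is for, e.g. `# init writes <its log file> in /var/log`.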
@@ -107,6 +109,12 @@ # since you may have compromised system security. allow unlabeled_t init_t:process sigchld; +# for loading policy +allow init_t policy_config_t:file r_file_perms; + +# Set booleans. +can_setbool(init_t) + # Read and write the console and ttys. allow init_t console_device_t:chr_file rw_file_perms; allow init_t tty_device_t:chr_file rw_file_perms; @@ -115,9 +123,19 @@ # Run system executables. can_exec(init_t,bin_t) +ifdef(`consoletype.te', ` +can_exec(init_t, consoletype_exec_t) +') # Run /etc/X11/prefdm. can_exec(init_t,etc_t) -# for initrd pivot_root seems to access this -dontaudit init_t file_labels_t:dir { search }; +allow init_t lib_t:file { getattr read }; + +ifdef(`rhgb.te', ` +allow init_t devtty_t:chr_file { read write }; +allow init_t ramfs_t:dir search; +') +r_dir_file(init_t, sysfs_t) + +r_dir_file(init_t, selinux_config_t) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/initrc.te#5 (text+ko) ==== @@ -13,14 +13,20 @@ # ifdef(`sendmail.te', ` # do not use privmail for sendmail as it creates a type transition conflict -type initrc_t, domain, privlog, privowner; +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer; +allow system_mail_t initrc_t:fd use; +allow system_mail_t initrc_t:fifo_file write; ', ` -type initrc_t, domain, privlog, privowner, privmail; +type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem,auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail; ') role system_r types initrc_t; uses_shlib(initrc_t); +can_ypbind(initrc_t) type initrc_exec_t, file_type, sysadmfile, exec_type; +# for halt to down interfaces +allow initrc_t self:udp_socket create_socket_perms; + allow initrc_t self:fd { create use }; # read files in /etc/init.d 
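Review bot: The two `ifdef(`sendmail.te')` branches each repeat the full `ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ')` attribute list, already drifting in whitespace (`privmem,auth_write` in the second), so the next edit will likely change one and not the other; hoist the attribute list into a single m4 `define` above the sendmail ifdef and have both branches reference it, leaving only `privmail` to differ. `unlimitedRC` grants initrc_t `admin`, `etc_writer`, `fs_domain`, `privmem` and `auth_write`, which makes every init script effectively administrative; the option name alone does not convey that, so a comment stating the scope is worth adding. `allow system_mail_t initrc_t:fd use;` and the `fifo_file write` rule in the sendmail branch are new and uncommented.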
@@ -29,13 +35,15 @@ read_locale(initrc_t) +r_dir_file(initrc_t, usr_t) + # Read system information files in /proc. allow initrc_t proc_t:dir r_dir_perms; allow initrc_t proc_t:{ file lnk_file } r_file_perms; # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -allow initrc_t self:unix_stream_socket create_socket_perms; +allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow initrc_t self:fifo_file rw_file_perms; # Read the root directory of a usbdevfs filesystem, and @@ -48,31 +56,25 @@ allow initrc_t device_t:dir r_dir_perms; # allow initrc to fork and renice itself -allow initrc_t self:process { fork sigchld setsched }; +allow initrc_t self:process { fork sigchld setsched setpgid setrlimit }; # Can create ptys for open_init_pty can_create_pty(initrc) -type initrc_tmp_t, file_type, sysadmfile, tmpfile; -file_type_auto_trans(initrc_t, tmp_t, initrc_tmp_t) +tmp_domain(initrc) var_run_domain(initrc) allow initrc_t var_run_t:{ file sock_file lnk_file } unlink; +allow initrc_t var_run_t:dir { create rmdir }; allow initrc_t framebuf_device_t:chr_file r_file_perms; # Use capabilities. -allow initrc_t initrc_t:capability ~sys_module; +allow initrc_t self:capability ~{ sys_admin sys_module }; # Use system operations. allow initrc_t kernel_t:system *; -# Allow initrc_t to set the enforcing flag. -# The initrc_t domain is granted this permission for -# people who want to use a development kernel and toggle -# into enforcing mode from an /etc/rc.d script. -can_setenforce(initrc_t) - # Set values in /proc/sys. can_sysctl(initrc_t) 
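Review bot: `allow initrc_t self:capability ~{ sys_admin sys_module };` keeps the complemented form, so any capability added to the class in a later policy or kernel is granted to init scripts by default; enumerating the capabilities initrc_t actually uses would make future additions opt-in rather than silent, which is the safer direction for a domain this central. Dropping `sys_admin` is a real narrowing and worth a comment saying which operations were confirmed not to need it, since on Linux several mount-style actions in init scripts traditionally do.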
@@ -84,7 +86,17 @@ can_exec(initrc_t, bin_t) can_exec(initrc_t, sbin_t) can_exec(initrc_t, exec_type) +# +# These rules are here to allow init scripts to su +# +ifdef(`su.te', ` +su_restricted_domain(initrc,system) +role system_r types initrc_su_t; +') +allow initrc_t self:passwd rootok; +# read /lib/modules +allow initrc_t modules_object_t:dir { search read }; # Read conf.modules. allow initrc_t modules_conf_t:file r_file_perms; @@ -102,17 +114,13 @@ ifdef(`portmap.te', `can_udp_send(initrc_t, portmap_t)') ifdef(`ypbind.te', `can_udp_send(initrc_t, ypbind_t)') -# Search persistent label mappings. -allow initrc_t file_labels_t:dir r_dir_perms; -allow initrc_t file_labels_t:file stat_file_perms; - # Read /proc/PID directories for all domains. -allow initrc_t domain:notdevfile_class_set r_file_perms; -allow initrc_t domain:dir r_dir_perms; +r_dir_file(initrc_t, domain) +allow initrc_t domain:process { getattr getsession }; # Mount and unmount file systems. allow initrc_t fs_type:filesystem mount_fs_perms; -allow initrc_t file_t:dir { read search getattr mounton }; +allow initrc_t { file_t default_t }:dir { read search getattr mounton }; # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME. file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file) @@ -126,11 +134,14 @@ allow initrc_t sendmail_exec_t:lnk_file read; ') -ifdef(`xfs.te', -`# Unlink the xfs socket. +ifdef(`xfs.te', ` +# Unlink the xfs socket. allow initrc_t xfs_tmp_t:dir rw_dir_perms; allow initrc_t xfs_tmp_t:dir rmdir; -allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };') +allow initrc_t xfs_tmp_t:sock_file { read getattr unlink }; +allow initrc_t fonts_t:dir create_dir_perms; +allow initrc_t fonts_t:file create_file_perms; +') # Update /var/log/wtmp and /var/log/dmesg. allow initrc_t wtmp_t:file { setattr rw_file_perms }; 
@@ -159,11 +170,8 @@ allow initrc_t pidfile:file { getattr read unlink }; # Write to /dev/urandom. -allow initrc_t random_device_t:chr_file rw_file_perms; +allow initrc_t urandom_device_t:chr_file rw_file_perms; -# Access /dev/psaux (for kudzu). -allow initrc_t psaux_t:chr_file rw_file_perms; - # Set device ownerships/modes. allow initrc_t framebuf_device_t:lnk_file read; allow initrc_t framebuf_device_t:devfile_class_set setattr; @@ -171,9 +179,10 @@ allow initrc_t device_t:devfile_class_set setattr; allow initrc_t fixed_disk_device_t:devfile_class_set setattr; allow initrc_t removable_device_t:devfile_class_set setattr; +allow initrc_t device_t:lnk_file read; # Stat any file. -allow initrc_t file_type:file_class_set getattr; +allow initrc_t file_type:notdevfile_class_set getattr; allow initrc_t file_type:dir { search getattr }; # Read and write console and ttys. @@ -191,36 +200,39 @@ allow initrc_t var_spool_t:dir create_dir_perms; allow initrc_t var_spool_t:file { create_file_perms unlink }; -ifdef(`rpm.te', ` -# Create and read /boot/kernel.h. +ifdef(`redhat', ` +# Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. -allow initrc_t boot_t:lnk_file r_file_perms; -file_type_auto_trans(initrc_t, boot_t, boot_runtime_t) +allow initrc_t boot_t:lnk_file rw_file_perms; +file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file) >>> TRUNCATED FOR MAIL (1000 lines) <<<
