root/archive/mls/assert.te

Revision 1056, 6.1 kB (checked in by cpebenito, 3 years ago)

add fc mls policy

##############################
#
# Assertions for the type enforcement (TE) configuration.
#
# This file is preprocessed with m4 before the policy compiler sees it:
# ifdef(X.te, ...) guards make an assertion conditional on the matching
# domain file being part of the build, so a build that omits an optional
# domain does not fail on an unknown type.
#
# Most assertions below exempt the unrestricted attribute.  Domains that
# carry it are outside the scope of these checks, so membership in that
# attribute deserves the same review as the assertions themselves.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
#

##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added.  Access
# vector assertions use the same syntax as access vector rules.
#
# Set notation used throughout: { domain -foo } is every type with the
# domain attribute except foo; ~perms is every permission of the class
# except those listed.  A ~ on the permission side therefore turns the
# assertion into an allow-list: anything not named is forbidden.
#

#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
# No exemptions here, not even unrestricted: a process may never
# transition into a type that lacks the domain attribute.
neverallow domain ~domain:process { transition dyntransition };

#
# Verify that only domains carrying the privsysmod attribute (plus
# unrestricted) have the sys_module capability.  Which domains get
# privsysmod (the module loader, the kernel) is decided where the
# attribute is assigned; this rule only pins the capability to it.
#
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;

#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
# The first rule covers content modification, the second relabeling into
# these types.  kernel_t and (when ldconfig.te is built) ldconfig_t are
# exempt from the first; change_context domains are exempt from the
# second, presumably because relabeling is their function.  Note that
# create, setattr and relabelfrom are not asserted here.
neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
#
# First rule: anything beyond getattr is reserved for the auth attributes
# (auth_bool, auth, auth_write).
# Second rule: anything beyond read access (r_file_perms) is reserved for
# auth_write.  Combined: auth and auth_bool domains may at most read the
# shadow file; only auth_write domains may modify it.
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;

#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
#
# Files and symlinks: only auth_write and etc_writer may do more than
# read (and, for files, execute).
# NOTE(review): the dir rule leaves ~rw_dir_perms open, so whatever
# rw_dir_perms expands to (defined elsewhere) remains permitted for every
# domain.  If that set includes add_name/remove_name, any domain may still
# create or remove entries under etc_t directories, which is looser than
# the file rule -- confirm this is intended.
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };

#
# Verify that other system software can only be modified by administrators.
#
# Directory entries (add/remove/rename) and file contents under lib_t,
# bin_t and sbin_t.  kernel_t is exempt from both rules; ldconfig_t only
# from the directory rule, and only when ldconfig.te is built.
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
# Gated on the fs_domain attribute.  The assertion spans the whole
# devfile_class_set (presumably the device-node classes); only
# read/write/append are asserted.
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };

#
# Verify that only domains carrying the privmem attribute have access to
# memory devices.  The intended holders are the X server and klogd, but
# that is decided where privmem is assigned, not here.
#
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };

#
# Verify that only domains with the privlog attribute can actually syslog,
# i.e. read from, write to or append to the devlog_t socket file.
#
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };

#
# Verify that /proc/kmsg is only accessible to domains with the privkmsg
# attribute (intended for klogd).  Everyone else is limited to
# stat_file_perms.
#
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;

#
# Verify that /proc/kcore is inaccessible: no domain other than
# unrestricted may do more than stat it.
#

neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
#
# Verify that sysctl variables are only changeable by initrc and
# administrators, with these per-subtree exceptions:
#   sysctl_t        - kernel_t and insmod_t are also exempt
#   sysctl_kernel_t - the sysctl_kernel_writer attribute instead of initrc_t
#   sysctl_net_t    - the sysctl_net_writer attribute is also exempt
# Only write/append are asserted; reading sysctls is not restricted here.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#
# assert_execute(dom1, dom2, ...) is a recursive m4 macro.  For each
# argument D it emits two assertions: D_t may be entered only through
# D_exec_t, and D_t may execute_no_trans only D_exec_t and ld_so_t.
# The ifelse on $# handles no arguments (emit nothing), one argument
# (emit the two rules) and several (emit for $1, then recurse on the
# remaining arguments via shift).  The doubled quotes around the rule
# text delay its expansion by one quoting level.
# Note that nothing here exempts unrestricted: the named domains are
# always held to their entrypoint.
#

define(`assert_execute', `
    ifelse($#, 0, ,
           $#, 1,
           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
           `assert_execute($1) assert_execute(shift($@))')')
110
# Each invocation is conditional on the domain file being part of the
# build, so a build without e.g. tcpd.te does not fail on an unknown type.
ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')

# login is spelled out by hand because it has two domains (local_login_t
# and remote_login_t) sharing one entrypoint, and, when pam.te is built,
# pam_exec_t is an additional permitted entrypoint and execute_no_trans
# target.
ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')

#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
#
# passwd_t and sysadm_passwd_t each have their own entrypoint type.  The
# execute_no_trans allow-list is wider than assert_execute would give
# (bin_t, sbin_t and shell_exec_t in addition to ld_so_t), presumably
# because the passwd programs run helper binaries in place.
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')
#
# Verify that only the admin domains and initrc_t have setenforce.
#
# The admin set here is the secadmin attribute, not the admin attribute
# used by the file-modification assertions above.
#
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;

#
# Verify that only the kernel and load_policy_t have load_policy.
#

neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;

#
# for gross mistakes in policy
#
# These use * as the source, so unrestricted is NOT exempt:
#  - the dir class of a domain type is read-only for every type;
#  - the file_class_set of a domain type allows at most rw_file_perms;
#  - no domain (or unlabeled_t) may hold any process permission on a
#    file_type target, i.e. file types are never process subjects/objects;
#  - no type outside { domain unlabeled_t } may be the source of any
#    process permission, i.e. only domains act as processes.
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;