Changeset 2737
- Timestamp:
- 06/25/08 09:41:46 (2 months ago)
- Files:
-
- branches/rbacsep/policy/modules/apps/screen.if (modified) (1 diff)
- branches/rbacsep/policy/modules/apps/screen.te (modified) (1 diff)
branches/rbacsep/policy/modules/apps/screen.if
r2727 r2737 1 1 ## <summary>GNU terminal multiplexer</summary> 2 2 3 ####################################### #3 ####################################### 4 4 ## <summary> 5 ## Role access for screen5 ## The per role template for the screen module. 6 6 ## </summary> 7 ## <param name="role"> 7 ## <desc> 8 ## <p> 9 ## This template creates a derived domains which are used 10 ## for screen sessions. 11 ## </p> 12 ## <p> 13 ## This template is invoked automatically for each user, and 14 ## generally does not need to be invoked directly 15 ## by policy writers. 16 ## </p> 17 ## </desc> 18 ## <param name="userdomain_prefix"> 8 19 ## <summary> 9 ## Role allowed access 20 ## The prefix of the user domain (e.g., user 21 ## is the prefix for user_t). 10 22 ## </summary> 11 23 ## </param> 12 ## <param name=" domain">24 ## <param name="user_domain"> 13 25 ## <summary> 14 ## User domain for the role 26 ## The type of the user domain. 27 ## </summary> 28 ## </param> 29 ## <param name="user_role"> 30 ## <summary> 31 ## The role associated with the user domain. 15 32 ## </summary> 16 33 ## </param> 17 34 # 18 interface(`screen_role',`35 template(`screen_per_role_template',` 19 36 gen_require(` 20 type screen_ t, screen_exec_t, screen_home_t;37 type screen_dir_t, screen_exec_t; 21 38 ') 22 39 23 role $1 types { screen_t screen_home_t }; 40 ######################################## 41 # 42 # Declarations 43 # 24 44 25 # Transition from the user domain to the derived domain. 
26 domtrans_pattern($2, screen_exec_t, screen_t) 45 type $1_screen_t; 46 application_domain($1_screen_t,screen_exec_t) 47 domain_interactive_fd($1_screen_t) 48 role $3 types $1_screen_t; 27 49 28 # allow ps to show screen and allow the user to kill it 29 ps_process_pattern($2, screen_t) 30 allow $2 screen_t:process signal; 50 type $1_screen_tmp_t; 51 files_tmp_file($1_screen_tmp_t) 31 52 32 domtrans_pattern($2, screen_exec_t, screen_t) 33 allow $2 screen_t:process signal; 34 allow screen_t $2:process signal; 53 type $1_screen_ro_home_t; 54 files_type($1_screen_ro_home_t) 55 56 type $1_screen_var_run_t; 57 files_pid_file($1_screen_var_run_t) 35 58 36 manage_dirs_pattern($2, screen_home_t, screen_home_t) 37 manage_files_pattern($2, screen_home_t, screen_home_t) 38 manage_lnk_files_pattern($2, screen_home_t, screen_home_t) 39 relabel_dirs_pattern($2, screen_home_t, screen_home_t) 40 relabel_files_pattern($2, screen_home_t, screen_home_t) 41 relabel_lnk_files_pattern($2, screen_home_t, screen_home_t) 59 ######################################## 60 # 61 # Local policy 62 # 63 64 allow $1_screen_t self:capability { setuid setgid fsetid }; 65 allow $1_screen_t self:process signal_perms; 66 allow $1_screen_t self:tcp_socket create_stream_socket_perms; 67 allow $1_screen_t self:udp_socket create_socket_perms; 68 # Internal screen networking 69 allow $1_screen_t self:fd use; 70 allow $1_screen_t self:unix_stream_socket create_socket_perms; 71 allow $1_screen_t self:unix_dgram_socket create_socket_perms; 72 73 manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) 74 manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) 75 manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t) 76 files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir }) 77 78 # Create fifo 79 manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t) 80 manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t) 81 
filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) 82 files_pid_filetrans($1_screen_t,screen_dir_t,dir) 83 84 allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; 85 read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) 86 read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t) 87 88 allow $1_screen_t $2:process signal; 89 90 domtrans_pattern($2, screen_exec_t, $1_screen_t) 91 allow $2 $1_screen_t:process signal; 92 allow $1_screen_t $2:process signal; 93 94 manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 95 manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 96 manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 97 relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 98 relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 99 relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t) 42 100 101 kernel_read_system_state($1_screen_t) 102 kernel_read_kernel_sysctls($1_screen_t) 103 104 corecmd_list_bin($1_screen_t) 105 corecmd_read_bin_files($1_screen_t) 106 corecmd_read_bin_symlinks($1_screen_t) 107 corecmd_read_bin_pipes($1_screen_t) 108 corecmd_read_bin_sockets($1_screen_t) 43 109 # Revert to the user domain when a shell is executed. 
44 corecmd_shell_domtrans( screen_t,$2)45 corecmd_bin_domtrans( screen_t,$2)110 corecmd_shell_domtrans($1_screen_t,$2) 111 corecmd_bin_domtrans($1_screen_t,$2) 46 112 47 userdom_user_home_domtrans(screen_t,$2) 48 113 corenet_all_recvfrom_unlabeled($1_screen_t) 114 corenet_all_recvfrom_netlabel($1_screen_t) 115 corenet_tcp_sendrecv_generic_if($1_screen_t) 116 corenet_udp_sendrecv_generic_if($1_screen_t) 117 corenet_tcp_sendrecv_all_nodes($1_screen_t) 118 corenet_udp_sendrecv_all_nodes($1_screen_t) 119 corenet_tcp_sendrecv_all_ports($1_screen_t) 120 corenet_udp_sendrecv_all_ports($1_screen_t) 121 corenet_tcp_connect_all_ports($1_screen_t) 122 123 dev_dontaudit_getattr_all_chr_files($1_screen_t) 124 dev_dontaudit_getattr_all_blk_files($1_screen_t) 125 # for SSP 126 dev_read_urand($1_screen_t) 127 128 domain_use_interactive_fds($1_screen_t) 129 130 files_search_tmp($1_screen_t) 131 files_search_home($1_screen_t) 132 files_list_home($1_screen_t) 133 files_read_usr_files($1_screen_t) 134 files_read_etc_files($1_screen_t) 135 136 fs_search_auto_mountpoints($1_screen_t) 137 fs_getattr_xattr_fs($1_screen_t) 138 139 auth_dontaudit_read_shadow($1_screen_t) 140 auth_dontaudit_exec_utempter($1_screen_t) 141 142 # Write to utmp. 
143 init_rw_utmp($1_screen_t) 144 145 libs_use_ld_so($1_screen_t) 146 libs_use_shared_libs($1_screen_t) 147 148 logging_send_syslog_msg($1_screen_t) 149 150 miscfiles_read_localization($1_screen_t) 151 152 seutil_read_config($1_screen_t) 153 154 sysnet_read_config($1_screen_t) 155 156 userdom_use_user_terminals($1,$1_screen_t) 157 userdom_create_user_pty($1,$1_screen_t) 158 userdom_user_home_domtrans($1,$1_screen_t,$2) 159 userdom_setattr_user_ptys($1,$1_screen_t) 160 161 tunable_policy(`read_default_t',` 162 files_list_default($1_screen_t) 163 files_read_default_files($1_screen_t) 164 files_read_default_symlinks($1_screen_t) 165 files_read_default_sockets($1_screen_t) 166 files_read_default_pipes($1_screen_t) 167 ') 168 49 169 tunable_policy(`use_samba_home_dirs',` 50 fs_cifs_domtrans(screen_t, $2) 170 fs_cifs_domtrans($1_screen_t,$2) 171 fs_read_cifs_symlinks($1_screen_t) 172 fs_list_cifs($1_screen_t) 51 173 ') 52 174 53 175 tunable_policy(`use_nfs_home_dirs',` 54 fs_nfs_domtrans(screen_t, $2) 176 fs_nfs_domtrans($1_screen_t,$2) 177 fs_list_nfs($1_screen_t) 178 fs_read_nfs_symlinks($1_screen_t) 179 ') 180 181 optional_policy(` 182 nis_use_ypbind($1_screen_t) 183 ') 184 185 optional_policy(` 186 nscd_socket_use($1_screen_t) 55 187 ') 56 188 ') branches/rbacsep/policy/modules/apps/screen.te
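Review bot: The new template grants `allow $1_screen_t $2:process signal;` twice, at new lines 88 and 92 as I read the gutter, the second copy sitting in the group right after `domtrans_pattern($2, screen_exec_t, $1_screen_t)` next to the matching `allow $2 $1_screen_t:process signal;`; dropping the standalone line 88 leaves the rule stated once where a reader expects it. checkpolicy accepts the duplicate, so this is a readability point, not a functional one. The `<desc>` block also has a grammar slip: `This template creates a derived domains which are used` should read `This template creates a derived domain which is used`. Since this template now carries every rule that used to live in screen.te (including the corenet `*_all_ports` and `tcp_connect_all_ports` grants), it would help policy writers if the `<desc>` said that the derived domain gets the full screen application policy, not just the role and transition rules the old `screen_role` interface provided.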
r2720 r2737 7 7 # 8 8 9 type screen_t;10 type screen_exec_t;11 application_domain(screen_t, screen_exec_t)12 domain_interactive_fd(screen_t)13 14 9 type screen_dir_t; 15 10 files_pid_file(screen_dir_t) 16 11 17 type screen_home_t; 18 files_type(screen_home_t) 19 20 type screen_tmp_t; 21 files_tmp_file(screen_tmp_t) 22 23 type screen_var_run_t; 24 files_pid_file(screen_var_run_t) 25 26 ######################################## 27 # 28 # Local policy 29 # 30 31 allow screen_t self:capability { setuid setgid fsetid }; 32 allow screen_t self:process signal_perms; 33 allow screen_t self:tcp_socket create_stream_socket_perms; 34 allow screen_t self:udp_socket create_socket_perms; 35 # Internal screen networking 36 allow screen_t self:fd use; 37 allow screen_t self:unix_stream_socket create_socket_perms; 38 allow screen_t self:unix_dgram_socket create_socket_perms; 39 40 manage_dirs_pattern(screen_t, screen_tmp_t, screen_tmp_t) 41 manage_files_pattern(screen_t, screen_tmp_t, screen_tmp_t) 42 manage_fifo_files_pattern(screen_t, screen_tmp_t, screen_tmp_t) 43 files_tmp_filetrans(screen_t, screen_tmp_t, { file dir }) 44 45 # Create fifo 46 manage_fifo_files_pattern(screen_t, screen_dir_t, screen_var_run_t) 47 manage_dirs_pattern(screen_t, screen_dir_t, screen_dir_t) 48 filetrans_pattern(screen_t, screen_dir_t, screen_var_run_t, fifo_file) 49 files_pid_filetrans(screen_t, screen_dir_t, dir) 50 51 allow screen_t screen_home_t:dir list_dir_perms; 52 read_files_pattern(screen_t, screen_home_t, screen_home_t) 53 read_lnk_files_pattern(screen_t, screen_home_t, screen_home_t) 54 55 kernel_read_system_state(screen_t) 56 kernel_read_kernel_sysctls(screen_t) 57 58 corecmd_list_bin(screen_t) 59 corecmd_read_bin_files(screen_t) 60 corecmd_read_bin_symlinks(screen_t) 61 corecmd_read_bin_pipes(screen_t) 62 corecmd_read_bin_sockets(screen_t) 63 64 corenet_all_recvfrom_unlabeled(screen_t) 65 corenet_all_recvfrom_netlabel(screen_t) 66 corenet_tcp_sendrecv_generic_if(screen_t) 67 
corenet_udp_sendrecv_generic_if(screen_t) 68 corenet_tcp_sendrecv_all_nodes(screen_t) 69 corenet_udp_sendrecv_all_nodes(screen_t) 70 corenet_tcp_sendrecv_all_ports(screen_t) 71 corenet_udp_sendrecv_all_ports(screen_t) 72 corenet_tcp_connect_all_ports(screen_t) 73 74 dev_dontaudit_getattr_all_chr_files(screen_t) 75 dev_dontaudit_getattr_all_blk_files(screen_t) 76 # for SSP 77 dev_read_urand(screen_t) 78 79 domain_use_interactive_fds(screen_t) 80 81 files_search_tmp(screen_t) 82 files_search_home(screen_t) 83 files_list_home(screen_t) 84 files_read_usr_files(screen_t) 85 files_read_etc_files(screen_t) 86 87 fs_search_auto_mountpoints(screen_t) 88 fs_getattr_xattr_fs(screen_t) 89 90 auth_dontaudit_read_shadow(screen_t) 91 auth_dontaudit_exec_utempter(screen_t) 92 93 # Write to utmp. 94 init_rw_utmp(screen_t) 95 96 libs_use_ld_so(screen_t) 97 libs_use_shared_libs(screen_t) 98 99 logging_send_syslog_msg(screen_t) 100 101 miscfiles_read_localization(screen_t) 102 103 seutil_read_config(screen_t) 104 105 sysnet_read_config(screen_t) 106 107 userdom_use_user_terminals(screen_t) 108 userdom_create_user_pty(screen_t) 109 userdom_setattr_user_ptys(screen_t) 110 111 tunable_policy(`read_default_t',` 112 files_list_default(screen_t) 113 files_read_default_files(screen_t) 114 files_read_default_symlinks(screen_t) 115 files_read_default_sockets(screen_t) 116 files_read_default_pipes(screen_t) 117 ') 118 119 tunable_policy(`use_samba_home_dirs',` 120 fs_read_cifs_symlinks(screen_t) 121 fs_list_cifs(screen_t) 122 ') 123 124 tunable_policy(`use_nfs_home_dirs',` 125 fs_list_nfs(screen_t) 126 fs_read_nfs_symlinks(screen_t) 127 ') 128 129 optional_policy(` 130 nis_use_ypbind(screen_t) 131 ') 132 133 optional_policy(` 134 nscd_socket_use(screen_t) 135 ') 12 type screen_exec_t; 13 application_executable_file(screen_exec_t)
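Review bot: After this change screen.te keeps `type screen_dir_t; files_pid_file(screen_dir_t)` and adds `type screen_exec_t; application_executable_file(screen_exec_t)`, but nothing left in the .te references either type; every rule that uses them now lives in `screen_per_role_template` in screen.if, which pulls them in through `gen_require`. A one-line comment above the declarations, e.g. `# screen_dir_t and screen_exec_t are used by screen_per_role_template() in screen.if`, would tell a reader why the module file declares types it never uses itself. The module header before old line 7 and anything after new line 13 are outside the section, so I cannot tell whether such a pointer already exists there.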
