Changeset 2750
- Timestamp:
- 07/09/08 07:27:50 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/apps/userhelper.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/apps/userhelper.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
- branches/rbacsep/policy/modules/system/init.if (modified) (1 diff)
branches/rbacsep/policy/modules/apps/userhelper.if
r2726 r2750 1 1 ## <summary>SELinux utility to run a shell with a new role</summary> 2 2 3 ######################################## 4 ## <summary> 5 ## Role access for userhelper 6 ## </summary> 7 ## <param name="role"> 8 ## <summary> 9 ## Role allowed access 10 ## </summary> 11 ## </param> 12 ## <param name="domain"> 13 ## <summary> 14 ## User domain for the role 15 ## </summary> 16 ## </param> 17 # 18 interface(`userhelper_role',` 19 gen_require(` 20 type userhelper_t, userhelper_exec_t; 21 ') 22 23 role $1 types userhelper_t; 24 25 # Transition from the user domain to the derived domain. 26 domtrans_pattern($2, userhelper_exec_t, userhelper_t) 27 3 ####################################### 4 ## <summary> 5 ## The role template for the userhelper module. 6 ## </summary> 7 ## <param name="userrole_prefix"> 8 ## <summary> 9 ## The prefix of the user role (e.g., user 10 ## is the prefix for user_r). 11 ## </summary> 12 ## </param> 13 ## <param name="user_role"> 14 ## <summary> 15 ## The user role. 16 ## </summary> 17 ## </param> 18 ## <param name="user_domain"> 19 ## <summary> 20 ## The user domain associated with the role. 
21 ## </summary> 22 ## </param> 23 # 24 template(`userhelper_role_template',` 25 gen_require(` 26 attribute userhelper_type; 27 type userhelper_exec_t, userhelper_conf_t; 28 ') 29 30 ######################################## 31 # 32 # Declarations 33 # 34 35 type $1_userhelper_t, userhelper_type; 36 application_domain($1_userhelper_t, userhelper_exec_t) 37 domain_role_change_exemption($1_userhelper_t) 38 domain_obj_id_change_exemption($1_userhelper_t) 39 domain_interactive_fd($1_userhelper_t) 40 domain_subj_id_change_exemption($1_userhelper_t) 41 role $2 types $1_userhelper_t; 42 43 ######################################## 44 # 45 # Local policy 46 # 47 allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; 48 allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 49 allow $1_userhelper_t self:process setexec; 50 allow $1_userhelper_t self:fd use; 51 allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; 52 allow $1_userhelper_t self:shm create_shm_perms; 53 allow $1_userhelper_t self:sem create_sem_perms; 54 allow $1_userhelper_t self:msgq create_msgq_perms; 55 allow $1_userhelper_t self:msg { send receive }; 56 allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; 57 allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; 58 allow $1_userhelper_t self:unix_dgram_socket sendto; 59 allow $1_userhelper_t self:unix_stream_socket connectto; 60 allow $1_userhelper_t self:sock_file read_sock_file_perms; 61 62 #Transition to the derived domain. 
63 domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) 64 65 allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; 66 rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) 67 68 can_exec($1_userhelper_t, userhelper_exec_t) 69 70 dontaudit $3 $1_userhelper_t:process signal; 71 72 kernel_read_all_sysctls($1_userhelper_t) 73 kernel_getattr_debugfs($1_userhelper_t) 74 kernel_read_system_state($1_userhelper_t) 75 76 # Execute shells 77 corecmd_exec_shell($1_userhelper_t) 28 78 # By default, revert to the calling domain when a program is executed 29 corecmd_bin_domtrans(userhelper_t, $2) 30 31 # allow ps to show userhelper 32 ps_process_pattern($2, userhelper_t) 33 dontaudit $2 userhelper_t:process signal; 79 corecmd_bin_domtrans($1_userhelper_t, $3) 80 81 # Inherit descriptors from the current session. 82 domain_use_interactive_fds($1_userhelper_t) 83 # for when the user types "exec userhelper" at the command line 84 domain_sigchld_interactive_fds($1_userhelper_t) 85 86 dev_read_urand($1_userhelper_t) 87 # Read /dev directories and any symbolic links. 88 dev_list_all_dev_nodes($1_userhelper_t) 89 90 files_list_var_lib($1_userhelper_t) 91 # Read the /etc/security/default_type file 92 files_read_etc_files($1_userhelper_t) 93 # Read /var. 94 files_read_var_files($1_userhelper_t) 95 files_read_var_symlinks($1_userhelper_t) 96 # for some PAM modules and for cwd 97 files_search_home($1_userhelper_t) 98 99 fs_search_auto_mountpoints($1_userhelper_t) 100 fs_read_nfs_files($1_userhelper_t) 101 fs_read_nfs_symlinks($1_userhelper_t) 102 103 # Allow $1_userhelper to obtain contexts to relabel TTYs 104 selinux_get_fs_mount($1_userhelper_t) 105 selinux_validate_context($1_userhelper_t) 106 selinux_compute_access_vector($1_userhelper_t) 107 selinux_compute_create_context($1_userhelper_t) 108 selinux_compute_relabel_context($1_userhelper_t) 109 selinux_compute_user_contexts($1_userhelper_t) 110 111 # Read the devpts root directory. 
112 term_list_ptys($1_userhelper_t) 113 # Relabel terminals. 114 term_relabel_all_user_ttys($1_userhelper_t) 115 term_relabel_all_user_ptys($1_userhelper_t) 116 # Access terminals. 117 term_use_all_user_ttys($1_userhelper_t) 118 term_use_all_user_ptys($1_userhelper_t) 119 120 auth_domtrans_chk_passwd($1_userhelper_t) 121 auth_manage_pam_pid($1_userhelper_t) 122 auth_manage_var_auth($1_userhelper_t) 123 auth_search_pam_console_data($1_userhelper_t) 124 125 # Inherit descriptors from the current session. 126 init_use_fds($1_userhelper_t) 127 # Write to utmp. 128 init_manage_utmp($1_userhelper_t) 129 init_pid_filetrans_utmp($1_userhelper_t) 130 131 libs_use_ld_so($1_userhelper_t) 132 libs_use_shared_libs($1_userhelper_t) 133 134 miscfiles_read_localization($1_userhelper_t) 135 136 seutil_read_config($1_userhelper_t) 137 seutil_read_default_contexts($1_userhelper_t) 138 139 userdom_use_unpriv_users_fds($1_userhelper_t) 140 # Allow $1_userhelper_t to transition to user domains. 141 userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) 142 userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) 143 144 ifdef(`distro_redhat',` 145 optional_policy(` 146 # Allow transitioning to rpm_t, for up2date 147 rpm_domtrans($1_userhelper_t) 148 ') 149 ') 150 151 optional_policy(` 152 ethereal_domtrans($1_userhelper_t) 153 ') 154 155 optional_policy(` 156 logging_send_syslog_msg($1_userhelper_t) 157 ') 158 159 optional_policy(` 160 nis_use_ypbind($1_userhelper_t) 161 ') 162 163 optional_policy(` 164 nscd_socket_use($1_userhelper_t) 165 ') 166 167 optional_policy(` 168 tunable_policy(`! 
secure_mode',` 169 #if we are not in secure mode then we can transition to sysadm_t 170 sysadm_bin_spec_domtrans($1_userhelper_t) 171 sysadm_entry_spec_domtrans($1_userhelper_t) 172 ') 173 ') 34 174 ') 35 175 … … 83 223 interface(`userhelper_use_fd',` 84 224 gen_require(` 85 type userhelper_t;86 ') 87 88 allow $1 userhelper_t :fd use;225 attribute userhelper_type; 226 ') 227 228 allow $1 userhelper_type:fd use; 89 229 ') 90 230 … … 101 241 interface(`userhelper_sigchld',` 102 242 gen_require(` 103 type userhelper_t;104 ') 105 106 allow $1 userhelper_t :process sigchld;243 attribute userhelper_type; 244 ') 245 246 allow $1 userhelper_type:process sigchld; 107 247 ') 108 248 … … 122 262 ') 123 263 124 can_exec($1, userhelper_exec_t)125 ') 264 can_exec($1, userhelper_exec_t) 265 ') branches/rbacsep/policy/modules/apps/userhelper.te
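Review bot: Every instance of `userhelper_role_template` gets `sysadm_bin_spec_domtrans` and `sysadm_entry_spec_domtrans` under `! secure_mode`, so the `user_userhelper_t` domain instantiated from unprivuser.te keeps the same route to sysadm_t that the old shared `userhelper_t` had; the per-role split does not narrow that path. If this is intended, it deserves a comment above the tunable, for example `# granted to every role's derived domain, including user_r's; restrict per role if not intended`. Otherwise the block could move out of the template into the role modules that need it. Separately, the removed `userhelper_role` interface called `ps_process_pattern($2, userhelper_t)` and the template has no equivalent for `$3`, yet it keeps `dontaudit $3 $1_userhelper_t:process signal;`. The user domain therefore appears to lose process visibility while signal denials stay unlogged.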
r2745 r2750 7 7 # 8 8 9 type userhelper_t; 10 type userhelper_exec_t; 11 application_domain(userhelper_t, userhelper_exec_t) 12 domain_role_change_exemption(userhelper_t) 13 domain_obj_id_change_exemption(userhelper_t) 14 domain_interactive_fd(userhelper_t) 15 domain_subj_id_change_exemption(userhelper_t) 9 attribute userhelper_type; 16 10 17 11 type userhelper_conf_t; 18 12 files_type(userhelper_conf_t) 19 13 20 ######################################## 21 # 22 # Local policy 23 # 24 allow userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; 25 allow userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 26 allow userhelper_t self:process setexec; 27 allow userhelper_t self:fd use; 28 allow userhelper_t self:fifo_file rw_fifo_file_perms; 29 allow userhelper_t self:shm create_shm_perms; 30 allow userhelper_t self:sem create_sem_perms; 31 allow userhelper_t self:msgq create_msgq_perms; 32 allow userhelper_t self:msg { send receive }; 33 allow userhelper_t self:unix_dgram_socket create_socket_perms; 34 allow userhelper_t self:unix_stream_socket create_stream_socket_perms; 35 allow userhelper_t self:unix_dgram_socket sendto; 36 allow userhelper_t self:unix_stream_socket connectto; 37 allow userhelper_t self:sock_file read_sock_file_perms; 38 39 allow userhelper_t userhelper_conf_t:dir rw_dir_perms; 40 rw_files_pattern(userhelper_t, userhelper_conf_t, userhelper_conf_t) 41 42 can_exec(userhelper_t, userhelper_exec_t) 43 44 kernel_read_all_sysctls(userhelper_t) 45 kernel_getattr_debugfs(userhelper_t) 46 kernel_read_system_state(userhelper_t) 47 48 # Execute shells 49 corecmd_exec_shell(userhelper_t) 50 51 # Inherit descriptors from the current session. 
52 domain_use_interactive_fds(userhelper_t) 53 # for when the user types "exec userhelper" at the command line 54 domain_sigchld_interactive_fds(userhelper_t) 55 56 dev_read_urand(userhelper_t) 57 # Read /dev directories and any symbolic links. 58 dev_list_all_dev_nodes(userhelper_t) 59 60 files_list_var_lib(userhelper_t) 61 # Write to utmp. 62 files_pid_filetrans(userhelper_t,initrc_var_run_t,file) 63 # Read the /etc/security/default_type file 64 files_read_etc_files(userhelper_t) 65 # Read /var. 66 files_read_var_files(userhelper_t) 67 files_read_var_symlinks(userhelper_t) 68 # for some PAM modules and for cwd 69 files_search_home(userhelper_t) 70 71 fs_search_auto_mountpoints(userhelper_t) 72 fs_read_nfs_files(userhelper_t) 73 fs_read_nfs_symlinks(userhelper_t) 74 75 # Allow userhelper to obtain contexts to relabel TTYs 76 selinux_get_fs_mount(userhelper_t) 77 selinux_validate_context(userhelper_t) 78 selinux_compute_access_vector(userhelper_t) 79 selinux_compute_create_context(userhelper_t) 80 selinux_compute_relabel_context(userhelper_t) 81 selinux_compute_user_contexts(userhelper_t) 82 83 # Read the devpts root directory. 84 term_list_ptys(userhelper_t) 85 # Relabel terminals. 86 term_relabel_all_user_ttys(userhelper_t) 87 term_relabel_all_user_ptys(userhelper_t) 88 # Access terminals. 89 term_use_all_user_ttys(userhelper_t) 90 term_use_all_user_ptys(userhelper_t) 91 92 auth_domtrans_chk_passwd(userhelper_t) 93 auth_manage_pam_pid(userhelper_t) 94 auth_manage_var_auth(userhelper_t) 95 auth_search_pam_console_data(userhelper_t) 96 97 # Inherit descriptors from the current session. 98 init_use_fds(userhelper_t) 99 # Write to utmp. 
100 init_manage_utmp(userhelper_t) 101 102 libs_use_ld_so(userhelper_t) 103 libs_use_shared_libs(userhelper_t) 104 105 miscfiles_read_localization(userhelper_t) 106 107 seutil_read_config(userhelper_t) 108 seutil_read_default_contexts(userhelper_t) 109 110 userdom_use_unpriv_users_fds(userhelper_t) 111 # Allow userhelper_t to transition to user domains. 112 userdom_bin_spec_domtrans_unpriv_users(userhelper_t) 113 userdom_entry_spec_domtrans_unpriv_users(userhelper_t) 114 115 ifdef(`distro_redhat',` 116 optional_policy(` 117 # Allow transitioning to rpm_t, for up2date 118 rpm_domtrans(userhelper_t) 119 ') 120 ') 121 122 tunable_policy(`! secure_mode',` 123 #if we are not in secure mode then we can transition to sysadm_t 124 sysadm_bin_spec_domtrans(userhelper_t) 125 sysadm_entry_spec_domtrans(userhelper_t) 126 ') 127 128 optional_policy(` 129 ethereal_domtrans(userhelper_t) 130 ') 131 132 optional_policy(` 133 logging_send_syslog_msg(userhelper_t) 134 ') 135 136 optional_policy(` 137 nis_use_ypbind(userhelper_t) 138 ') 139 140 optional_policy(` 141 nscd_socket_use(userhelper_t) 142 ') 143 144 optional_policy(` 145 wireshark_domtrans(userhelper_t) 146 ') 14 type userhelper_exec_t; 15 application_executable_file(userhelper_exec_t) branches/rbacsep/policy/modules/roles/auditadm.te
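Review bot: The removed local policy had an optional `wireshark_domtrans(userhelper_t)` block, but `userhelper_role_template` in userhelper.if carries over only `ethereal_domtrans($1_userhelper_t)`, so that transition appears to be dropped by the move rather than migrated. If the drop is not deliberate, the template needs a matching `optional_policy` block calling `wireshark_domtrans($1_userhelper_t)`. Also, with `userhelper_t` no longer declared here, any module outside this changeset that still requires `type userhelper_t` would fail to build. The two interfaces visible in userhelper.if were switched to `attribute userhelper_type`, but callers elsewhere are not shown.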
r2738 r2750 162 162 163 163 optional_policy(` 164 userhelper_role (auditadm_r, auditadm_t)164 userhelper_role_template(auditadm, auditadm_r, auditadm_t) 165 165 ') 166 166 branches/rbacsep/policy/modules/roles/secadm.te
r2738 r2750 178 178 179 179 optional_policy(` 180 userhelper_role (secadm_r, secadm_t)180 userhelper_role_template(secadm, secadm_r, secadm_t) 181 181 ') 182 182 branches/rbacsep/policy/modules/roles/staff.te
r2738 r2750 146 146 147 147 optional_policy(` 148 userhelper_role (staff_r, staff_t)148 userhelper_role_template(staff, staff_r, staff_t) 149 149 ') 150 150 branches/rbacsep/policy/modules/roles/sysadm.te
r2738 r2750 411 411 412 412 optional_policy(` 413 userhelper_role (sysadm_r, sysadm_t)413 userhelper_role_template(sysadm, sysadm_r, sysadm_t) 414 414 ') 415 415 branches/rbacsep/policy/modules/roles/unprivuser.te
r2738 r2750 131 131 132 132 optional_policy(` 133 userhelper_role (user_r, user_t)133 userhelper_role_template(user, user_r, user_t) 134 134 ') 135 135 branches/rbacsep/policy/modules/system/init.if
r2479 r2750 1274 1274 allow $1 initrc_var_run_t:file manage_file_perms; 1275 1275 ') 1276 1277 ######################################## 1278 ## <summary> 1279 ## Create files in /var/run with the 1280 ## utmp file type. 1281 ## </summary> 1282 ## <param name="domain"> 1283 ## <summary> 1284 ## Domain access allowed. 1285 ## </summary> 1286 ## </param> 1287 # 1288 interface(`init_pid_filetrans_utmp',` 1289 gen_require(` 1290 type initrc_var_run_t; 1291 ') 1292 1293 files_pid_filetrans($1, initrc_var_run_t, file) 1294 ')
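Review bot: The summary on `init_pid_filetrans_utmp` should say that the transition is not limited to utmp. `files_pid_filetrans($1, initrc_var_run_t, file)` names only an object class, so presumably every regular file the caller creates in the pid directory is labelled `initrc_var_run_t`. For a caller such as the userhelper template, any other file it creates in /var/run would then fall under the same `initrc_var_run_t:file manage_file_perms` access shown just above this interface. I would extend the description with `## All regular files the domain creates in /var/run receive the utmp type, not only utmp itself.`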
