Changeset 2753
- Timestamp:
- 07/09/08 09:43:33 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
- branches/rbacsep/policy/modules/services/dbus.if (modified) (4 diffs)
- branches/rbacsep/policy/modules/services/dbus.te (modified) (2 diffs)
branches/rbacsep/policy/modules/roles/auditadm.te
r2752 r2753 53 53 54 54 optional_policy(` 55 dbus_role (auditadm_r, auditadm_t)55 dbus_role_template(auditadm, auditadm_r, auditadm_t) 56 56 ') 57 57 branches/rbacsep/policy/modules/roles/secadm.te
r2752 r2753 65 65 66 66 optional_policy(` 67 dbus_role (secadm_r, secadm_t)67 dbus_role_template(secadm, secadm_r, secadm_t) 68 68 ') 69 69 branches/rbacsep/policy/modules/roles/staff.te
r2752 r2753 37 37 38 38 optional_policy(` 39 dbus_role (staff_r, staff_t)39 dbus_role_template(staff, staff_r, staff_t) 40 40 ') 41 41 branches/rbacsep/policy/modules/roles/sysadm.te
r2752 r2753 128 128 129 129 optional_policy(` 130 dbus_role (sysadm_r, sysadm_t)130 dbus_role_template(sysadm, sysadm_r, sysadm_t) 131 131 ') 132 132 branches/rbacsep/policy/modules/roles/unprivuser.te
r2752 r2753 31 31 32 32 optional_policy(` 33 dbus_role (user_r, user_t)33 dbus_role_template(user, user_r, user_t) 34 34 ') 35 35 branches/rbacsep/policy/modules/services/dbus.if
r2745 r2753 22 22 ## Role access for dbus 23 23 ## </summary> 24 ## <param name="role_prefix"> 25 ## <summary> 26 ## The prefix of the user role (e.g., user 27 ## is the prefix for user_r). 28 ## </summary> 29 ## </param> 24 30 ## <param name="role"> 25 31 ## <summary> … … 33 39 ## </param> 34 40 # 35 interface(`dbus_role',`41 template(`dbus_role_template',` 36 42 gen_require(` 37 43 class dbus { send_msg acquire_svc }; 38 44 39 type system_dbusd_t, session_dbusd_t, dbusd_exec_t; 40 type session_dbusd_tmp_t; 41 ') 42 43 role $1 types { session_dbusd_t session_dbusd_tmp_t }; 44 45 domtrans_pattern($2, dbusd_exec_t, session_dbusd_t) 46 allow $2 session_dbusd_t:process { sigkill signal }; 45 attribute session_bus_type; 46 type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t; 47 ') 48 49 ############################## 50 # 51 # Delcarations 52 # 53 54 type $1_dbusd_t, session_bus_type; 55 domain_type($1_dbusd_t) 56 domain_entry_file($1_dbusd_t, dbusd_exec_t) 57 role $2 types $1_dbusd_t; 58 59 ############################## 60 # 61 # Local policy 62 # 63 64 allow $1_dbusd_t self:process { getattr sigkill signal }; 65 dontaudit $1_dbusd_t self:process ptrace; 66 allow $1_dbusd_t self:file { getattr read write }; 67 allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; 68 allow $1_dbusd_t self:dbus { send_msg acquire_svc }; 69 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; 70 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; 71 allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; 72 allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; 73 47 74 # For connecting to the bus 48 allow $ 2 session_dbusd_t:unix_stream_socket connectto;75 allow $3 $1_dbusd_t:unix_stream_socket connectto; 49 76 50 77 # SE-DBus specific permissions 51 allow $2 session_dbusd_t:dbus { send_msg acquire_svc }; 52 allow $2 system_dbusd_t:dbus { send_msg acquire_svc }; 78 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; 79 allow $3 
system_dbusd_t:dbus { send_msg acquire_svc }; 80 81 allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; 82 read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) 83 read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) 84 85 manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) 86 manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) 87 files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) 88 89 domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) 90 allow $3 $1_dbusd_t:process { sigkill signal }; 53 91 54 92 # cjp: this seems very broken 55 corecmd_bin_domtrans(session_dbusd_t, $2) 56 allow session_dbusd_t $2:process sigkill; 57 allow $2 session_dbusd_t:fd use; 58 allow $2 session_dbusd_t:fifo_file rw_fifo_file_perms; 59 allow $2 session_dbusd_t:process sigchld; 93 corecmd_bin_domtrans($1_dbusd_t, $3) 94 allow $1_dbusd_t $3:process sigkill; 95 allow $3 $1_dbusd_t:fd use; 96 allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; 97 allow $3 $1_dbusd_t:process sigchld; 98 99 kernel_read_system_state($1_dbusd_t) 100 kernel_read_kernel_sysctls($1_dbusd_t) 101 102 corecmd_list_bin($1_dbusd_t) 103 corecmd_read_bin_symlinks($1_dbusd_t) 104 corecmd_read_bin_files($1_dbusd_t) 105 corecmd_read_bin_pipes($1_dbusd_t) 106 corecmd_read_bin_sockets($1_dbusd_t) 107 108 corenet_all_recvfrom_unlabeled($1_dbusd_t) 109 corenet_all_recvfrom_netlabel($1_dbusd_t) 110 corenet_tcp_sendrecv_all_if($1_dbusd_t) 111 corenet_tcp_sendrecv_all_nodes($1_dbusd_t) 112 corenet_tcp_sendrecv_all_ports($1_dbusd_t) 113 corenet_tcp_bind_all_nodes($1_dbusd_t) 114 corenet_tcp_bind_reserved_port($1_dbusd_t) 115 116 dev_read_urand($1_dbusd_t) 117 118 domain_use_interactive_fds($1_dbusd_t) 119 120 files_read_etc_files($1_dbusd_t) 121 files_list_home($1_dbusd_t) 122 files_read_usr_files($1_dbusd_t) 123 files_dontaudit_search_var($1_dbusd_t) 124 125 fs_getattr_romfs($1_dbusd_t) 126 fs_getattr_xattr_fs($1_dbusd_t) 127 128 selinux_get_fs_mount($1_dbusd_t) 129 
selinux_validate_context($1_dbusd_t) 130 selinux_compute_access_vector($1_dbusd_t) 131 selinux_compute_create_context($1_dbusd_t) 132 selinux_compute_relabel_context($1_dbusd_t) 133 selinux_compute_user_contexts($1_dbusd_t) 134 135 auth_read_pam_console_data($1_dbusd_t) 136 auth_use_nsswitch($1_dbusd_t) 137 138 libs_use_ld_so($1_dbusd_t) 139 libs_use_shared_libs($1_dbusd_t) 140 141 logging_send_audit_msgs($1_dbusd_t) 142 logging_send_syslog_msg($1_dbusd_t) 143 144 miscfiles_read_localization($1_dbusd_t) 145 146 seutil_read_config($1_dbusd_t) 147 seutil_read_default_contexts($1_dbusd_t) 148 149 userdom_read_user_home_content_files($1_dbusd_t) 60 150 61 151 ifdef(`hide_broken_symptoms', ` 62 dontaudit $2 session_dbusd_t:netlink_selinux_socket { read write }; 152 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; 153 ') 154 155 tunable_policy(`read_default_t',` 156 files_list_default($1_dbusd_t) 157 files_read_default_files($1_dbusd_t) 158 files_read_default_symlinks($1_dbusd_t) 159 files_read_default_sockets($1_dbusd_t) 160 files_read_default_pipes($1_dbusd_t) 161 ') 162 163 optional_policy(` 164 hal_dbus_chat($1_dbusd_t) 165 ') 166 167 optional_policy(` 168 xserver_use_xdm_fds($1_dbusd_t) 169 xserver_rw_xdm_pipes($1_dbusd_t) 63 170 ') 64 171 ') … … 107 214 interface(`dbus_session_bus_client',` 108 215 gen_require(` 109 type session_dbusd_t;216 attribute session_bus_type; 110 217 class dbus send_msg; 111 218 ') 112 219 113 220 # SE-DBus specific permissions 114 allow $1 { session_ dbusd_tself }:dbus send_msg;221 allow $1 { session_bus_type self }:dbus send_msg; 115 222 116 223 # For connecting to the bus 117 allow $1 session_ dbusd_t:unix_stream_socket connectto;224 allow $1 session_bus_type:unix_stream_socket connectto; 118 225 ') 119 226 … … 130 237 interface(`dbus_send_session_bus',` 131 238 gen_require(` 132 type session_dbusd_t;239 attribute session_bus_type; 133 240 class dbus send_msg; 134 241 ') 135 242 136 allow $1 session_ dbusd_t:dbus 
send_msg;243 allow $1 session_bus_type:dbus send_msg; 137 244 ') 138 245 branches/rbacsep/policy/modules/services/dbus.te
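Review bot: `dbusd_etc_t` is used inside dbus_role_template (`allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;` and the two read_*_pattern lines after it) but is not listed in the template's gen_require block, which now names only `session_bus_type`, `system_dbusd_t`, `session_dbusd_tmp_t` and `dbusd_exec_t`; because the template is expanded inside the role modules (staff.te, sysadm.te, …), that type will be undeclared there when the module is linked. The require line should read `type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;`. Separately, `dbus_session_bus_client` and `dbus_send_session_bus` now grant connectto and send_msg against the whole `session_bus_type` attribute, i.e. every role's bus created by the template, so a client running in one role can reach another role's session bus; if the per-role bus domains are meant to enforce role separation, a per-role client interface (or at least a sentence in those interfaces' summaries stating that the grant is bus-wide) seems warranted. The `# Delcarations` section header in the template also misspells "Declarations".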
r2745 r2753 11 11 # 12 12 13 type dbusd_etc_t alias etc_dbusd_t; 13 attribute session_bus_type; 14 15 type dbusd_etc_t; 14 16 files_type(dbusd_etc_t) 15 17 16 type session_dbusd_t; 17 type dbusd_exec_t alias system_dbusd_exec_t; 18 domain_type(session_dbusd_t) 19 domain_entry_file(session_dbusd_t, dbusd_exec_t) 18 type dbusd_exec_t; 19 corecmd_executable_file(dbusd_exec_t) 20 20 21 21 type session_dbusd_tmp_t; 22 22 files_tmp_file(session_dbusd_tmp_t) 23 23 24 type system_dbusd_t alias dbusd_t;24 type system_dbusd_t; 25 25 init_system_domain(system_dbusd_t, dbusd_exec_t) 26 26 … … 33 33 type system_dbusd_var_run_t; 34 34 files_pid_file(system_dbusd_var_run_t) 35 36 ##############################37 #38 # Local policy39 #40 41 allow session_dbusd_t self:process { getattr sigkill signal };42 dontaudit session_dbusd_t self:process ptrace;43 allow session_dbusd_t self:file { getattr read write };44 allow session_dbusd_t self:fifo_file rw_fifo_file_perms;45 allow session_dbusd_t self:dbus { send_msg acquire_svc };46 allow session_dbusd_t self:unix_stream_socket create_stream_socket_perms;47 allow session_dbusd_t self:unix_dgram_socket create_socket_perms;48 allow session_dbusd_t self:tcp_socket create_stream_socket_perms;49 allow session_dbusd_t self:netlink_selinux_socket create_socket_perms;50 51 # SE-DBus specific permissions52 allow session_dbusd_t self:dbus send_msg;53 54 allow session_dbusd_t dbusd_etc_t:dir list_dir_perms;55 read_files_pattern(session_dbusd_t, dbusd_etc_t, dbusd_etc_t)56 read_lnk_files_pattern(session_dbusd_t, dbusd_etc_t, dbusd_etc_t)57 58 manage_dirs_pattern(session_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)59 manage_files_pattern(session_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)60 files_tmp_filetrans(session_dbusd_t, session_dbusd_tmp_t, { file dir })61 62 kernel_read_system_state(session_dbusd_t)63 kernel_read_kernel_sysctls(session_dbusd_t)64 65 corecmd_list_bin(session_dbusd_t)66 corecmd_read_bin_symlinks(session_dbusd_t)67 
corecmd_read_bin_files(session_dbusd_t)68 corecmd_read_bin_pipes(session_dbusd_t)69 corecmd_read_bin_sockets(session_dbusd_t)70 71 corenet_all_recvfrom_unlabeled(session_dbusd_t)72 corenet_all_recvfrom_netlabel(session_dbusd_t)73 corenet_tcp_sendrecv_all_if(session_dbusd_t)74 corenet_tcp_sendrecv_all_nodes(session_dbusd_t)75 corenet_tcp_sendrecv_all_ports(session_dbusd_t)76 corenet_tcp_bind_all_nodes(session_dbusd_t)77 corenet_tcp_bind_reserved_port(session_dbusd_t)78 79 dev_read_urand(session_dbusd_t)80 81 domain_use_interactive_fds(session_dbusd_t)82 83 files_read_etc_files(session_dbusd_t)84 files_list_home(session_dbusd_t)85 files_read_usr_files(session_dbusd_t)86 files_dontaudit_search_var(session_dbusd_t)87 88 fs_getattr_romfs(session_dbusd_t)89 fs_getattr_xattr_fs(session_dbusd_t)90 91 selinux_get_fs_mount(session_dbusd_t)92 selinux_validate_context(session_dbusd_t)93 selinux_compute_access_vector(session_dbusd_t)94 selinux_compute_create_context(session_dbusd_t)95 selinux_compute_relabel_context(session_dbusd_t)96 selinux_compute_user_contexts(session_dbusd_t)97 98 auth_read_pam_console_data(session_dbusd_t)99 auth_use_nsswitch(session_dbusd_t)100 101 libs_use_ld_so(session_dbusd_t)102 libs_use_shared_libs(session_dbusd_t)103 104 logging_send_audit_msgs(session_dbusd_t)105 logging_send_syslog_msg(session_dbusd_t)106 107 miscfiles_read_localization(session_dbusd_t)108 109 seutil_read_config(session_dbusd_t)110 seutil_read_default_contexts(session_dbusd_t)111 112 userdom_read_user_home_content_files(session_dbusd_t)113 114 tunable_policy(`read_default_t',`115 files_list_default(session_dbusd_t)116 files_read_default_files(session_dbusd_t)117 files_read_default_symlinks(session_dbusd_t)118 files_read_default_sockets(session_dbusd_t)119 files_read_default_pipes(session_dbusd_t)120 ')121 122 optional_policy(`123 hal_dbus_chat(session_dbusd_t)124 ')125 126 optional_policy(`127 xserver_use_xdm_fds(session_dbusd_t)128 xserver_rw_xdm_pipes(session_dbusd_t)129 ')130 
35 131 36 ##############################
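Review bot: `session_dbusd_tmp_t` remains a single type declared here, yet every per-role bus domain created by dbus_role_template receives manage_dirs_pattern, manage_files_pattern and files_tmp_filetrans on it, so the tmp files of one role's session bus are fully writable by every other role's bus domain and the tmp side does not follow the separation that the new `session_bus_type` domains introduce. A per-role `type $1_dbusd_tmp_t; files_tmp_file($1_dbusd_tmp_t)` declared in the template's declarations section, with the three pattern/filetrans calls pointed at it, would keep those labels role-private, and `session_dbusd_tmp_t` could then leave the template's gen_require. Dropping the `etc_dbusd_t`, `system_dbusd_exec_t` and `dbusd_t` aliases is also a compatibility change for any file_contexts or out-of-tree policy still using the old names; if that is intended it deserves a line in the commit message.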
