commit: a68e032aac3356ebd35f03c8fb64b916bf4309c0 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 12:28:10 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:33:24 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a68e032a |
|
Changes to the userhelper policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/shutdown.if | 18 ++++ |
policy/modules/contrib/shutdown.te | 2 +- |
policy/modules/contrib/userhelper.fc | 10 +-- |
policy/modules/contrib/userhelper.if | 166 ++++++++++++---------------------- |
policy/modules/contrib/userhelper.te | 154 +++++++++++++++++++++++++++++++- |
5 files changed, 233 insertions(+), 117 deletions(-) |
|
22 |
diff --git a/policy/modules/contrib/shutdown.if b/policy/modules/contrib/shutdown.if |
23 |
index 32a68bb..d1706bf 100644 |
24 |
--- a/policy/modules/contrib/shutdown.if |
25 |
+++ b/policy/modules/contrib/shutdown.if |
26 |
@@ -73,6 +73,24 @@ interface(`shutdown_run',` |
27 |
|
28 |
######################################## |
29 |
## <summary> |
30 |
+## Send generic signals to shutdown. |
31 |
+## </summary> |
32 |
+## <param name="domain"> |
33 |
+## <summary> |
34 |
+## Domain allowed access. |
35 |
+## </summary> |
36 |
+## </param> |
37 |
+# |
38 |
+interface(`shutdown_signal',` |
39 |
+ gen_require(` |
40 |
+ type shutdown_t; |
41 |
+ ') |
42 |
+ |
43 |
+ allow shutdown_t $1:process signal; |
44 |
+') |
45 |
+ |
46 |
+######################################## |
47 |
+## <summary> |
48 |
## Get attributes of shutdown executable files. |
49 |
## </summary> |
50 |
## <param name="domain"> |
51 |
|
52 |
diff --git a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te |
53 |
index d866caf..7880d1f 100644 |
54 |
--- a/policy/modules/contrib/shutdown.te |
55 |
+++ b/policy/modules/contrib/shutdown.te |
56 |
@@ -1,4 +1,4 @@ |
57 |
-policy_module(shutdown, 1.1.1) |
58 |
+policy_module(shutdown, 1.1.2) |
59 |
|
60 |
######################################## |
61 |
# |
62 |
|
63 |
diff --git a/policy/modules/contrib/userhelper.fc b/policy/modules/contrib/userhelper.fc |
64 |
index cb0d756..c416a83 100644 |
65 |
--- a/policy/modules/contrib/userhelper.fc |
66 |
+++ b/policy/modules/contrib/userhelper.fc |
67 |
@@ -1,9 +1,5 @@ |
68 |
-# |
69 |
-# /etc |
70 |
-# |
71 |
/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) |
72 |
|
73 |
-# |
74 |
-# /usr |
75 |
-# |
76 |
-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) |
77 |
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) |
78 |
+ |
79 |
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) |
80 |
\ No newline at end of file |
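Review bot: The new last line of userhelper.fc, `/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)`, is written without a trailing newline, as the `\ No newline at end of file` marker shows, while the removed copy of the same line did end the file normally. Some file-context tooling and line-oriented diffs treat an unterminated final line inconsistently, so the entry should be terminated with a newline before the file is merged. No other change to the hunk is needed.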
81 |
|
82 |
diff --git a/policy/modules/contrib/userhelper.if b/policy/modules/contrib/userhelper.if |
83 |
index 65baaac..7e33652 100644 |
84 |
--- a/policy/modules/contrib/userhelper.if |
85 |
+++ b/policy/modules/contrib/userhelper.if |
86 |
@@ -1,4 +1,4 @@ |
87 |
-## <summary>SELinux utility to run a shell with a new role</summary> |
88 |
+## <summary>A wrapper that helps users run system programs.</summary> |
89 |
|
90 |
####################################### |
91 |
## <summary> |
92 |
@@ -23,8 +23,9 @@ |
93 |
# |
94 |
template(`userhelper_role_template',` |
95 |
gen_require(` |
96 |
- attribute userhelper_type; |
97 |
- type userhelper_exec_t, userhelper_conf_t; |
98 |
+ attribute userhelper_type, consolehelper_type; |
99 |
+ attribute_role userhelper_roles, consolehelper_roles; |
100 |
+ type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; |
101 |
') |
102 |
|
103 |
######################################## |
104 |
@@ -32,133 +33,62 @@ template(`userhelper_role_template',` |
105 |
# Declarations |
106 |
# |
107 |
|
108 |
+ type $1_consolehelper_t, consolehelper_type; |
109 |
+ userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) |
110 |
+ |
111 |
+ role consolehelper_roles types $1_consolehelper_t; |
112 |
+ roleattribute $2 consolehelper_roles; |
113 |
+ |
114 |
type $1_userhelper_t, userhelper_type; |
115 |
userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) |
116 |
+ |
117 |
domain_role_change_exemption($1_userhelper_t) |
118 |
domain_obj_id_change_exemption($1_userhelper_t) |
119 |
domain_interactive_fd($1_userhelper_t) |
120 |
domain_subj_id_change_exemption($1_userhelper_t) |
121 |
- role $2 types $1_userhelper_t; |
122 |
+ |
123 |
+ role userhelper_roles types $1_userhelper_t; |
124 |
+ roleattribute $2 userhelper_roles; |
125 |
|
126 |
######################################## |
127 |
# |
128 |
- # Local policy |
129 |
+ # Consolehelper local policy |
130 |
# |
131 |
- allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; |
132 |
- allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
133 |
- allow $1_userhelper_t self:process setexec; |
134 |
- allow $1_userhelper_t self:fd use; |
135 |
- allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; |
136 |
- allow $1_userhelper_t self:shm create_shm_perms; |
137 |
- allow $1_userhelper_t self:sem create_sem_perms; |
138 |
- allow $1_userhelper_t self:msgq create_msgq_perms; |
139 |
- allow $1_userhelper_t self:msg { send receive }; |
140 |
- allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; |
141 |
- allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; |
142 |
- allow $1_userhelper_t self:unix_dgram_socket sendto; |
143 |
- allow $1_userhelper_t self:unix_stream_socket connectto; |
144 |
- allow $1_userhelper_t self:sock_file read_sock_file_perms; |
145 |
|
146 |
- #Transition to the derived domain. |
147 |
- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) |
148 |
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) |
149 |
|
150 |
- allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; |
151 |
- rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) |
152 |
- |
153 |
- can_exec($1_userhelper_t, userhelper_exec_t) |
154 |
- |
155 |
- dontaudit $3 $1_userhelper_t:process signal; |
156 |
+ allow $3 $1_consolehelper_t:process { ptrace signal_perms }; |
157 |
+ ps_process_pattern($3, $1_consolehelper_t) |
158 |
|
159 |
- kernel_read_all_sysctls($1_userhelper_t) |
160 |
- kernel_getattr_debugfs($1_userhelper_t) |
161 |
- kernel_read_system_state($1_userhelper_t) |
162 |
+ auth_use_pam($1_consolehelper_t) |
163 |
|
164 |
- # Execute shells |
165 |
- corecmd_exec_shell($1_userhelper_t) |
166 |
- # By default, revert to the calling domain when a program is executed |
167 |
- corecmd_bin_domtrans($1_userhelper_t, $3) |
168 |
- |
169 |
- # Inherit descriptors from the current session. |
170 |
- domain_use_interactive_fds($1_userhelper_t) |
171 |
- # for when the user types "exec userhelper" at the command line |
172 |
- domain_sigchld_interactive_fds($1_userhelper_t) |
173 |
+ optional_policy(` |
174 |
+ dbus_connect_all_session_bus($1_consolehelper_t) |
175 |
|
176 |
- dev_read_urand($1_userhelper_t) |
177 |
- # Read /dev directories and any symbolic links. |
178 |
- dev_list_all_dev_nodes($1_userhelper_t) |
179 |
+ optional_policy(` |
180 |
+ userhelper_dbus_chat_all_consolehelper($3) |
181 |
+ ') |
182 |
+ ') |
183 |
|
184 |
- files_list_var_lib($1_userhelper_t) |
185 |
- # Read the /etc/security/default_type file |
186 |
- files_read_etc_files($1_userhelper_t) |
187 |
- # Read /var. |
188 |
- files_read_var_files($1_userhelper_t) |
189 |
- files_read_var_symlinks($1_userhelper_t) |
190 |
- # for some PAM modules and for cwd |
191 |
- files_search_home($1_userhelper_t) |
192 |
+ ######################################## |
193 |
+ # |
194 |
+ # Userhelper local policy |
195 |
+ # |
196 |
|
197 |
- fs_search_auto_mountpoints($1_userhelper_t) |
198 |
- fs_read_nfs_files($1_userhelper_t) |
199 |
- fs_read_nfs_symlinks($1_userhelper_t) |
200 |
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) |
201 |
|
202 |
- # Allow $1_userhelper to obtain contexts to relabel TTYs |
203 |
- selinux_get_fs_mount($1_userhelper_t) |
204 |
- selinux_validate_context($1_userhelper_t) |
205 |
- selinux_compute_access_vector($1_userhelper_t) |
206 |
- selinux_compute_create_context($1_userhelper_t) |
207 |
- selinux_compute_relabel_context($1_userhelper_t) |
208 |
- selinux_compute_user_contexts($1_userhelper_t) |
209 |
+ dontaudit $3 $1_userhelper_t:process signal; |
210 |
|
211 |
- # Read the devpts root directory. |
212 |
- term_list_ptys($1_userhelper_t) |
213 |
- # Relabel terminals. |
214 |
- term_relabel_all_ttys($1_userhelper_t) |
215 |
- term_relabel_all_ptys($1_userhelper_t) |
216 |
- # Access terminals. |
217 |
- term_use_all_ttys($1_userhelper_t) |
218 |
- term_use_all_ptys($1_userhelper_t) |
219 |
+ corecmd_bin_domtrans($1_userhelper_t, $3) |
220 |
|
221 |
auth_domtrans_chk_passwd($1_userhelper_t) |
222 |
- auth_manage_pam_pid($1_userhelper_t) |
223 |
- auth_manage_var_auth($1_userhelper_t) |
224 |
- auth_search_pam_console_data($1_userhelper_t) |
225 |
+ auth_use_nsswitch($1_userhelper_t) |
226 |
|
227 |
- # Inherit descriptors from the current session. |
228 |
- init_use_fds($1_userhelper_t) |
229 |
- # Write to utmp. |
230 |
- init_manage_utmp($1_userhelper_t) |
231 |
- init_pid_filetrans_utmp($1_userhelper_t) |
232 |
- |
233 |
- miscfiles_read_localization($1_userhelper_t) |
234 |
- |
235 |
- seutil_read_config($1_userhelper_t) |
236 |
- seutil_read_default_contexts($1_userhelper_t) |
237 |
- |
238 |
- # Allow $1_userhelper_t to transition to user domains. |
239 |
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) |
240 |
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) |
241 |
|
242 |
- ifdef(`distro_redhat',` |
243 |
- optional_policy(` |
244 |
- # Allow transitioning to rpm_t, for up2date |
245 |
- rpm_domtrans($1_userhelper_t) |
246 |
- ') |
247 |
- ') |
248 |
- |
249 |
- optional_policy(` |
250 |
- logging_send_syslog_msg($1_userhelper_t) |
251 |
- ') |
252 |
- |
253 |
- optional_policy(` |
254 |
- nis_use_ypbind($1_userhelper_t) |
255 |
- ') |
256 |
- |
257 |
- optional_policy(` |
258 |
- nscd_socket_use($1_userhelper_t) |
259 |
- ') |
260 |
- |
261 |
optional_policy(` |
262 |
tunable_policy(`! secure_mode',` |
263 |
- #if we are not in secure mode then we can transition to sysadm_t |
264 |
sysadm_bin_spec_domtrans($1_userhelper_t) |
265 |
sysadm_entry_spec_domtrans($1_userhelper_t) |
266 |
') |
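Review bot: `allow $3 $1_consolehelper_t:process { ptrace signal_perms };`, which replaces the former `dontaudit $3 $1_userhelper_t:process signal;` for the consolehelper half, lets the calling user domain ptrace the derived consolehelper domain, and userhelper.te in this same commit grants `consolehelper_type` the `setgid setuid dac_override` capabilities, so this permits a user domain to attach to a process holding elevated capabilities. The kernel's own dumpable check may still refuse the attach, but the policy should not be what permits it, and the userhelper half of the same template keeps only a `dontaudit $3 $1_userhelper_t:process signal;`. Unless consolehelper genuinely must be debuggable from the user domain, drop `ptrace` here, leaving `allow $3 $1_consolehelper_t:process signal_perms;`, or gate the `ptrace` permission behind a tunable so it is off by default. The enclosing `userhelper_role_template` starts before and continues after this hunk.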
267 |
@@ -167,7 +97,7 @@ template(`userhelper_role_template',` |
268 |
|
269 |
######################################## |
270 |
## <summary> |
271 |
-## Search the userhelper configuration directory. |
272 |
+## Search userhelper configuration directories. |
273 |
## </summary> |
274 |
## <param name="domain"> |
275 |
## <summary> |
276 |
@@ -186,7 +116,7 @@ interface(`userhelper_search_config',` |
277 |
######################################## |
278 |
## <summary> |
279 |
## Do not audit attempts to search |
280 |
-## the userhelper configuration directory. |
281 |
+## userhelper configuration directories. |
282 |
## </summary> |
283 |
## <param name="domain"> |
284 |
## <summary> |
285 |
@@ -204,7 +134,28 @@ interface(`userhelper_dontaudit_search_config',` |
286 |
|
287 |
######################################## |
288 |
## <summary> |
289 |
-## Allow domain to use userhelper file descriptor. |
290 |
+## Send and receive messages from |
291 |
+## consolehelper over dbus. |
292 |
+## </summary> |
293 |
+## <param name="domain"> |
294 |
+## <summary> |
295 |
+## Domain allowed access. |
296 |
+## </summary> |
297 |
+## </param> |
298 |
+# |
299 |
+interface(`userhelper_dbus_chat_all_consolehelper',` |
300 |
+ gen_require(` |
301 |
+ attribute consolehelper_type; |
302 |
+ class dbus send_msg; |
303 |
+ ') |
304 |
+ |
305 |
+ allow $1 consolehelper_type:dbus send_msg; |
306 |
+ allow consolehelper_type $1:dbus send_msg; |
307 |
+') |
308 |
+ |
309 |
+######################################## |
310 |
+## <summary> |
311 |
+## Use userhelper all userhelper file descriptors. |
312 |
## </summary> |
313 |
## <param name="domain"> |
314 |
## <summary> |
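Review bot: The new summary for the interface that follows the added `userhelper_dbus_chat_all_consolehelper`, `## Use userhelper all userhelper file descriptors.`, is ungrammatical and does not say which interface it documents; the body of that interface (`userhelper_use_fd`, per the next hunk header) lies outside this hunk. Replace it with `## Use all userhelper file descriptors.`, matching the wording style of the other summaries changed in this commit. The dbus interface itself follows the usual bidirectional `send_msg` pattern and needs no change.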
315 |
@@ -222,7 +173,7 @@ interface(`userhelper_use_fd',` |
316 |
|
317 |
######################################## |
318 |
## <summary> |
319 |
-## Allow domain to send sigchld to userhelper. |
320 |
+## Send child terminated signals to all userhelper. |
321 |
## </summary> |
322 |
## <param name="domain"> |
323 |
## <summary> |
324 |
@@ -253,5 +204,6 @@ interface(`userhelper_exec',` |
325 |
type userhelper_exec_t; |
326 |
') |
327 |
|
328 |
+ corecmd_search_bin($1) |
329 |
can_exec($1, userhelper_exec_t) |
330 |
') |
331 |
|
332 |
diff --git a/policy/modules/contrib/userhelper.te b/policy/modules/contrib/userhelper.te |
333 |
index f25ed61..ead383b 100644 |
334 |
--- a/policy/modules/contrib/userhelper.te |
335 |
+++ b/policy/modules/contrib/userhelper.te |
336 |
@@ -1,14 +1,164 @@ |
337 |
-policy_module(userhelper, 1.7.0) |
338 |
+policy_module(userhelper, 1.7.1) |
339 |
|
340 |
######################################## |
341 |
# |
342 |
# Declarations |
343 |
# |
344 |
|
345 |
+attribute consolehelper_type; |
346 |
attribute userhelper_type; |
347 |
|
348 |
+attribute_role consolehelper_roles; |
349 |
+attribute_role userhelper_roles; |
350 |
+ |
351 |
type userhelper_conf_t; |
352 |
-files_type(userhelper_conf_t) |
353 |
+files_config_file(userhelper_conf_t) |
354 |
|
355 |
type userhelper_exec_t; |
356 |
application_executable_file(userhelper_exec_t) |
357 |
+ |
358 |
+type consolehelper_exec_t; |
359 |
+application_executable_file(consolehelper_exec_t) |
360 |
+ |
361 |
+######################################## |
362 |
+# |
363 |
+# Common consolehelper domain local policy |
364 |
+# |
365 |
+ |
366 |
+allow consolehelper_type self:capability { setgid setuid dac_override }; |
367 |
+allow consolehelper_type self:process signal; |
368 |
+allow consolehelper_type self:fifo_file rw_fifo_file_perms; |
369 |
+allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; |
370 |
+allow consolehelper_type self:shm create_shm_perms; |
371 |
+ |
372 |
+allow consolehelper_type userhelper_conf_t:file audit_access; |
373 |
+dontaudit consolehelper_type userhelper_conf_t:file write; |
374 |
+read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) |
375 |
+ |
376 |
+domain_use_interactive_fds(consolehelper_type) |
377 |
+ |
378 |
+kernel_read_system_state(consolehelper_type) |
379 |
+kernel_read_kernel_sysctls(consolehelper_type) |
380 |
+ |
381 |
+corecmd_exec_bin(consolehelper_type) |
382 |
+ |
383 |
+dev_getattr_all_chr_files(consolehelper_type) |
384 |
+dev_dontaudit_list_all_dev_nodes(consolehelper_type) |
385 |
+ |
386 |
+files_read_config_files(consolehelper_type) |
387 |
+files_read_usr_files(consolehelper_type) |
388 |
+ |
389 |
+fs_getattr_all_dirs(consolehelper_type) |
390 |
+fs_getattr_all_fs(consolehelper_type) |
391 |
+fs_search_auto_mountpoints(consolehelper_type) |
392 |
+files_search_mnt(consolehelper_type) |
393 |
+ |
394 |
+term_list_ptys(consolehelper_type) |
395 |
+ |
396 |
+auth_search_pam_console_data(consolehelper_type) |
397 |
+auth_read_pam_pid(consolehelper_type) |
398 |
+ |
399 |
+miscfiles_read_localization(consolehelper_type) |
400 |
+miscfiles_read_fonts(consolehelper_type) |
401 |
+ |
402 |
+userhelper_exec(consolehelper_type) |
403 |
+ |
404 |
+userdom_use_user_terminals(consolehelper_type) |
405 |
+ |
406 |
+# might want to make this consolehelper_tmp_t |
407 |
+userdom_manage_user_tmp_dirs(consolehelper_type) |
408 |
+userdom_manage_user_tmp_files(consolehelper_type) |
409 |
+userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) |
410 |
+ |
411 |
+tunable_policy(`use_nfs_home_dirs',` |
412 |
+ fs_search_nfs(consolehelper_type) |
413 |
+') |
414 |
+ |
415 |
+tunable_policy(`use_samba_home_dirs',` |
416 |
+ fs_search_cifs(consolehelper_type) |
417 |
+') |
418 |
+ |
419 |
+optional_policy(` |
420 |
+ shutdown_run(consolehelper_type, consolehelper_roles) |
421 |
+ shutdown_signal(consolehelper_type) |
422 |
+') |
423 |
+ |
424 |
+optional_policy(` |
425 |
+ xserver_domtrans_xauth(consolehelper_type) |
426 |
+ xserver_read_xdm_pid(consolehelper_type) |
427 |
+ xserver_stream_connect(consolehelper_type) |
428 |
+') |
429 |
+ |
430 |
+######################################## |
431 |
+# |
432 |
+# Common userhelper domain local policy |
433 |
+# |
434 |
+ |
435 |
+allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; |
436 |
+allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; |
437 |
+allow userhelper_type self:fd use; |
438 |
+allow userhelper_type self:fifo_file rw_fifo_file_perms; |
439 |
+allow userhelper_type self:shm create_shm_perms; |
440 |
+allow userhelper_type self:sem create_sem_perms; |
441 |
+allow userhelper_type self:msgq create_msgq_perms; |
442 |
+allow userhelper_type self:msg { send receive }; |
443 |
+allow userhelper_type self:unix_dgram_socket sendto; |
444 |
+allow userhelper_type self:unix_stream_socket { accept connectto listen }; |
445 |
+ |
446 |
+allow userhelper_type userhelper_conf_t:file audit_access; |
447 |
+dontaudit userhelper_type userhelper_conf_t:file write; |
448 |
+read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t) |
449 |
+ |
450 |
+can_exec(userhelper_type, userhelper_exec_t) |
451 |
+ |
452 |
+kernel_read_all_sysctls(userhelper_type) |
453 |
+kernel_getattr_debugfs(userhelper_type) |
454 |
+kernel_read_system_state(userhelper_type) |
455 |
+ |
456 |
+corecmd_exec_shell(userhelper_type) |
457 |
+ |
458 |
+domain_use_interactive_fds(userhelper_type) |
459 |
+domain_sigchld_interactive_fds(userhelper_type) |
460 |
+ |
461 |
+dev_read_urand(userhelper_type) |
462 |
+dev_list_all_dev_nodes(userhelper_type) |
463 |
+ |
464 |
+files_list_var_lib(userhelper_type) |
465 |
+files_read_var_files(userhelper_type) |
466 |
+files_read_var_symlinks(userhelper_type) |
467 |
+files_search_home(userhelper_type) |
468 |
+ |
469 |
+fs_getattr_all_fs(userhelper_type) |
470 |
+fs_search_auto_mountpoints(userhelper_type) |
471 |
+ |
472 |
+selinux_get_fs_mount(userhelper_type) |
473 |
+selinux_validate_context(userhelper_type) |
474 |
+selinux_compute_access_vector(userhelper_type) |
475 |
+selinux_compute_create_context(userhelper_type) |
476 |
+selinux_compute_relabel_context(userhelper_type) |
477 |
+selinux_compute_user_contexts(userhelper_type) |
478 |
+ |
479 |
+term_list_ptys(userhelper_type) |
480 |
+term_relabel_all_ttys(userhelper_type) |
481 |
+term_relabel_all_ptys(userhelper_type) |
482 |
+term_use_all_ttys(userhelper_type) |
483 |
+term_use_all_ptys(userhelper_type) |
484 |
+ |
485 |
+auth_manage_pam_pid(userhelper_type) |
486 |
+auth_manage_var_auth(userhelper_type) |
487 |
+auth_search_pam_console_data(userhelper_type) |
488 |
+ |
489 |
+init_use_fds(userhelper_type) |
490 |
+init_manage_utmp(userhelper_type) |
491 |
+init_pid_filetrans_utmp(userhelper_type) |
492 |
+ |
493 |
+logging_send_syslog_msg(userhelper_type) |
494 |
+ |
495 |
+miscfiles_read_localization(userhelper_type) |
496 |
+ |
497 |
+seutil_read_config(userhelper_type) |
498 |
+seutil_read_default_contexts(userhelper_type) |
499 |
+ |
500 |
+optional_policy(` |
501 |
+ rpm_domtrans(userhelper_type) |
502 |
+') |