commit: 9b5d3482a2a3e51aeae9402e8b56156f5eceffd7 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sun Jul 29 07:18:12 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Jul 29 07:18:12 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b5d3482 |
|
Userspace confinement proceedings. Include xdg_videos support and mozilla only accessing .mozilla |
|
--- |
policy/modules/contrib/mozilla.te | 2 +- |
policy/modules/contrib/xdg.if | 18 ++++ |
.../contrib/xdg/xdg_manage_videos_home.part | 18 ++++ |
policy/modules/kernel/files.if | 105 ++++++++++---------- |
policy/modules/system/authlogin.te | 4 +- |
policy/modules/system/init.te | 4 +- |
policy/modules/system/udev.if | 39 ------- |
policy/modules/system/userdomain.if | 1 + |
8 files changed, 94 insertions(+), 97 deletions(-) |
|
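diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 0909cd6..dfd4705 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -95,7 +95,7 @@ can_exec(mozilla_t, mozilla_exec_t)
 manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
 
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;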
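Review bot: The new fourth argument on the `+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")` line restricts the automatic transition to a directory literally named `.mozilla`; any other directory mozilla_t creates directly in the home directory will now get the default home type rather than mozilla_home_t, so confirm against the module's file contexts that `.mozilla` is the only home-level path expected to carry mozilla_home_t. The userdomain.if hunk in this commit does not show `userdom_user_home_dir_filetrans`, so also confirm the interface in this tree accepts the optional filename argument; a mismatch only surfaces at policy build time. The surrounding `manage_*_pattern` rules are unchanged and still cover mozilla_home_t wherever it already exists, so the narrowing affects creation only.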
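diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 923b957..1d628b7 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -796,3 +796,21 @@ interface(`xdg_relabel_all_runtime_home',`
 
 files_search_pids($1)
 ')
+#########################################
+## <summary>
+## Manage video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_videos_home',`
+ gen_require(`
+ type xdg_videos_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+')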
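Review bot: `xdg_manage_videos_home` grants `manage_dirs_pattern` and `manage_files_pattern` but no `manage_lnk_files_pattern`, unlike the mozilla_home_t rules earlier in this commit; if symlinks inside the videos directory are expected, add `manage_lnk_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)` after the files pattern. The `<summary>` text "Manage video content" is vaguer than the interface name; `## Create, read, write, and delete the user XDG videos home directory and its content.` states what the rules actually grant, and the parameter summary `Domain allowed access` lacks the trailing period used by the files.if interfaces in this same commit. The identical body is added verbatim in the new `policy/modules/contrib/xdg/xdg_manage_videos_home.part`, so whatever is changed here must be applied to both copies, and the new interface is wired into `userdom_manage_home_role` in userdomain.if. Unlike the preceding `xdg_relabel_all_runtime_home`, which calls `files_search_pids($1)` for its parent directory, nothing here grants search on the enclosing home directory; presumably callers already have it, but that is worth confirming.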
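diff --git a/policy/modules/contrib/xdg/xdg_manage_videos_home.part b/policy/modules/contrib/xdg/xdg_manage_videos_home.part
new file mode 100644
index 0000000..5118d5d
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_videos_home.part
@@ -0,0 +1,18 @@
+#########################################
+## <summary>
+## Manage video content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`xdg_manage_videos_home',`
+ gen_require(`
+ type xdg_videos_home_t;
+ ')
+
+ manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+ manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+')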
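diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 93bdc1b..6b7cc92 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -86,6 +86,26 @@ interface(`files_type',`
 
 ########################################
 ## <summary>
+## Mark the specified type as a file
+## that is related to authentication.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the authentication-related
+## file.
+## </summary>
+## </param>
+#
+interface(`files_auth_file',`
+ gen_require(`
+ attribute file_type, security_file_type, auth_file_type;
+ ')
+
+ typeattribute $1 file_type, security_file_type, auth_file_type;
+')
+
+########################################
+## <summary>
 ## Make the specified type a file that
 ## should not be dontaudited from
 ## browsing from user domains.
@@ -1277,28 +1297,8 @@ interface(`files_unmount_all_file_type_fs',`
 
 ########################################
 ## <summary>
-## Mark the specified type as a file
-## that is related to authentication.
-## </summary>
-## <param name="file_type">
-## <summary>
-## Type of the authentication-related
-## file.
-## </summary>
-## </param>
-#
-interface(`files_auth_file',`
- gen_require(`
- attribute file_type, security_file_type, auth_file_type;
- ')
-
- typeattribute $1 file_type, security_file_type, auth_file_type;
-')
-
-########################################
-## <summary>
 ## Read all non-authentication related
-## directories.
+## directories.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -1317,7 +1317,7 @@ interface(`files_list_non_auth_dirs',`
 ########################################
 ## <summary>
 ## Read all non-authentication related
-## files.
+## files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -1354,58 +1354,54 @@ interface(`files_read_non_auth_symlinks',`
 
 ########################################
 ## <summary>
-## Relabel all non-authentication related
-## files.
+## rw non-authentication related files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
-## <rolecap/>
 #
-interface(`files_relabel_non_auth_files',`
+interface(`files_rw_non_auth_files',`
 gen_require(`
 attribute non_auth_file_type;
 ')
 
- allow $1 non_auth_file_type:dir list_dir_perms;
- relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
- relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
- relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
+ rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
 ')
 
 ########################################
 ## <summary>
-## rw non-authentication related files.
+## Manage non-authentication related
+## files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
+## <rolecap/>
 #
-interface(`files_rw_non_auth_files',`
+interface(`files_manage_non_auth_files',`
 gen_require(`
 attribute non_auth_file_type;
 ')
 
- rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
 ')
 
 ########################################
 ## <summary>
-## Manage non-authentication related
-## files.
+## Relabel all non-authentication related
+## files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -1414,22 +1410,27 @@ interface(`files_rw_non_auth_files',`
 ## </param>
 ## <rolecap/>
 #
-interface(`files_manage_non_auth_files',`
+interface(`files_relabel_non_auth_files',`
 gen_require(`
 attribute non_auth_file_type;
 ')
 
- manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
- manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
- manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
- manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
- manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ allow $1 non_auth_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
 
 # satisfy the assertions:
- seutil_create_bin_policy($1)
- files_manage_kernel_modules($1)
+ seutil_relabelto_bin_policy($1)
 ')
 
+
 #############################################
 ## <summary>
 ## Manage all configuration directories on filesystem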
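Review bot: The blank line added in the last hunk, just before the `#############################################` header of the next interface, leaves two consecutive empty lines after `files_relabel_non_auth_files` where the rest of the file separates interfaces with one; drop the added `+` line. Everything else in this section is a reorder of `files_auth_file`, `files_rw_non_auth_files`, `files_manage_non_auth_files` and `files_relabel_non_auth_files` plus whitespace-only edits to the `## directories.` and `## files.` lines, and comparing the removed and added bodies shows the rules, the `# satisfy the assertions:` calls and the `<rolecap/>` tags come out unchanged. Moves of this size are much easier to verify when committed separately from the functional changes in mozilla.te and init.te, and the commit message does not mention them at all.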
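diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 60ae701..c7c4fb6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,10 +5,10 @@ policy_module(authlogin, 2.4.0)
 # Declarations
 #
 
+
 ## <desc>
 ## <p>
-## Allow users to resolve user passwd entries directly from ldap rather
-## than using an sssd server
+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
 ## </p>
 ## </desc>
 gen_tunable(authlogin_nsswitch_use_ldap, false)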
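Review bot: The rewritten tunable description reads `rather then using a sssd server`, while the two removed lines had the correct `rather than using an sssd server`, so the change introduces two grammatical errors into the text that ends up in the generated tunable documentation. Keep the original wording on the single line, `## Allow users to resolve user passwd entries directly from ldap rather than using an sssd server`. The empty line added after `#` also produces two consecutive blank lines before the `<desc>` block; nothing in the commit message explains either edit, so presumably both are accidental.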
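diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2c1806..56bfca9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -260,7 +260,7 @@ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-manage_files_pattern(initrc_t, initrc_var_log_t, dir)
+manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
 
 init_write_initctl(initrc_t)
@@ -856,8 +856,6 @@ optional_policy(`
 
 optional_policy(`
 udev_create_db_dirs(initrc_t)
- udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
- udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
 udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
 udev_pid_filetrans_db(initrc_t, dir, "rules.d")
 udev_manage_pid_files(initrc_t)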
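Review bot: Removing `udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)` and `udev_dontaudit_getattr_unix_stream_sockets(initrc_t)` follows from deleting those interfaces in udev.if, but neither the diff nor the commit message says whether the getattr denials they silenced no longer occur; if they still do, they will now be logged again. Either state that the denials are gone or keep an equivalent dontaudit in udev.if rather than dropping the interfaces outright. The first hunk replaces `dir` with `initrc_var_log_t` as the third argument of `manage_files_pattern`, which is the target file type rather than a class; that is a correctness fix to the generated rules and deserves its own line in the commit message, which currently mentions only the xdg and mozilla changes.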
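diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 53f6d62..7423f26 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -132,45 +132,6 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 
 ########################################
 ## <summary>
-## Do not audit attempts to get attributes
-## of a udev netlink_kobject_uevent_socket
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`udev_dontaudit_getattr_netlink_kobject_uevent_sockets',`
- gen_require(`
- type udev_t;
- ')
-
- dontaudit $1 udev_t:netlink_kobject_uevent_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get attributes
-## of a udev unix_stream_socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`udev_dontaudit_getattr_unix_stream_sockets',`
- gen_require(`
- type udev_t;
- ')
-
- dontaudit $1 udev_t:unix_stream_socket getattr;
-')
-
-
-########################################
-## <summary>
 ## Read udev rules files
 ## </summary>
 ## <param name="domain">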
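diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4c33988..cf58129 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -282,6 +282,7 @@ interface(`userdom_manage_home_role',`
 xdg_manage_all_data_home($2)
 xdg_manage_all_runtime_home($2)
 xdg_manage_downloads_home($2)
+ xdg_manage_videos_home($2)
 xdg_relabel_all_cache_home($2)
 xdg_relabel_all_config_home($2)
 xdg_relabel_all_data_home($2)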