commit: 81a88d7f2e5391813affdc4b375892681ee8bc09 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 10:55:05 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:33:08 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81a88d7f |
|
Changes to the uml policy module |
|
Module cleanup |
Role attribute for uml client |
|
So the user is expected to label and create the tools executable |
files himself? |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/uml.fc | 9 ----- |
policy/modules/contrib/uml.if | 54 +++++++++------------------ |
policy/modules/contrib/uml.te | 81 ++++++++++++++++++++--------------------- |
3 files changed, 57 insertions(+), 87 deletions(-) |
|
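--- a/policy/modules/contrib/uml.fc
+++ b/policy/modules/contrib/uml.fc
@@ -1,14 +1,5 @@
-#
-# HOME_DIR/
-#
 HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
 
-#
-# /usr
-#
 /usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
 
-#
-# /var
-#
 /var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)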
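--- a/policy/modules/contrib/uml.if
+++ b/policy/modules/contrib/uml.if
@@ -1,69 +1,50 @@
-## <summary>Policy for UML</summary>
+## <summary>User mode linux tools and services.</summary>
 
 ########################################
 ## <summary>
-## Role access for uml
+## Role access for uml.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`uml_role',`
 gen_require(`
+ attribute_role uml_roles;
 type uml_t, uml_exec_t;
 type uml_ro_t, uml_rw_t, uml_tmp_t;
 type uml_devpts_t, uml_tmpfs_t;
 ')
 
- role $1 types uml_t;
+ roleattribute $1 uml_roles;
 
- # Transition from the user domain to this domain.
 domtrans_pattern($2, uml_exec_t, uml_t)
 
- # for mconsole
- allow $2 uml_t:unix_dgram_socket sendto;
+ dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
+
 allow uml_t $2:unix_dgram_socket sendto;
 
- # allow ps, ptrace, signal
 ps_process_pattern($2, uml_t)
 allow $2 uml_t:process { ptrace signal_perms };
 
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2, uml_ro_t, uml_ro_t)
- read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
-
- manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
 ')
 
 ########################################
 ## <summary>
-## Set attributes on uml utility socket files.
+## Set attributes of uml pid sock files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -76,12 +57,13 @@ interface(`uml_setattr_util_sockets',`
 type uml_switch_var_run_t;
 ')
 
- allow $1 uml_switch_var_run_t:sock_file setattr;
+ allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Manage uml utility files.
+## Create, read, write, and delete
+## uml pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>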
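Review bot: The consolidated `allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file` and `:sock_file` rules in uml_role no longer name uml_tmp_t, so the calling user domain loses the symlink and sock_file manage access that the removed `manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)` and `manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)` granted, while the same rule set newly grants manage and relabel on uml_tmpfs_t and relabel on uml_tmp_t, neither of which the old interface gave the caller. If both changes are intended, the commit message should say so, since "clean up" suggests the granted access is unchanged; otherwise uml_tmp_t belongs in the lnk_file and sock_file sets and uml_tmpfs_t should be dropped from them. The new `dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)` likewise widens the former plain sendto to dir search and sock_file write on uml_tmpfs_t, which looks consistent with the tmpfs sock_file filetrans in uml.te but is an access change worth stating.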
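--- a/policy/modules/contrib/uml.te
+++ b/policy/modules/contrib/uml.te
@@ -1,17 +1,20 @@
-policy_module(uml, 2.2.0)
+policy_module(uml, 2.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role uml_roles;
+
 type uml_t;
-type uml_exec_t;
+type uml_exec_t; # customizable
 typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
 typealias uml_t alias { auditadm_uml_t secadm_uml_t };
 userdom_user_application_domain(uml_t, uml_exec_t)
+role uml_roles types uml_t;
 
-type uml_ro_t;
+type uml_ro_t; # customizable
 typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
 typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
 userdom_user_home_content(uml_ro_t)
@@ -49,93 +52,88 @@ files_pid_file(uml_switch_var_run_t)
 # Local policy
 #
 
+allow uml_t self:process signal_perms;
 allow uml_t self:fifo_file rw_fifo_file_perms;
-allow uml_t self:process { signal_perms ptrace };
 allow uml_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_t self:unix_dgram_socket create_socket_perms;
-# Use the network.
-allow uml_t self:tcp_socket create_stream_socket_perms;
-allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tcp_socket { accept listen };
 allow uml_t self:tun_socket create;
-# for mconsole
-allow uml_t self:unix_dgram_socket sendto;
+allow uml_t self:unix_dgram_socket { create_socket_perms sendto };
 
-# allow the UML thing to happen
-allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr_chr_file_perms };
 term_create_pty(uml_t, uml_devpts_t)
 
 manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
 manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
 files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
-can_exec(uml_t, uml_tmp_t)
 
 manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
-can_exec(uml_t, uml_tmpfs_t)
 
-# access config files
-allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
-read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
-read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+allow uml_t uml_ro_t:dir list_dir_perms;
+allow uml_t uml_ro_t:file read_file_perms;
+allow uml_t uml_ro_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
-userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, dir, ".uml")
 
-can_exec(uml_t, { uml_exec_t uml_exec_t })
+can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })
 
 kernel_read_system_state(uml_t)
-# for SKAS - need something better
 kernel_write_proc_files(uml_t)
 
-# for xterm
 corecmd_exec_bin(uml_t)
 
 corenet_all_recvfrom_unlabeled(uml_t)
 corenet_all_recvfrom_netlabel(uml_t)
 corenet_tcp_sendrecv_generic_if(uml_t)
-corenet_udp_sendrecv_generic_if(uml_t)
 corenet_tcp_sendrecv_generic_node(uml_t)
-corenet_udp_sendrecv_generic_node(uml_t)
 corenet_tcp_sendrecv_all_ports(uml_t)
-corenet_udp_sendrecv_all_ports(uml_t)
-corenet_tcp_connect_all_ports(uml_t)
+
 corenet_sendrecv_all_client_packets(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+
 corenet_rw_tun_tap_dev(uml_t)
 
 domain_use_interactive_fds(uml_t)
 
-# for xterm
-files_read_etc_files(uml_t)
 files_dontaudit_read_etc_runtime_files(uml_t)
-# putting uml data under /var is usual...
-files_search_var(uml_t)
 
-fs_getattr_xattr_fs(uml_t)
+fs_getattr_all_fs(uml_t)
+fs_search_auto_mountpoints(uml_t)
+
+auth_use_nsswitch(uml_t)
 
 init_read_utmp(uml_t)
 init_dontaudit_write_utmp(uml_t)
 
-# for xterm
 libs_exec_lib_files(uml_t)
 
-# Inherit and use descriptors from newrole.
-seutil_use_newrole_fds(uml_t)
-
-# Use the network.
-sysnet_read_config(uml_t)
-
 userdom_use_user_terminals(uml_t)
 userdom_attach_admin_tun_iface(uml_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(uml_t)
+ fs_manage_nfs_files(uml_t)
+ fs_manage_nfs_named_pipes(uml_t)
+ fs_manage_nfs_symlinks(uml_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(uml_t)
+ fs_manage_cifs_files(uml_t)
+ fs_manage_cifs_named_pipes(uml_t)
+ fs_manage_cifs_symlinks(uml_t)
+')
+
 optional_policy(`
- nis_use_ypbind(uml_t)
+ seutil_use_newrole_fds(uml_t)
 ')
 
 optional_policy(`
@@ -144,13 +142,12 @@ optional_policy(`
 
 ########################################
 #
-# Local policy
+# Switch local policy
 #
 
 dontaudit uml_switch_t self:capability sys_tty_config;
 allow uml_switch_t self:process signal_perms;
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_switch_t self:unix_stream_socket { accept listen };
 
 manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
 manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)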
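Review bot: Dropping ptrace in the new `allow uml_t self:process signal_perms;` at the top of the second hunk looks like a functional regression rather than cleanup: UML's SKAS0 host mode ptraces its own helper processes, which run in uml_t, and the removed `# for SKAS - need something better` comment next to the kept `kernel_write_proc_files(uml_t)` indicates SKAS support is expected here, so this should be confirmed against a denial log before it is removed. The same hunk also silently removes all UDP access (`self:udp_socket` and the three `corenet_udp_*` calls) and narrows `self:tcp_socket` to `{ accept listen }`, which presumably relies on create, bind and connect being granted by a base rule elsewhere; if that is the case the commit message should list these access changes, since "Module clean up" implies none. The last hunk applies the same `{ accept listen }` narrowing to uml_switch_t's unix_stream_socket and drops its unix_dgram_socket create rule, and the same remark applies there.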