APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media $(INSTALLDIR)/booleans
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/users
+USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+HOMEDIR_TEMPLATE = tmp/homedir_template
+
########################################
#
# Load appropriate rules
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
BASE_TE_FILES := $(BASE_MODS)
-BASE_POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
BASE_FC_FILES := $(BASE_MODS:.te=.fc)
MOD_MODULES := $(MOD_MODS:.te=.mod)
#
# Construct base module file contexts
#
-$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
+$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
ifeq ($(BASE_FC_FILES),)
$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
endif
rm -fR tmp
rm -f base.conf
rm -f *.pp
+ rm -f $(BASE_FC)
.PHONY: default base modules clean
ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
-HOMEDIR_TEMPLATE = tmp/homedir_template
-
########################################
#
# default action: build policy locally
class dir search;
')
- allow $1 proc_net_t:dir search;
+ dontaudit $1 proc_net_t:dir search;
')
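Review bot: Switching `allow $1 proc_net_t:dir search;` to `dontaudit` takes away access that callers of this interface previously had, and suppresses the audit record too, so a caller that still needs to traverse a proc_net_t directory will now be denied with no AVC message to point at the cause. The enclosing interface starts outside the hunk, so its name and its callers are not visible here; a one-line comment above the rule stating why the search is now only silenced, e.g. `# callers no longer need proc_net_t:dir search; only quiet the denial`, would record the intent for the next reader.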
########################################
kernel_rw_all_sysctl($1)
')
+
+################################################################################
+#
+# Reversed interfaces
+#
+# The following are reversed interfaces, meaning the point of view of the caller
+# of the interface is the object (target) type, rather than the subject (source)
+# type, like all other interfaces in the policy. These interfaces are here to
+# decouple policy from the base module, and should not be used anywhere else.
+#
+################################################################################
+
+########################################
+## <summary>
+## Allow the kernel to send a SIGCHLD
+## signal to the specified domain.
+## </summary>
+## <param name="domain">
+## Domain receiving the SIGCHLD.
+## </param>
+#
+interface(`kernel_sigchld_from',`
+ gen_require(`
+ type kernel_t;
+ class process sigchld;
+ ')
+
+ allow kernel_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow unlabeled processes to send a SIGCHLD
+## signal to the specified domain.
+## </summary>
+## <param name="domain">
+## Domain receiving the SIGCHLD.
+## </param>
+#
+interface(`kernel_sigchld_from_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ class process sigchld;
+ ')
+
+ allow unlabeled_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow the kernel to search the
+## specified directory.
+## </summary>
+## <param name="dir_type">
+## Directory type to search.
+## </param>
+#
+interface(`kernel_search_from',`
+ gen_require(`
+ type kernel_t;
+ class dir search;
+ ')
+
+ allow kernel_t $1:dir search;
+')
+
+########################################
+## <summary>
+## Allow the kernel to read the contents
+## of the specified directory.
+## </summary>
+## <param name="dir_type">
+## Directory type to list.
+## </param>
+#
+interface(`kernel_list_from',`
+ gen_require(`
+ type kernel_t;
+ class dir r_dir_perms;
+ ')
+
+ allow kernel_t $1:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the kernel to read the
+## specified file.
+## </summary>
+## <param name="dir_type">
+## Directory type to list.
+## </param>
+#
+interface(`kernel_read_file_from',`
+ gen_require(`
+ type kernel_t;
+ class dir r_dir_perms;
+ ')
+
+ allow kernel_t $1:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the kernel to search the
+## specified directory.
+## </summary>
+## <param name="dir_type">
+## Directory type to search.
+## </param>
+#
+interface(`kernel_search_from',`
+ gen_require(`
+ type kernel_t;
+ class dir search;
+ ')
+
+ allow kernel_t $1:dir search;
+')
+
+########################################
+## <summary>
+## Use the specified types for /lib directory
+## and use the dynamic link/loader for automatic loading
+## of shared libraries, and the link/loader
+## cache.
+## </summary>
+## <param name="lib_type">
+## The type of the lib directories.
+## </param>
+## <param name="ld_type">
+## The type of the dynamic link/loader.
+## </param>
+## <param name="cache_type">
+## The type of the dynamic link/loader cache.
+## </param>
+#
+interface(`kernel_use_ld_so_from',`
+ gen_require(`
+ type kernel_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file rx_file_perms;
+ ')
+
+ files_list_etc(kernel_t)
+ allow kernel_t $1:dir r_dir_perms;
+ allow kernel_t $1:lnk_file r_file_perms;
+ allow kernel_t $2:lnk_file r_file_perms;
+ allow kernel_t $2:file rx_file_perms;
+ allow kernel_t $3:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the kernel to load and execute
+## functions from the specified shared libraries.
+## </summary>
+## <param name="lib_dir_type">
+## The type of the lib directories.
+## </param>
+## <param name="shlib_type">
+## Shared library type.
+## </param>
+#
+interface(`kernel_use_shared_libs_from',`
+ gen_require(`
+ type kernel_t;
+ class lnk_file r_file_perms;
+ class file rx_dir_perms;
+ ')
+
+ allow kernel_t $1:dir r_dir_perms;
+ allow kernel_t $1:lnk_file r_file_perms;
+ allow kernel_t $2:lnk_file r_file_perms;
+ allow kernel_t $2:file rx_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow the kernel to send a syslog
+## message to the specified domain,
+## connecting over the specified named
+## socket.
+## </summary>
+## <param name="socket">
+## The type of the named socket file.
+## </param>
+## <param name="syslog_type">
+## The domain of the syslog daemon.
+## </param>
+#
+interface(`kernel_send_syslog_msg_from',`
+ gen_require(`
+ type syslogd_t, devlog_t;
+ class lnk_file read;
+ class sock_file rw_file_perms;
+ class unix_dgram_socket sendto;
+ class unix_stream_socket connectto;
+ ')
+
+ allow kernel_t $1:lnk_file read;
+ allow kernel_t $1:sock_file rw_file_perms;
+
+ # the type of socket depends on the syslog daemon
+ allow kernel_t $2:unix_dgram_socket sendto;
+ allow kernel_t $2:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Allow the kernel to send UDP network traffic
+## the specified domain.
+## </summary>
+## <param name="domain">
+## The type of the receiving domain.
+## </param>
+#
+interface(`kernel_udp_sendfrom',`
+ gen_require(`
+ type portmap_t;
+ class udp_socket { sendto recvfrom };
+ ')
+
+ allow kernel_t $1:udp_socket sendto;
+ allow $1 kernel_t:udp_socket recvfrom;
+')
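Review bot: Several of the new reversed interfaces have a `gen_require` block that does not match the rules they emit: `kernel_read_file_from` requires `class dir r_dir_perms` but grants `$1:file r_file_perms`, `kernel_use_shared_libs_from` requires `class file rx_dir_perms` (apparently a typo for `rx_file_perms`) and omits the `class dir r_dir_perms` its first rule uses, and `kernel_udp_sendfrom` requires `type portmap_t` rather than `kernel_t`, the type its rules actually reference. `kernel_search_from` is defined twice in this hunk (m4 silently lets the second `define` replace the first), and `kernel_send_syslog_msg_from` hard-codes `type syslogd_t, devlog_t;` in its require instead of `type kernel_t;`, which couples the kernel module to the logging module's type names even though `$1`/`$2` already carry them. The `<param name="dir_type">` block of `kernel_read_file_from` describes a directory while the interface reads a file; `## <param name="file_type">` / `## File type to read.` would match the rule. `kernel_udp_sendfrom` also breaks the `_from` naming that every other reversed interface here follows. Corrected require blocks follow; the duplicate `kernel_search_from` block should simply be dropped.
```m4
interface(`kernel_read_file_from',`
	gen_require(`
		type kernel_t;
		class file r_file_perms;
	')
	# … unchanged: allow kernel_t $1:file r_file_perms …
')

# … unchanged: kernel_use_ld_so_from …

interface(`kernel_use_shared_libs_from',`
	gen_require(`
		type kernel_t;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
		class file rx_file_perms;
	')
	# … unchanged: allow rules for $1 and $2 …
')

# … unchanged: kernel_send_syslog_msg_from …

interface(`kernel_udp_sendfrom',`
	gen_require(`
		type kernel_t;
		class udp_socket { sendto recvfrom };
	')
	# … unchanged: sendto / recvfrom rules …
')
```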
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
+neverallow ~can_load_kernmodule self:capability sys_module;
+
# domains with unconfined access to kernel resources
attribute kern_unconfined;
domain_signal_all_domains(kernel_t)
files_list_root(kernel_t)
+files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
-init_sigchld(kernel_t)
-
-libs_use_ld_so(kernel_t)
-libs_use_shared_libs(kernel_t)
-
-logging_send_syslog_msg(kernel_t)
-
-seutil_read_config(kernel_t)
-seutil_read_binary_pol(kernel_t)
-
-neverallow ~can_load_kernmodule self:capability sys_module;
-
########################################
#
# Unlabeled process local policy
#
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init.
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-init_sigchld(unlabeled_t)
-
ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')
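Review bot: `files_list_etc(kernel_t)` on the new line after `files_list_root(kernel_t)` duplicates the same call made inside the new `kernel_use_ld_so_from` interface, so the kernel domain picks up the etc listing from two places and the reversed interface grants something unrelated to its own parameters. Keep the call here with the other `files_*` rules for kernel_t and drop it from the interface. The removed `seutil_read_config`/`seutil_read_binary_pol` calls are replaced in this commit by `kernel_list_from`/`kernel_read_file_from` on the selinux config types; it is not visible here whether those two seutil interfaces granted anything beyond dir listing and file reading, so confirm the replacement is not narrower than what kernel_t had before.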
kernel_read_kernel_sysctl(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
+kernel_udp_sendfrom(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
type hotplug_etc_t; #, usercanread;
files_type(hotplug_etc_t)
+kernel_search_from(hotplug_etc_t)
type hotplug_var_run_t;
files_pid_file(hotplug_var_run_t)
rhgb_domain(hotplug_t)
')
-allow kernel_t hotplug_etc_t:dir search;
-
# for ps
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
kernel_read_system_state(init_t)
kernel_share_state(init_t)
+kernel_sigchld_from(init_t)
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init.
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+kernel_sigchld_from_unlabeled(init_t)
dev_read_sysfs(init_t)
type texrel_shlib_t;
files_type(texrel_shlib_t)
+kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
+kernel_use_shared_libs_from(lib_t,{ shlib_t texrel_shlib_t })
+
########################################
#
# ldconfig local policy
kernel_read_kernel_sysctl(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
+kernel_send_syslog_msg_from(devlog_t,syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
#
type policy_config_t;
files_type(policy_config_t)
+kernel_list_from(policy_config_t)
+kernel_read_file_from(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
#
type selinux_config_t;
files_type(selinux_config_t)
+kernel_list_from(selinux_config_t)
+kernel_read_file_from(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy;
domain_obj_id_change_exempt(setfiles_t)
#
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+########################################
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
+#
+define(`gen_user',`
+user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
+')
+
########################################
#
# gen_con(context,sensitivity)
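Review bot: The `gen_user` macro added here is defined again verbatim in the new systemuser file (the `define(`gen_user',` block at the top of that file), so under m4 the later `define` silently replaces the earlier one and the two copies can drift apart unnoticed. Keep a single definition — this support-file copy — and remove the one from systemuser, leaving only the usage comment there. Nothing in the build will flag the duplicate, since m4 does not warn on redefinition.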
--- /dev/null
+##################################
+#
+# System User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
+#
+define(`gen_user',`
+user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
+')
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
+
+# Normal users should not be added to this file,
+# but instead added to the users file.
#
#
-# gen_user(username, role_set, defaultlevel, range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
#
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
#
# user_u is a generic user identity for Linux users who have no