include $(ROOT)/Rules.modular
endif
-test:
- # $(MODDIR)
- # $(ALL_LAYERS)
-
########################################
#
# Generated files
@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
$(verbose) cat $^ > $@
-$(TMPDIR)/generated_definitions.conf: $(ALL_TE_FILES)
+$(TMPDIR)/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
# per-userdomain templates:
@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
$(verbose) echo "define(\`base_per_userdomain_template',\`" > $@
# Only files are constrained by MCS at this stage.
#
mlsconstrain file { write setattr append unlink link rename
- ioctl lock execute relabelfrom } (h1 dom h2);
-
-mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
+ create ioctl lock execute } (h1 dom h2);
mlsconstrain file { read } ((h1 dom h2) or
( t1 == mlsfileread ));
# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
( h1 dom h2 );
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
-
-mlsconstrain process { ptrace } ( h1 dom h2 );
-
-mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
- ( t1 == mcskillall );
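Review bot: The `(l2 eq h2)` conjunct that the old `{ create relabelto }` constraints required is dropped when `create` is folded into the `(h1 dom h2)` file rule and `relabelto` into the multi-class `{ relabelfrom relabelto }` rule, so a newly created or relabeled file may now carry a ranged MCS label instead of a single level; the comment `# new file labels must be dominated by the relabeling subject clearance` is still true but no longer states the whole contract. If the relaxation is intended, extend that comment, e.g. `# new file labels must be dominated by the relabeling subject clearance (a single-level label is no longer required)`; if it is not, the `and (l2 eq h2)` clause should return on both rules. The removed `process { ptrace }` and `{ sigkill sigstop }` constraints agree with the header "Only files are constrained by MCS at this stage", so that part reads as intentional. No `@@` header is visible, so the boundaries of this hunk are inferred from its content.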
define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
link unlink rename relabelfrom relabelto }')
typeattribute $1 memory_raw_write, memory_raw_read;
')
-
-########################################
-## <summary>
-## Read and write the USB device.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_rw_usb',`
- gen_require(`
- type usb_device_t;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 usb_device_t:chr_file { read write };
-')
-## <summary>Multicategory security policy</summary>
-## <required val="true">
-## Contains attributes used in MCS policy.
-## </required>
-
-########################################
-## <summary>
-## This domain is allowed to sigkill and sigstop
-## all domains regardless of their MCS level.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain target for user exemption.
-## </summary>
-## </param>
-#
-interface(`mcs_killall',`
- gen_require(`
- attribute mcskillall;
- ')
-
- typeattribute $1 mcskillall;
-')
-
-policy_module(mcs,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute mcskillall;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-#
-
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
-type sshd_exec_t;
-type su_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-range_transition unconfined_t initrc_exec_t s0;
-')
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
-# Other types are declared in the mcs module.
#
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
type lvm_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+
+ifdef(`enable_mcs',`
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+
+# these might be targeted_policy only
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+')
ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c255;
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
-dev_rw_usb(bluetooth_t)
dev_read_urand(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
mls_file_read_up(hald_t)
-modutils_domtrans_insmod(hald_t)
-
selinux_get_fs_mount(hald_t)
selinux_validate_context(hald_t)
selinux_compute_access_vector(hald_t)
libs_exec_lib_files(hald_t)
logging_send_syslog_msg(hald_t)
-logging_search_logs(hald_t)
miscfiles_read_localization(hald_t)
miscfiles_read_hwdata(hald_t)
# System mail local policy
#
-# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
-
allow system_mail_t etc_mail_t:dir { getattr search };
allow system_mail_t etc_mail_t:file r_file_perms;
dontaudit NetworkManager_t self:capability sys_tty_config;
allow NetworkManager_t self:process { setcap getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
-files_read_etc_files(postfix_local_t)
-
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
allow postfix_pipe_t postfix_private_t:dir search;
allow postfix_pipe_t postfix_private_t:sock_file write;
-allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
-
allow postfix_pipe_t postfix_spool_t:dir search;
allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
#
# /sbin
#
-/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-
+/sbin/init -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
-mcs_killall(init_t)
-
mls_file_read_up(init_t)
mls_file_write_down(init_t)
mls_rangetrans_target(init_t)
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-mcs_killall(initrc_t)
-
mls_file_read_up(initrc_t)
mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t)
allow $1 lib_t:dir search_dir_perms;
allow $1 lib_t:file manage_file_perms;
- allow $1 lib_t:lnk_file unlink;
')
########################################
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
-/etc/selinux/([^/]*/)?modules(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
ifdef(`distro_debian', `
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
')
-
-/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0)
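Review bot: Removing the `/etc/selinux/([^/]*/)?modules(/.*)?` entry leaves the module store without its explicit `policy_config_t` label at `s15:c0.c255`; it will take whatever a broader `/etc/selinux` pattern assigns, which is not visible in this hunk, and if that is a lower-sensitivity `selinux_config_t` the on-disk modules lose the protection the neighbouring `policy(/.*)?` entry keeps. `/usr/sbin/semodule` presumably falls back to a generic bin label as well, so any `semodule_exec_t` domain transition defined elsewhere in the policy would silently stop applying. If another pattern deliberately covers these paths, a comment next to the `policy(/.*)?` line naming it, e.g. `# modules/ and semodule are covered by the generic /etc/selinux and bin entries`, would make the intent visible. No `@@` header is visible, so the hunk boundaries are inferred.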
allow $1 file_context_t:lnk_file { getattr read };
')
-########################################
-## <summary>
-## Read and write the file_contexts files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`seutil_rw_file_contexts',`
- gen_require(`
- type selinux_config_t, file_context_t;
- ')
-
- files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file rw_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
-')
-
########################################
#
# seutil_read_bin_policy(domain)
allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms;
')
+
tunable_policy(`allow_execmem && allow_execstack',`
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
- auditallow $1 self:process execstack;
', `
# These are fairly common but seem to be harmless
# caused by using shared libraries built with old tool chains
- #dontaudit $1 self:process execstack;
+ dontaudit $1 self:process execstack;
')
')
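Review bot: Dropping `auditallow $1 self:process execstack;` from the `allow_execmem && allow_execstack` branch removes the only record of when a domain actually makes its stack executable, and the newly enabled `dontaudit $1 self:process execstack;` in the else branch silences the denials, so after this change neither outcome produces an AVC message. That loss matters for detection: execstack is one of the few permissions that separates a known legacy binary from something unexpected, and an auditor can no longer see which confined domains rely on the tunable. If the auditallow was too noisy, record that where it stood, e.g. `# execstack is deliberately not auditallow'd here: legacy-toolchain binaries trigger it constantly`, so the next reader does not treat the removal as an oversight. The template that the final `')` closes starts outside the hunk, and with no `@@` header the hunk boundaries are inferred.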
ifdef(`enable_mls',`
- corecmd_exec_shell(secadm_t)
- mls_process_read_up(secadm_t)
- mls_file_write_down(secadm_t)
- mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
logging_read_audit_log(secadm_t)
logging_domtrans_auditctl(secadm_t)
+ mls_process_read_up(secadm_t)
userdom_dontaudit_append_staff_home_files(secadm_t)
', `
logging_domtrans_auditctl(sysadm_t)
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
', `
selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t)