From d800d66b5d1e6f6ab29f6fc63b2c6a7e7a082250 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 12 2012 09:02:21 +0000 Subject: Various changes to tcs policy module Remove redundant domain_type() call Remove redundant files_read_etc_files() call Remove redundant create_socket_perms for unix_stream_socket Only file type transition on directories Add networking rules XML header clean ups tcsd_admin() clean ups Callers need to be able to traverse bin_t directories to be able to run tcsd with a domain transition Partition file context file entries Signed-off-by: Dominick Grift --- diff --git a/tcsd.fc b/tcsd.fc index 1a6527c..e59fd73 100644 --- a/tcsd.fc +++ b/tcsd.fc @@ -1,3 +1,5 @@ /etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) -/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) + +/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) + +/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) diff --git a/tcsd.if b/tcsd.if index 595f5a7..c5f77e0 100644 --- a/tcsd.if +++ b/tcsd.if @@ -1,4 +1,4 @@ -## TSS Core Services (TCS) daemon (tcsd) policy +## TSS Core Services daemon. ######################################## ## @@ -6,7 +6,7 @@ ## ## ## -## Domain allowed access. +## Domain allowed to transition. ## ## # @@ -15,6 +15,7 @@ interface(`tcsd_domtrans',` type tcsd_t, tcsd_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, tcsd_exec_t, tcsd_t) ') @@ -24,7 +25,7 @@ interface(`tcsd_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed to transition. ## ## # @@ -57,7 +58,8 @@ interface(`tcsd_search_lib',` ######################################## ## -## Manage tcsd lib dirs files. +## Create, read, write, and delete +## tcsd lib directories. ## ## ## 
@@ -115,8 +117,8 @@ interface(`tcsd_manage_lib_files',` ######################################## ## -## All of the rules required to administrate -## an tcsd environment +## All of the rules required to +## administrate an tcsd environment. ## ## ## @@ -132,9 +134,7 @@ interface(`tcsd_manage_lib_files',` # interface(`tcsd_admin',` gen_require(` - type tcsd_t; - type tcsd_initrc_exec_t; - type tcsd_var_lib_t; + type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; ') allow $1 tcsd_t:process { ptrace signal_perms }; diff --git a/tcsd.te b/tcsd.te index ee9f3c6..ddf43fd 100644 --- a/tcsd.te +++ b/tcsd.te @@ -1,4 +1,4 @@ -policy_module(tcsd, 1.0.0) +policy_module(tcsd, 1.0.1) ######################################## # @@ -7,7 +7,6 @@ policy_module(tcsd, 1.0.0) type tcsd_t; type tcsd_exec_t; -domain_type(tcsd_t) init_daemon_domain(tcsd_t, tcsd_exec_t) type tcsd_initrc_exec_t; @@ -18,27 +17,29 @@ files_type(tcsd_var_lib_t) ######################################## # -# tcsd local policy +# Local policy # allow tcsd_t self:capability { dac_override setuid }; allow tcsd_t self:process { signal sigkill }; -allow tcsd_t self:tcp_socket create_stream_socket_perms; +allow tcsd_t self:tcp_socket { accept listen }; manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) -files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) +files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, dir) -# Accept connections on the TCS port over loopback. corenet_all_recvfrom_unlabeled(tcsd_t) +corenet_all_recvfrom_netlabel(tcsd_t) +corenet_tcp_sendrecv_generic_if(tcsd_t) +corenet_tcp_sendrecv_generic_node(tcsd_t) +corenet_tcp_sendrecv_tcs_port(tcsd_t) corenet_tcp_bind_generic_node(tcsd_t) +corenet_sendrecv_tcs_server_packets(tcsd_t) corenet_tcp_bind_tcs_port(tcsd_t) dev_read_urand(tcsd_t) -# Access /dev/tpm0. dev_rw_tpm(tcsd_t) -files_read_etc_files(tcsd_t) files_read_usr_files(tcsd_t) auth_use_nsswitch(tcsd_t)
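Review bot: The `tcsd_admin` clean-up in the `@@ -132,9 +134,7 @@` hunk keeps `allow $1 tcsd_t:process { ptrace signal_perms };` unchanged, so every domain passed as `$1` may ptrace the daemon. Judging by `dev_rw_tpm(tcsd_t)` in tcsd.te, that daemon is the process with read/write access to the TPM device. If administration only needs to signal the daemon, `allow $1 tcsd_t:process signal_perms;` would be the narrower grant. Otherwise a comment such as `# ptrace is needed for <reason>` above the rule would record why it stays. The rest of the interface body lies outside the hunk, so a caller that depends on ptrace cannot be ruled out from here.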
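Review bot: In the `@@ -18,27 +17,29 @@` hunk of tcsd.te, the removed comment `# Accept connections on the TCS port over loopback.` was the only statement of the intended network exposure. The rules added beneath it (`corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, next to the existing `corenet_tcp_bind_generic_node`) are not limited to loopback. A replacement comment such as `# Policy permits the TCS port on any interface and node; loopback-only exposure has to come from tcsd configuration or packet filtering.` would keep that visible to the next reader. Separately, `allow tcsd_t self:tcp_socket { accept listen };` no longer grants socket creation itself and presumably relies on `auth_use_nsswitch(tcsd_t)` to supply it, which deserves a one-line comment. The commit message also names `unix_stream_socket`, whereas the hunk changes `tcp_socket`.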