diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 5066d50..c627f34 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -56,6 +56,7 @@ SETFILES := $(SBINDIR)/setfiles
 SUPPORT := support
 GENDOC := $(SUPPORT)/sedoctool.py
+FCSORT := $(SUPPORT)/fc_sort
 XMLLINT := $(BINDIR)/xmllint
@@ -261,16 +262,15 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 # Create config files
 #
 conf $(MOD_DISABLE) $(TUNABLES): tmp/policy.xml
-	$(QUIET) touch $(TUNABLES)
-	@echo "Creating $(MOD_DISABLE)"
-	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
-	@echo "# To prevent a module from being used in policy" >> $(MOD_DISABLE)
-	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
-	@echo "" >> $(MOD_DISABLE)
-	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
-		echo "#$$i" >> $(MOD_DISABLE) ;\
-	done
-	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES)
+	@echo "Creating $(MOD_DISABLE) and $(TUNABLES)"
+#	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
+#	@echo "# To prevent a module from being used in policy" >> $(MOD_DISABLE)
+#	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
+#	@echo "" >> $(MOD_DISABLE)
+#	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
+#		echo "#$$i" >> $(MOD_DISABLE) ;\
+#	done
+	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES) -m $(MOD_DISABLE)
 ########################################
 #
@@ -299,6 +299,7 @@ $(FCPATH): $(FC) $(USERPATH)/system.users
 	$(QUIET) install -m 644 $(FC) $(FCPATH)
 #	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
 #	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
+	$(QUIET) $(FCSORT) $(FCPATH) $(FCPATH)
 ########################################
 #
@@ -422,6 +423,8 @@ clean:
 	rm -f $(FC)
 bare: clean
+	rm -f $(SUPPORT)/*.pyc
+	rm -f $(FCSORT)
 	rm -f $(MOD_DISABLE)
 	rm -f $(TUNABLES)
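Review bot: The rewritten `conf $(MOD_DISABLE) $(TUNABLES)` recipe keeps seven commented-out `#	@echo …` / `#	@for …` lines (the old hand-rolled module-list writer) directly under the new `@echo "Creating …"`; now that `$(GENDOC) … -m $(MOD_DISABLE)` owns that output they are dead recipe text that looks as if it might still run, so delete them instead of commenting them out. The old `$(QUIET) touch $(TUNABLES)` is also gone, so the rule now depends on sedoctool creating `$(TUNABLES)` itself even when the policy declares no tunables — worth confirming, otherwise make will consider the target missing on every run. Separately, the three-name header is three independent rules sharing one recipe, so under `make -j` sedoctool can be started up to three times writing the same two files concurrently; make `$(MOD_DISABLE): tmp/policy.xml` the single real rule and have `$(TUNABLES)` and `conf` depend on it (or use a stamp file).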
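Review bot: `$(QUIET) $(FCSORT) $(FCPATH) $(FCPATH)` rewrites the just-installed file_contexts in place, so if fc_sort fails or is interrupted after opening its output, `$(FCPATH)` is left truncated yet newer than `$(FC)` and a re-run of make will not rebuild it — and a truncated file_contexts silently mislabels everything setfiles/restorecon touches from then on. Sort first and install the result instead: `$(QUIET) $(FCSORT) $(FC) tmp/file_contexts.sorted` followed by `$(QUIET) install -m 644 tmp/file_contexts.sorted $(FCPATH)` (a `.DELETE_ON_ERROR:` at the top of the Makefile would cover the remaining failure modes). `$(FCSORT)` is also executed without being a prerequisite of the rule, and nothing in this diff builds it although `bare` removes it, which suggests it is a compiled helper; adding it to the prerequisite list makes a missing binary fail before the unsorted copy has already been installed. The rule header `$(FCPATH): $(FC) $(USERPATH)/system.users` sits outside the hunk.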
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index d3fd863..4560712 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -50,7 +50,7 @@ files_ignore_read_rootfs_file(consoletype_t)
 libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(consoletype_t)
 ')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 30b7389..eb8b780 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -49,7 +49,7 @@ miscfiles_read_localization(dmesg_t)
 userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dmesg_t)
 	terminal_ignore_use_general_pseudoterminal(dmesg_t)
 	files_ignore_read_rootfs_file(dmesg_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 7e40d50..6defbf2 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -139,13 +139,13 @@ miscfiles_read_localization(bootloader_t)
 selinux_read_binary_policy(bootloader_t)
 selinux_read_load_policy_binary(bootloader_t)
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 	allow bootloader_t boot_t:file relabelfrom;
 ')
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
@@ -190,7 +190,7 @@ allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 	allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -203,7 +203,7 @@ tunable_policy(`distro_debian', `
 	can_exec(bootloader_t, usr_t)
 ')
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t file_t:dir create_dir_perms;
 	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 535416b..44d6b21 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -62,11 +62,11 @@ define(`terminal_make_physical_terminal',`
 	# Debian login is from shadow utils and does not allow resetting the perms.
 	# have to fix this!
-	tunable_policy(`distro_debian',`
+	ifdef(`distro_debian',`
 		type_change $1 ttyfile:chr_file $2;
 	')
-	tunable_policy(`distro_redhat',`
+	ifdef(`distro_redhat',`
 		filesystem_tmpfs_associate($2)
 	')
 ')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 3c7fe1b..8f4b821 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -124,7 +124,7 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(crond_t)
 	terminal_ignore_use_general_pseudoterminal(crond_t)
 	files_ignore_read_rootfs_file(crond_t)
@@ -348,7 +348,7 @@ ifdef(`apache.te', `
 	allow system_crond_t httpd_log_t:file { getattr read };
 ')
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	optional_policy(`rpm.te', `
 		allow system_crond_t rpm_log_t:file create_file_perms;
 	')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index db452c5..643b174 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -27,7 +27,7 @@ type system_mail_t; #, user_mail_domain, nscd_client_domain;
 domain_make_domain(system_mail_t)
 role system_r types system_mail_t;
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	optional_policy(`sendmail.te', `
 		domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
 	', `
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6c98d27..5b643a1 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -174,7 +174,7 @@ tunable_policy(`direct_sysadm_daemon', `
 	dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(pam_console_t)
 	terminal_ignore_use_general_pseudoterminal(pam_console_t)
 	files_ignore_read_rootfs_file(pam_console_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 51a481a..5ba29d9 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -57,7 +57,7 @@ logging_send_system_log_message(hwclock_t)
 miscfiles_read_localization(hwclock_t)
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hwclock_t)
 	terminal_ignore_use_general_pseudoterminal(hwclock_t)
 	files_ignore_read_rootfs_file(hwclock_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 4656474..178c4b6 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -54,11 +54,11 @@ miscfiles_read_localization(hostname_t)
 userdomain_use_all_users_file_descriptors(hostname_t)
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(hostname_t)
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hostname_t)
 	terminal_ignore_use_general_pseudoterminal(hostname_t)
 	files_ignore_read_rootfs_file(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a80fa32..020d664 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -108,7 +108,7 @@ sysnetwork_read_network_config(hotplug_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	optional_policy(`netutils.te', `
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_transition(hotplug_t)
@@ -117,7 +117,7 @@ tunable_policy(`distro_redhat', `
 	files_get_system_lock_file_attributes(hotplug_t)
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hotplug_t)
 	terminal_ignore_use_general_pseudoterminal(hotplug_t)
 	files_ignore_read_rootfs_file(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7a1e77b..65bb7c9 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -139,7 +139,7 @@ selinux_read_config(init_t)
 miscfiles_read_localization(init_t)
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(init_t)
 	filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
@@ -307,11 +307,11 @@ userdomain_read_all_users_data(initrc_t)
 # started from init should be placed in their own domain.
 userdomain_use_admin_terminals(initrc_t)
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
 ')
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from kmodule, which should get its own policy:
 	allow initrc_t self:capability sys_admin;
@@ -399,7 +399,7 @@ su_restricted_domain(initrc,system)
 	role system_r types initrc_su_t;
 ')
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow initrc_t { etc_t device_t }:dir setattr;
 	# for storing state under /dev/shm
@@ -407,12 +407,12 @@ tunable_policy(`distro_debian', `
 	file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 ')
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# readahead asks for these
 	allow initrc_t var_lib_nfs_t:file { getattr read };
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 	allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 	allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 89c8fd2..9949f0f 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -96,7 +96,7 @@ optional_policy(`udev.te', `
 	udev_read_database(iptables_t)
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(iptables_t)
 	terminal_ignore_use_general_pseudoterminal(iptables_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index c296763..b5b127f 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -235,7 +235,7 @@ ifdef(`monolithic_policy',`
 	ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy
-tunable_policy(`sulogin_no_pam', `
+ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
 	init_get_process_group(sulogin_t)
 ', `
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 1053f7d..beb0e0d 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -274,7 +274,7 @@ tunable_policy(`direct_sysadm_daemon',`
 	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
-tunable_policy(`distro_suse', `
+ifdef(`distro_suse', `
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 00e3ac9..a58388f 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -135,12 +135,12 @@ selinux_read_config(lvm_t)
 selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_modify_isid_type_dir(lvm_t)
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(lvm_t)
 	terminal_ignore_use_general_pseudoterminal(lvm_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 7cf5390..13d3ab2 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
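Review bot: The new `ifdef(`sulogin_no_pam', …)` tests a symbol that, per the two context lines directly above it, is only `define`d inside `ifdef(`monolithic_policy', …)` (that enclosing block opens before the hunk), so on a loadable-module build `sulogin_no_pam` is never defined and Debian silently gets the PAM branch regardless of `distro_debian`. That is a behavioural difference between the two build modes on a login path, and nothing in the file flags it; either hoist `ifdef(`distro_debian', `define(`sulogin_no_pam')')` out of the monolithic guard if it is meant for both, or add a comment such as `# sulogin_no_pam is only ever defined for monolithic builds; loadable modules always take the PAM branch below` so the asymmetry reads as deliberate. The `ifdef`'s else branch continues past the end of the hunk.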
@@ -68,7 +68,7 @@ miscfiles_read_localization(mount_t)
 userdomain_use_all_users_file_descriptors(mount_t)
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(mount_t)
 	allow mount_t tmpfs_t:dir mounton;
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 4c84ad7..17a0c37 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(restorecon_t)
 	filesystem_use_tmpfs_block_devices(restorecon_t)
 	filesystem_relabel_tmpfs_block_devices(restorecon_t)
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 ifdef(`TODO',`
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 4c84ad7..17a0c37 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(restorecon_t)
 	filesystem_use_tmpfs_block_devices(restorecon_t)
 	filesystem_relabel_tmpfs_block_devices(restorecon_t)
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 ifdef(`TODO',`
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 27d68bf..f7ad7bd 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -140,7 +140,7 @@ ifdef(`distro_redhat', `
 	files_execute_system_config_script(dhcpc_t)
 ')
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dhcpc_t)
 	terminal_ignore_use_general_pseudoterminal(dhcpc_t)
@@ -205,7 +205,7 @@ allow hotplug_t dhcpc_t:process signal_perms;
 allow hotplug_t dhcpc_var_run_t:file { getattr read };
 allow hotplug_t dhcp_etc_t:file rw_file_perms;
 allow dhcpc_t hotplug_etc_t:dir { getattr search };
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	logging_syslogd_transition(dhcpc_t)
 ')
 ')dnl end hotplug.te
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index b12a556..40e2b34 100644
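Review bot: This `selinuxutil.te` section is the same three hunks as the `selinux.te` section just above it, and both file headers carry `index 4c84ad7..17a0c37`, i.e. the tree holds byte-identical copies of this module under two names and the commit patches both in lockstep. If both are picked up by the module list, every type and role they declare (`restorecon_t`, `run_init_t`, …) is declared twice, and if only one is, the other is dead policy that will drift the next time someone edits just one of them. Delete the stale copy in this commit instead of maintaining both; if one must stay for a transition, add a comment at its top saying it is a copy of the other and which one is built. The enclosing `ifdef(`TODO',` block in the last hunk closes outside the hunk.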
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -113,13 +113,13 @@ selinux_restorecon_transition(udev_t)
 sysnetwork_ifconfig_transition(udev_t)
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_manage_tmpfs_block_devices(udev_t)
 	filesystem_manage_tmpfs_character_devices(udev_t)
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_transition(udev_t)
-') dnl end ifdef distro_redhat
+')
 optional_policy(`authlogin.te',`
 	authlogin_pam_console_read_runtime_data(udev_t)
@@ -156,12 +156,11 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 dbusd_client(system, udev)
-# Ifdefs
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	allow udev_t tmpfs_t:sock_file create_file_perms;
 	allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 	allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
-') dnl end ifdef distro_redhat
+')
 tunable_policy(`hide_broken_symptoms',`
 	dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 9aae29c..877af67 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -99,7 +99,10 @@ role_change(sysadm, staff)
 # only staff_r can change to sysadm_r
 role_change(staff, sysadm)
-tunable_policy(`user_canbe_sysadm',`
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
 	role_change(user,sysadm)
 ')
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index a70719d..ad26530 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
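Review bot: `ifdef(`user_canbe_sysadm', …)` turns the user_r→sysadm_r `role_change` — a privilege-escalation path — into a build-time switch, but nothing in this diff defines that m4 symbol and the new three-line comment does not say where it must be set, so the rule is silently compiled in or silently absent depending on the build environment. If the tunables file written by `sedoctool -t` (Makefile hunk in this commit) still lists `user_canbe_sysadm` as a boolean, toggling it with setsebool after this change is a no-op that an administrator will not notice. Either drop it from the tunable list or extend the comment to `# user_canbe_sysadm is now a build-time m4 define (set it in the build configuration); it is NOT a runtime boolean and setsebool has no effect on it`, and note that the block should revert to `tunable_policy` once role rules are accepted inside conditionals.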
@@ -9,9 +9,9 @@
 # For adding the module statement
 #
 define(`policy_module',`
-ifdef(`monolithic_policy',`',`
-module $1 $2;
-')
+	ifdef(`monolithic_policy',`',`
+		module $1 $2;
+	')
 ')
 ##############################
@@ -19,42 +19,46 @@ module $1 $2;
 # For use in interfaces, to optionally insert a requires block
 #
 define(`requires_block_template',`
-ifdef(`monolithic_policy',`',`
-require {
-$1
-}
-') dnl end ifdef monolithic_policy
-') dnl end requires_block_template
+	ifdef(`monolithic_policy',`',`
+		require {
+			$1
+		}
+	')
 ')
 ##############################
 #
 # Optional policy handling
 #
 define(`optional_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end optional_policy
+	ifdef(`monolithic_policy',`
+		ifdef(`$1',$2,$3)
+	',`
+		optional {
+			$2
+		} else {
+			$3
+		}
+	')
 ')
 ##############################
 #
 # Tunable policy handling
 #
 define(`tunable_policy',`
-ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
-',`
-optional {
-require { $1 }
-$2
-} else {
-$3
-}
-') dnl end ifdef monolithic_policy
-') dnl end tunable_policy
+	ifdef(`monolithic_policy',`
+		if (`$1') {
+			$2
+		} else {
+			$3
+		}
+	',`
+		optional {
+			require { `$1' }
+			$2
+		} else {
+			$3
+		}
+	')
 ')
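Review bot: In the monolithic branch `tunable_policy` now expands to a runtime `if (`$1') { … } else { … }` instead of the old build-time `ifdef(`$1',$2,$3)`, so every remaining call site's first argument must be a declared policy boolean — which is why the `distro_*`/`targeted_policy` callers in this commit had to move to `ifdef`; any surviving `tunable_policy(`distro_…')` elsewhere in the tree will now fail at policy-compile time, and the commit message should say so. The same restriction applies to the bodies: as the new userdomain.te comment in this commit says, `type_change` and role rules are not accepted inside conditionals, so `$2`/`$3` may no longer contain them. In the loadable branch the new `require { `$1' }` lists the symbol bare, inherited from the old text; as far as I recall the module grammar a require block names the kind and terminates each entry (`require { bool $1; }`), so confirm this against checkmodule before it lands. Finally, the `dnl end …` trailers that documented which `')` closes which macro were dropped along with the reindent; the indentation now carries that information, so add a one-line comment above `define(`tunable_policy',`` stating that `$1` must be a declared bool.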