diff --git a/refpolicy/Changelog b/refpolicy/Changelog index db66471..82a1694 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,6 @@ +- Added modules: + usernetctl + * Tue Jan 17 2006 Chris PeBenito - 20060117 - Adds support for generating corenetwork interfaces based on attributes in addition to types. diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if index 29e69fa..42a741b 100644 --- a/refpolicy/policy/modules/admin/consoletype.if +++ b/refpolicy/policy/modules/admin/consoletype.if @@ -29,6 +29,31 @@ interface(`consoletype_domtrans',` ######################################## ## +## Execute consoletype in the consoletype domain, and +## allow the specified role the consoletype domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the consoletype domain. +## +## +## The type of the terminal allow the consoletype domain to use. +## +# +interface(`consoletype_run',` + gen_require(` + type consoletype_t; + ') + + consoletype_domtrans($1) + role $2 types consoletype_t; + allow consoletype_t $3:chr_file rw_term_perms; +') + +######################################## +## ## Execute consoletype in the caller domain. ## ## diff --git a/refpolicy/policy/modules/apps/usernetctl.fc b/refpolicy/policy/modules/apps/usernetctl.fc new file mode 100644 index 0000000..aa07e1e --- /dev/null +++ b/refpolicy/policy/modules/apps/usernetctl.fc @@ -0,0 +1,2 @@ + +/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0) diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if new file mode 100644 index 0000000..ce58e42 --- /dev/null +++ b/refpolicy/policy/modules/apps/usernetctl.if @@ -0,0 +1,66 @@ +## User network interface configuration helper + +######################################## +## +## Execute usernetctl in the usernetctl domain. +## +## +## Domain allowed access. +## +# +interface(`usernetctl_domtrans',` + gen_require(` + type usernetctl_t, usernetctl_exec_t; + ') + + tunable_policy(`user_net_control',` + domain_auto_trans($1,usernetctl_exec_t,usernetctl_t) + + allow $1 usernetctl_t:fd use; + allow usernetctl_t $1:fd use; + allow usernetctl_t $1:fifo_file rw_file_perms; + allow usernetctl_t $1:process sigchld; + ',` + can_exec($1,usernetctl_exec_t) + ') +') + +######################################## +## +## Execute usernetctl in the usernetctl domain, and +## allow the specified role the usernetctl domain. +## +## +## Domain allowed access. +## +## +## The role to be allowed the usernetctl domain. +## +## +## The type of the terminal allow the usernetctl domain to use. +## +# +interface(`usernetctl_run',` + gen_require(` + type usernetctl_t; + ') + + usernetctl_domtrans($1) + role $2 types usernetctl_t; + allow usernetctl_t $3:chr_file rw_term_perms; + + sysnet_run_ifconfig(usernetctl_t,$2,$3) + sysnet_run_dhcpc(usernetctl_t,$2,$3) + + optional_policy(`consoletype',` + consoletype_run(usernetctl_t,$2,$3) + ') + + optional_policy(`iptables',` + iptables_run(usernetctl_t,$2,$3) + ') + + optional_policy(`modutils',` + modutils_run_insmod(usernetctl_t,$2,$3) + ') +') diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te new file mode 100644 index 0000000..ec38a72 --- /dev/null +++ b/refpolicy/policy/modules/apps/usernetctl.te @@ -0,0 +1,70 @@ + +policy_module(usernetctl,1.0.0) + +######################################## +# +# Declarations +# + +type usernetctl_t; +type usernetctl_exec_t; +domain_type(usernetctl_t) +domain_entry_file(usernetctl_t,usernetctl_exec_t) +domain_wide_inherit_fd(usernetctl_t) + +######################################## +# +# Local policy +# + +allow usernetctl_t self:capability { setuid setgid dac_override }; +allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow usernetctl_t self:fd use; +allow usernetctl_t self:fifo_file rw_file_perms; +allow usernetctl_t self:shm create_shm_perms; +allow usernetctl_t self:sem create_sem_perms; +allow usernetctl_t self:msgq create_msgq_perms; +allow usernetctl_t self:msg { send receive }; +allow usernetctl_t self:unix_dgram_socket create_socket_perms; +allow usernetctl_t self:unix_stream_socket create_stream_socket_perms; +allow usernetctl_t self:unix_dgram_socket sendto; +allow usernetctl_t self:unix_stream_socket connectto; + +can_exec(usernetctl_t,usernetctl_exec_t) + +kernel_read_system_state(usernetctl_t) +kernel_read_kernel_sysctl(usernetctl_t) + +corecmd_list_bin(usernetctl_t) +corecmd_exec_bin(usernetctl_t) +corecmd_list_sbin(usernetctl_t) +corecmd_exec_sbin(usernetctl_t) +corecmd_exec_shell(usernetctl_t) + +domain_dontaudit_read_all_domains_state(usernetctl_t) + +files_read_etc_files(usernetctl_t) +files_exec_etc_files(usernetctl_t) +files_read_etc_runtime_files(usernetctl_t) +files_list_pids(usernetctl_t) +files_list_home(usernetctl_t) +files_read_usr_files(usernetctl_t) + +fs_search_auto_mountpoints(usernetctl_t) + +libs_use_ld_so(usernetctl_t) +libs_use_shared_libs(usernetctl_t) + +miscfiles_read_localization(usernetctl_t) + +seutil_read_config(usernetctl_t) + +sysnet_read_config(usernetctl_t) + +optional_policy(`hostname',` + hostname_exec(usernetctl_t) +') + +optional_policy(`nis',` + nis_use_ypbind(usernetctl_t) +') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index a19ab64..cace0a0 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -440,6 +440,10 @@ template(`base_user_template',` usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ') + optional_policy(`usernetctl',` + usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + ') + ifdef(`TODO',` # # Cups daemon running as user tries to write /etc/printcap diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 2d36123..a59de33 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.2.0) +policy_module(userdomain,1.2.1) gen_require(` role sysadm_r, staff_r, user_r, secadm_r;