-rw-r--r-- | policy/modules/kernel/devices.if | 56 | ||||
-rw-r--r-- | policy/modules/kernel/files.if | 131 | ||||
-rw-r--r-- | policy/modules/kernel/filesystem.if | 18 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.if | 18 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 34 | ||||
-rw-r--r-- | policy/modules/kernel/terminal.if | 20 |
6 files changed, 277 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 3f0541729..7d99b290d 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',` ######################################## ## <summary> +## Set the attributes on generic +## block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:blk_file setattr; +') + +######################################## +## <summary> ## Dontaudit setattr on generic block devices. ## </summary> ## <param name="domain"> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` ######################################## ## <summary> +## Set the attributes for generic +## character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file setattr; +') + +######################################## +## <summary> ## Dontaudit setattr for generic character device files. ## </summary> ## <param name="domain"> @@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',` ######################################## ## <summary> +## Mount a filesystem on sysfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allow access. +## </summary> +## </param> +# +interface(`dev_mounton_sysfs',` + gen_require(` + type device_t; + ') + + allow $1 sysfs_t:dir mounton; +') + +######################################## +## <summary> ## Associate a file to a sysfs filesystem. ## </summary> ## <param name="file_type"> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 3fc04875c..b5eeaf877 100644 
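Review bot: In `dev_mounton_sysfs` the `gen_require` block declares `type device_t;`, but the rule is `allow $1 sysfs_t:dir mounton;`, so the type the rule actually uses is never required. A caller built outside the module that declares sysfs_t would presumably fail to resolve the type; the require line should read `type sysfs_t;`. The parameter description in the same interface says "Domain allow access." where the two other interfaces added to this file say `Domain allowed access.`.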
--- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1786,6 +1786,25 @@ interface(`files_list_root',` ######################################## ## <summary> +## Delete symbolic links in the +## root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_root_symlinks',` + gen_require(` + type root_t; + ') + + allow $1 root_t:lnk_file delete_lnk_file_perms; +') + +######################################## +## <summary> ## Do not audit attempts to write to / dirs. ## </summary> ## <param name="domain"> @@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',` ######################################## ## <summary> +## Delete character device nodes in +## the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_root_chr_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:chr_file delete_chr_file_perms; +') + +######################################## +## <summary> ## Delete files in the root directory. ## </summary> ## <param name="domain"> @@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',` ######################################## ## <summary> +## Execute files in the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_exec_root_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file exec_file_perms; +') + +######################################## +## <summary> ## Remove entries from the root directory. ## </summary> ## <param name="domain"> 
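Review bot: The summary of `files_exec_root_files` says only "Execute files in the root directory", which does not tell a caller that the executed program stays in the caller's own domain. As defined in the reference policy's permission sets, `exec_file_perms` includes `execute_no_trans`, so anything labelled root_t runs with the full privileges of the domain passed as `$1`. I would word the summary as `## Execute files in the root directory in the caller domain, without a domain transition.` so the scope of the grant is clear when a caller is reviewed.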
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',` ######################################## ## <summary> +## Manage the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_root_dir',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of a rootfs +## file system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_rootfs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:filesystem getattr; +') + +######################################## +## <summary> ## Associate to root file system. ## </summary> ## <param name="file_type"> @@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',` ######################################## ## <summary> +## Get the attributes of the +## etc_runtime directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir getattr; +') + +######################################## +## <summary> +## Mount a filesystem on the +## etc_runtime directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_etc_runtime_dirs',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:dir mounton; +') + +######################################## +## <summary> ## Do not audit attempts to set the attributes of the etc_runtime files ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index c85d8059b..23c7f0864 100644 --- a/policy/modules/kernel/filesystem.if 
+++ b/policy/modules/kernel/filesystem.if @@ -4303,6 +4303,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',` ######################################## ## <summary> +## Delete tmpfs symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_delete_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; +') + +######################################## +## <summary> ## Create, read, write, and delete ## auto moutpoints. ## </summary> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 2c7ad0cc6..6887b00d0 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_dirs',` ######################################## ## <summary> +## Mount the directories in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_mounton_proc_dirs',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + +######################################## +## <summary> ## Get the attributes of files in /proc. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7334dc94a..2a6ab8e89 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; # connections with invalidated labels: allow kernel_t unlabeled_t:packet send; +kernel_mounton_proc_dirs(kernel_t) kernel_request_load_module(kernel_t) # Allow unlabeled network traffic @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) +dev_mounton_sysfs(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # devtmpfs handling: 
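Review bot: The summary `Mount the directories in /proc.` on `kernel_mounton_proc_dirs` does not describe the rule, which grants `mounton` on `proc_t:dir`, that is, permission to use those directories as a mount point. The other mounton interfaces added in this commit say "Mount a filesystem on ...", and I would use `## Mount a filesystem on directories in /proc.` here as well. The wording matters for audits, because a domain holding this permission can cover what other domains read under /proc.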
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) +dev_delete_generic_symlinks(kernel_t) +dev_rw_generic_chr_files(kernel_t) +dev_setattr_generic_blk_files(kernel_t) +dev_setattr_generic_chr_files(kernel_t) +dev_getattr_fs(kernel_t) +dev_getattr_sysfs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t) +fs_getattr_tmpfs(kernel_t) +fs_getattr_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_dirs(kernel_t) +fs_manage_tmpfs_files(kernel_t) +fs_manage_tmpfs_sockets(kernel_t) +fs_delete_tmpfs_symlinks(kernel_t) + +selinux_getattr_fs(kernel_t) selinux_load_policy(kernel_t) +term_getattr_pty_fs(kernel_t) term_use_console(kernel_t) +term_use_generic_ptys(kernel_t) # for kdevtmpfs term_setattr_unlink_unallocated_ttys(kernel_t) @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) +files_getattr_rootfs(kernel_t) +files_manage_root_dir(kernel_t) +files_delete_root_files(kernel_t) +files_exec_root_files(kernel_t) +files_delete_root_symlinks(kernel_t) +files_delete_root_chr_files(kernel_t) files_list_root(kernel_t) files_list_etc(kernel_t) +files_getattr_etc_runtime_dirs(kernel_t) +files_mounton_etc_runtime_dirs(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -343,6 +369,7 @@ optional_policy(` ') optional_policy(` + logging_manage_generic_logs(kernel_t) logging_send_syslog_msg(kernel_t) ') @@ -356,6 +383,12 @@ optional_policy(` ') optional_policy(` + plymouthd_read_lib_files(kernel_t) + term_use_ptmx(kernel_t) + term_use_unallocated_ttys(kernel_t) +') + +optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; 
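Review bot: The new `fs_*_tmpfs*` calls in the hunk at `-268,15` land directly under the existing comment "Mount root file system. Used when loading a policy from initrd", which describes only `fs_mount_all_fs` and `fs_unmount_all_fs`. Nothing states why kernel_t needs to manage tmpfs files, directories and sockets, or to read and write generic character devices. The same gap applies to the root_t block in the hunk at `-289,8` (in particular `files_exec_root_files(kernel_t)` and `files_manage_root_dir(kernel_t)`), to `logging_manage_generic_logs(kernel_t)`, to the plymouthd optional block, and to `seutil_domtrans_setfiles(kernel_t)` in the later hunk. The consumer is not visible in this commit (presumably the initramfs environment running before init takes over), so I would add a one-line comment above each group naming it, for example `# initramfs programs run as kernel_t until init starts: tmpfs and device node handling`. That lets a later audit tell which of these grants to the most privileged domain can be withdrawn when that consumer changes.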
@@ -405,6 +438,7 @@ optional_policy(` optional_policy(` seutil_read_config(kernel_t) seutil_read_bin_policy(kernel_t) + seutil_domtrans_setfiles(kernel_t) ') optional_policy(` diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 86692b04b..05be0475b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` ######################################## ## <summary> +## Get the attributes of the +## /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_getattr_pty_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir getattr; +') + +######################################## +## <summary> ## Do not audit attempts to get the ## attributes of the /dev/pts directory. ## </summary> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` allow $1 devpts_t:chr_file getattr; ') + ######################################## ## <summary> ## Do not audit attempts to get the attributes |
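Review bot: `term_getattr_pty_dirs` is added in the terminal.if hunk at `-403,6`, but the only terminal getattr call this commit adds to kernel.te is `term_getattr_pty_fs(kernel_t)`, a different interface, so the new one has no caller in the visible changes. If the kernel_t rule was meant to cover `devpts_t:dir getattr`, kernel.te should call `term_getattr_pty_dirs(kernel_t)`. Otherwise the interface is unused here and the commit description should say what it is for. The final hunk (`-553,6`) only inserts a second blank line before the `####` separator and can be dropped.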