Diffstat (limited to 'policy/support')
-rw-r--r--policy/support/file_patterns.spt556
-rw-r--r--policy/support/ipc_patterns.spt14
-rw-r--r--policy/support/loadable_module.spt146
-rw-r--r--policy/support/misc_macros.spt78
-rw-r--r--policy/support/misc_patterns.spt58
-rw-r--r--policy/support/mls_mcs_macros.spt57
-rw-r--r--policy/support/obj_perm_sets.spt273
7 files changed, 1182 insertions, 0 deletions
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
new file mode 100644
index 000000000..8b785c9a3
--- /dev/null
+++ b/policy/support/file_patterns.spt
@@ -0,0 +1,556 @@
+#
+# Directory patterns (dir)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. directory type
+#
+define(`getattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir getattr_dir_perms;
+')
+
+define(`setattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir setattr_dir_perms;
+')
+
+define(`search_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir search_dir_perms;
+')
+
+define(`list_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir list_dir_perms;
+')
+
+define(`add_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir add_entry_dir_perms;
+')
+
+define(`del_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir del_entry_dir_perms;
+')
+
+define(`rw_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir { add_entry_dir_perms del_entry_dir_perms };
+')
+
+define(`create_dirs_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:dir create_dir_perms;
+')
+
+define(`delete_dirs_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:dir delete_dir_perms;
+')
+
+define(`rename_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir rename_dir_perms;
+')
+
+define(`manage_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir manage_dir_perms;
+')
+
+define(`relabelfrom_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelfrom_dir_perms;
+')
+
+define(`relabelto_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelto_dir_perms;
+')
+
+define(`relabel_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabel_dir_perms;
+')
+
+#
+# Regular file patterns (file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file getattr_file_perms;
+')
+
+define(`setattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file setattr_file_perms;
+')
+
+define(`read_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file read_file_perms;
+')
+
+define(`mmap_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_file_perms;
+')
+
+define(`exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file exec_file_perms;
+')
+
+define(`append_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file append_file_perms;
+')
+
+define(`write_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file write_file_perms;
+')
+
+define(`rw_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file rw_file_perms;
+')
+
+define(`create_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:file create_file_perms;
+')
+
+define(`delete_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:file delete_file_perms;
+')
+
+define(`rename_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file rename_file_perms;
+')
+
+define(`manage_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file manage_file_perms;
+')
+
+define(`relabelfrom_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelfrom_file_perms;
+')
+
+define(`relabelto_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelto_file_perms;
+')
+
+define(`relabel_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabel_file_perms;
+')
+
+#
+# Symbolic link patterns (lnk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file getattr_lnk_file_perms;
+')
+
+define(`setattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file setattr_lnk_file_perms;
+')
+
+define(`read_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file read_lnk_file_perms;
+')
+
+define(`append_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file append_lnk_file_perms;
+')
+
+define(`write_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file write_lnk_file_perms;
+')
+
+define(`rw_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file rw_lnk_file_perms;
+')
+
+define(`create_lnk_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:lnk_file create_lnk_file_perms;
+')
+
+define(`delete_lnk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:lnk_file delete_lnk_file_perms;
+')
+
+define(`rename_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file rename_lnk_file_perms;
+')
+
+define(`manage_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file manage_lnk_file_perms;
+')
+
+define(`relabelfrom_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelfrom_lnk_file_perms;
+')
+
+define(`relabelto_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelto_lnk_file_perms;
+')
+
+define(`relabel_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabel_lnk_file_perms;
+')
+
+#
+# (Un)named Pipes/FIFO patterns (fifo_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file getattr_fifo_file_perms;
+')
+
+define(`setattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file setattr_fifo_file_perms;
+')
+
+define(`read_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file read_fifo_file_perms;
+')
+
+define(`append_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file append_fifo_file_perms;
+')
+
+define(`write_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file write_fifo_file_perms;
+')
+
+define(`rw_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file rw_fifo_file_perms;
+')
+
+define(`create_fifo_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:fifo_file create_fifo_file_perms;
+')
+
+define(`delete_fifo_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:fifo_file delete_fifo_file_perms;
+')
+
+define(`rename_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file rename_fifo_file_perms;
+')
+
+define(`manage_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelfrom_fifo_file_perms;
+')
+
+define(`relabelto_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelto_fifo_file_perms;
+')
+
+define(`relabel_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabel_fifo_file_perms;
+')
+
+#
+# (Un)named sockets patterns (sock_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file getattr_sock_file_perms;
+')
+
+define(`setattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file setattr_sock_file_perms;
+')
+
+define(`read_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file read_sock_file_perms;
+')
+
+define(`write_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+')
+
+define(`rw_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file rw_sock_file_perms;
+')
+
+define(`create_sock_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:sock_file create_sock_file_perms;
+')
+
+define(`delete_sock_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:sock_file delete_sock_file_perms;
+')
+
+define(`rename_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file rename_sock_file_perms;
+')
+
+define(`manage_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file manage_sock_file_perms;
+')
+
+define(`relabelfrom_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelfrom_sock_file_perms;
+')
+
+define(`relabelto_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelto_sock_file_perms;
+')
+
+define(`relabel_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabel_sock_file_perms;
+')
+
+#
+# Block device node patterns (blk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file getattr_blk_file_perms;
+')
+
+define(`setattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file setattr_blk_file_perms;
+')
+
+define(`read_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file read_blk_file_perms;
+')
+
+define(`append_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file append_blk_file_perms;
+')
+
+define(`write_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file write_blk_file_perms;
+')
+
+define(`rw_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file rw_blk_file_perms;
+')
+
+define(`create_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:blk_file create_blk_file_perms;
+')
+
+define(`delete_blk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:blk_file delete_blk_file_perms;
+')
+
+define(`rename_blk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file rename_blk_file_perms;
+')
+
+define(`manage_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file manage_blk_file_perms;
+')
+
+define(`relabelfrom_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelfrom_blk_file_perms;
+')
+
+define(`relabelto_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelto_blk_file_perms;
+')
+
+define(`relabel_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabel_blk_file_perms;
+')
+
+#
+# Character device node patterns (chr_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file getattr_chr_file_perms;
+')
+
+define(`setattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file setattr_chr_file_perms;
+')
+
+define(`read_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file read_chr_file_perms;
+')
+
+define(`append_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file append_chr_file_perms;
+')
+
+define(`write_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file write_chr_file_perms;
+')
+
+define(`rw_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file rw_chr_file_perms;
+')
+
+define(`create_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:chr_file create_chr_file_perms;
+')
+
+define(`delete_chr_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:chr_file delete_chr_file_perms;
+')
+
+define(`rename_chr_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file rename_chr_file_perms;
+')
+
+define(`manage_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file manage_chr_file_perms;
+')
+
+define(`relabelfrom_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelfrom_chr_file_perms;
+')
+
+define(`relabelto_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelto_chr_file_perms;
+')
+
+define(`relabel_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabel_chr_file_perms;
+')
+
+#
+# File type_transition patterns
+#
+# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
+#
+define(`filetrans_add_pattern',`
+ allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
+ type_transition $1 $2:$4 $3 $5;
+')
+
+#
+# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
+#
+define(`filetrans_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ type_transition $1 $2:$4 $3 $5;
+')
+
+define(`admin_pattern',`
+ manage_dirs_pattern($1,$2,$2)
+ manage_files_pattern($1,$2,$2)
+ manage_lnk_files_pattern($1,$2,$2)
+ manage_fifo_files_pattern($1,$2,$2)
+ manage_sock_files_pattern($1,$2,$2)
+
+ relabel_dirs_pattern($1,$2,$2)
+ relabel_files_pattern($1,$2,$2)
+ relabel_lnk_files_pattern($1,$2,$2)
+ relabel_fifo_files_pattern($1,$2,$2)
+ relabel_sock_files_pattern($1,$2,$2)
+')
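Review bot: admin_pattern at the end of the hunk is the only macro in this file with no header comment, yet it is the one that grants the widest access (manage plus relabel on five object classes of the same type). A header in the file's existing style would make its scope explicit, e.g. `# admin_pattern(domain,type)` followed by `# Full management and relabeling of dirs, files, lnk/fifo/sock files of type; blk_file and chr_file are intentionally left out, so no capability mknod is granted`. Stating the blk/chr exclusion matters because the manage_blk/chr_files_pattern macros above do grant `self:capability mknod`, and a caller reaching for admin_pattern should not assume it covers device nodes.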
diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
new file mode 100644
index 000000000..310f9ef8c
--- /dev/null
+++ b/policy/support/ipc_patterns.spt
@@ -0,0 +1,14 @@
+#
+# unix domain socket patterns
+#
+define(`stream_connect_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+ allow $1 $4:unix_stream_socket connectto;
+')
+
+define(`dgram_send_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_sock_file_perms;
+ allow $1 $4:unix_dgram_socket sendto;
+')
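Review bot: Neither stream_connect_pattern nor dgram_send_pattern documents its four parameters, and the fourth one (the domain whose socket receives the connectto/sendto) is the one callers are most likely to confuse with the socket file type. A header in the style used by file_patterns.spt would remove the ambiguity, e.g. `# stream_connect_pattern(domain,dirtype,sockfiletype,serverdomain)` and `# dgram_send_pattern(domain,dirtype,sockfiletype,serverdomain)`. It is also worth noting in that header that write_sock_file_perms expands to `{ getattr write open append }`, so the client gains open/append on the socket node as well, which is the expected minimum for connect().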
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
new file mode 100644
index 000000000..03906bc44
--- /dev/null
+++ b/policy/support/loadable_module.spt
@@ -0,0 +1,146 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ ifndef(`self_contained_policy',`
+ module $1 $2;
+
+ require {
+ role system_r;
+ all_kernel_class_perms
+
+ ifdef(`enable_mcs',`
+ decl_sens(0,0)
+ decl_cats(0,decr(mcs_num_cats))
+ ')
+
+ ifdef(`enable_mls',`
+ decl_sens(0,decr(mls_num_sens))
+ decl_cats(0,decr(mls_num_cats))
+ ')
+ }
+ ')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+ ifdef(`self_contained_policy',`
+ ifdef(`__in_optional_policy',`
+ require {
+ $1
+ } # end require
+ ')
+ ',`
+ require {
+ $1
+ } # end require
+ ')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',` dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ `define(`$1',` dnl
+ pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ $2 dnl
+ popdef(`policy_call_depth') dnl
+ policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ '')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',` dnl
+ ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl
+ `define(`$1',` dnl
+ pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ $2
+ popdef(`policy_call_depth') dnl
+ policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ '')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ optional {`'pushdef(`__in_optional_policy')
+ $1
+ ifelse(`$2',`',`',`} else {
+ $2
+ ')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`declare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ gen_require(`
+ declare_required_symbols(`$1')
+ ')
+ if (`$1') {
+ $2
+ ifelse(`$3',`',`',`} else {
+ $3
+ ')}
+')
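Review bot: gen_tunable near the end of the hunk expands to the same `bool $1 dflt_or_overr(`$1'_conf,$2);` statement as gen_bool in misc_macros.spt, so the compiled policy cannot distinguish a tunable from a boolean even though this file treats tunable_policy as its own construct. If that is intentional for the checkpolicy version targeted, the header should say so, e.g. `# Tunables are currently emitted as ordinary booleans; the tunable/boolean distinction is documentation-only`. The declare_required_symbols comment already admits that expressions with parentheses are not handled; since tunable_policy feeds `$1` straight into it, that limitation belongs in the tunable_policy header as well, where module authors will actually see it.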
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
new file mode 100644
index 000000000..4ca5688c3
--- /dev/null
+++ b/policy/support/misc_macros.spt
@@ -0,0 +1,78 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+#
+# ifndef(expr,true_block,false_block)
+#
+# m4 does not have this.
+#
+define(`ifndef',`ifdef(`$1',`$3',`$2')')
+
+#
+# __endline__
+#
+# dummy macro to insert a newline. used for
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
+########################################
+#
+# refpolwarn(message)
+#
+# print a warning message
+#
+define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)')
+
+########################################
+#
+# refpolerr(message)
+#
+# print an error message. does not
+# make anything fail.
+#
+define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)')
+
+########################################
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+
+########################################
+#
+# can_exec(domain,executable)
+#
+define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+')
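Review bot: The header comments name the macros `refpolwarn(message)` and `refpolerr(message)`, but the definitions directly below them are `refpolicywarn` and `refpolicyerr`, which is also the spelling loadable_module.spt calls. Change the two headers to `# refpolicywarn(message)` and `# refpolicyerr(message)` so a reader grepping for the documented name finds the definition. The refpolicyerr header's "does not make anything fail" is accurate for the macro itself; it may be worth adding that callers such as template/interface set `__if_error` separately when they want the build to notice.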
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
new file mode 100644
index 000000000..e79d54501
--- /dev/null
+++ b/policy/support/misc_patterns.spt
@@ -0,0 +1,58 @@
+#
+# Specified domain transition patterns
+#
+define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+ dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+# compatibility:
+define(`domain_trans',`domain_transition_pattern($*)')
+
+define(`spec_domtrans_pattern',`
+ allow $1 self:process setexec;
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Automatic domain transition patterns
+#
+define(`domain_auto_transition_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
+
+# compatibility:
+define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+
+define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Dynamic transition pattern
+#
+define(`dyntrans_pattern',`
+ allow $1 self:process setcurrent;
+ allow $1 $2:process dyntransition;
+ allow $2 $1:process sigchld;
+')
+
+#
+# Other process permissions
+#
+define(`ps_process_pattern',`
+ allow $1 $2:dir list_dir_perms;
+ allow $1 $2:file read_file_perms;
+ allow $1 $2:lnk_file read_lnk_file_perms;
+ allow $1 $2:process getattr;
+')
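Review bot: domain_transition_pattern and the patterns built on it document no parameters, and the pattern grants `allow $1 $3:process transition` with no `entrypoint` rule for $3 on $2, so it presumably relies on the target domain having entrypoint on the executable type granted elsewhere — confirm and state it. A header such as `# domain_transition_pattern(domain,entrypoint_file_type,target_domain)` with `# Assumes target_domain already has entrypoint on entrypoint_file_type` would capture that, and the same parameter order applies to spec_domtrans_pattern, domain_auto_transition_pattern and domtrans_pattern. dyntrans_pattern deserves a similar note: dyntransition does not go through an entrypoint executable, so the `setcurrent` it grants on the source domain should only be used where the program itself enforces the switch.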
diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt
new file mode 100644
index 000000000..7593e20d0
--- /dev/null
+++ b/policy/support/mls_mcs_macros.spt
@@ -0,0 +1,57 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
+define(`mcs_systemlow',`s0')
+define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
+define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
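Review bot: decl_cats, decl_sens and decl_levels only stop recursing when $1 equals $2, so gen_cats(0), gen_sens(0) or gen_levels(N,0) pass decr(0) = -1 as the bound and never terminate, because the counter starts at 0 and only increments. Guarding the wrappers, e.g. `define(`gen_cats',`ifelse($1,0,,`decl_cats(0,decr($1))')')` and the same for gen_sens and gen_levels, closes that, or the headers should state that N and M must be at least 1; policy_module in loadable_module.spt calls decl_cats with decr(mcs_num_cats) directly, so that caller needs the same guard. The headers also carry two typos, `categores` and `sensitivites`, and the first header documents gen_cats(N) while sitting above the decl_cats helper.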
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
new file mode 100644
index 000000000..6e9131723
--- /dev/null
+++ b/policy/support/obj_perm_sets.spt
@@ -0,0 +1,273 @@
+########################################
+#
+# Support macros for sets of object classes and permissions
+#
+# This file should only have object class and permission set macros - they
+# can only reference object classes and/or permissions.
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+#
+# Datagram socket classes.
+#
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+########################################
+#
+# Macros for sets of permissions
+#
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+#
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+#
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+#
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+#
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+#
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+#
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+########################################
+#
+# New permission sets
+#
+
+#
+# Directory (dir)
+#
+define(`getattr_dir_perms',`{ getattr }')
+define(`setattr_dir_perms',`{ setattr }')
+define(`search_dir_perms',`{ getattr search open }')
+define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
+define(`create_dir_perms',`{ getattr create }')
+define(`rename_dir_perms',`{ getattr rename }')
+define(`delete_dir_perms',`{ getattr rmdir }')
+define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+define(`relabelto_dir_perms',`{ getattr relabelto }')
+define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Regular file (file)
+#
+define(`getattr_file_perms',`{ getattr }')
+define(`setattr_file_perms',`{ setattr }')
+define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_file_perms',`{ getattr create open }')
+define(`rename_file_perms',`{ getattr rename }')
+define(`delete_file_perms',`{ getattr unlink }')
+define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_file_perms',`{ getattr relabelto }')
+define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Symbolic link (lnk_file)
+#
+define(`getattr_lnk_file_perms',`{ getattr }')
+define(`setattr_lnk_file_perms',`{ setattr }')
+define(`read_lnk_file_perms',`{ getattr read }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`create_lnk_file_perms',`{ create getattr }')
+define(`rename_lnk_file_perms',`{ getattr rename }')
+define(`delete_lnk_file_perms',`{ getattr unlink }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Pipes/FIFOs (fifo_file)
+#
+define(`getattr_fifo_file_perms',`{ getattr }')
+define(`setattr_fifo_file_perms',`{ setattr }')
+define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_fifo_file_perms',`{ getattr create open }')
+define(`rename_fifo_file_perms',`{ getattr rename }')
+define(`delete_fifo_file_perms',`{ getattr unlink }')
+define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Sockets (sock_file)
+#
+define(`getattr_sock_file_perms',`{ getattr }')
+define(`setattr_sock_file_perms',`{ setattr }')
+define(`read_sock_file_perms',`{ getattr open read }')
+define(`write_sock_file_perms',`{ getattr write open append }')
+define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`create_sock_file_perms',`{ getattr create open }')
+define(`rename_sock_file_perms',`{ getattr rename }')
+define(`delete_sock_file_perms',`{ getattr unlink }')
+define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
+define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_sock_file_perms',`{ getattr relabelto }')
+define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Block device nodes (blk_file)
+#
+define(`getattr_blk_file_perms',`{ getattr }')
+define(`setattr_blk_file_perms',`{ setattr }')
+define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_blk_file_perms',`{ getattr create }')
+define(`rename_blk_file_perms',`{ getattr rename }')
+define(`delete_blk_file_perms',`{ getattr unlink }')
+define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Character device nodes (chr_file)
+#
+define(`getattr_chr_file_perms',`{ getattr }')
+define(`setattr_chr_file_perms',`{ setattr }')
+define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_chr_file_perms',`{ getattr create }')
+define(`rename_chr_file_perms',`{ getattr rename }')
+define(`delete_chr_file_perms',`{ getattr unlink }')
+define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+
+########################################
+#
+# Special permission sets
+#
+
+#
+# Use (read and write) terminals
+#
+define(`rw_term_perms', `{ getattr open read write append ioctl }')
+
+#
+# Sockets
+#
+define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+#
+# Keys
+#
+define(`manage_key_perms', `{ create link read search setattr view write } ')
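Review bot: The headers above connected_socket_perms and connected_stream_socket_perms both repeat `Permissions for creating and using sockets.`, which is already the header of create_socket_perms and hides the one thing that distinguishes these sets: they omit connect. Suggest `# Permissions for creating and using sockets that are already connected (no connect).` and `# Permissions for creating and using stream sockets that are already connected (no connect).`. Further down, create_netlink_socket_perms and rw_netlink_socket_perms expand to the identical set, so the "modify state" wording in the second header is not reflected in the permissions; either define one in terms of the other or document that they are aliases.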