2010-09-03 22:58:15

by domg472

Subject: [refpolicy] [PATCH] seutils_domtrans_setsebool was still broken.

Signed-off-by: Dominick Grift <[email protected]>

Implement seutil_domtrans_setsebool and add a call to this interface for the following domains:
rpm_script_t, setroubleshoot_fixit_t, anaconda_t.

My previous attempt was broken. This patch should be independent.

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/admin/anaconda.te | 1 +
policy/modules/admin/rpm.te | 1 +
policy/modules/services/setroubleshoot.te | 1 +
policy/modules/system/selinuxutil.fc | 19 +-----
policy/modules/system/selinuxutil.if | 96 +++++++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 93 +++++++++++++---------------
6 files changed, 144 insertions(+), 67 deletions(-)

diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 96f68e9..d1ebb91 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)

seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)

userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 95dbcf3..cfee714 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -331,6 +331,7 @@ modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)

userdom_use_all_users_fds(rpm_script_t)

diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 086cd5f..28ba02d 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -152,6 +152,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)

seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)

files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..ca5e13e 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -1,8 +1,3 @@
-# SELinux userland utilities
-
-#
-# /etc
-#
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
@@ -14,21 +9,12 @@
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)

-#
-# /root
-#
/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0)

-#
-# /sbin
-#
/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)

-#
-# /usr
-#
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)

@@ -42,7 +28,6 @@
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)

-#
-# /var/run
-#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
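Review bot: No file context maps a setsebool binary to setsebool_exec_t, so the domtrans_pattern in the new seutil_domtrans_setsebool interface has no entry point to fire on; this hunk shows /usr/sbin/semanage and /usr/sbin/semodule but nothing for setsebool, and the selinuxutil.te hunk that declares setsebool_exec_t adds no labeling either. Unless the binary is labeled in a part of the file outside these hunks, add `/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)` after the semodule line. The new /var/lib/selinux(/.*)? entry and the removal of the section comments in the earlier hunks of this file are unrelated to the subject of the patch and are not mentioned in the description; splitting them into their own patch would make the change easier to review and to revert.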
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..3f7592a 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -563,6 +563,80 @@ interface(`seutil_exec_setfiles',`
can_exec($1, setfiles_exec_t)
')

+#######################################
+## <summary>
+## All rules required to run semanage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_semanage_template',`
+ gen_require(`
+ type semanage_tmp_t, policy_config_t;
+ ')
+
+ allow $1 self:capability { dac_override sys_resource };
+ dontaudit $1 self:capability sys_tty_config;
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ logging_send_audit_msgs($1)
+
+ auth_use_nsswitch($1)
+
+ allow $1 policy_config_t:file { read write };
+
+ allow $1 semanage_tmp_t:dir manage_dir_perms;
+ allow $1 semanage_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_read_etc_files($1)
+ files_read_etc_runtime_files($1)
+ files_read_usr_files($1)
+ files_list_pids($1)
+ fs_list_inotifyfs($1)
+ fs_getattr_all_fs($1)
+
+ mls_file_write_all_levels($1)
+ mls_file_read_all_levels($1)
+
+ selinux_getattr_fs($1)
+ selinux_validate_context($1)
+ selinux_get_enforce_mode($1)
+
+ term_use_all_terms($1)
+
+ locallogin_use_fds($1)
+
+ logging_send_syslog_msg($1)
+
+ miscfiles_read_localization($1)
+
+ seutil_search_default_contexts($1)
+ seutil_domtrans_loadpolicy($1)
+ seutil_read_config($1)
+ seutil_manage_bin_policy($1)
+ seutil_use_newrole_fds($1)
+ seutil_manage_module_store($1)
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
+ userdom_dontaudit_write_user_home_content_files($1)
+')
+
########################################
## <summary>
## Do not audit attempts to search the SELinux
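Review bot: seutil_semanage_template is declared with `interface(` on L124 but carries the _template suffix, which refpolicy reserves for `template(` macros; either declare it with `template(` or give it an interface-style name. The rule set it grants is wider than the semanage_t rules removed from selinuxutil.te: `sys_resource`, `self:process signal`, `corecmd_exec_shell`, `fs_list_inotifyfs` and `fs_getattr_all_fs` are new and unexplained, and `allow $1 policy_config_t:file { read write };` narrows the former rw_file_perms (dropping open, getattr, ioctl and lock) while looking subsumed by the `seutil_manage_bin_policy($1)` call below it, so confirm which of the two is intended. Because the same template is applied to setsebool_t, every addition here is granted to that domain as well. A one-line comment above each non-obvious rule naming the operation that needs it would keep the grants reviewable; the header rule on L114 also looks one character shorter than the surrounding `########################################` lines.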
@@ -944,6 +1018,8 @@ interface(`seutil_manage_bin_policy',`
typeattribute $1 can_write_binary_policy;
')

+
+
########################################
## <summary>
## Read SELinux policy source files.
@@ -1038,6 +1114,26 @@ interface(`seutil_run_semanage',`

########################################
## <summary>
+## Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+ gen_require(`
+ type setsebool_t, setsebool_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setsebool_exec_t, setsebool_t)
+')
+
+########################################
+## <summary>
## Full management of the semanage
## module store.
## </summary>
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ff5d72d..335da7d 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
type selinux_config_t;
files_type(selinux_config_t)

+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -91,6 +94,10 @@ application_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
role system_r types semanage_t;

+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
type semanage_store_t;
files_type(semanage_store_t)

@@ -417,65 +424,25 @@ optional_policy(`

########################################
#
-# semodule local policy
+# semanage local policy
#

-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file rw_file_perms;
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;

-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)

-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
+can_exec(semanage_t, semanage_exec_t)

-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
selinux_set_all_booleans(semanage_t)

-term_use_all_terms(semanage_t)
+auth_read_all_files_except_shadow(semanage_t)

-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
-seutil_manage_file_contexts(semanage_t)
-seutil_manage_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
-# netfilter_contexts:
+seutil_manage_config(semanage_t)
+seutil_manage_file_contexts(semanage_t)
+seutil_semanage_template(semanage_t)
+
seutil_manage_default_contexts(semanage_t)

ifdef(`distro_debian',`
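Review bot: `seutil_libselinux_linked(semanage_t)` is removed on L310 and is not among the calls made by seutil_semanage_template, so unless it is granted elsewhere in the file the domain silently loses it, and the commit message only describes the setsebool addition. The explanatory comments beside the kept rules are dropped too — `# for setsebool:` above selinux_set_all_booleans, `# netfilter_contexts:` above seutil_manage_default_contexts, and the genhomedircon note that justified auth_use_nsswitch — while the new `can_exec(semanage_t, semanage_exec_t)` and `auth_read_all_files_except_shadow(semanage_t)` arrive without any; the latter is a broad read grant and deserves a line stating which operation needs it. Keep the existing comments on the surviving lines and add a why-comment to each new rule rather than leaving the widening undocumented.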
@@ -489,6 +456,16 @@ ifdef(`distro_ubuntu',`
')
')

+optional_policy(`
+ setrans_initrc_domtrans(semanage_t)
+ domain_system_change_exemption(semanage_t)
+ consoletype_exec(semanage_t)
+')
+
+optional_policy(`
+ init_spec_domtrans_script(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
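Review bot: The first new optional_policy block mixes interfaces from different modules — setrans_initrc_domtrans (setrans), consoletype_exec (consoletype) and domain_system_change_exemption (domain, a base module) — and refpolicy drops an entire optional_policy block when any module it references is absent, so the setrans transition disappears on a system without consoletype and vice versa. Each optional module should get its own block, and the domain interface needs no optional wrapper at all; init_spec_domtrans_script on L339 comes from the base init module as well, so its optional_policy on L338–L340 is unnecessary though harmless.
```m4
domain_system_change_exemption(semanage_t)

optional_policy(`
	consoletype_exec(semanage_t)
')

optional_policy(`
	setrans_initrc_domtrans(semanage_t)
')
```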
@@ -498,6 +475,22 @@ ifdef(`enable_mls',`
userdom_read_user_tmp_files(semanage_t)
')

+####################################n####
+#
+# setsebool local policy
+#
+
+seutil_semanage_template(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
+
+init_dontaudit_use_fds(setsebool_t)
+
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+
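Review bot: The section header on L349 reads `####################################n####`, a stray `n` inside the rule of `#`; replace it with `########################################` to match the other headers. `# Bug in semanage` above the four seutil_* calls does not say which operation fails or what denial it works around, so a later reviewer cannot tell when the workaround can be removed; state the failing operation and, if it is tracked, the bug reference. Together with seutil_semanage_template(setsebool_t) these calls give setsebool_t a setfiles transition and management of file, default and config contexts, far beyond toggling booleans — if setsebool -P genuinely needs the full libsemanage commit path, say so in the comment so the scope is deliberate rather than incidental.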
########################################
#
# Setfiles local policy
--
1.7.2.1
