2011-01-24 00:44:05

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy

diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
--- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
@@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`

########################################
## <summary>
+## Set the attributes of the /bin directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Search the content of /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read generic files in /bin.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /bin. These files are various program
+## files that do not have more specific SELinux types.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ read_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Execute generic programs in /bin in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir list_dir_perms;
+ exec_files_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+## Read symbolic links in /bin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
## Set the attributes of the /usr directory.
## </summary>
## <param name="domain">
@@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`

########################################
## <summary>
-## Search the content of /etc.
+## Search the content of /usr.
## </summary>
## <param name="domain">
## <summary>
@@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
')

########################################
+## <summary>
+## Get the attributes of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_var_log_dirs',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ getattr_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Search the /var/log directory.
+## </summary>
+## <desc>
+## <p>
+## Search the /var/log directory. This is
+## necessary to access files or directories under
+## /var/log that have a private type. For example, a
+## domain accessing a private log file in the
+## /var/log directory:
+## </p>
+## <p>
+## allow mydomain_t mylogfile_t:file read_file_perms;
+## files_search_var_log(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ search_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## contents of /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_log',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the /var/log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_list_var_log',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ list_dirs_pattern($1, var_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Read-write /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ rw_dirs_pattern($1, var_log_t, var_log_t)
+')
+
+###########################################
+## <summary>
+## Append to files in the /var/log directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_var_log_append',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ append_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+## Create objects in the /var/log directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`files_var_log_filetrans',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic files in /var/log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_files',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/log
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_read_var_log_symlinks',`
+ gen_require(`
+ type var_t, var_log_t;
+ ')
+
+ read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
## <summary>
## Search the locks directory (/var/lock).
## </summary>
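Review bot: `files_dontaudit_search_var_log` carries `## <infoflow type="read" weight="5"/>`, but its body is a dontaudit rule, which grants no access and therefore no information flow; the refpolicy convention for dontaudit interfaces is `## <infoflow type="none"/>`, and leaving the read/weight annotation would make the generated interface documentation, and any tooling that scores interfaces by infoflow, describe this interface as granting read access. Separately, the separators above `files_rw_var_log_dirs` and `files_var_log_append` are 43 hash characters wide while every other separator in the hunk is 40, so trimming them keeps the file uniform. Both points apply to the new lines only; the surrounding interfaces are unchanged context.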
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
--- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
+++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if 2011-01-19 18:48:36.830593580 +0100
@@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro

########################################
## <summary>
+## Allows to search the base
+## directory of sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+##
+#
+interface(`kernel_search_sysctl',`
+ gen_require(`
+ type sysctl_t;
+ ')
+
+ allow $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
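Review bot: The parameter documentation of `kernel_search_sysctl` reads `## Domain to not audit.`, which is the wording of a dontaudit interface, but the body is an allow rule, so the generated documentation would state the wrong semantics; it should be `## Domain allowed access.`, and the summary `## Allows to search the base directory of sysctls.` reads better as `## Allow caller to search the base directory of sysctls.`, matching the `kernel_search_fs_sysctl` summary added further down in this file. The empty `##` line just before the `#` terminator is a stray and can be dropped. The rule `allow $1 sysctl_t:dir search;` spells out a single permission where the other interfaces added by this series use `search_dir_perms`, which is the form the rest of the file's search interfaces appear to follow.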
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
')

########################################
+## <summary>
+## Allow caller to search filesystem sysctls.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_search_fs_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
## <summary>
## Read filesystem sysctls.
## </summary>


2011-01-24 14:15:07

by domg472

Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
> --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
> @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
>
> ########################################
> ## <summary>
> +## Set the attributes of the /bin directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_setattr_bin_dirs',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir setattr;
> +')

nitpick: either use setattr_dir_perms or setattr_dirs_pattern()

> +
> +########################################
> +## <summary>
> +## Search the content of /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_search_bin',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of files in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + getattr_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic files in /bin.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read generic
> +## files in /bin. These files are various program
> +## files that do not have more specific SELinux types.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_read_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + read_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')

Listing bin_t directories is not strictly required to read bin files.

Also this is in the wrong place and has the wrong name: look in
corecommands instead.

> +
> +########################################
> +## <summary>
> +## Execute generic programs in /bin in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_bin_files',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + allow $1 bin_t:dir list_dir_perms;
> + exec_files_pattern($1, bin_t, bin_t)
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +

Use corecmd_exec_bin instead.

> +########################################
> +## <summary>
> +## Read symbolic links in /bin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_bin_symlinks',`
> + gen_require(`
> + type bin_t;
> + ')
> +
> + read_lnk_files_pattern($1, bin_t, bin_t)
> +')

use corecmd_read_bin_symlinks instead

> +
> +########################################
> +## <summary>
> ## Set the attributes of the /usr directory.
> ## </summary>
> ## <param name="domain">
> @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
>
> ########################################
> ## <summary>
> -## Search the content of /etc.
> +## Search the content of /usr.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_var_log_dirs',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + getattr_dirs_pattern($1, var_t, var_log_t)
> +')

Wrong name and location. use logging_getattr_log_dirs.
do not use types directly that are not declared in this module:

files_search_var($1)


> +
> +########################################
> +## <summary>
> +## Search the /var/log directory.
> +## </summary>
> +## <desc>
> +## <p>
> +## Search the /var/log directory. This is
> +## necessary to access files or directories under
> +## /var/log that have a private type. For example, a
> +## domain accessing a private log file in the
> +## /var/log directory:
> +## </p>
> +## <p>
> +## allow mydomain_t mylogfile_t:file read_file_perms;
> +## files_search_var_log(mydomain_t)
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_search_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + search_dirs_pattern($1, var_t, var_log_t)
> +')

use logging_search_logs

> +
> +########################################
> +## <summary>
> +## Do not audit attempts to search the
> +## contents of /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_log',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + dontaudit $1 var_log_t:dir search_dir_perms;
> +')
> +

wrong name and module. this is a logging thing not files

> +########################################
> +## <summary>
> +## List the contents of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_list_var_log',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + list_dirs_pattern($1, var_t, var_log_t)
> +')

wrong name and module. This is a logging thing not files

> +
> +###########################################
> +## <summary>
> +## Read-write /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_rw_var_log_dirs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + rw_dirs_pattern($1, var_log_t, var_log_t)
> +')

wrong name and module. This is a logging thing not files

Also this interface doesn't make sense.

logging_list_logs()

and as for the write, it should probably use logging_log_filetrans()

> +
> +###########################################
> +## <summary>
> +## Append to files in the /var/log directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_append',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + append_files_pattern($1, var_log_t, var_log_t)
> +')

logging_append_generic_log_files (but this file probably shouldn't be a
generic log file in the first place..)

> +
> +########################################
> +## <summary>
> +## Create objects in the /var/log directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +#
> +interface(`files_var_log_filetrans',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_t:dir search_dir_perms;
> + filetrans_pattern($1, var_log_t, $2, $3)
> +')

use logging_log_filetrans()

> +
> +########################################
> +## <summary>
> +## Read generic files in /var/log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_files',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + allow $1 var_log_t:dir list_dir_perms;
> + read_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +

use logging_read_generic_log_files()


> +########################################
> +## <summary>
> +## Read generic symbolic links in /var/log
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_symlinks',`
> + gen_require(`
> + type var_t, var_log_t;
> + ')
> +
> + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')

logging_search_logs()

> +
> +########################################
> ## <summary>
> ## Search the locks directory (/var/lock).
> ## </summary>
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
> --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
> +++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if 2011-01-19 18:48:36.830593580 +0100
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
>
> ########################################
> ## <summary>
> +## Allows to search the base
> +## directory of sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`kernel_search_sysctl',`
> + gen_require(`
> + type sysctl_t;
> + ')
> +
> + allow $1 sysctl_t:dir search;
> +')

Should not be needed.

> +
> +########################################
> +## <summary>
> ## Do not audit attempts by caller to search
> ## the base directory of sysctls.
> ## </summary>
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
> ')
>
> ########################################
> +## <summary>
> +## Allow caller to search filesystem sysctls.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_search_fs_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_fs_t;
> + ')
> +
> + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
> ## <summary>
> ## Read filesystem sysctls.
> ## </summary>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk09iWsACgkQMlxVo39jgT9+jQCdGgSKrdKqTybxvkodB+vRK4gH
WiUAoKwcofCW8PYvpOm89+fxlrB2IoGG
=20Pp
-----END PGP SIGNATURE-----

2011-01-26 17:20:22

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy

Hello Dominick !

On Mon, 24/01/2011 at 15.15 +0100, Dominick Grift wrote:
> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if
> > --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100
> > @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`

> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if
> > --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if 2011-01-19 18:48:36.830593580 +0100
> > @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro

All those unneeded interfaces in the kernel module are now gone. I was
trying to re-invent the wheel in some way !

This completes the set of changes that you proposed.

Regards,

Guido