-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eliminate_except_auth.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110826/5bb9ab75/attachment-0001.pl
On 08/26/11 10:29, Daniel J Walsh wrote:
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 633d2fc..8d62407 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> -auth_relabel_all_files_except_auth_files(dpkg_t)
> -auth_manage_all_files_except_auth_files(dpkg_t)
> +files_relabel_non_security_files(dpkg_t)
> +files_manage_non_security_files(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
>
> files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>
> auth_dontaudit_getattr_shadow(dpkg_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(dpkg_script_t)
> +files_manage_non_security_files(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 7d964bf..ba6e400 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>
> term_list_ptys(rpm_t)
>
> -auth_relabel_all_files_except_auth_files(rpm_t)
> -auth_manage_all_files_except_auth_files(rpm_t)
> +files_relabel_all_files(rpm_t)
> +files_manage_all_files(rpm_t)
> auth_dontaudit_read_shadow(rpm_t)
> auth_use_nsswitch(rpm_t)
>
> @@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
> auth_dontaudit_getattr_shadow(rpm_script_t)
> auth_use_nsswitch(rpm_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_auth_files(rpm_script_t)
> -auth_relabel_shadow(rpm_script_t)
> +files_manage_all_files(rpm_script_t)
> +files_relabel_all_files(rpm_script_t)
>
> corecmd_exec_all_executables(rpm_script_t)
>
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index ebaff2f..de6b197 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>
> # some config files do not have configfile attribute
> # sosreport needs to read various files on system
> -auth_read_all_files_except_auth_files(sosreport_t)
> +files_read_non_security_files(sosreport_t)
> auth_use_nsswitch(sosreport_t)
>
> init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index 045fb86..a51a92d 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>
> term_dontaudit_use_console(sxid_t)
>
> -auth_read_all_files_except_auth_files(sxid_t)
> +files_read_non_security_files(sxid_t)
> auth_dontaudit_getattr_shadow(sxid_t)
>
> init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index deb24b4..225c263 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + list_dirs_pattern($1, non_security_file_type, non_security_file_type)
> read_files_pattern($1, non_security_file_type, non_security_file_type)
> read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
> ## <summary>
> +## Manage all non-security files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_manage_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + manage_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +')
> +
> +########################################
> +## <summary>
> +## Relabel all non-security files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabel_non_security_files',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + allow $1 { non_security_file_type }:dir list_dir_perms;
> + relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> + relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
> +
> + # satisfy the assertions:
> + seutil_relabelto_bin_policy($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read all directories on the filesystem, except
> ## the listed exceptions.
> ## </summary>
> @@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain not to audit.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index eac9961..797f131 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -336,7 +336,7 @@ optional_policy(`
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> auth_read_all_dirs_except_auth_files(kernel_t)
> - auth_read_all_files_except_auth_files(kernel_t)
> + files_read_non_security_files(kernel_t)
> auth_read_all_symlinks_except_auth_files(kernel_t)
> ')
>
> @@ -346,7 +346,7 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_manage_all_files_except_auth_files(kernel_t)
> + files_manage_non_security_files(kernel_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index 89ddeaa..4b5119b 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
> auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_auth_files(secadm_t)
> +files_relabel_non_security_files(secadm_t)
> auth_relabel_shadow(secadm_t)
>
> init_exec(secadm_t)
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 02ffdfb..69c2d2c 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>
> tunable_policy(`allow_ftpd_full_access',`
> allow ftpd_t self:capability { dac_override dac_read_search };
> - auth_manage_all_files_except_auth_files(ftpd_t)
> + files_manage_non_security_files(ftpd_t)
> ')
>
> tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
> tunable_policy(`sftpd_full_access',`
> allow sftpd_t self:capability { dac_override dac_read_search };
> fs_read_noxattr_fs_files(sftpd_t)
> - auth_manage_all_files_except_auth_files(sftpd_t)
> + files_manage_non_security_files(sftpd_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 941f6e1..68985da 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> tunable_policy(`puppet_manage_all_files',`
> - auth_manage_all_files_except_auth_files(puppet_t)
> + files_manage_non_security_files(puppet_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index c537000..52ec13b 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
> #term_use_ptmx(rgmanager_t)
>
> # needed by resources scripts
> -auth_read_all_files_except_auth_files(rgmanager_t)
> +files_read_non_security_files(rgmanager_t)
> auth_dontaudit_getattr_shadow(rgmanager_t)
> auth_use_nsswitch(rgmanager_t)
>
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index 62fca97..6c6d18b 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
> dev_getattr_all_chr_files(nfsd_t)
>
> fs_read_noxattr_fs_files(nfsd_t)
> - auth_manage_all_files_except_auth_files(nfsd_t)
> + files_manage_non_security_files(nfsd_t)
> ')
>
> tunable_policy(`nfs_export_all_ro',`
> @@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
> fs_read_noxattr_fs_files(nfsd_t)
>
> auth_read_all_dirs_except_auth_files(nfsd_t)
> - auth_read_all_files_except_auth_files(nfsd_t)
> + files_read_non_security_files(nfsd_t)
> ')
>
> ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 1c381e1..51cedbd 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
> fs_read_nfs_files(rsync_t)
> fs_read_cifs_files(rsync_t)
> auth_read_all_dirs_except_auth_files(rsync_t)
> - auth_read_all_files_except_auth_files(rsync_t)
> + files_read_non_security_files(rsync_t)
> auth_read_all_symlinks_except_auth_files(rsync_t)
> auth_tunable_read_shadow(rsync_t)
> ')
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index df830cf..d1f1a15 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
> tunable_policy(`samba_export_all_ro',`
> fs_read_noxattr_fs_files(smbd_t)
> auth_read_all_dirs_except_auth_files(smbd_t)
> - auth_read_all_files_except_auth_files(smbd_t)
> + files_read_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> auth_read_all_dirs_except_auth_files(nmbd_t)
> - auth_read_all_files_except_auth_files(nmbd_t)
> + files_read_non_security_files(nmbd_t)
> ')
>
> tunable_policy(`samba_export_all_rw',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_manage_all_files_except_auth_files(smbd_t)
> + files_manage_non_security_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_manage_all_files_except_auth_files(nmbd_t)
> + files_manage_non_security_files(nmbd_t)
> userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
> ')
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 94e49e8..fd331b9 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
>
> tunable_policy(`allow_mount_anyfile',`
> auth_read_all_dirs_except_auth_files(mount_t)
> - auth_read_all_files_except_auth_files(mount_t)
> + files_read_non_security_files(mount_t)
> files_mounton_non_security(mount_t)
> ')
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 508b206..52a5442 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
>
> -auth_relabel_all_files_except_auth_files(restorecond_t )
> -auth_read_all_files_except_auth_files(restorecond_t)
> +files_relabel_non_security_files(restorecond_t )
> +files_read_non_security_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> locallogin_dontaudit_use_fds(restorecond_t)
Generally speaking, I'm fine with this. However, I'm looking closely to make sure the new calls that are being made are the right ones.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com