From: domg472@gmail.com (Dominick Grift) Date: Mon, 24 Jan 2011 15:15:07 +0100 Subject: [refpolicy] [PATCH/RFC 6/19]: patch set to update the git reference policy In-Reply-To: <1295829845.3862.65.camel@tesla.lan> References: <1295829845.3862.65.camel@tesla.lan> Message-ID: <4D3D896B.7060301@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/24/2011 01:44 AM, Guido Trentalancia wrote: > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-new/policy/modules/kernel/files.if > --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100 > +++ refpolicy-git-18012011-new/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100 > @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',` > > ######################################## > ## > +## Set the attributes of the /bin directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_setattr_bin_dirs',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir setattr; > +') nitpick: either use setattr_dir_perms or setattr_dirs_pattern() > + > +######################################## > +## > +## Search the content of /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_search_bin',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir search_dir_perms; > +') > + > +######################################## > +## > +## Get the attributes of files in /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_getattr_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + getattr_files_pattern($1, bin_t, bin_t) > +') > + > +######################################## > +## > +## Read generic files in /bin. > +## > +## > +##

> +## Allow the specified domain to read generic > +## files in /bin. These files are various program > +## files that do not have more specific SELinux types. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_read_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir list_dir_perms; > + read_files_pattern($1, bin_t, bin_t) > + read_lnk_files_pattern($1, bin_t, bin_t) > +') Listing bin_t directories is not strictly required to read bin files. Also this is in the wrong place and have a wrong name: look in corecommands instead. > + > +######################################## > +## > +## Execute generic programs in /bin in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_exec_bin_files',` > + gen_require(` > + type bin_t; > + ') > + > + allow $1 bin_t:dir list_dir_perms; > + exec_files_pattern($1, bin_t, bin_t) > + read_lnk_files_pattern($1, bin_t, bin_t) > +') > + Use corecmd_exec_bin instead. > +######################################## > +## > +## Read symbolic links in /bin. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_bin_symlinks',` > + gen_require(` > + type bin_t; > + ') > + > + read_lnk_files_pattern($1, bin_t, bin_t) > +') use corecmd_read_bin_symlinks instead > + > +######################################## > +## > ## Set the attributes of the /usr directory. > ## > ## > @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',` > > ######################################## > ## > -## Search the content of /etc. > +## Search the content of /usr. > ## > ## > ## 
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',` > ') > > ######################################## > +## > +## Get the attributes of the /var/log directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_getattr_var_log_dirs',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + getattr_dirs_pattern($1, var_t, var_log_t) > +') Wrong name and location. use logging_getattr_log_dirs. do not use type directly that are not declared in this module: files_search_var($1) > + > +######################################## > +## > +## Search the /var/log directory. > +## > +## > +##

> +## Search the /var/log directory. This is > +## necessary to access files or directories under > +## /var/log that have a private type. For example, a > +## domain accessing a private log file in the > +## /var/log directory: > +##

> +##

> +## allow mydomain_t mylogfile_t:file read_file_perms; > +## files_search_var_log(mydomain_t) > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_search_var_log',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + search_dirs_pattern($1, var_t, var_log_t) > +') use logging_search_logs > + > +######################################## > +## > +## Do not audit attempts to search the > +## contents of /var/log. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`files_dontaudit_search_var_log',` > + gen_require(` > + type var_log_t; > + ') > + > + dontaudit $1 var_log_t:dir search_dir_perms; > +') > + wrong name and module. this is a logging thing not files > +######################################## > +## > +## List the contents of the /var/log directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_list_var_log',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + list_dirs_pattern($1, var_t, var_log_t) > +') wrong name and module. This is a logging thing not files > + > +########################################### > +## > +## Read-write /var/log directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_rw_var_log_dirs',` > + gen_require(` > + type var_log_t; > + ') > + > + rw_dirs_pattern($1, var_log_t, var_log_t) > +') wrong name and module. This is a logging thing not files Also this interface doesnt make sense. logging_list_logs() and as for the write, it should probably use logging_log_filetrans() > + > +########################################### > +## > +## Append to files in the /var/log directories > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_var_log_append',` > + gen_require(` > + type var_log_t; > + ') > + > + append_files_pattern($1, var_log_t, var_log_t) > +') logging_append_generic_log_files (but this file probably shouldnt be a generic log file in the first place..) 
> + > +######################################## > +## > +## Create objects in the /var/log directory > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +# > +interface(`files_var_log_filetrans',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + allow $1 var_t:dir search_dir_perms; > + filetrans_pattern($1, var_log_t, $2, $3) > +') use logging_log_filetrans() > + > +######################################## > +## > +## Read generic files in /var/log. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_var_log_files',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + allow $1 var_log_t:dir list_dir_perms; > + read_files_pattern($1, { var_t var_log_t }, var_log_t) > +') > + use logging_read_generic_log_files() > +######################################## > +## > +## Read generic symbolic links in /var/log > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_read_var_log_symlinks',` > + gen_require(` > + type var_t, var_log_t; > + ') > + > + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t) > +') logging_search_logs() > + > +######################################## > ## > ## Search the locks directory (/var/lock). > ## > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-new/policy/modules/kernel/kernel.if > --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100 > +++ refpolicy-git-18012011-new/policy/modules/kernel/kernel.if 2011-01-19 18:48:36.830593580 +0100 
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro > > ######################################## > ## > +## Allows to search the base > +## directory of sysctls. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`kernel_search_sysctl',` > + gen_require(` > + type sysctl_t; > + ') > + > + allow $1 sysctl_t:dir search; > +') Should not be needed. > + > +######################################## > +## > ## Do not audit attempts by caller to search > ## the base directory of sysctls. > ## > @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',` > ') > > ######################################## > +## > +## Allow caller to search filesystem sysctls. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_search_fs_sysctl',` > + gen_require(` > + type proc_t, sysctl_t, sysctl_fs_t; > + ') > + > + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) > +') > + > +######################################## > ## > ## Read filesystem sysctls. > ## > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk09iWsACgkQMlxVo39jgT9+jQCdGgSKrdKqTybxvkodB+vRK4gH WiUAoKwcofCW8PYvpOm89+fxlrB2IoGG =20Pp -----END PGP SIGNATURE-----
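Review bot: In files_exec_bin_files (files.if, hunk @@ -4131,6 +4131,126 @@), the line `allow $1 bin_t:dir list_dir_perms;` grants directory listing on bin_t where running a program by path needs only search, which files_search_bin in the same hunk already expresses as search_dir_perms. The same raw allow rule appears in files_read_bin_files. Suggest dropping it from both, or narrowing it to search_dir_perms, so that callers do not gain the ability to enumerate /bin as a side effect of read or execute access.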
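Review bot: In the /var/log hunk of files.if (@@ -5070,6 +5190,196 @@), files_rw_var_log_dirs and files_var_log_append require only var_log_t and grant nothing on var_t, while every other allow interface added in this hunk either passes var_t as the parent type or adds `allow $1 var_t:dir search_dir_perms;`. A caller of those two interfaces gets no search on /var from them, so either add the var_t search for consistency or document that it must be granted separately. files_var_log_append and files_var_log_filetrans also break the files_<action>_var_log_* naming used by the rest of the hunk, and the two "###" rulers above files_rw_var_log_dirs and files_var_log_append are longer than the ruler used elsewhere in the file.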
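Review bot: In kernel_search_sysctl (kernel.if, hunk @@ -1406,6 +1406,26 @@), the parameter description reads "Domain to not audit." although the body is an allow rule, `allow $1 sysctl_t:dir search;`. The text looks copied from the dontaudit interface that follows it and should read "Domain allowed access." The rule also uses the raw search permission where the other interfaces in this patch use search_dir_perms, and the summary "Allows to search the base directory of sysctls." would read better as "Search the base directory of sysctls."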