From: jwcart2@tycho.nsa.gov (James Carter) Date: Thu, 05 Apr 2012 16:14:37 -0400 Subject: [refpolicy] [PATCH 1/3] Create non_auth_file_type attribute and interfaces Message-ID: <1333656877.4703.40.camel@moss-lions.epoch.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com - Creates a new attribute called non_auth_file_type. - Moves auth_file_type attribute declaration from authlogin to files. - Creates new interfaces to allow file accesses on non_auth_file_type files. Signed-off-by: James Carter --- policy/modules/kernel/files.if | 163 +++++++++++++++++++++++++++++++++++- policy/modules/kernel/files.te | 6 ++ policy/modules/system/authlogin.te | 3 +- 3 files changed, 166 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index deb24b4..4570d1a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -78,10 +78,30 @@ # interface(`files_type',` gen_require(` - attribute file_type, non_security_file_type; + attribute file_type, non_security_file_type, non_auth_file_type; ') - typeattribute $1 file_type, non_security_file_type; + typeattribute $1 file_type, non_security_file_type, non_auth_file_type; +') + +######################################## +## +## Mark the specified type as a file +## that is related to authentication. +## +## +## +## Type of the authentication-related +## file. +## +## +# +interface(`files_auth_file',` + gen_require(` + attribute file_type, security_file_type, auth_file_type; + ') + + typeattribute $1 file_type, security_file_type, auth_file_type; ') ######################################## 
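Review bot: Attribute assignment is additive, so a type passed to both `files_auth_file()` and `files_type()` or `files_security_file()` ends up carrying `auth_file_type` and `non_auth_file_type` at once, and every `files_*_non_auth_*` interface introduced later in this patch would then reach it; nothing in the policy language prevents that and the new summary does not warn about it. The diffstat does not touch authlogin.if, so if the old `auth_file()` interface still exists there and marks its argument via `files_security_file()`, any remaining caller would get exactly that conflicting pair — I cannot see that file from here, so please confirm. I would add to the `files_auth_file` summary: `## Types marked here must not also be passed to files_type() or files_security_file(), which would add non_auth_file_type and defeat the exclusion.`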
@@ -99,10 +119,10 @@ interface(`files_type',` # interface(`files_security_file',` gen_require(` - attribute file_type, security_file_type; + attribute file_type, security_file_type, non_auth_file_type; ') - typeattribute $1 file_type, security_file_type; + typeattribute $1 file_type, security_file_type, non_auth_file_type; ') ######################################## @@ -669,6 +689,63 @@ interface(`files_read_non_security_files',` ######################################## ## +## Read all non-authentication related +## directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_non_auth_dirs',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:dir list_dir_perms; +') + +######################################## +## +## Read all non-authentication related +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + read_files_pattern($1, non_auth_file_type, non_auth_file_type) +') + +######################################## +## +## Read all non-authentication related +## symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_non_auth_symlinks',` + gen_require(` + attribute non_auth_file_type; + ') + + read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) +') + +######################################## +## ## Read all directories on the filesystem, except ## the listed exceptions. ## 
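Review bot: The summaries "Read all non-authentication related files/dirs/symlinks" in the `@@ -669` hunk understate the scope: because `files_security_file()` now also applies `non_auth_file_type`, this set is a strict superset of `non_security_file_type` and includes policy, selinux config and every other security_file_type type, so these are broader grants than the neighbouring `files_read_non_security_files()`, not narrower ones. A policy writer choosing between the two from the names alone will likely assume the opposite. I would state it in each summary, e.g. `## Unlike files_read_non_security_files(), this includes security_file_type files; only auth_file_type (e.g. shadow_t) is excluded.`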
@@ -1026,6 +1103,38 @@ interface(`files_read_all_chr_files',` ######################################## ## +## Relabel all non-authentication related +## files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:dir list_dir_perms; + relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) + # this is only relabelfrom since there should be no + # device nodes with file types. + relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +') + +######################################## +## ## Relabel all files on the filesystem, except ## the listed exceptions. ## @@ -1064,6 +1173,24 @@ interface(`files_relabel_all_files',` ######################################## ## +## rw non-authentication related files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + rw_files_pattern($1, non_auth_file_type, non_auth_file_type) +') + +######################################## +## ## rw all files on the filesystem, except ## the listed exceptions. ## 
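Review bot: `seutil_relabelto_bin_policy($1)` at the end of `files_relabel_non_auth_files` grants the caller relabelto on the binary policy store as a side effect of satisfying a neverallow, a privilege the summary "Relabel all non-authentication related files" does not mention and which a domain that only needs to relabel ordinary files does not require. The same workaround is presumably inherited from `files_relabel_all_files` (its body lies outside the hunk), but a new interface that looks more restrictive will be reached for precisely on that assumption, so the cost should be visible in the summary. I would add: `## Also grants relabelto on policy binaries (seutil_relabelto_bin_policy) to satisfy the seutil assertions; use only for trusted relabeling domains.`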
@@ -1090,6 +1217,34 @@ interface(`files_rw_all_files',` ######################################## ## +## Manage non-authentication related +## files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type) + manage_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) + manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) + + # satisfy the assertions: + seutil_create_bin_policy($1) + files_manage_kernel_modules($1) +') + +######################################## +## ## Manage all files on the filesystem, except ## the listed exceptions. ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 4dcef63..a587e87 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -29,6 +29,12 @@ attribute security_file_type; # and its opposite attribute non_security_file_type; +# sensitive authentication files whose accesses should +# not be dontaudited for uses +attribute auth_file_type; +# and its opposite +attribute non_auth_file_type; + attribute tmpfile; attribute tmpfsfile; diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 01c7331..6a96393 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0) # Declarations # -attribute auth_file_type; attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; 
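Review bot: The assertion workaround at the bottom of `files_manage_non_auth_files` — `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)` — gives the caller create/write access to the binary policy and full management of kernel module files, which together amount to a path to arbitrary kernel code and policy changes, while the summary reads only "Manage non-authentication related files". That is the same price `files_manage_all_files` presumably pays (its body is outside the hunk), but the new interface will be preferred because it appears narrower, so callers should see what they are buying. I would add to the summary: `## Also grants seutil_create_bin_policy() and files_manage_kernel_modules() to satisfy assertions; treat any caller as fully trusted.`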
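Review bot: The new comment in files.te, `# sensitive authentication files whose accesses should not be dontaudited for uses`, is hard to parse ("for uses" looks like a typo) and does not say what the attribute pair actually drives, which matters because files.te is the only place a reader meets the declaration. Since the interfaces grant access to `non_auth_file_type` rather than exclude `auth_file_type`, the rationale for keeping the two disjoint belongs here. Suggested wording: `# authentication-sensitive files (e.g. shadow_t): never dontaudit accesses to these, and keep them out of non_auth_file_type so the files_*_non_auth_* interfaces cannot reach them`.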
@@ -51,7 +50,7 @@ type pam_var_run_t; files_pid_file(pam_var_run_t) type shadow_t; -auth_file(shadow_t) +files_auth_file(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; -- 1.7.7.6
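Review bot: The protection of `shadow_t` now rests on it never also acquiring `non_auth_file_type`, and the three `neverallow` rules below `files_auth_file(shadow_t)` would catch an accidental double-attribution only for `read`, `create`/`write` and `relabelto`; the remaining permissions in `manage_files_pattern` (getattr, setattr, unlink, rename, link) or in `list_dir_perms` would be granted silently if some module later called `files_type()` or `files_security_file()` on an auth type. Because the policy language cannot assert that two attributes are disjoint, a build-time check that no `auth_file_type` type also appears in `non_auth_file_type` (e.g. via `seinfo` on the built policy) would close that gap. A one-line comment above the neverallows saying so, e.g. `# shadow_t must never be given non_auth_file_type; see files.te`, would at least point the next maintainer at the invariant.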