From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Apr 2012 10:25:42 -0400
Subject: [refpolicy] [PATCH 1/4 v2] Create non_auth_file_type attribute and
 interfaces
Message-ID: <1335363942.17855.30.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.


Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 policy/modules/kernel/files.if     |  175 +++++++++++++++++++++++++++++++++--
 policy/modules/kernel/files.te     |    6 ++
 policy/modules/system/authlogin.te |    3 +-
 3 files changed, 172 insertions(+), 12 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..83e95a6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -78,10 +78,10 @@
 #
 interface(`files_type',`
 	gen_require(`
-		attribute file_type, non_security_file_type;
+		attribute file_type, non_security_file_type, non_auth_file_type;
 	')
 
-	typeattribute $1 file_type, non_security_file_type;
+	typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
 ')
 
 ########################################
@@ -99,10 +99,10 @@ interface(`files_type',`
 #
 interface(`files_security_file',`
 	gen_require(`
-		attribute file_type, security_file_type;
+		attribute file_type, security_file_type, non_auth_file_type;
 	')
 
-	typeattribute $1 file_type, security_file_type;
+	typeattribute $1 file_type, security_file_type, non_auth_file_type;
 ')
 
 ########################################
@@ -1275,6 +1275,161 @@ interface(`files_unmount_all_file_type_fs',`
 	allow $1 file_type:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Mark the specified type as a file
+##  that is related to authentication.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the authentication-related
+##  file.
+##	</summary>
+## </param>
+#
+interface(`files_auth_file',`
+	gen_require(`
+		attribute file_type, security_file_type, auth_file_type;
+	')
+
+	typeattribute $1 file_type, security_file_type, auth_file_type;
+')
+
+########################################
+## <summary>
+##	Read all non-authentication related
+##  directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_non_auth_dirs',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	allow $1 non_auth_file_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all non-authentication related
+##  files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	read_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+## <summary>
+##	Read all non-authentication related
+## symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_non_auth_symlinks',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+## <summary>
+##	Relabel all non-authentication related
+##  files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	allow $1 non_auth_file_type:dir list_dir_perms;
+	relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	# this is only relabelfrom since there should be no
+	# device nodes with file types.
+	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
+##	rw non-authentication related files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+## <summary>
+##	Manage non-authentication related
+##  files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+	# satisfy the assertions:
+	seutil_create_bin_policy($1)
+	files_manage_kernel_modules($1)
+')
+
 #############################################
 ## <summary>
 ##	Manage all configuration directories on filesystem
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 4dcef63..a587e87 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -29,6 +29,12 @@ attribute security_file_type;
 # and its opposite
 attribute non_security_file_type;
 
+# sensitive authentication files whose accesses should
+# not be dontaudited for uses
+attribute auth_file_type;
+# and its opposite
+attribute non_auth_file_type;
+
 attribute tmpfile;
 attribute tmpfsfile;
 
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 01c7331..6a96393 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0)
 # Declarations
 #
 
-attribute auth_file_type;
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
@@ -51,7 +50,7 @@ type pam_var_run_t;
 files_pid_file(pam_var_run_t)
 
 type shadow_t;
-auth_file(shadow_t)
+files_auth_file(shadow_t)
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-- 
1.7.7.6