|
Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
 |
SELinux Mailing ListRe: Java Legacy problem
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 21 Feb 2005 08:59:24 -0500
>>This is a case where we may want to give an application more rights then >>user_t. >>The java_user_t should be user_t + (execmem/execmod privs) >> >> > >Maybe we should just ask Sun to fix it? > > > I don't think java can be fixed, I think it is doing this stuff by design. A couple of things to try. How about we rename java_domain to javap_domain (java_plugin). Then we create a java_domain like the following
define(`java_domain',`
Attached latest diffs to make these changes.
diff --exclude-from=exclude -N -u -r nsapolicy/ChangeLog policy-1.21.14/ChangeLog --- nsapolicy/ChangeLog 2005-02-17 10:16:42.000000000 -0500 +++ policy-1.21.14/ChangeLog 2005-02-21 08:58:01.000000000 -0500 @@ -1,6 +1,6 @@ 1.21 2005-02-07
-ifdef(`distro_suse', `
-') +'); ')dnl end hide_broken_symptoms +ifdef(`targeted_policy', ` +allow ldconfig_t lib_t:file r_file_perms;+unconfined_domain(ldconfig_t) +') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.21.14/domains/program/unused/amanda.te --- nsapolicy/domains/program/unused/amanda.te 2005-02-10 14:48:39.000000000 -0500 +++ policy-1.21.14/domains/program/unused/amanda.te 2005-02-21 08:58:01.000000000 -0500 @@ -31,7 +31,7 @@ # General declarations ###################### -type amanda_t, domain, privlog; +type amanda_t, domain, privlog, nscd_client_domain ; role system_r types amanda_t;
# type for the amanda executables
+allow amanda_t file_type:dir {getattr read search };
+allow amanda_t file_type:file {getattr read };
+var_log_domain(amanda)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.21.14/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-02-17 10:16:43.000000000 -0500
+++ policy-1.21.14/domains/program/unused/apache.te 2005-02-21 08:58:01.000000000 -0500
@@ -307,6 +307,7 @@ # typealias httpd_log_t alias httpd_runtime_t; allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append }; +dontaudit httpd_t httpd_runtime_t:file ioctl; ') dnl distro_redhat # # Customer reported the following @@ -323,8 +324,9 @@ allow httpd_sys_script_t httpd_squirrelmail_t:file { append read }; # File Type of squirrelmail attachments type squirrelmail_spool_t, file_type, sysadmfile, tmpfile; -allow httpd_t var_spool_t:dir { getattr search }; +allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search }; create_dir_file(httpd_t, squirrelmail_spool_t) +r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
--- nsapolicy/domains/program/unused/cups.te 2005-02-17 10:16:43.000000000 -0500 +++ policy-1.21.14/domains/program/unused/cups.te 2005-02-21 08:58:01.000000000 -0500 @@ -77,6 +77,7 @@
# Use capabilities.
allow cupsd_t self:process setsched; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.21.14/domains/program/unused/dovecot.te --- nsapolicy/domains/program/unused/dovecot.te 2005-02-09 15:01:29.000000000 -0500 +++ policy-1.21.14/domains/program/unused/dovecot.te 2005-02-21 08:58:01.000000000 -0500 @@ -26,6 +26,7 @@
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t cert_t:dir search;
allow dovecot_t dovecot_cert_t:file { getattr read };
allow dovecot_t { self proc_t }:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/java.te policy-1.21.14/domains/program/unused/java.te --- nsapolicy/domains/program/unused/java.te 2005-02-16 14:34:10.000000000 -0500 +++ policy-1.21.14/domains/program/unused/java.te 2005-02-21 08:58:01.000000000 -0500 @@ -10,5 +10,8 @@ # Allow java to read files in the user home directory bool disable_java false; +# Allow java to read files in the user home directory +bool disable_javap false; + # Everything else is in the java_domain macro in # macros/program/java_macros.te. diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.21.14/domains/program/unused/nscd.te --- nsapolicy/domains/program/unused/nscd.te 2005-02-10 14:48:39.000000000 -0500 +++ policy-1.21.14/domains/program/unused/nscd.te 2005-02-21 08:58:01.000000000 -0500 @@ -72,4 +72,4 @@
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
-allow nscd_t urandom_device_t:chr_file { getattr read };
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.21.14/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-02-09 15:01:29.000000000 -0500
+++ policy-1.21.14/domains/program/unused/ping.te 2005-02-21 08:58:01.000000000 -0500
@@ -11,7 +11,7 @@ # ping_t is the domain for the ping program. # ping_exec_t is the type of the corresponding program. # -type ping_t, domain, privlog; +type ping_t, domain, privlog, nscd_client_domain; role sysadm_r types ping_t; role system_r types ping_t; in_user_role(ping_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.21.14/domains/program/unused/privoxy.te --- nsapolicy/domains/program/unused/privoxy.te 2005-02-09 15:01:29.000000000 -0500 +++ policy-1.21.14/domains/program/unused/privoxy.te 2005-02-21 08:58:01.000000000 -0500 @@ -16,7 +16,7 @@ allow privoxy_t self:capability net_bind_service;
# Use the network.
allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.21.14/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-02-17 10:16:44.000000000 -0500
+++ policy-1.21.14/domains/program/unused/samba.te 2005-02-21 08:58:01.000000000 -0500
@@ -176,12 +176,7 @@
# Terminal
-allow smbmount_t devtty_t:chr_file rw_file_perms; -allow smbmount_t devpts_t:dir r_dir_perms; -allow smbmount_t devpts_t:chr_file rw_file_perms; -allow smbmount_t sysadm_tty_device_t:chr_file rw_file_perms; -allow smbmount_t sysadm_devpts_t:chr_file rw_file_perms; -#FIXME: what about user_tty_device_t, user_devpts_t?+access_terminal(smbmount_t, sysadm) allow smbmount_t userdomain:fd use; allow smbmount_t local_login_t:fd use; ') diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.21.14/domains/program/unused/utempter.te --- nsapolicy/domains/program/unused/utempter.te 2005-02-09 15:01:28.000000000 -0500 +++ policy-1.21.14/domains/program/unused/utempter.te 2005-02-21 08:58:01.000000000 -0500 @@ -12,7 +12,7 @@ # executed by xterm to update utmp and wtmp. # utempter_exec_t is the type of the utempter binary. # -type utempter_t, domain; +type utempter_t, domain, nscd_client_domain; in_user_role(utempter_t) role sysadm_r types utempter_t; uses_shlib(utempter_t) diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/amanda.fc policy-1.21.14/file_contexts/program/amanda.fc --- nsapolicy/file_contexts/program/amanda.fc 2005-02-09 15:01:30.000000000 -0500 +++ policy-1.21.14/file_contexts/program/amanda.fc 2005-02-21 08:58:01.000000000 -0500 @@ -538,6 +538,7 @@ #Required when starting with /lib/tls/libc-
allow $1_t { texrel_shlib_t shlib_t }:file execmod;
allow $1_t ld_so_t:file execmod;
+allow $1_t ld_so_cache_t:file execmod;
} ') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.21.14/macros/program/games_domain.te --- nsapolicy/macros/program/games_domain.te 2005-02-10 14:48:42.000000000 -0500 +++ policy-1.21.14/macros/program/games_domain.te 2005-02-21 08:58:01.000000000 -0500 @@ -30,7 +30,6 @@
allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
allow $1_games_t xdm_var_lib_t:file { getattr read };
-allow $1_games_t xdm_t:fifo_file rw_file_perms;
')dnl end if xdm.te
can_unix_connect($1_t, $1_games_t)
--- nsapolicy/macros/program/gpg_macros.te 2005-02-17 10:16:46.000000000 -0500 +++ policy-1.21.14/macros/program/gpg_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -44,6 +44,7 @@ allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
access_terminal($1_gpg_t, $1)
# Inherit and use descriptors
--- nsapolicy/macros/program/java_macros.te 2005-02-16 14:34:31.000000000 -0500 +++ policy-1.21.14/macros/program/java_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -1,117 +1,134 @@ # -# Macros for java/java (or other browser) domains. +# Authors: Dan Walsh <dwalsh@redhat.com> # - # -# Authors: Dan Walsh <dwalsh@redhat.com> and Timothy Fraser +# Macros for java domains. # - # -# java_domain(domain_prefix, user) +# java_domain(domain_prefix) # -# Define a derived domain for the java/java program when executed by -# a web browser. +# Define a derived domain for the java program when executed by +# a user. # # The type declaration for the executable type for this program is # provided separately in domains/program/java.te. # + define(`java_domain',` type $1_java_t, domain, privlog , nscd_client_domain, transitionbool; +legacy_domain($1_java) +base_user_domain($1_java) +domain_auto_trans($1_t, java_exec_t, $1_java_t) +') + +# +# Macros for javap (java plugin) domains. +# +# +# javap_domain(domain_prefix, user) +# +# Define a derived domain for the javap program when executed by +# a web browser. +# +# The type declaration for the executable type for this program is +# provided separately in domains/program/java.te. +# +define(`javap_domain',` +type $1_javap_t, domain, privlog , nscd_client_domain, transitionbool;
# The user role is authorized for this domain.
-role $2_r types $1_java_t;
-allow $1_java_t sound_device_t:chr_file rw_file_perms; +allow $1_javap_t sound_device_t:chr_file rw_file_perms; # Unrestricted inheritance from the caller.
-allow $1_t $1_java_t:process { noatsecure siginh rlimitinh };
-allow $1_java_t $1_t:process signull;
+allow $1_t $1_javap_t:process { noatsecure siginh rlimitinh };
+allow $1_javap_t $1_t:process signull;
-can_unix_connect($1_java_t, $1_t)
-allow $1_java_t $1_t:unix_stream_socket { read write };
+can_unix_connect($1_javap_t, $1_t)
+allow $1_javap_t $1_t:unix_stream_socket { read write }; # This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_java_t)
-can_ypbind($1_java_t)
-allow $1_java_t self:process { fork signal_perms getsched setsched };
-allow $1_java_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow $1_java_t self:fifo_file rw_file_perms;
-allow $1_java_t etc_runtime_t:file { getattr read };
-allow $1_java_t fs_t:filesystem getattr;
-read_locale($1_java_t)
-r_dir_file($1_java_t, { proc_t proc_net_t })
-allow $1_java_t self:dir search;
-allow $1_java_t self:lnk_file read;
-allow $1_java_t self:file { getattr read };
-
-read_sysctl($1_java_t)
-
-tmp_domain($1_java)
-r_dir_file($1_java_t,{ fonts_t usr_t etc_t })
-
-# Search bin directory under java for java executable
-allow $1_java_t bin_t:dir search;
-can_exec($1_java_t, java_exec_t)
+can_network_client($1_javap_t)
+can_ypbind($1_javap_t)
+allow $1_javap_t self:process { fork signal_perms getsched setsched };
+allow $1_javap_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow $1_javap_t self:fifo_file rw_file_perms;
+allow $1_javap_t etc_runtime_t:file { getattr read };
+allow $1_javap_t fs_t:filesystem getattr;
+r_dir_file($1_javap_t, { proc_t proc_net_t })
+allow $1_javap_t self:dir search;
+allow $1_javap_t self:lnk_file read;
+allow $1_javap_t self:file { getattr read };
+
+read_sysctl($1_javap_t)
+
+tmp_domain($1_javap)
+r_dir_file($1_javap_t,{ fonts_t usr_t etc_t })
+
+# Search bin directory under javap for javap executable
+allow $1_javap_t bin_t:dir search;
+can_exec($1_javap_t, javap_exec_t)
# Allow connections to X server.
ifdef(`xdm.te', `
-allow $1_java_t xdm_xserver_tmp_t:dir search; -allow $1_java_t xdm_t:fifo_file rw_file_perms; -allow $1_java_t xdm_tmp_t:dir search; -allow $1_java_t xdm_tmp_t:sock_file write; +allow $1_javap_t xdm_xserver_tmp_t:dir search; +allow $1_javap_t xdm_t:fifo_file rw_file_perms;+allow $1_javap_t xdm_tmp_t:dir search; +allow $1_javap_t xdm_tmp_t:sock_file write; ')
ifdef(`startx.te', `
# for /tmp/.X0-lock
-allow $1_java_t $2_xserver_tmp_t:sock_file rw_file_perms; -can_unix_connect($1_java_t, $2_xserver_t) +allow $1_javap_t $2_xserver_tmp_t:sock_file rw_file_perms; +can_unix_connect($1_javap_t, $2_xserver_t)')dnl end startx
-can_unix_connect($1_java_t, xdm_xserver_t)
-allow xdm_xserver_t $1_java_t:fd use;
-allow xdm_xserver_t $1_java_t:shm { associate getattr read unix_read };
-dontaudit xdm_xserver_t $1_java_t:shm { unix_write write };
+can_unix_connect($1_javap_t, xdm_xserver_t)
+allow xdm_xserver_t $1_javap_t:fd use;
+allow xdm_xserver_t $1_javap_t:shm { associate getattr read unix_read }; +dontaudit xdm_xserver_t $1_javap_t:shm { unix_write write }; ')dnl end xserver -allow $1_java_t self:shm create_shm_perms; +allow $1_javap_t self:shm create_shm_perms;
-legacy_domain($1_java)
-uses_shlib($1_java_t)
-read_locale($1_java_t)
-rw_dir_file($1_java_t, $1_rw_t)
-
-allow $1_java_t ld_so_cache_t:file execute;
-allow $1_java_t lib_t:file execute;
-allow $1_java_t locale_t:file execute;
-allow $1_java_t $1_java_tmp_t:file execute;
-
-allow $1_java_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_java_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_java_t, $2_home_dir_t, $1_rw_t)
-allow $1_java_t $2_home_xauth_t:file { getattr read };
-allow $1_java_t $2_tmp_t:sock_file write;
-allow $1_java_t $2_t:fd use;
-
-allow $1_java_t var_t:dir getattr;
-allow $1_java_t var_lib_t:dir { getattr search };
-
-dontaudit $1_java_t fonts_t:file execute;
-dontaudit $1_java_t sound_device_t:chr_file execute;
-dontaudit $1_java_t $2_devpts_t:chr_file { read write };
-dontaudit $1_java_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_java_t devtty_t:chr_file { read write };
-dontaudit $1_java_t tmpfs_t:file { execute read write };
-dontaudit $1_java_t $1_rw_t:file { execute setattr };
+uses_shlib($1_javap_t)
+read_locale($1_javap_t)
+rw_dir_file($1_javap_t, $1_rw_t)
+
+allow $1_javap_t ld_so_cache_t:file execute;
+allow $1_javap_t lib_t:file execute;
+allow $1_javap_t locale_t:file execute;
+allow $1_javap_t $1_javap_tmp_t:file execute;
+
+allow $1_javap_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
+
+allow $1_javap_t home_root_t:dir { getattr search };
+file_type_auto_trans($1_javap_t, $2_home_dir_t, $1_rw_t)
+allow $1_javap_t $2_home_xauth_t:file { getattr read };
+allow $1_javap_t $2_tmp_t:sock_file write;
+allow $1_javap_t $2_t:fd use;
+
+allow $1_javap_t var_t:dir getattr;
+allow $1_javap_t var_lib_t:dir { getattr search };
+
+dontaudit $1_javap_t fonts_t:file execute;
+dontaudit $1_javap_t sound_device_t:chr_file execute;
+dontaudit $1_javap_t $2_devpts_t:chr_file { read write };
+dontaudit $1_javap_t sysadm_devpts_t:chr_file { read write };
+dontaudit $1_javap_t devtty_t:chr_file { read write };
+dontaudit $1_javap_t tmpfs_t:file { execute read write };
+dontaudit $1_javap_t $1_rw_t:file { execute setattr };
')
--- nsapolicy/macros/program/mozilla_macros.te 2005-02-17 10:16:46.000000000 -0500 +++ policy-1.21.14/macros/program/mozilla_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -84,6 +84,7 @@ dontaudit $1_mozilla_t $1_home_t:dir setattr; dontaudit $1_mozilla_t $1_home_t:file setattr; } +allow $1_mozilla_t $1_tmp_t:sock_file rw_file_perms; file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t) file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_rw_t)
@@ -111,8 +112,9 @@
#
+ifdef(`java.te', ` +javap_domain($1_mozilla, $1) +')
# Mplayer plugin
-ifdef(`xdm.te', `
-allow $1_mozilla_t xdm_t:fifo_file { write read };
-allow $1_mozilla_t xdm_tmp_t:dir search;
-allow $1_mozilla_t xdm_tmp_t:file { getattr read };
-allow $1_mozilla_t xdm_tmp_t:sock_file write;
-')dnl end if xdm.te
if (allow_execmem) { allow $1_mozilla_t self:process { execmem }; } diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.21.14/macros/program/mplayer_macros.te --- nsapolicy/macros/program/mplayer_macros.te 2005-02-14 14:49:20.000000000 -0500 +++ policy-1.21.14/macros/program/mplayer_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -45,6 +45,7 @@ uses_shlib($1_$2_t) read_locale($1_$2_t) access_terminal($1_$2_t, $1) +allow $1_$2_t { $1_devpts_t $1_tty_device_t }:chr_file ioctl;
# Required for win32 binary loader
-# Additional rules for search /tmp/.X11-unix -ifdef(`xdm.te', ` -allow $1_mplayer_t xdm_tmp_t:dir search; -')dnl end if xdm.te - # Audio allow $1_mplayer_t sound_device_t:chr_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.21.14/macros/program/ssh_macros.te --- nsapolicy/macros/program/ssh_macros.te 2005-02-17 10:16:46.000000000 -0500 +++ policy-1.21.14/macros/program/ssh_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -124,6 +124,7 @@
# Write to the user domain tty.
# Allow the user shell to signal the ssh program.
allow $1_t $1_ssh_t:process signal;
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
+allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
+allow $1_ssh_t { xdm_tmp_t }:sock_file write;
')
')dnl end if xserver diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.21.14/macros/program/tvtime_macros.te --- nsapolicy/macros/program/tvtime_macros.te 2005-02-09 15:01:31.000000000 -0500 +++ policy-1.21.14/macros/program/tvtime_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -33,9 +33,6 @@
allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
allow $1_tvtime_t self:process setsched;
allow $1_tvtime_t usr_t:file { getattr read };
-ifdef(`xdm.te', `
-allow $1_tvtime_t xdm_tmp_t:dir search; -') ')dnl end tvtime_domain diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.21.14/macros/program/x_client_macros.te --- nsapolicy/macros/program/x_client_macros.te 2005-02-17 10:16:46.000000000 -0500 +++ policy-1.21.14/macros/program/x_client_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -179,7 +179,7 @@ allow $1_$2_t xdm_xserver_tmpfs_t:file r_file_perms;
can_unix_connect($1_$2_t, xdm_xserver_t)
-allow $1_$2_t xdm_xserver_tmp_t:dir search;
+allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
allow $1_$2_t { xdm_xserver_tmp_t xdm_tmp_t }:sock_file { read write };
allow $1_$2_t xdm_t:fd use;
dontaudit $1_$2_t xdm_t:tcp_socket { read write }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.21.14/macros/user_macros.te --- nsapolicy/macros/user_macros.te 2005-02-17 10:16:46.000000000 -0500 +++ policy-1.21.14/macros/user_macros.te 2005-02-21 08:58:01.000000000 -0500 @@ -47,6 +47,7 @@ ifdef(`apache.te', `apache_domain($1)') ifdef(`slocate.te', `locate_domain($1)') ifdef(`lockdev.te', `lockdev_domain($1)') +ifdef(`java.te', `java_domain($1)')
can_kerberos($1_t)
--- nsapolicy/Makefile 2005-02-17 15:52:02.000000000 -0500 +++ policy-1.21.14/Makefile 2005-02-21 08:58:01.000000000 -0500 @@ -21,21 +21,25 @@ SBINDIR = $(PREFIX)/sbin LOADPOLICY = $(SBINDIR)/load_policy CHECKPOLICY = $(BINDIR)/checkpolicy +GENHOMEDIRCON = $(SBINDIR)/genhomedircon SETFILES = $(SBINDIR)/setfiles VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') KERNVERS := $(shell cat /selinux/policyvers) POLICYVER := policy.$(VERS) +TOPDIR = $(DESTDIR)/etc/selinux ifeq ($(MLS),y) -INSTALLDIR = $(DESTDIR)/etc/selinux/mls +TYPE=mls else -INSTALLDIR = $(DESTDIR)/etc/selinux/strict +TYPE=strict endif +INSTALLDIR = $(TOPDIR)/$(TYPE) POLICYPATH = $(INSTALLDIR)/policy SRCPATH = $(INSTALLDIR)/src USERPATH = $(INSTALLDIR)/users CONTEXTPATH = $(INSTALLDIR)/contexts LOADPATH = $(POLICYPATH)/$(POLICYVER) FCPATH = $(CONTEXTPATH)/files/file_contexts +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES) POLICYFILES += $(USER_FILES) POLICYFILES += constraints -POLICYFILES += initial_sid_contexts fs_use genfs_contexts net_contexts -CONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts +POLICYFILES += $(DEFCONTEXTFILES) +CONTEXTFILES = $(DEFCONTEXTFILES) +POLICY_DIRS = domains/program domains/misc UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
grep -v dontaudit policy.conf > policy.audit mv policy.audit policy.conf
-policy.conf: $(POLICYFILES)
mkdir -p tmp - m4 $(M4PARAM) -Imacros -s $^ > $@.tmp + m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp mv $@.tmp $@
install-src:
@mkdir -p $(CONTEXTPATH)/files install -m 644 $(FC) $(FCPATH) + install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) + @$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD) $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd @echo "Building file_contexts ..." @m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp - @grep -v "^/root" $@.tmp > $@.root - @/usr/sbin/genhomedircon . $@.root > $@ - @grep "^/root" $@.tmp >> $@ - @-rm $@.tmp $@.root + @grep -v -e HOME -e ROLE $@.tmp > $@ + @grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE) + @-rm $@.tmp
# Create a tags-file for the policy:
--- nsapolicy/targeted/domains/unconfined.te 2005-02-09 15:01:45.000000000 -0500 +++ policy-1.21.14/targeted/domains/unconfined.te 2005-02-21 08:58:01.000000000 -0500 @@ -9,6 +9,8 @@ role user_r types unconfined_t; role sysadm_r types unconfined_t; unconfined_domain(unconfined_t) +allow domain unconfined_t:fd use; +allow domain unconfined_t:process sigchld;
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
user_typealias(sysadm) user_typealias(staff) user_typealias(user) +attribute user_file_type; +attribute staff_file_type; +attribute sysadm_file_type;
allow unconfined_t unlabeled_t:filesystem *;
allow unlabeled_t self:filesystem associate;
# Allow execution of anonymous mappings, e.g. executable stack.
-bool allow_execmem false;
# Support Share libraries with Text Relocation
-bool allow_execmod false;
# Support SAMBA home directories
+if (allow_execmod) {
+allow unconfined_t { ld_so_t shlib_t }:file execmod;
+allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
+}
+
ifdef(`samba.te', `samba_domain(user)')
# Allow system to run with NIS
--- nsapolicy/tunables/distro.tun 2005-02-09 15:01:31.000000000 -0500 +++ policy-1.21.14/tunables/distro.tun 2005-02-21 08:58:01.000000000 -0500 @@ -5,7 +5,7 @@ # appropriate ifdefs.
-dnl define(`distro_redhat')
dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.21.14/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2005-02-09 15:01:31.000000000 -0500 +++ policy-1.21.14/tunables/tunable.tun 2005-02-21 08:58:01.000000000 -0500 @@ -1,27 +1,27 @@ # Allow users to execute the mount command -dnl define(`user_can_mount') +define(`user_can_mount')
# Allow rpm to run unconfined.
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined. -dnl define(`unlimitedRC') +define(`unlimitedRC') # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
# Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Mon 21 Feb 2005 - 09:03:14 EST |
|
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |
Top NSA Banner
2008 National Security Agency
Privacy
|
Terms of Use
|
NoFEAR Act
|
FOIA
|
DNI.gov
|
DOD.mil
|
USA.gov
|
Contact Us
|
Site Map
Privacy
|
Terms of Use
|
NoFEAR Act
|
FOIA
|
DNI.gov
|
DOD.mil
|
USA.gov
|
Contact Us
|
Site Map