From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 292F81387B2 for ; Sun, 19 Jan 2014 19:01:43 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6B62AE0D08; Sun, 19 Jan 2014 19:01:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 98A78E0D08 for ; Sun, 19 Jan 2014 19:01:41 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2532E33F995 for ; Sun, 19 Jan 2014 19:01:40 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id CAC8D1872C for ; Sun, 19 Jan 2014 19:01:38 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1390157425.04d8dfc736343c9a23530e5971f9048dc57cff2c.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/files.if policy/modules/kernel/files.te policy/modules/kernel/kernel.if policy/modules/kernel/kernel.te X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 04d8dfc736343c9a23530e5971f9048dc57cff2c X-VCS-Branch: master Date: Sun, 19 Jan 2014 19:01:38 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0965bbec-3464-4664-a344-91c173ae8696 X-Archives-Hash: 3ad752e645882a7d257c7553ff4d54b4 commit: 04d8dfc736343c9a23530e5971f9048dc57cff2c Author: Chris PeBenito tresys com> AuthorDate: Thu Jan 16 16:19:00 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sun Jan 19 18:50:25 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=04d8dfc7 Merge file_t into unlabeled_t, as they are security equivalent. --- policy/modules/kernel/files.if | 180 +++++++++++---------------------- policy/modules/kernel/files.te | 12 +-- policy/modules/kernel/kernel.if | 219 +++++++++++++++++++++++++++++++++++++++- policy/modules/kernel/kernel.te | 11 +- 4 files changed, 288 insertions(+), 134 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 0d735e0..74959e8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -3190,7 +3190,7 @@ interface(`files_etc_filetrans_etc_runtime',`
 ########################################
 ##
 ## Getattr of directories on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3199,17 +3199,14 @@ interface(`files_etc_filetrans_etc_runtime',`
 ##
 #
 interface(`files_getattr_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:dir getattr;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_getattr_unlabeled_dirs() instead.')
+ kernel_getattr_unlabeled_dirs($1)
 ')
 ########################################
 ##
 ## Do not audit attempts to search directories on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3218,17 +3215,14 @@ interface(`files_getattr_isid_type_dirs',`
 ##
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- dontaudit $1 file_t:dir search_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_search_unlabeled() instead.')
+ kernel_dontaudit_search_unlabeled($1)
 ')
 ########################################
 ##
 ## List the contents of directories on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3237,17 +3231,14 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 ##
 #
 interface(`files_list_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:dir list_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_list_unlabeled() instead.')
+ kernel_list_unlabeled($1)
 ')
 ########################################
 ##
 ## Read and write directories on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
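Review bot: The "(Deprecated)" summaries on files_getattr_isid_type_dirs, files_dontaudit_search_isid_type_dirs and files_list_isid_type_dirs do not tell callers that the delegation to the kernel_*_unlabeled* interfaces changes what they grant: unlabeled_t is described in kernel.te as covering objects with no labeling information or with labels that are no longer valid, whereas the old file_t rules reached only never-labeled objects. A caller that kept using these wrappers therefore gets access to stale-labeled objects as well, which is a widening rather than a pure rename, and the same applies to every other files_*_isid_type_* wrapper changed in this commit through files_manage_isid_type_chr_files. I would extend each summary with a line such as `## Now equivalent to the unlabeled_t interface it calls, which also covers objects whose labels are no longer valid.` so the widening is visible at the call site. Whether any in-tree caller depends on the narrower meaning is not visible from this diff.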
@@ -3256,17 +3247,14 @@ interface(`files_list_isid_type_dirs',`
 ##
 #
 interface(`files_rw_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_dirs() instead.')
+ kernel_rw_unlabeled_dirs($1)
 ')
 ########################################
 ##
 ## Delete directories on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3275,17 +3263,14 @@ interface(`files_rw_isid_type_dirs',`
 ##
 #
 interface(`files_delete_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- delete_dirs_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_dirs() instead.')
+ kernel_delete_unlabeled_dirs($1)
 ')
 ########################################
 ##
 ## Create, read, write, and delete directories
-## on new filesystems that have not yet been labeled.
+## on new filesystems that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3294,17 +3279,14 @@ interface(`files_delete_isid_type_dirs',`
 ##
 #
 interface(`files_manage_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:dir manage_dir_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_dirs() instead.')
+ kernel_manage_unlabeled_dirs($1)
 ')
 ########################################
 ##
 ## Mount a filesystem on a directory on new filesystems
-## that has not yet been labeled.
+## that has not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3313,17 +3295,14 @@ interface(`files_manage_isid_type_dirs',`
 ##
 #
 interface(`files_mounton_isid_type_dirs',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:dir { search_dir_perms mounton };
+ refpolicywarn(`$0($*) has been deprecated, use kernel_mounton_unlabeled_dirs() instead.')
+ kernel_mounton_unlabeled_dirs($1)
 ')
 ########################################
 ##
 ## Read files on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3332,17 +3311,14 @@ interface(`files_mounton_isid_type_dirs',`
 ##
 #
 interface(`files_read_isid_type_files',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:file read_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_read_unlabeled_files() instead.')
+ kernel_read_unlabeled_files($1)
 ')
 ########################################
 ##
 ## Delete files on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3351,17 +3327,14 @@ interface(`files_read_isid_type_files',`
 ##
 #
 interface(`files_delete_isid_type_files',`
- gen_require(`
- type file_t;
- ')
-
- delete_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_files() instead.')
+ kernel_delete_unlabeled_files($1)
 ')
 ########################################
 ##
 ## Delete symbolic links on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3370,17 +3343,14 @@ interface(`files_delete_isid_type_files',`
 ##
 #
 interface(`files_delete_isid_type_symlinks',`
- gen_require(`
- type file_t;
- ')
-
- delete_lnk_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_symlinks() instead.')
+ kernel_delete_unlabeled_symlinks($1)
 ')
 ########################################
 ##
 ## Delete named pipes on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3389,17 +3359,14 @@ interface(`files_delete_isid_type_symlinks',`
 ##
 #
 interface(`files_delete_isid_type_fifo_files',`
- gen_require(`
- type file_t;
- ')
-
- delete_fifo_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_pipes() instead.')
+ kernel_delete_unlabeled_pipes($1)
 ')
 ########################################
 ##
 ## Delete named sockets on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3408,17 +3375,14 @@ interface(`files_delete_isid_type_fifo_files',`
 ##
 #
 interface(`files_delete_isid_type_sock_files',`
- gen_require(`
- type file_t;
- ')
-
- delete_sock_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_sockets() instead.')
+ kernel_delete_unlabeled_sockets($1)
 ')
 ########################################
 ##
 ## Delete block files on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3427,17 +3391,14 @@ interface(`files_delete_isid_type_sock_files',`
 ##
 #
 interface(`files_delete_isid_type_blk_files',`
- gen_require(`
- type file_t;
- ')
-
- delete_blk_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_blk_files() instead.')
+ kernel_delete_unlabeled_blk_files($1)
 ')
 ########################################
 ##
 ## Do not audit attempts to write to character
-## files that have not yet been labeled.
+## files that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3446,17 +3407,14 @@ interface(`files_delete_isid_type_blk_files',`
 ##
 #
 interface(`files_dontaudit_write_isid_chr_files',`
- gen_require(`
- type file_t;
- ')
-
- dontaudit $1 file_t:chr_file write;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_write_unlabeled_chr_files() instead.')
+ kernel_dontaudit_write_unlabeled_chr_files($1)
 ')
 ########################################
 ##
 ## Delete chr files on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3465,17 +3423,14 @@ interface(`files_dontaudit_write_isid_chr_files',`
 ##
 #
 interface(`files_delete_isid_type_chr_files',`
- gen_require(`
- type file_t;
- ')
-
- delete_chr_files_pattern($1, file_t, file_t)
+ refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_chr_files() instead.')
+ kernel_delete_unlabeled_chr_files($1)
 ')
 ########################################
 ##
 ## Create, read, write, and delete files
-## on new filesystems that have not yet been labeled.
+## on new filesystems that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3484,17 +3439,14 @@ interface(`files_delete_isid_type_chr_files',`
 ##
 #
 interface(`files_manage_isid_type_files',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:file manage_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_files() instead.')
+ kernel_manage_unlabeled_files($1)
 ')
 ########################################
 ##
 ## Create, read, write, and delete symbolic links
-## on new filesystems that have not yet been labeled.
+## on new filesystems that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3503,17 +3455,14 @@ interface(`files_manage_isid_type_files',`
 ##
 #
 interface(`files_manage_isid_type_symlinks',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:lnk_file manage_lnk_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_symlinks() instead.')
+ kernel_manage_unlabeled_symlinks($1)
 ')
 ########################################
 ##
 ## Read and write block device nodes on new filesystems
-## that have not yet been labeled.
+## that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3522,17 +3471,14 @@ interface(`files_manage_isid_type_symlinks',`
 ##
 #
 interface(`files_rw_isid_type_blk_files',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:blk_file rw_blk_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_blk_files() instead.')
+ kernel_rw_unlabeled_blk_files($1)
 ')
 ########################################
 ##
 ## Create, read, write, and delete block device nodes
-## on new filesystems that have not yet been labeled.
+## on new filesystems that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3541,17 +3487,14 @@ interface(`files_rw_isid_type_blk_files',`
 ##
 #
 interface(`files_manage_isid_type_blk_files',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:blk_file manage_blk_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_blk_files() instead.')
+ kernel_manage_unlabeled_blk_files($1)
 ')
 ########################################
 ##
 ## Create, read, write, and delete character device nodes
-## on new filesystems that have not yet been labeled.
+## on new filesystems that have not yet been labeled. (Deprecated)
 ##
 ##
 ##
@@ -3560,11 +3503,8 @@ interface(`files_manage_isid_type_blk_files',`
 ##
 #
 interface(`files_manage_isid_type_chr_files',`
- gen_require(`
- type file_t;
- ')
-
- allow $1 file_t:chr_file manage_chr_file_perms;
+ refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_chr_files() instead.')
+ kernel_manage_unlabeled_chr_files($1)
 ')
 ########################################
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..769a7f2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.18.1)
+policy_module(files, 1.18.2)
 ########################################
 #
@@ -75,16 +75,6 @@ files_type(etc_runtime_t)
 typealias etc_runtime_t alias firstboot_rw_t;
 #
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
 # home_root_t is the type for the directory where user home directories
 # are created
 #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 54f1b0b..18cef42 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2282,6 +2282,42 @@ interface(`kernel_sigchld_unlabeled',`
 ########################################
 ##
+## Get the attributes of unlabeled directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_getattr_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir getattr_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to search unlabeled directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_search_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:dir search_dir_perms;
+')
+
+########################################
+##
 ## List unlabeled directories.
 ##
 ##
@@ -2356,6 +2392,78 @@ interface(`kernel_rw_unlabeled_dirs',`
 ########################################
 ##
+## Delete unlabeled directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_delete_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir delete_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete unlabeled directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Mount a filesystem on an unlabeled directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mounton_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir { search_dir_perms mounton };
+')
+
+########################################
+##
+## Read unlabeled files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file read_file_perms;
+')
+
+########################################
+##
 ## Read and write unlabeled files.
 ##
 ##
@@ -2374,6 +2482,42 @@ interface(`kernel_rw_unlabeled_files',`
 ########################################
 ##
+## Delete unlabeled files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_delete_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file delete_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete unlabeled files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_unlabeled_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:file manage_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts by caller to get the
 ## attributes of an unlabeled file.
 ##
@@ -2412,6 +2556,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 ########################################
 ##
+## Create, read, write, and delete unlabeled symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_unlabeled_symlinks',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts by caller to get the
 ## attributes of unlabeled symbolic links.
 ##
@@ -2501,7 +2663,25 @@ interface(`kernel_rw_unlabeled_blk_files',`
 type unlabeled_t;
 ')
- allow $1 unlabeled_t:blk_file getattr;
+ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete unlabeled block device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_unlabeled_blk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')
 ########################################
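Review bot: The hunk at -2501 changes the body of the pre-existing kernel_rw_unlabeled_blk_files from `allow $1 unlabeled_t:blk_file getattr;` to `allow $1 unlabeled_t:blk_file rw_blk_file_perms;`, which is a permission widening for every domain that already calls that interface, and the commit message ("Merge file_t into unlabeled_t") does not mention it. The change is very likely intentional, since the name promised read/write and files_rw_isid_type_blk_files now delegates to it, but raw read and write on unlabeled block devices is a grant worth calling out explicitly in the commit message so downstream policy maintainers can audit existing callers. The head of kernel_rw_unlabeled_blk_files starts outside the hunk, and I cannot see from this diff which domains call it.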
@@ -2525,6 +2705,43 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 ########################################
 ##
+## Do not audit attempts to
+## write unlabeled character devices.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_write_unlabeled_chr_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file write;
+')
+
+########################################
+##
+## Create, read, write, and delete unlabeled character device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_manage_unlabeled_chr_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+##
 ## Allow caller to relabel unlabeled directories.
 ##
 ##
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index a39d803..1437180 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.2)
+policy_module(kernel, 1.17.3)
 ########################################
 #
@@ -162,8 +162,15 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 # Objects that have no known labeling information or that
 # have labels that are no longer valid are treated as having this type.
 #
-type unlabeled_t;
+# Mountpoint permissions are for the case when a file has been assigned
+# an extended attribute for the first time (old file_t). Directories
+# where filesystems are mounted may never get relabeled.
+#
+type unlabeled_t alias file_t;
+kernel_rootfs_mountpoint(unlabeled_t)
+files_mountpoint(unlabeled_t)
 fs_associate(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # These initial sids are no longer used, and can be removed:
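Review bot: kernel_dontaudit_write_unlabeled_chr_files uses the wrong object class: its rule is `dontaudit $1 unlabeled_t:file write;` while the summary, the interface name and the files_dontaudit_write_isid_chr_files wrapper it replaces (`dontaudit $1 file_t:chr_file write;`) are all about character devices. As written it does not suppress the chr_file write denials callers are asking to hide, and it instead silently drops audit records for write attempts on unlabeled regular files, which is exactly the kind of event an operator would want to see. The fix is the one-token change `dontaudit $1 unlabeled_t:chr_file write;`. kernel_manage_unlabeled_chr_files in the same hunk uses chr_file correctly, so this looks like a copy-and-paste slip.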
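Review bot: The kernel.te hunk at -162 does more than the commit message's "security equivalent" merge implies: `type unlabeled_t alias file_t;` unions every existing rule on file_t with every rule on unlabeled_t, and `files_mountpoint(unlabeled_t)` plus `kernel_rootfs_mountpoint(unlabeled_t)` now put objects with labels that are no longer valid (per the comment two lines above) into the mountpoint attributes, not only never-labeled objects. Any domain that is granted mounton via those attributes elsewhere in the policy can therefore now mount over a directory whose label became invalid, which it could not before. The added comment explains why the mountpoint permissions are kept but not this consequence; I would append a line such as `# Note: because file_t is now an alias, rules written against either name apply to both never-labeled and invalidly-labeled objects.` so the widening is documented where the alias is declared. Which domains receive the attribute-based mounton grants is not visible in this diff.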