diff --git a/policy/modules/admin/dracut.fc b/policy/modules/admin/dracut.fc new file mode 100644 index 0000000000..3f0a4bf1de --- /dev/null +++ b/policy/modules/admin/dracut.fc @@ -0,0 +1,2 @@ +/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) +/usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) diff --git a/policy/modules/admin/dracut.if b/policy/modules/admin/dracut.if new file mode 100644 index 0000000000..e05cd1be3f --- /dev/null +++ b/policy/modules/admin/dracut.if @@ -0,0 +1,66 @@ +## Dracut initramfs creation tool + +######################################## +## +## Execute the dracut program in the dracut domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dracut_domtrans',` + gen_require(` + type dracut_t, dracut_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dracut_exec_t, dracut_t) +') + +######################################## +## +## Execute dracut in the dracut domain, and +## allow the specified role the dracut domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`dracut_run',` + gen_require(` + type dracut_t; + ') + + dracut_domtrans($1) + role $2 types dracut_t; +') + +######################################## +## +## Read/write dracut temporary files +## +## +## +## Domain allowed access. +## +## +# +interface(`dracut_rw_tmp_files',` + gen_require(` + type dracut_tmp_t; + ') + + files_search_var($1) + files_search_tmp($1) + + rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t) +') diff --git a/policy/modules/admin/dracut.te b/policy/modules/admin/dracut.te new file mode 100644 index 0000000000..e0b0b576d2 --- /dev/null +++ b/policy/modules/admin/dracut.te @@ -0,0 +1,207 @@ +policy_module(dracut) + +######################################## +# +# Declarations +# + +type dracut_t; +type dracut_exec_t; +application_domain(dracut_t, dracut_exec_t) + +type dracut_var_log_t; +logging_log_file(dracut_var_log_t) + +type dracut_runtime_t; +files_runtime_file(dracut_runtime_t) + +type dracut_tmp_t; +files_tmp_file(dracut_tmp_t) + +######################################## +# +# Local policy +# + +allow dracut_t self:process { getsched setfscreate }; +# sys_admin needed for fsfreeze use +# sys_chroot needed for ldconfig +allow dracut_t self:capability { dac_override dac_read_search setfcap sys_admin sys_chroot }; +dontaudit dracut_t self:capability sys_resource; +allow dracut_t self:fifo_file rw_fifo_file_perms; +allow dracut_t self:unix_stream_socket create_stream_socket_perms; +allow dracut_t self:alg_socket create_stream_socket_perms; + +allow dracut_t dracut_runtime_t:dir manage_dir_perms; +allow dracut_t dracut_runtime_t:file manage_file_perms; +files_runtime_filetrans(dracut_t, dracut_runtime_t, { dir file }) + +allow dracut_t dracut_tmp_t:dir { manage_dir_perms relabelfrom }; +allow dracut_t dracut_tmp_t:file { manage_file_perms relabel_file_perms }; +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) +manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) +files_tmp_filetrans(dracut_t, dracut_tmp_t, dir) + +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t) +logging_log_filetrans(dracut_t, dracut_var_log_t, file) + +corecmd_exec_bin(dracut_t) +corecmd_exec_shell(dracut_t) +corecmd_mmap_all_executables(dracut_t) +corecmd_delete_all_executables(dracut_t) +corecmd_setattr_all_executables(dracut_t) +corecmd_relabelto_all_executables(dracut_t) + +dev_read_kmsg(dracut_t) +dev_read_rand(dracut_t) +dev_read_sysfs(dracut_t) +dev_rw_lvm_control(dracut_t) +# for ssh-keygen +dev_write_urand(dracut_t) +# findmnt generates these +dev_dontaudit_getattr_all_blk_files(dracut_t) +dev_dontaudit_getattr_all_chr_files(dracut_t) + +domain_use_interactive_fds(dracut_t) +domain_obj_id_change_exemption(dracut_t) + +files_create_kernel_img(dracut_t) +files_search_runtime(dracut_t) + +files_rw_etc_files(dracut_t) +files_create_etc_files(dracut_t) +files_delete_etc_files(dracut_t) +files_rename_etc_files(dracut_t) +files_setattr_etc_files(dracut_t) +files_relabelto_etc_files(dracut_t) +files_mmap_read_kernel_modules(dracut_t) +files_delete_kernel_modules(dracut_t) +files_setattr_kernel_modules(dracut_t) +files_relabelto_kernel_modules_files(dracut_t) +files_read_usr_files(dracut_t) +files_delete_usr_files(dracut_t) +files_setattr_usr_files(dracut_t) +files_relabelto_usr_files(dracut_t) +files_read_usr_src_files(dracut_t) +files_read_etc_runtime_files(dracut_t) +files_delete_etc_runtime_files(dracut_t) +files_setattr_etc_runtime_files(dracut_t) +files_relabelto_etc_runtime_files(dracut_t) +files_relabelfrom_etc_runtime_files(dracut_t) + +files_dontaudit_search_mnt(dracut_t) + +# cgroup for virt-detect +fs_getattr_cgroup(dracut_t) +fs_read_cgroup_files(dracut_t) +# tmpfs on /run/modprobe.d +fs_list_tmpfs(dracut_t) +fs_getattr_nsfs_files(dracut_t) +fs_getattr_xattr_fs(dracut_t) +fs_dontaudit_getattr_hugetlbfs_dirs(dracut_t) + +kernel_read_messages(dracut_t) +kernel_read_system_state(dracut_t) +# for virt-detect +kernel_read_kernel_sysctls(dracut_t) +kernel_read_network_state(dracut_t) +kernel_read_vm_overcommit_sysctl(dracut_t) +kernel_dontaudit_getattr_proc(dracut_t) + +storage_dontaudit_read_fixed_disk(dracut_t) + +# create a stripped down shadow file in initrd +auth_manage_shadow(dracut_t) +auth_use_nsswitch(dracut_t) + +# for virt-detect +init_read_state(dracut_t) + +fstools_domtrans(dracut_t) + +libs_exec_ldconfig(dracut_t) +libs_exec_ld_so(dracut_t) +libs_exec_lib_files(dracut_t) +libs_delete_ld_so(dracut_t) +libs_setattr_ld_so(dracut_t) +libs_relabel_ld_so(dracut_t) +libs_delete_lib_files(dracut_t) +libs_setattr_lib_files(dracut_t) +libs_relabelto_lib_files(dracut_t) + +logging_read_syslog_config(dracut_t) +logging_delete_syslog_config_files(dracut_t) +logging_setattr_syslog_config_files(dracut_t) +logging_relabelto_syslog_config_files(dracut_t) +logging_dontaudit_search_runtime_dirs(dracut_t) + +miscfiles_read_generic_certs(dracut_t) +miscfiles_read_localization(dracut_t) + +modutils_exec(dracut_t) +modutils_read_module_config(dracut_t) +modutils_delete_module_config(dracut_t) +modutils_setattr_module_config(dracut_t) +modutils_relabel_module_config(dracut_t) +modutils_read_module_deps(dracut_t) + +seutil_domtrans_setfiles(dracut_t) + +udev_list_rules(dracut_t) +udev_rw_rules_files(dracut_t) +udev_delete_rules_files(dracut_t) +udev_setattr_rules_files(dracut_t) +udev_relabelto_rules_files(dracut_t) + +userdom_search_user_home_dirs(dracut_t) +userdom_use_user_terminals(dracut_t) + +ifdef(`init_systemd',` + sysnet_read_config(dracut_t) + sysnet_delete_config(dracut_t) + sysnet_setattr_config(dracut_t) + sysnet_relabelto_config(dracut_t) + + init_manage_all_unit_files(dracut_t) + init_relabel_all_unit_files(dracut_t) + + systemd_exec_sysusers(dracut_t) + systemd_read_user_units_files(dracut_t) +') + +optional_policy(` + installkernel_list_tmp(dracut_t) + installkernel_create_tmp_files(dracut_t) + installkernel_rw_tmp_files(dracut_t) +') + +optional_policy(` + lvm_exec(dracut_t) + lvm_read_config(dracut_t) +') + +optional_policy(` + portage_exec_gcc_config(dracut_t) + portage_list_config(dracut_t) + portage_read_config(dracut_t) + portage_list_ebuild(dracut_t) + portage_read_ebuild_files(dracut_t) +') + +optional_policy(` + ssh_exec_keygen(dracut_t) + ssh_read_server_keys(dracut_t) + ssh_dontaudit_getattr_home_dirs(dracut_t) +') + +optional_policy(` + xdg_dontaudit_search_data_dirs(dracut_t) +') + +optional_policy(` + zfs_read_config(dracut_t) + zfs_read_zpool_cache(dracut_t) + zfs_delete_zpool_cache(dracut_t) + zfs_setattr_zpool_cache_files(dracut_t) + zfs_relabelto_zpool_cache_files(dracut_t) +') diff --git a/policy/modules/admin/installkernel.fc b/policy/modules/admin/installkernel.fc new file mode 100644 index 0000000000..4a47a5c18f --- /dev/null +++ b/policy/modules/admin/installkernel.fc @@ -0,0 +1,4 @@ +/usr/bin/kernel-install -- gen_context(system_u:object_r:installkernel_exec_t,s0) +/usr/bin/installkernel -- gen_context(system_u:object_r:installkernel_exec_t,s0) +/var/lib/misc/installkernel -- gen_context(system_u:object_r:installkernel_var_lib_t,s0) +/var/log/installkernel\.log -- gen_context(system_u:object_r:installkernel_log_t,s0) diff --git a/policy/modules/admin/installkernel.if b/policy/modules/admin/installkernel.if new file mode 100644 index 0000000000..4a1ed707ab --- /dev/null +++ b/policy/modules/admin/installkernel.if @@ -0,0 +1,101 @@ +## Install kernels and update the bootloader configuration. + +######################################## +## +## Execute installkernel in the installkernel domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`installkernel_domtrans',` + gen_require(` + type installkernel_t, installkernel_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, installkernel_exec_t, installkernel_t) +') + +######################################## +## +## Execute installkernel in the installkernel +## domain, and allow the specified +## role the installkernel domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`installkernel_run',` + gen_require(` + type installkernel_t; + ') + + installkernel_domtrans($1) + role $2 types installkernel_t; +') + +######################################## +## +## List the contents of installkernel tmp directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`installkernel_list_tmp',` + gen_require(` + type installkernel_tmp_t; + ') + + allow $1 installkernel_tmp_t:dir list_dir_perms; +') + +######################################## +## +## Create installkernel tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`installkernel_create_tmp_files',` + gen_require(` + type installkernel_tmp_t; + ') + + create_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t) +') + +######################################## +## +## Read and write installkernel tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`installkernel_rw_tmp_files',` + gen_require(` + type installkernel_tmp_t; + ') + + rw_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t) +') diff --git a/policy/modules/admin/installkernel.te b/policy/modules/admin/installkernel.te new file mode 100644 index 0000000000..72c80e638c --- /dev/null +++ b/policy/modules/admin/installkernel.te @@ -0,0 +1,102 @@ +policy_module(installkernel) + +######################################## +# +# Declarations +# + +type installkernel_t; +type installkernel_exec_t; +application_domain(installkernel_t, installkernel_exec_t) + +type installkernel_var_lib_t; +files_type(installkernel_var_lib_t) + +type installkernel_log_t; +logging_log_file(installkernel_log_t) + +type installkernel_tmp_t; +files_tmp_file(installkernel_tmp_t) + +######################################## +# +# Local policy +# + +allow installkernel_t self:process { getcap getsched }; +allow installkernel_t self:capability sys_resource; +allow installkernel_t self:fifo_file rw_inherited_fifo_file_perms; + +can_exec(installkernel_t, installkernel_exec_t) + +corecmd_exec_bin(installkernel_t) +corecmd_exec_shell(installkernel_t) + +# create staging area +allow installkernel_t installkernel_tmp_t:dir manage_dir_perms; +allow installkernel_t installkernel_tmp_t:file { mmap_manage_file_perms relabel_file_perms }; +files_tmp_filetrans(installkernel_t, installkernel_tmp_t, { dir file }) + +# update /var/lib/misc/installkernel +files_search_var_lib(installkernel_t) +allow installkernel_t installkernel_var_lib_t:file manage_file_perms; + +allow installkernel_t installkernel_log_t:file { create_file_perms append_file_perms }; +logging_log_filetrans(installkernel_t, installkernel_log_t, file) + +dev_getattr_sysfs(installkernel_t) +dev_read_sysfs(installkernel_t) + +# boot_t is constrained +domain_obj_id_change_exemption(installkernel_t) + +domain_use_interactive_fds(installkernel_t) + +files_list_boot(installkernel_t) +files_manage_boot_files(installkernel_t) +files_relabelto_boot_files(installkernel_t) +files_getattr_boot_fs(installkernel_t) +# read /etc/kernel +files_read_etc_files(installkernel_t) +# read /etc/machine-id +files_read_etc_runtime_files(installkernel_t) +files_mmap_read_usr_src_files(installkernel_t) +# execute depmod +files_manage_kernel_modules(installkernel_t) + +fs_getattr_xattr_fs(installkernel_t) +fs_getattr_nsfs_files(installkernel_t) + +kernel_read_system_state(installkernel_t) +# read /proc/sys/kernel/osrelease +kernel_read_kernel_sysctls(installkernel_t) +kernel_dontaudit_getattr_proc(installkernel_t) + +storage_raw_read_fixed_disk(installkernel_t) + +auth_use_nsswitch(installkernel_t) + +miscfiles_read_generic_certs(installkernel_t) +miscfiles_read_localization(installkernel_t) + +# read /etc/systemd/network +sysnet_read_config(installkernel_t) + +libs_exec_lib_files(installkernel_t) + +userdom_use_user_terminals(installkernel_t) +userdom_dontaudit_search_user_home_dirs(installkernel_t) + +xdg_dontaudit_search_data_dirs(installkernel_t) + +ifdef(`init_systemd',` + # detect if running in a container + init_search_runtime(installkernel_t) + fs_getattr_cgroup(installkernel_t) + fs_search_cgroup_dirs(installkernel_t) + init_read_state(installkernel_t) +') + +optional_policy(` + dracut_domtrans(installkernel_t) +') diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 7645cec897..2259cd499f 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -249,6 +249,25 @@ interface(`portage_run_fetch',` roleattribute $2 portage_fetch_roles; ') +######################################## +## +## Execute gcc-config in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_exec_gcc_config',` + gen_require(` + type gcc_config_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, gcc_config_exec_t) +') + ######################################## ## ## Execute gcc-config in the gcc config domain. @@ -353,6 +372,103 @@ interface(`portage_dontaudit_read_config',` dontaudit $1 portage_conf_t:lnk_file read_lnk_file_perms; ') +######################################## +## +## List the contents of portage config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_list_config',` + gen_require(` + type portage_conf_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, portage_conf_t, portage_conf_t) +') + +######################################## +## +## Read portage config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_read_config',` + gen_require(` + type portage_conf_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, portage_conf_t, portage_conf_t) + read_files_pattern($1, portage_conf_t, portage_conf_t) + read_lnk_files_pattern($1, portage_conf_t, portage_conf_t) +') + +######################################## +## +## Memory map and read portage config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_mmap_read_config',` + gen_require(` + type portage_conf_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, portage_conf_t, portage_conf_t) + mmap_read_files_pattern($1, portage_conf_t, portage_conf_t) + read_lnk_files_pattern($1, portage_conf_t, portage_conf_t) +') + +######################################## +## +## List the contents of portage ebuild directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_list_ebuild',` + gen_require(` + type portage_ebuild_t; + ') + + list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t) +') + +######################################## +## +## Read portage ebuild files. +## +## +## +## Domain allowed access. +## +## +# +interface(`portage_read_ebuild_files',` + gen_require(` + type portage_ebuild_t; + ') + + read_files_pattern($1, portage_ebuild_t, portage_ebuild_t) +') + ######################################## ## ## Do not audit attempts to search the diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 08ed91f19c..bb7792e645 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -700,6 +700,27 @@ interface(`corecmd_getattr_all_executables',` getattr_files_pattern($1, bin_t, exec_type) ') +######################################## +## +## Set the attributes of all executable files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corecmd_setattr_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + corecmd_list_bin($1) + setattr_files_pattern($1, bin_t, exec_type) +') + ######################################## ## ## Read all executable files. @@ -780,6 +801,27 @@ interface(`corecmd_dontaudit_exec_all_executables',` dontaudit $1 exec_type:file { execute execute_no_trans }; ') +######################################## +## +## Delete all executable files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corecmd_delete_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + corecmd_list_bin($1) + delete_files_pattern($1, bin_t, exec_type) +') + ######################################## ## ## Create, read, write, and all executable files. @@ -823,6 +865,25 @@ interface(`corecmd_relabel_all_executables',` relabel_files_pattern($1, bin_t, exec_type) ') +######################################## +## +## Relabelto all executable file types. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corecmd_relabelto_all_executables',` + gen_require(` + attribute exec_type; + ') + + allow $1 exec_type:file relabelto; +') + ######################################## ## ## Mmap all executables as executable. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index e55bf337e3..f86058de5a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2724,6 +2724,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') +######################################## +## +## Relabel to files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_boot_files',` + gen_require(` + type boot_t; + ') + + relabelto_files_pattern($1, boot_t, boot_t) +') + ###################################### ## ## Read symbolic links in the /boot directory. @@ -3463,6 +3481,24 @@ interface(`files_dontaudit_manage_etc_files',` dontaudit $1 etc_t:file manage_file_perms; ') +######################################## +## +## Create system configuration files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_etc_files',` + gen_require(` + type etc_t; + ') + + create_files_pattern($1, etc_t, etc_t) +') + ######################################## ## ## Delete system configuration files in /etc. @@ -3480,6 +3516,41 @@ interface(`files_delete_etc_files',` delete_files_pattern($1, etc_t, etc_t) ') +######################################## +## +## Rename system configuration files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rename_etc_files',` + gen_require(` + type etc_t; + ') + + rename_files_pattern($1, etc_t, etc_t) +') + +######################################## +## +## Set the attributes of etc_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:file setattr; +') ######################################## ## @@ -3519,6 +3590,24 @@ interface(`files_watch_etc_files', ` allow $1 etc_t:file watch; ') +######################################## +## +## Relabel files to etc_t. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:file relabelto; +') + ######################################## ## ## Get etc_t service status. @@ -3868,8 +3957,8 @@ interface(`files_read_etc_runtime_files',` ') allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_runtime_t) - read_lnk_files_pattern($1, etc_t, etc_runtime_t) + read_files_pattern($1, etc_runtime_t, etc_runtime_t) + read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t) ') ######################################## @@ -3988,6 +4077,24 @@ interface(`files_rw_etc_runtime_files',` rw_files_pattern($1, etc_t, etc_runtime_t) ') +######################################## +## +## Delete etc_runtime_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file delete_file_perms; +') + ######################################## ## ## Create, read, write, and delete files in @@ -4009,6 +4116,24 @@ interface(`files_manage_etc_runtime_files',` manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) ') +######################################## +## +## Set the attributes on etc_runtime_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file setattr; +') + ######################################## ## ## Relabel to etc_runtime_t files. @@ -4027,6 +4152,24 @@ interface(`files_relabelto_etc_runtime_files',` allow $1 etc_runtime_t:file relabelto; ') +######################################## +## +## Relabel from etc_runtime_t files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelfrom_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file relabelfrom; +') + ######################################## ## ## Create, etc runtime objects with an automatic @@ -4673,6 +4816,24 @@ interface(`files_delete_kernel_modules',` delete_files_pattern($1, modules_object_t, modules_object_t) ') +######################################## +## +## Set the attributes on kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:file setattr; +') + ######################################## ## ## Create, read, write, and delete @@ -4766,6 +4927,24 @@ interface(`files_kernel_modules_filetrans',` filetrans_pattern($1, modules_object_t, $2, $3, $4) ') +######################################## +## +## Relabel files to the kernel module type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_kernel_modules_files',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:file relabelto; +') + ######################################## ## ## Load kernel module files. @@ -5583,6 +5762,24 @@ interface(`files_getattr_usr_files',` getattr_files_pattern($1, usr_t, usr_t) ') +######################################## +## +## Set the attributes of files in the /usr directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_usr_files',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:file setattr; +') + ######################################## ## ## Map generic files in /usr. @@ -5861,6 +6058,27 @@ interface(`files_read_usr_src_files',` allow $1 src_t:dir list_dir_perms; ') +######################################## +## +## Memory map and read files in /usr/src. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mmap_read_usr_src_files',` + gen_require(` + type usr_t, src_t; + ') + + allow $1 usr_t:dir search_dir_perms; + mmap_read_files_pattern($1, { usr_t src_t }, src_t) + read_lnk_files_pattern($1, { usr_t src_t }, src_t) + allow $1 src_t:dir list_dir_perms; +') + ######################################## ## ## Execute programs in /usr/src in the caller domain. diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b380912fb6..0d5431df17 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -3641,6 +3641,25 @@ interface(`fs_getattr_hugetlbfs',` allow $1 hugetlbfs_t:filesystem getattr; ') +######################################## +## +## Do not audit attempts to get the +## attributes of directories on a hugetlbfs. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_getattr_hugetlbfs_dirs',` + gen_require(` + type hugetlbfs_t; + ') + + dontaudit $1 hugetlbfs_t:dir getattr_dir_perms; +') + ######################################## ## ## Remount a hugetlbfs filesystem. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 3a82425685..9af741123c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -422,6 +422,10 @@ optional_policy(` dpkg_run(sysadm_t, sysadm_r) ') +optional_policy(` + dracut_run(sysadm_t, sysadm_r) +') + optional_policy(` drbd_admin(sysadm_t, sysadm_r) ') @@ -555,6 +559,10 @@ optional_policy(` ipsec_admin(sysadm_t, sysadm_r) ') +optional_policy(` + installkernel_run(sysadm_t, sysadm_r) +') + optional_policy(` iptables_admin(sysadm_t, sysadm_r) iptables_run(sysadm_t, sysadm_r) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 39fd112947..fc0bca87cc 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -459,7 +459,7 @@ template(`ssh_role_template',` cockpit_rw_session_pipes($1_ssh_agent_t) cockpit_send_signal($1_ssh_agent_t) ') - + optional_policy(` nis_use_ypbind($1_ssh_agent_t) ') @@ -758,6 +758,25 @@ interface(`ssh_agent_exec',` can_exec($1, ssh_agent_exec_t) ') +######################################## +## +## Do not audit attempts to get the attributes +## of ssh home directory (~/.ssh). +## +## +## +## Domain to not audit. +## +## +# +interface(`ssh_dontaudit_getattr_home_dirs',` + gen_require(` + type ssh_home_t; + ') + + dontaudit $1 ssh_home_t:dir getattr_dir_perms; +') + ######################################## ## ## Set the attributes of ssh home directory (~/.ssh) @@ -816,6 +835,24 @@ interface(`ssh_read_user_home_files',` userdom_search_user_home_dirs($1) ') +######################################## +## +## Execute the ssh key generator in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_exec_keygen',` + gen_require(` + type ssh_keygen_exec_t; + ') + + can_exec($1, ssh_keygen_exec_t) +') + ######################################## ## ## Execute the ssh key generator in the ssh keygen domain. diff --git a/policy/modules/services/zfs.if b/policy/modules/services/zfs.if index 1b2841be95..7b0d358537 100644 --- a/policy/modules/services/zfs.if +++ b/policy/modules/services/zfs.if @@ -104,6 +104,80 @@ interface(`zfs_read_config',` read_lnk_files_pattern($1, zfs_config_t, zfs_config_t) ') +######################################## +## +## Read the zpool cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_read_zpool_cache',` + gen_require(` + type zfs_zpool_cache_t; + ') + + files_search_etc($1) + zfs_search_config($1) + read_files_pattern($1, zfs_zpool_cache_t, zfs_zpool_cache_t) +') + +######################################## +## +## Delete the zpool cache file. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_delete_zpool_cache',` + gen_require(` + type zfs_zpool_cache_t; + ') + + delete_files_pattern($1, zfs_zpool_cache_t, zfs_zpool_cache_t) +') + +######################################## +## +## Set the attributes on the zpool cache file. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_setattr_zpool_cache_files',` + gen_require(` + type zfs_zpool_cache_t; + ') + + allow $1 zfs_zpool_cache_t:file setattr; +') + +######################################## +## +## Relabel files to the zpool cache type. +## +## +## +## Domain allowed access. +## +## +# +interface(`zfs_relabelto_zpool_cache_files',` + gen_require(` + type zfs_zpool_cache_t; + ') + + allow $1 zfs_zpool_cache_t:file relabelto; +') + ######################################## ## ## Create the zpool cache with an diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 105ad32f7e..9a8a9b8d5d 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -149,6 +149,42 @@ interface(`libs_exec_ld_so',` exec_files_pattern($1, lib_t, ld_so_t) ') +######################################## +## +## Delete the dynamic link/loader. +## +## +## +## Domain allowed access. +## +## +# +interface(`libs_delete_ld_so',` + gen_require(` + type ld_so_t; + ') + + delete_files_pattern($1, ld_so_t, ld_so_t) +') + +######################################## +## +## Set the attributes on the dynamic link/loader. +## +## +## +## Domain allowed access. +## +## +# +interface(`libs_setattr_ld_so',` + gen_require(` + type ld_so_t; + ') + + allow $1 ld_so_t:file setattr; +') + ######################################## ## ## Create, read, write, and delete the @@ -313,6 +349,42 @@ interface(`libs_watch_lib_dirs',` allow $1 lib_t:dir watch; ') +######################################## +## +## Delete library files. +## +## +## +## Domain allowed access. +## +## +# +interface(`libs_delete_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:file delete_file_perms; +') + +######################################## +## +## Set the attributes on library files. +## +## +## +## Domain to not audit. +## +## +# +interface(`libs_setattr_lib_files',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:file setattr; +') + ######################################## ## ## dontaudit attempts to setattr on library files diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 499da83ba8..04110c0dbb 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -827,6 +827,82 @@ interface(`logging_read_syslog_config',` allow $1 syslog_conf_t:file read_file_perms; ') +######################################## +## +## Delete syslog configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_delete_syslog_config_files',` + gen_require(` + type syslog_conf_t; + ') + + delete_files_pattern($1, syslog_conf_t, syslog_conf_t) +') + +######################################## +## +## Set the attributes on syslog configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_setattr_syslog_config_files',` + gen_require(` + type syslog_conf_t; + ') + + allow $1 syslog_conf_t:file setattr; +') + +######################################## +## +## Relabelto syslog configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabelto_syslog_config_files',` + gen_require(` + type syslog_conf_t; + ') + + allow $1 syslog_conf_t:file relabelto; +') + +######################################## +## +## Do not audit attempts to search syslog +## runtime directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`logging_dontaudit_search_runtime_dirs',` + gen_require(` + type syslogd_runtime_t; + ') + + dontaudit $1 syslogd_runtime_t:dir search_dir_perms; +') + ######################################## ## ## Watch syslog runtime dirs. diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 09e782c6f3..ae9dc6cd4c 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -103,6 +103,25 @@ interface(`modutils_delete_module_config',` delete_files_pattern($1, modules_conf_t, modules_conf_t) ') +######################################## +## +## Set the attributes on a file with the configuration +## options used when loading modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_setattr_module_config',` + gen_require(` + type modules_conf_t; + ') + + allow $1 modules_conf_t:file setattr; +') + ######################################## ## ## Manage files with the configuration options used when @@ -122,6 +141,25 @@ interface(`modutils_manage_module_config',` manage_files_pattern($1, modules_conf_t, modules_conf_t) ') +######################################## +## +## Relabel to and from a file with the configuration +## options used when loading modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_relabel_module_config',` + gen_require(` + type modules_conf_t; + ') + + relabel_files_pattern($1, modules_conf_t, modules_conf_t) +') + ######################################## ## ## Execute any modutil, diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 271cdb1d4b..fb3bcbf9b0 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -146,6 +146,10 @@ optional_policy(` apt_use_ptys(kmod_t) ') +optional_policy(` + dracut_rw_tmp_files(kmod_t) +') + optional_policy(` firstboot_dontaudit_rw_pipes(kmod_t) firstboot_dontaudit_rw_stream_sockets(kmod_t) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 906b08a462..9d4586b210 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -493,6 +493,25 @@ interface(`sysnet_create_config',` allow $1 net_conf_t:file create_file_perms; ') +####################################### +## +## Delete network config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_delete_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + delete_files_pattern($1, net_conf_t, net_conf_t) +') + ####################################### ## ## Relabel network config files. @@ -512,6 +531,25 @@ interface(`sysnet_relabel_config',` allow $1 net_conf_t:file relabel_file_perms; ') +####################################### +## +## Relabelto network config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_relabelto_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file relabelto; +') + ####################################### ## ## Create files in /etc with the type used for diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 809fde402d..42d0b111c3 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -3077,6 +3077,26 @@ interface(`systemd_status_all_user_sessions',` allow $1 systemd_user_session_type:system status; ') +######################################## +## +## Execute systemd-sysusers in the +## caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_exec_sysusers', ` + gen_require(` + type systemd_sysusers_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, systemd_sysusers_exec_t) +') + ######################################## ## ## Execute systemd-sysusers in the diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index e83e0cb95d..2245961510 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -180,6 +180,134 @@ interface(`udev_dontaudit_rw_dgram_sockets',` dontaudit $1 udev_t:unix_dgram_socket { read write }; ') +######################################## +## +## List the contents of udev rules directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_list_rules',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:dir list_dir_perms; +') + +######################################## +## +## Read udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_read_rules_files',` + gen_require(` + type udev_rules_t; + ') + + files_search_etc($1) # /etc/udev/rules.d + udev_search_runtime($1) # /run/udev/rules.d + read_files_pattern($1, udev_rules_t, udev_rules_t) +') + +######################################## +## +## Read and write udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_rw_rules_files',` + gen_require(` + type udev_rules_t; + ') + + rw_files_pattern($1, udev_rules_t, udev_rules_t) +') + +######################################## +## +## Create udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_create_rules_files',` + gen_require(` + type udev_rules_t; + ') + + create_files_pattern($1, udev_rules_t, udev_rules_t) +') + +######################################## +## +## Delete udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_delete_rules_files',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:file delete_file_perms; +') + +######################################## +## +## Rename udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_rename_rules_files',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:file rename_file_perms; +') + +######################################## +## +## Set the attributes on udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_setattr_rules_files',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:file setattr; +') + ######################################## ## ## Manage udev rules files @@ -242,6 +370,24 @@ interface(`udev_relabel_rules_files',` files_search_etc($1) ') +######################################## +## +## Relabelto udev rules files. +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_relabelto_rules_files',` + gen_require(` + type udev_rules_t; + ') + + allow $1 udev_rules_t:file relabelto; +') + ######################################## ## ## Search through udev runtime dirs. diff --git a/testing/sechecker.ini b/testing/sechecker.ini index 01a8854502..3ab00fb6ae 100644 --- a/testing/sechecker.ini +++ b/testing/sechecker.ini @@ -103,6 +103,7 @@ exempt_source = acpi_t dockerd_t # Container engine (namespacing) dockerd_user_t # Container engine (namespacing) dphysswapfile_t # Configure swap files + dracut_t # Needed to use fsfreeze when building an initrd entropyd_t # Add entropy to the system fapolicyd_t fsadm_t