diff -ruN ./Makefile ../new/Makefile
--- ./Makefile	Fri Jul 12 11:19:44 2002
+++ ../new/Makefile	Thu Aug  1 15:24:46 2002
@@ -24,6 +24,8 @@
 INSTALLDIR = /etc/security/selinux
 LOADPATH = $(INSTALLDIR)/$(POLICYVER)
 INITRDLOADPATH = $(INSTALLDIR)/initrd-$(POLICYVER)
+SRCINSTALLDIR = $(INSTALLDIR)/src
+POLICYCONF = $(SRCINSTALLDIR)/policy.conf
 
 POLICYFILES = $(addprefix /usr/local/selinux/flask/,security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
@@ -57,14 +59,22 @@
 install: $(LOADPATH)
 
 install-initrd: $(INITRDLOADPATH)
-
-$(LOADPATH): $(POLICYVER)
+	
+$(LOADPATH):  $(POLICYCONF) $(CHECKPOLICY)
 	mkdir -p $(INSTALLDIR)
-	install -m 644 -o root -g root $(POLICYVER) $(LOADPATH)
+	$(CHECKPOLICY) -o $@ $(POLICYCONF)
+# Note: Can't use install, so not sure how to deal with mode, user, and group
+#	other than by default.
 
 $(INITRDLOADPATH): initrd-$(POLICYVER)
 	mkdir -p $(INSTALLDIR)
 	install -m 644 -o root -g root initrd-$(POLICYVER) $(INITRDLOADPATH)
+	
+$(POLICYCONF): policy.conf $(SRCINSTALLDIR)
+	install -m 644 -o root -g root policy.conf $@
+	
+$(SRCINSTALLDIR):
+	mkdir -p  $@ 
 
 reload tmp/load: $(LOADPATH)
 	$(BINDIR)/load_policy $(LOADPATH)
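Review bot: The `$(LOADPATH)` recipe now leaves the installed binary policy with whatever mode and ownership the invoking shell's umask and identity produce, where the removed line pinned 644 root:root. The added comment acknowledges this but leaves it open. Assuming checkpolicy creates its output with the default creation mode, setting the mask on the same recipe line makes the result deterministic without `install`: `umask 022 && $(CHECKPOLICY) -o $@ $(POLICYCONF)`. Separately, `$(POLICYCONF): policy.conf $(SRCINSTALLDIR)` lists a directory as a normal prerequisite, so any change inside it bumps its mtime and retriggers the install and the checkpolicy run. Where the make in use supports order-only prerequisites, `$(POLICYCONF): policy.conf | $(SRCINSTALLDIR)` avoids that.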
@@ -72,8 +82,12 @@
 
 load: tmp/load
 
-policy.conf: $(POLICYFILES) 
+policy.conf: tmp $(POLICYFILES) 
 	m4 -Imacros -s $(POLICYFILES) > policy.conf
+	
+install-src: 
+	mkdir -p $(SRCINSTALLDIR)/policy
+	cp -R . $(SRCINSTALLDIR)/policy
 
 initrd-policy.conf: $(INITRDPOLICYFILES) 
 	m4 -Imacros -s $(INITRDPOLICYFILES) > initrd-policy.conf
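Review bot: `install-src` copies the whole working directory with `cp -R .`, so generated files (policy.conf, anything under tmp/) and stray editor backups land under `$(SRCINSTALLDIR)/policy` with umask-derived modes, in a tree that types.fc in this patch labels policy_src_t. Copying a named list of source files and directories would keep the installed tree to what is meant to be policy source. The target names no file, so it should be listed in `.PHONY` if the Makefile has such a line outside this hunk. The new `tmp` prerequisite of `policy.conf` looks like a directory (compare `tmp/load`); as a normal prerequisite its mtime will force m4 to rerun, whereas `policy.conf: $(POLICYFILES) | tmp` would not.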
diff -ruN ./attrib.te ../new/attrib.te
--- ./attrib.te	Wed Jul  3 16:26:19 2002
+++ ../new/attrib.te	Thu Aug  1 15:33:58 2002
@@ -211,3 +211,12 @@
 # traffic sent to or received from the node.
 attribute node_type;
 
+
+##############################
+# Attributes for security policy types:
+#
+
+# The login_contexts attribute idenitifies the files used
+# to define default contexts for login types (e.g., login, cron).
+attribute login_contexts;
+
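Review bot: The new comment misspells "identifies" (`idenitifies`), and it does not say which rules are expected to be written against `login_contexts`. In the hunks of this patch the attribute is only attached to `cron_context_t` and `default_context_t`, while the login.te and sshd.te rules name `default_context_t` directly. If the intent is for login programs to be granted access by attribute, a line such as `# Grant login programs read access via this attribute rather than per type.` would record it.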
diff -ruN ./domains/program/checkpolicy.te ../new/domains/program/checkpolicy.te
--- ./domains/program/checkpolicy.te	Wed Dec 31 19:00:00 1969
+++ ../new/domains/program/checkpolicy.te	Thu Aug  1 15:31:07 2002
@@ -0,0 +1,57 @@
+#
+# Authors:  Frank Mayer, mayerf@tresys.com
+#
+
+###########################
+# 
+# checkpolicy_t is the domain type for checkpolicy
+# checkpolicy_exec_t if file type for the executable
+
+type checkpolicy_t, domain;
+role sysadm_r types checkpolicy_t;
+
+type checkpolicy_exec_t, file_type, exec_type;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
+
+# able to create and modify binary policy files
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:notdevfile_class_set create_file_perms;
+
+###########################
+# constrain what checkpolicy can use as source files (i.e., no 
+# every_domain macro)
+#
+
+# only allow read of policy source files
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:notdevfile_class_set r_file_perms;
+
+# allow test policies to be created in src directories
+file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t)
+
+# directory search permissions for path to source and binary policy files
+allow checkpolicy_t root_t:dir search;
+allow checkpolicy_t etc_t:dir search;
+
+# Read the devpts root directory.  
+allow checkpolicy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',
+`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow checkpolicy_t sysadm_tty_device_t:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_devpts_t:chr_file { read write ioctl getattr };
+uses_shlib(checkpolicy_t)
+allow checkpolicy_t self:capability dac_override;
+
+
+##########################
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+can_exec(user_t, checkpolicy_exec_t)
+
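Review bot: `allow checkpolicy_t self:capability dac_override;` under "Other access" grants a bypass of ordinary file permission checks with no stated reason, and the same line appears in the new load_policy.te. Both domains already get their type-enforcement access from the rules above it, so the capability should either be dropped or carry a comment naming the file whose DAC mode requires it, e.g. `# needed because <file> is not readable by the caller's uid — TODO confirm`. The comment "only allow read of policy source files" sits next to `file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t)`, whose macro body is not part of this patch; if the macro also grants write on policy_src_t directories, the "read only" wording should say so. The header line "checkpolicy_exec_t if file type" should read "is the file type".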
diff -ruN ./domains/program/crond.te ../new/domains/program/crond.te
--- ./domains/program/crond.te	Thu Jul 18 09:08:02 2002
+++ ../new/domains/program/crond.te	Thu Aug  1 15:24:46 2002
@@ -29,7 +29,7 @@
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 
 # Type for the /etc/security/cron_context file.
-type cron_context_t, file_type, sysadmfile;
+type cron_context_t, file_type, sysadmfile, login_contexts;
 
 # Type for temporary files.
 type crond_tmp_t, file_type, sysadmfile, tmpfile;
diff -ruN ./domains/program/load_policy.te ../new/domains/program/load_policy.te
--- ./domains/program/load_policy.te	Wed Dec 31 19:00:00 1969
+++ ../new/domains/program/load_policy.te	Thu Aug  1 15:35:38 2002
@@ -0,0 +1,48 @@
+#
+# Authors:  Frank Mayer, mayerf@tresys.com
+#
+
+###########################
+# load_policy_t is the domain type for load_policy 
+# load_policy_exec_t is the file type for the executable
+
+
+type load_policy_t, domain;
+role sysadm_r types load_policy_t;
+
+type load_policy_exec_t, file_type, exec_type;
+
+##########################
+# 
+# Rules
+
+domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+
+# Reload the policy configuration (sysadm_t no longer has this ability)
+allow load_policy_t security_t:security load_policy;
+
+
+###########################
+# constrain from where load_policy can load a policy, specifically 
+# policy_config_t files (which also means no every_domain() macro)
+#
+
+# only allow read of policy config files
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
+
+# directory search permissions for path to binary policy files
+allow load_policy_t root_t:dir search;
+allow load_policy_t etc_t:dir search;
+
+# Read the devpts root directory (needed?)  
+allow load_policy_t devpts_t:dir r_dir_perms;
+ifdef(`sshd.te',
+`allow load_policy_t sshd_devpts_t:dir r_dir_perms;')
+
+# Other access
+allow load_policy_t sysadm_tty_device_t:chr_file { read write ioctl getattr };
+allow load_policy_t sysadm_devpts_t:chr_file { read write ioctl getattr };
+uses_shlib(load_policy_t)
+allow load_policy_t self:capability dac_override;
+
diff -ruN ./domains/program/login.te ../new/domains/program/login.te
--- ./domains/program/login.te	Thu Jul 18 09:08:02 2002
+++ ../new/domains/program/login.te	Thu Aug  1 15:32:35 2002
@@ -92,6 +92,9 @@
 allow local_login_t var_run_t:dir rw_dir_perms;
 allow local_login_t var_run_t:file create_file_perms;
 
+# allow read access to default_contexts in /etc/security
+allow local_login_t default_context_t:file r_file_perms;
+
 
 #################################
 #
@@ -142,3 +145,7 @@
 ifdef(`rlogind.te',
 `allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };')
 allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto };
+
+# allow read access to default_context in /etc/security
+allow remote_login_t default_context_t:file r_file_perms;
+
diff -ruN ./domains/program/sshd.te ../new/domains/program/sshd.te
--- ./domains/program/sshd.te	Thu Jul 18 09:08:02 2002
+++ ../new/domains/program/sshd.te	Thu Aug  1 15:32:31 2002
@@ -131,3 +131,9 @@
 allow sshd_t mail_spool_t:dir search;
 allow sshd_t mail_spool_t:lnk_file read;
 allow sshd_t mail_spool_t:file getattr;
+
+
+# Allow read access to login context
+allow sshd_login_t default_context_t:file r_file_perms;
+allow sshd_t default_context_t:file r_file_perms;
+
diff -ruN ./file_contexts/program/checkpolicy.fc ../new/file_contexts/program/checkpolicy.fc
--- ./file_contexts/program/checkpolicy.fc	Wed Dec 31 19:00:00 1969
+++ ../new/file_contexts/program/checkpolicy.fc	Thu Aug  1 15:24:46 2002
@@ -0,0 +1,3 @@
+# checkpolicy
+/usr/local/selinux/bin/checkpolicy	system_u:object_r:checkpolicy_exec_t
+/usr/local/bin/checkpolicy		system_u:object_r:checkpolicy_exec_t
diff -ruN ./file_contexts/program/load_policy.fc ../new/file_contexts/program/load_policy.fc
--- ./file_contexts/program/load_policy.fc	Wed Dec 31 19:00:00 1969
+++ ../new/file_contexts/program/load_policy.fc	Thu Aug  1 15:24:46 2002
@@ -0,0 +1,3 @@
+# load_policy
+/usr/local/selinux/bin/load_policy	system_u:object_r:load_policy_exec_t
+/usr/local/bin/load_policy		system_u:object_r:load_policy_exec_t
diff -ruN ./file_contexts/types.fc ../new/file_contexts/types.fc
--- ./file_contexts/types.fc	Fri Jul 26 10:35:05 2002
+++ ../new/file_contexts/types.fc	Thu Aug  1 15:24:46 2002
@@ -144,6 +144,8 @@
 /etc/mrtg(/.*)?			system_u:object_r:etc_mrtg_t
 /etc/selinux(/.*)?		system_u:object_r:policy_src_t
 /etc/security/selinux(/.*)?	system_u:object_r:policy_config_t	
+/etc/security/selinux/src(|/.*)	system_u:object_r:policy_src_t
+/etc/security/default_context.*	system_u:object_r:default_context_t
 
 #
 # /lib
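Review bot: `/etc/security/default_context.*` ends in an open `.*`, so every path that merely begins with that prefix is labelled `default_context_t`, a type that login.te and sshd.te in this patch make readable by the login domains and sshd_t. If only specific files are meant, the entry should list them exactly; otherwise the breadth deserves a comment such as `# also matches any name that begins with default_context`. The `src(|/.*)` form differs from the `(/.*)?` idiom on the neighbouring lines; `/etc/security/selinux/src(/.*)?` would keep the file consistent. The new src entry also overlaps the broader `/etc/security/selinux(/.*)?` line above it, so the label it yields depends on how the labelling tool resolves multiple matches.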
diff -ruN ./macros/admin_macros.te ../new/macros/admin_macros.te
--- ./macros/admin_macros.te	Wed Jul  3 16:26:23 2002
+++ ../new/macros/admin_macros.te	Thu Aug  1 15:24:46 2002
@@ -63,8 +63,13 @@
 # Run admin programs that require different permissions in their own domain.
 # These rules were moved into the appropriate program domain file.
 
-# Reload the policy configuration.
-allow $1_t security_t:security load_policy;
+# added by mayerf@tresys.com
+# The following rules are temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+#
+allow $1_t policy_src_t:notdevfile_class_set create_file_perms;
+allow $1_t policy_src_t:dir create_dir_perms;
 
 # Relabel all files.
 allow $1_t file_type:dir { getattr read search relabelfrom relabelto };
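Review bot: The "Relabel all files" rule kept just below the new lines (`allow $1_t file_type:dir { ... relabelfrom relabelto };`) still applies to `policy_config_t` and `policy_src_t`, because security.te in this patch leaves both in `file_type`. If a matching file-class rule follows outside this hunk, an admin domain can still relabel an arbitrary file to `policy_config_t`, which would undercut the restriction that binary policy is produced only by checkpolicy_t. The new comment explains that the rules are temporary but not what remains possible. Suggest adding `# NOTE: admin domains can still edit policy source and relabel files; only the compile and load steps are confined.` and reviewing the relabel rules for these two types.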
diff -ruN ./types/security.te ../new/types/security.te
--- ./types/security.te	Thu Dec 20 18:24:58 2001
+++ ../new/types/security.te	Thu Aug  1 15:24:46 2002
@@ -21,13 +21,19 @@
 # policy_config_t is the type of /ss_policy,
 # the security server policy configuration.
 #
-type policy_config_t, file_type, sysadmfile;
+type policy_config_t, file_type;
 
 #
 # policy_src_t is the type of the policy source
 # files.
 #
-type policy_src_t, file_type, sysadmfile;
+type policy_src_t, file_type;
+
+#
+# default_context_t is the type applied to 
+# /etc/security/default_context
+#
+type default_context_t, file_type, sysadmfile, login_contexts;
 
 #
 # file_labels_t is the type of the persistent
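Review bot: Dropping `sysadmfile` from `policy_config_t` and `policy_src_t` is the enforcement change in this patch, yet neither type's comment says the omission is deliberate, so a later edit could restore the attribute unnoticed. Suggest adding to the policy_config_t comment `# Deliberately not sysadmfile: written only through checkpolicy_t.`, and to the policy_src_t comment a line saying that admin access comes from the explicit rules in admin_macros.te. The existing comment still describes policy_config_t as the type of /ss_policy, while types.fc in this patch applies it to /etc/security/selinux; that is worth updating in the same change.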
