commit: 17ca057ac3505f29f480bddba7f54e48dccb875b Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Wed Aug 6 12:22:19 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Thu Aug 7 06:58:27 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17ca057a
Module for tmpfiles
---
policy/modules/system/tmpfiles.fc | 7 ++
policy/modules/system/tmpfiles.if | 164 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/tmpfiles.te | 91 +++++++++++++++++++++
3 files changed, 262 insertions(+)
diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+
diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..dce932a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
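Review bot: Labeling `/lib/rc/bin/checkpath` as tmpfiles_exec_t is broader than the module name suggests: in OpenRC, checkpath is a general helper invoked by many init scripts, not only by tmpfiles.sh, so with the init_daemon_domain() call in tmpfiles.te every checkpath execution from the init script domain would appear to land in tmpfiles_t, a domain that manages all pid, var and tmp files. If that is intended, say so in the .fc, e.g. `# checkpath is run by most init scripts; they all run it in tmpfiles_t`; if not, consider labeling only tmpfiles.sh. Separately, the interfaces in tmpfiles.if describe `/run/tmpfiles.d/` while the .fc labels `/var/run/tmpfiles.d(/.*)?`, which presumably relies on the /run to /var/run path substitution; a one-line comment noting that dependency would help the next reader.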
@@ -0,0 +1,164 @@
+## <summary>Policy for tmpfiles</summary>
+
+########################################
+## <summary>
+## Read files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+ allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ # create new files with the tmpfiles_var_run_t type
+ filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+ create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+ write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ # create new files with the tmpfiles_var_run_t type
+ filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+ manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tmpfiles_conf_t:dir list_dir_perms;
+ allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+ create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+## Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+## Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ tmpfiles_read_conf($1)
+ filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+ manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..11fb70b
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
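Review bot: The `<param>` summaries of `tmpfiles_read_var_run` and `tmpfiles_read_conf` say "Domain allowed to transition." although both interfaces grant only directory listing and file reading and contain no domain transition; they should read `## Domain allowed access.` like the six other interfaces in this file. A second point in the create and manage interfaces: `filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)` (and the tmpfiles_conf_t counterpart) names the same type as the parent directory and as the result, and since a new file already inherits its parent directory's type this type_transition changes nothing; the comment "create new files with the tmpfiles_var_run_t type" is therefore misleading. If the intent is to let callers create the `tmpfiles.d` directory itself under a generic pid or etc directory, that needs a transition from the parent type instead, for example `files_pid_filetrans($1, tmpfiles_var_run_t, dir, "tmpfiles.d")` where the policy build supports named transitions; otherwise the filetrans_pattern lines can simply be dropped.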
@@ -0,0 +1,91 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tmpfiles can manage
+## all non auth and non security files.
+## Without this, it is only allowed things
+## in /dev, /run, /var and /tmp.
+## </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all, false)
+
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+init_exec_rc(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+corecmd_exec_bin(tmpfiles_t)
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+
+# needs to check if selinux is enabled
+seutil_libselinux_linked(tmpfiles_t)
+selinux_get_enforce_mode(tmpfiles_t)
+
+# creates files / dirs
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_all_pids(tmpfiles_t)
+dev_create_generic_chr_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all',`
+ files_manage_non_security_dirs(tmpfiles_t)
+ files_manage_non_security_file_type(tmpfiles_t)
+ #files_manage_non_auth_files(tmpfiles_t)
+')
+
+# relabel / chmod files
+seutil_read_file_contexts(tmpfiles_t)
+seutil_domtrans_setfiles(tmpfiles_t)
+
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_getattr_all_chr_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+files_getattr_tmp_dirs(tmpfiles_t)
+files_getattr_generic_locks(tmpfiles_t)
+
+dev_setattr_generic_dirs(tmpfiles_t)
+dev_setattr_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all',`
+ dev_relabel_all_dev_nodes(tmpfiles_t)
+ files_relabel_non_auth_files(tmpfiles_t)
+')
+
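Review bot: Nothing in the local policy section lets tmpfiles_t read its own configuration type: tmpfiles_conf_t is declared with files_config_file(), but the unconditional rules only cover var, generic tmp and pid files (files_manage_all_pids() presumably reaches tmpfiles_var_run_t) and the config type is touched only inside the `tmpfiles_manage_all` block, so with the tunable at its default of false the domain appears unable to list or read /etc/tmpfiles.d. Add `list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)` and `read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)` next to the other file rules under "# creates files / dirs", unless a rule outside this module is relied on for it. The tunable's `<desc>` also overstates what it grants: it promises management of "all non auth and non security files", yet `#files_manage_non_auth_files(tmpfiles_t)` is commented out and only the relabel of non-auth files in the second tunable_policy block is active; either drop the dead line or narrow the description to what the policy actually does.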