Home | History | Annotate | Download | only in templates 
      1 # Copyright (C) 2007-2012 Red Hat
      2 # see file 'COPYING' for use and warranty information
      3 #
      4 # policygentool is a tool for the initial generation of SELinux policy
      5 #
      6 #    This program is free software; you can redistribute it and/or
      7 #    modify it under the terms of the GNU General Public License as
      8 #    published by the Free Software Foundation; either version 2 of
      9 #    the License, or (at your option) any later version.
     10 #
     11 #    This program is distributed in the hope that it will be useful,
     12 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
     13 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     14 #    GNU General Public License for more details.
     15 #
     16 #    You should have received a copy of the GNU General Public License
     17 #    along with this program; if not, write to the Free Software
     18 #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
     19 #                                        02111-1307  USA
     20 #
     21 #
     22 ########################### Type Enforcement File #############################
     23 te_daemon_types="""\
     24 policy_module(TEMPLATETYPE, 1.0.0)
     25 
     26 ########################################
     27 #
     28 # Declarations
     29 #
     30 
     31 type TEMPLATETYPE_t;
     32 type TEMPLATETYPE_exec_t;
     33 init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
     34 
     35 permissive TEMPLATETYPE_t;
     36 """
     37 
     38 te_initscript_types="""
     39 type TEMPLATETYPE_initrc_exec_t;
     40 init_script_file(TEMPLATETYPE_initrc_exec_t)
     41 """
     42 
     43 te_dbusd_types="""\
     44 policy_module(TEMPLATETYPE, 1.0.0)
     45 
     46 ########################################
     47 #
     48 # Declarations
     49 #
     50 
     51 type TEMPLATETYPE_t;
     52 type TEMPLATETYPE_exec_t;
     53 domain_type(TEMPLATETYPE_t)
     54 domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
     55 role system_r types TEMPLATETYPE_t;
     56 
     57 permissive TEMPLATETYPE_t;
     58 """
     59 
     60 te_inetd_types="""\
     61 policy_module(TEMPLATETYPE, 1.0.0)
     62 
     63 ########################################
     64 #
     65 # Declarations
     66 #
     67 
     68 type TEMPLATETYPE_t;
     69 type TEMPLATETYPE_exec_t;
     70 inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
     71 
     72 permissive TEMPLATETYPE_t;
     73 """
     74 
     75 te_userapp_types="""\
     76 policy_module(TEMPLATETYPE, 1.0.0)
     77 
     78 ########################################
     79 #
     80 # Declarations
     81 #
     82 
     83 attribute_role TEMPLATETYPE_roles;
     84 roleattribute system_r TEMPLATETYPE_roles;
     85 
     86 type TEMPLATETYPE_t;
     87 type TEMPLATETYPE_exec_t;
     88 application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
     89 role TEMPLATETYPE_roles types TEMPLATETYPE_t;
     90 
     91 permissive TEMPLATETYPE_t;
     92 """
     93 
     94 te_sandbox_types="""\
     95 policy_module(TEMPLATETYPE, 1.0.0)
     96 
     97 ########################################
     98 #
     99 # Declarations
    100 #
    101 
    102 sandbox_x_domain_template(TEMPLATETYPE)
    103 
    104 permissive TEMPLATETYPE_t;
    105 permissive TEMPLATETYPE_client_t;
    106 
    107 """
    108 
    109 te_cgi_types="""\
    110 policy_module(TEMPLATETYPE, 1.0.0)
    111 
    112 ########################################
    113 #
    114 # Declarations
    115 #
    116 
    117 apache_content_template(TEMPLATETYPE)
    118 
    119 permissive httpd_TEMPLATETYPE_script_t;
    120 """
    121 
    122 te_daemon_rules="""\
    123 allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;
    124 allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
    125 """
    126 
    127 te_inetd_rules="""
    128 """
    129 
    130 te_dbusd_rules="""
    131 optional_policy(`
    132 	dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
    133 ')
    134 """
    135 
    136 te_userapp_rules="""
    137 allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms;
    138 allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
    139 """
    140 
    141 te_cgi_rules="""
    142 """
    143 
    144 te_sandbox_rules="""
    145 """
    146 
    147 te_uid_rules="""
    148 auth_use_nsswitch(TEMPLATETYPE_t)
    149 """
    150 
    151 te_syslog_rules="""
    152 logging_send_syslog_msg(TEMPLATETYPE_t)
    153 """
    154 
    155 te_resolve_rules="""
    156 sysnet_dns_name_resolve(TEMPLATETYPE_t)
    157 """
    158 
    159 te_pam_rules="""
    160 auth_domtrans_chk_passwd(TEMPLATETYPE_t)
    161 """
    162 
    163 te_mail_rules="""
    164 mta_send_mail(TEMPLATETYPE_t)
    165 """
    166 
    167 te_dbus_rules="""
    168 optional_policy(`
    169 	dbus_system_bus_client(TEMPLATETYPE_t)
    170 	dbus_connect_system_bus(TEMPLATETYPE_t)
    171 ')
    172 """
    173 
    174 te_kerberos_rules="""
    175 optional_policy(`
    176 	kerberos_use(TEMPLATETYPE_t)
    177 ')
    178 """
    179 
    180 te_manage_krb5_rcache_rules="""
    181 optional_policy(`
    182 	kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
    183 	kerberos_manage_host_rcache(TEMPLATETYPE_t)
    184 ')
    185 """
    186 
    187 te_audit_rules="""
    188 logging_send_audit_msgs(TEMPLATETYPE_t)
    189 """
    190 
    191 te_run_rules="""
    192 optional_policy(`
    193 	gen_require(`
    194 		type USER_t;
    195 		role USER_r;
    196 	')
    197 
    198 	TEMPLATETYPE_run(USER_t, USER_r)
    199 ')
    200 """
    201 
    202 te_fd_rules="""
    203 domain_use_interactive_fds(TEMPLATETYPE_t)
    204 """
    205 
    206 te_etc_rules="""
    207 files_read_etc_files(TEMPLATETYPE_t)
    208 """
    209 
    210 te_localization_rules="""
    211 miscfiles_read_localization(TEMPLATETYPE_t)
    212 """
    213 
    214 ########################### Interface File #############################
    215 
    216 if_heading_rules="""
    217 ## <summary>policy for TEMPLATETYPE</summary>"""
    218 
    219 if_program_rules="""
    220 
    221 ########################################
    222 ## <summary>
    223 ##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
    224 ## </summary>
    225 ## <param name=\"domain\">
    226 ## <summary>
    227 ##	Domain allowed to transition.
    228 ## </summary>
    229 ## </param>
    230 #
    231 interface(`TEMPLATETYPE_domtrans',`
    232 	gen_require(`
    233 		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
    234 	')
    235 
    236 	corecmd_search_bin($1)
    237 	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
    238 ')
    239 
    240 ######################################
    241 ## <summary>
    242 ##	Execute TEMPLATETYPE in the caller domain.
    243 ## </summary>
    244 ## <param name="domain">
    245 ##	<summary>
    246 ##	Domain allowed access.
    247 ##	</summary>
    248 ## </param>
    249 #
    250 interface(`TEMPLATETYPE_exec',`
    251 	gen_require(`
    252 		type TEMPLATETYPE_exec_t;
    253 	')
    254 
    255 	corecmd_search_bin($1)
    256 	can_exec($1, TEMPLATETYPE_exec_t)
    257 ')
    258 """
    259 
    260 if_user_program_rules="""
    261 ########################################
    262 ## <summary>
    263 ##	Execute TEMPLATETYPE in the TEMPLATETYPE domain, and
    264 ##	allow the specified role the TEMPLATETYPE domain.
    265 ## </summary>
    266 ## <param name="domain">
    267 ##	<summary>
    268 ##	Domain allowed to transition
    269 ##	</summary>
    270 ## </param>
    271 ## <param name="role">
    272 ##	<summary>
    273 ##	The role to be allowed the TEMPLATETYPE domain.
    274 ##	</summary>
    275 ## </param>
    276 #
    277 interface(`TEMPLATETYPE_run',`
    278 	gen_require(`
    279 		type TEMPLATETYPE_t;
    280 		attribute_role TEMPLATETYPE_roles;
    281 	')
    282 
    283 	TEMPLATETYPE_domtrans($1)
    284 	roleattribute $2 TEMPLATETYPE_roles;
    285 ')
    286 
    287 ########################################
    288 ## <summary>
    289 ##	Role access for TEMPLATETYPE
    290 ## </summary>
    291 ## <param name="role">
    292 ##	<summary>
    293 ##	Role allowed access
    294 ##	</summary>
    295 ## </param>
    296 ## <param name="domain">
    297 ##	<summary>
    298 ##	User domain for the role
    299 ##	</summary>
    300 ## </param>
    301 #
    302 interface(`TEMPLATETYPE_role',`
    303 	gen_require(`
    304 		type TEMPLATETYPE_t;
    305 		attribute_role TEMPLATETYPE_roles;
    306 	')
    307 
    308 	roleattribute $1 TEMPLATETYPE_roles;
    309 
    310 	TEMPLATETYPE_domtrans($2)
    311 
    312 	ps_process_pattern($2, TEMPLATETYPE_t)
    313 	allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
    314 ')
    315 """
    316 
    317 if_sandbox_rules="""
    318 ########################################
    319 ## <summary>
    320 ##	Execute sandbox in the TEMPLATETYPE_t domain, and
    321 ##	allow the specified role the TEMPLATETYPE_t domain.
    322 ## </summary>
    323 ## <param name="domain">
    324 ##	<summary>
    325 ##	Domain allowed to transition.
    326 ##	</summary>
    327 ## </param>
    328 ## <param name="role">
    329 ##	<summary>
    330 ##	The role to be allowed the TEMPLATETYPE_t domain.
    331 ##	</summary>
    332 ## </param>
    333 #
    334 interface(`TEMPLATETYPE_transition',`
    335 	gen_require(`
    336 		type TEMPLATETYPE_t;
    337 		type TEMPLATETYPE_client_t;
    338 	')
    339 
    340 	allow $1 TEMPLATETYPE_t:process { signal_perms transition };
    341 	dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh };
    342 	role $2 types TEMPLATETYPE_t;
    343 	role $2 types TEMPLATETYPE_client_t;
    344 
    345 	allow TEMPLATETYPE_t $1:process { sigchld signull };
    346 	allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms;
    347 	allow TEMPLATETYPE_client_t $1:process { sigchld signull };
    348 	allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms;
    349 ')
    350 """
    351 
    352 if_role_change_rules="""
    353 ########################################
    354 ## <summary>
    355 ##	Change to the TEMPLATETYPE role.
    356 ## </summary>
    357 ## <param name="role">
    358 ##	<summary>
    359 ##	Role allowed access.
    360 ##	</summary>
    361 ## </param>
    362 ## <rolecap/>
    363 #
    364 interface(`TEMPLATETYPE_role_change',`
    365 	gen_require(`
    366 		role TEMPLATETYPE_r;
    367 	')
    368 
    369 	allow $1 TEMPLATETYPE_r;
    370 ')
    371 """
    372 
    373 if_initscript_rules="""
    374 ########################################
    375 ## <summary>
    376 ##	Execute TEMPLATETYPE server in the TEMPLATETYPE domain.
    377 ## </summary>
    378 ## <param name="domain">
    379 ##	<summary>
    380 ##	Domain allowed access.
    381 ##	</summary>
    382 ## </param>
    383 #
    384 interface(`TEMPLATETYPE_initrc_domtrans',`
    385 	gen_require(`
    386 		type TEMPLATETYPE_initrc_exec_t;
    387 	')
    388 
    389 	init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
    390 ')
    391 """
    392 
    393 if_dbus_rules="""
    394 ########################################
    395 ## <summary>
    396 ##	Send and receive messages from
    397 ##	TEMPLATETYPE over dbus.
    398 ## </summary>
    399 ## <param name="domain">
    400 ##	<summary>
    401 ##	Domain allowed access.
    402 ##	</summary>
    403 ## </param>
    404 #
    405 interface(`TEMPLATETYPE_dbus_chat',`
    406 	gen_require(`
    407 		type TEMPLATETYPE_t;
    408 		class dbus send_msg;
    409 	')
    410 
    411 	allow $1 TEMPLATETYPE_t:dbus send_msg;
    412 	allow TEMPLATETYPE_t $1:dbus send_msg;
    413 ')
    414 """
    415 
    416 if_begin_admin="""
    417 ########################################
    418 ## <summary>
    419 ##	All of the rules required to administrate
    420 ##	an TEMPLATETYPE environment
    421 ## </summary>
    422 ## <param name="domain">
    423 ##	<summary>
    424 ##	Domain allowed access.
    425 ##	</summary>
    426 ## </param>
    427 ## <param name="role">
    428 ##	<summary>
    429 ##	Role allowed access.
    430 ##	</summary>
    431 ## </param>
    432 ## <rolecap/>
    433 #
    434 interface(`TEMPLATETYPE_admin',`
    435 	gen_require(`
    436 		type TEMPLATETYPE_t;"""
    437 
    438 if_middle_admin="""
    439 	')
    440 
    441 	allow $1 TEMPLATETYPE_t:process { signal_perms };
    442 	ps_process_pattern($1, TEMPLATETYPE_t)
    443 
    444     tunable_policy(`deny_ptrace',`',`
    445         allow $1 TEMPLATETYPE_t:process ptrace;
    446     ')
    447 """
    448 
    449 if_initscript_admin_types="""
    450 		type TEMPLATETYPE_initrc_exec_t;"""
    451 
    452 if_initscript_admin="""
    453 	TEMPLATETYPE_initrc_domtrans($1)
    454 	domain_system_change_exemption($1)
    455 	role_transition $2 TEMPLATETYPE_initrc_exec_t system_r;
    456 	allow $2 system_r;
    457 """
    458 
    459 if_end_admin="""\
    460 	optional_policy(`
    461 		systemd_passwd_agent_exec($1)
    462 		systemd_read_fifo_file_passwd_run($1)
    463 	')
    464 ')
    465 """
    466 
    467 ########################### File Context ##################################
    468 fc_program="""\
    469 EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
    470 """
    471 
    472 fc_user="""\
    473 #  No file context, leave blank
    474 """
    475 
    476 fc_initscript="""\
    477 EXECUTABLE	--	gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
    478 """
    479