diff -r 4e2ffbd99aeb tools/flask/policy/Makefile --- a/tools/flask/policy/Makefile Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/Makefile Thu Aug 20 11:21:01 2009 -0400 @@ -3,7 +3,7 @@ # # Targets: # -# install - compile and install the policy configuration, and context files. +# install - compile and install the policy configuration. # load - compile, install, and load the policy configuration. # reload - compile, install, and load/reload the policy configuration. # policy - compile the policy configuration locally for testing/development. @@ -20,35 +20,31 @@ # By default, checkpolicy will create the highest # version policy it supports. Setting this will # override the version. -#OUTPUT_POLICY = 20 +# OUTPUT_POLICY = 24 # Policy Type -# strict, targeted, -# strict-mls, targeted-mls, -# strict-mcs, targeted-mcs -TYPE = strict +# xen +# xen-mls +TYPE = xen # Policy Name # If set, this will be used as the policy -# name. Otherwise the policy type will be +# name. Otherwise xenpolicy will be # used for the name. -NAME = xenrefpolicy +# NAME = xenpolicy -# Distribution -# Some distributions have portions of policy -# for programs or configurations specific to the -# distribution. Setting this will enable options -# for the distribution. -# redhat, gentoo, debian, and suse are current options. -# Fedora users should enable redhat. -#DISTRO = +# Number of MLS Sensitivities +# The sensitivities will be s0 to s(MLS_SENS-1). +# Dominance will be in increasing numerical order +# with s0 being lowest. +# MLS_SENS = 16 -# Build monolithic policy. Putting n here -# will build a loadable module policy. -MONOLITHIC=y +# Number of MLS Categories +# The categories will be c0 to c(MLS_CATS-1). +# MLS_CATS = 256 # Uncomment this to disable command echoing -#QUIET:=@ +# QUIET:=@ ######################################## # 
@@ -60,12 +56,8 @@ BINDIR := $(PREFIX)/bin SBINDIR := $(PREFIX)/sbin CHECKPOLICY := $(BINDIR)/checkpolicy -CHECKMODULE := $(BINDIR)/checkmodule -SEMOD_PKG := $(BINDIR)/semodule_package LOADPOLICY := $(SBINDIR)/flask-loadpolicy -CFLAGS := -Wall - # policy source layout POLDIR := policy MODDIR := $(POLDIR)/modules @@ -74,10 +66,6 @@ ISIDS := $(FLASKDIR)/initial_sids AVS := $(FLASKDIR)/access_vectors -#policy building support tools -SUPPORT := support -FCSORT := tmp/fc_sort - # config file paths GLOBALTUN := $(POLDIR)/global_tunables GLOBALBOOL := $(POLDIR)/global_booleans 
@@ -86,149 +74,158 @@ BOOLEANS := $(POLDIR)/booleans.conf # install paths -TOPDIR = $(DESTDIR)$(XEN_CONFIG_DIR) -INSTALLDIR = $(TOPDIR)/$(NAME) -SRCPATH = $(INSTALLDIR)/src -USERPATH = $(INSTALLDIR)/users -CONTEXTPATH = $(INSTALLDIR)/contexts + +DESTDIR = /boot +INSTALLDIR = $(DESTDIR) +LOADPATH = $(INSTALLDIR)/$(POLVER) + +# default MLS sensitivity and category settings. +MLS_SENS ?= 16 +MLS_CATS ?= 256 # enable MLS if requested. ifneq ($(findstring -mls,$(TYPE)),) - override M4PARAM += -D enable_mls + M4PARAM += -D enable_mls CHECKPOLICY += -M - CHECKMODULE += -M endif -# enable MLS if MCS requested. -ifneq ($(findstring -mcs,$(TYPE)),) - override M4PARAM += -D enable_mcs - CHECKPOLICY += -M - CHECKMODULE += -M +ifeq ($(NAME),) + NAME := xenpolicy endif -# compile targeted policy if requested. -ifneq ($(findstring targeted,$(TYPE)),) - override M4PARAM += -D targeted_policy -endif - -# enable distribution-specific policy -ifneq ($(DISTRO),) - override M4PARAM += -D distro_$(DISTRO) -endif +PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') ifneq ($(OUTPUT_POLICY),) CHECKPOLICY += -c $(OUTPUT_POLICY) + POLVER = $(NAME).$(OUTPUT_POLICY) +else + POLVER +=$(NAME).$(PV) endif -ifeq ($(NAME),) - NAME := $(TYPE) -endif # determine the policy version and current kernel version if possible -PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') -KV := $(shell cat /selinux/policyvers) - -# dont print version warnings if we are unable to determine -# the currently running kernel's policy version -ifeq ($(KV),) - KV := $(PV) -endif - -FC := file_contexts -POLVER := policy.$(PV) +M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt) -APPCONF := config/appconfig-$(TYPE) -APPDIR := $(CONTEXTPATH) -APPFILES := $(INSTALLDIR)/booleans -CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media -USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users - ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell 
find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d)) -GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in))) -GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in))) -GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in))) - # sort here since it removes duplicates, which can happen # when a generated file is already generated -DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE)) +DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))) -# modules.conf setting for base module -MODBASE := base - -# modules.conf setting for module -MODMOD := module +# modules.conf setting for policy configuration +MODENABLED := on # extract settings from modules.conf -BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) -MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) +ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) -HOMEDIR_TEMPLATE = tmp/homedir_template +ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS)) + +ALL_INTERFACES := $(ALL_MODULES:.te=.if) +ALL_TE_FILES := $(ALL_MODULES) + +PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls +POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints + +POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf ######################################## # -# Load appropriate rules +# default action: build policy locally # +default: policy -ifeq ($(MONOLITHIC),y) - include Rules.monolithic -else - 
include Rules.modular -endif +policy: $(POLVER) + +install: $(LOADPATH) + +load: tmp/load ######################################## # -# Create config files +# Build a binary policy locally # -conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC) - -$(MOD_CONF) $(BOOLEANS): $(POLXML) - @echo "Updating $(MOD_CONF) and $(BOOLEANS)" - $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML) +$(POLVER): policy.conf + @echo "Compiling $(NAME) $(POLVER)" + $(QUIET) $(CHECKPOLICY) $^ -o $@ ######################################## # -# Appconfig files +# Install a binary policy # -install-appconfig: $(APPFILES) - -$(INSTALLDIR)/booleans: $(BOOLEANS) - @mkdir -p $(INSTALLDIR) - $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \ - | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans - $(QUIET) install -m 644 tmp/booleans $@ +$(LOADPATH): policy.conf + @echo "Compiling and installing $(NAME) $(LOADPATH)" + $(QUIET) $(CHECKPOLICY) $^ -o $@ ######################################## # -# Install policy sources +# Load the binary policy # -install-src: - rm -rf $(SRCPATH)/policy.old - -mv $(SRCPATH)/policy $(SRCPATH)/policy.old - mkdir -p $(SRCPATH)/policy - cp -R . 
$(SRCPATH)/policy +reload tmp/load: $(LOADPATH) $(FCPATH) + @echo "Loading $(NAME) $(LOADPATH)" + $(QUIET) $(LOADPOLICY) $(LOADPATH) + @touch tmp/load ######################################## # -# Clean everything +# Construct a monolithic policy.conf # -bare: clean - rm -f $(POLXML) - rm -f $(SUPPORT)/*.pyc - rm -f $(FCSORT) - rm -f $(MOD_CONF) - rm -f $(BOOLEANS) - rm -fR $(HTMLDIR) -ifneq ($(GENERATED_TE),) - rm -f $(GENERATED_TE) +policy.conf: $(POLICY_SECTIONS) + @echo "Creating $(NAME) policy.conf" +# checkpolicy can use the #line directives provided by -s for error reporting: + $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@ + +tmp/pre_te_files.conf: $(PRE_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) +ifeq ($(ALL_INTERFACES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file) endif -ifneq ($(GENERATED_IF),) - rm -f $(GENERATED_IF) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@ + +tmp/all_te_files.conf: $(ALL_TE_FILES) +ifeq ($(ALL_TE_FILES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file) endif -ifneq ($(GENERATED_FC),) - rm -f $(GENERATED_FC) -endif + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ -.PHONY: install-src install-appconfig conf html bare +tmp/post_te_files.conf: $(POST_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. 
portcon, nodecon, and netifcon +# is delayed since they are generated by m4 +tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf + $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true + $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf + $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf + $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \ + < tmp/all_te_files.conf > tmp/only_te_rules.conf + +######################################## +# +# Remove the dontaudit rules from the policy.conf +# +enableaudit: policy.conf + @test -d tmp || mkdir -p tmp + @echo "Removing dontaudit rules from policy.conf" + $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit + $(QUIET) mv tmp/policy.audit policy.conf + +######################################## +# +# Clean the built policies. +# +clean: + rm -fR tmp + rm -f policy.conf + rm -f $(POLVER) + +.PHONY: default policy install load reload enableaudit clean diff -r 4e2ffbd99aeb tools/flask/policy/Rules.modular --- a/tools/flask/policy/Rules.modular Wed Aug 19 14:23:30 2009 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
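Review bot: Dropping `override` from `M4PARAM += -D enable_mls` (and leaving it off the new `M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms` line) means a command-line `make M4PARAM=...` now replaces the Makefile's own definitions instead of being appended to them, so an MLS build could be assembled without `enable_mls` while `CHECKPOLICY` still carries `-M`; keep `override M4PARAM += ...` on both lines. `reload tmp/load: $(LOADPATH) $(FCPATH)` still names `$(FCPATH)`, which appears to have been defined only in the deleted Rules.monolithic and is now an undefined, empty prerequisite — drop it, or leave a comment if file contexts are meant to return. The `$(LOADPATH)` rule writes the compiled policy straight to `/boot/$(POLVER)` with `-o $@`; if checkpolicy fails after creating the output, or is interrupted, a truncated file newer than policy.conf is left in /boot and looks up to date on the next run — write to a temporary name first, `$(QUIET) $(CHECKPOLICY) $^ -o $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:`. `DESTDIR = /boot` also repurposes the conventional staging-root variable as the install directory, so a packager's `make DESTDIR=<stage> install` puts the policy directly under the staging directory rather than in its boot/ subdirectory; `INSTALLDIR = $(DESTDIR)/boot` with `DESTDIR` empty by default would keep the convention. Finally `POLVER +=$(NAME).$(PV)` in the else branch appends to an unset variable; `POLVER = $(NAME).$(PV)` matches the if branch and says what is meant.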
@@ -1,166 +0,0 @@ -######################################## -# -# Rules and Targets for building modular policies -# - -ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS)) -ALL_INTERFACES := $(ALL_MODULES:.te=.if) - -BASE_PKG := base.pp -BASE_FC := base.fc - -BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf - -BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs -BASE_TE_FILES := $(BASE_MODS) -BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints -BASE_FC_FILES := $(BASE_MODS:.te=.fc) - -MOD_MODULES := $(MOD_MODS:.te=.mod) -MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp)) - -# search layer dirs for source files -vpath %.te $(ALL_LAYERS) -vpath %.if $(ALL_LAYERS) -vpath %.fc $(ALL_LAYERS) - -######################################## -# -# default action: create all module packages -# -default: base - -base: $(BASE_PKG) - -modules: $(MOD_PKGS) - -#policy: $(POLVER) -#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users -#load: tmp/load - -######################################## -# -# Create a base module package -# -$(BASE_PKG): tmp/base.mod $(BASE_FC) - @echo "Creating $(NAME) base module package" - $(QUIET) $(SEMOD_PKG) $@ $^ - -######################################## -# -# Compile a base module -# -tmp/base.mod: base.conf - @echo "Compiling $(NAME) base module" - $(QUIET) $(CHECKMODULE) $^ -o $@ - -######################################## -# -# Construct a base module policy.conf -# -base.conf: $(BASE_SECTIONS) - @echo "Creating $(NAME) base module policy.conf" -# checkpolicy can use the #line directives provided by -s for error reporting: - $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp - $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ -# the ordering of these ocontexts matters: - $(QUIET) grep ^portcon 
tmp/$@.tmp >> $@ || true - $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true - $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true - -tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES) - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES) - @test -d tmp || mkdir -p tmp -# define all available object classes - $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@ -# per-userdomain templates - $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@ - $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ - echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ - >> $@ ;\ - done - $(QUIET) echo "')" >> $@ -# define foo.te - $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \ - echo "define(\`$$i')" >> $@ ;\ - done - $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ - -tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) -ifeq ($(ALL_INTERFACES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @test -d tmp || mkdir -p tmp - $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ - -tmp/all_te_files.conf: $(BASE_TE_FILES) -ifeq ($(BASE_TE_FILES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -tmp/post_te_files.conf: $(BASE_POST_TE_FILES) - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -# extract attributes and put them first. extract post te stuff -# like genfscon and put last. 
portcon, nodecon, and netifcon -# is delayed since they are generated by m4 -tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf - $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true - $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf - $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf - $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ - -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ - < tmp/all_te_files.conf > tmp/only_te_rules.conf - -######################################## -# -# Construct base module file contexts -# -$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT) -ifeq ($(BASE_FC_FILES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @echo "Creating $(NAME) base module file contexts." - @test -d tmp || mkdir -p tmp - $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp - $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE) - $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp - $(QUIET) $(FCSORT) tmp/$@.tmp $@ - -######################################## -# -# Build module packages -# -tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te - @if test -z "$(filter $^,$(MOD_MODS))"; then \ - echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." 
;\ - false ;\ - fi - @echo "Compliling $(NAME) $(@F) module" - $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - -%.pp: tmp/%.mod %.fc - @echo "Creating $(NAME) $(@F) policy package" - $(QUIET) $(SEMOD_PKG) $@ $^ - -######################################## -# -# Clean the sources -# -clean: - rm -fR tmp - rm -f base.conf - rm -f *.pp - rm -f $(BASE_FC) - -.PHONY: default base modules clean diff -r 4e2ffbd99aeb tools/flask/policy/Rules.monolithic --- a/tools/flask/policy/Rules.monolithic Wed Aug 19 14:23:30 2009 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,196 +0,0 @@ -######################################## -# -# Rules and Targets for building monolithic policies -# - -# install paths -POLICYPATH = $(INSTALLDIR)/policy -LOADPATH = $(POLICYPATH)/$(POLVER) -FCPATH = $(CONTEXTPATH)/files/file_contexts -HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template - -# for monolithic policy use all base and module to create policy -ENABLEMOD := $(BASE_MODS) $(MOD_MODS) - -ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS)) - -ALL_INTERFACES := $(ALL_MODULES:.te=.if) -ALL_TE_FILES := $(ALL_MODULES) -ALL_FC_FILES := $(ALL_MODULES:.te=.fc) - -PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs -POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints - -POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf - -######################################## -# -# default action: build policy locally -# -default: policy - -policy: $(POLVER) - -install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users - -load: tmp/load - -######################################## -# -# Build a binary policy locally -# -$(POLVER): policy.conf - @echo "Compiling $(NAME) $(POLVER)" -ifneq ($(PV),$(KV)) - @echo - @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" - @echo -endif - $(QUIET) $(CHECKPOLICY) $^ -o $@ - -######################################## -# -# Install a binary policy -# -$(LOADPATH): policy.conf - @mkdir -p $(POLICYPATH) - @echo "Compiling and installing $(NAME) $(LOADPATH)" -ifneq ($(PV),$(KV)) - @echo - @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" 
- @echo -endif - $(QUIET) $(CHECKPOLICY) $^ -o $@ - -######################################## -# -# Load the binary policy -# -reload tmp/load: $(LOADPATH) $(FCPATH) - @echo "Loading $(NAME) $(LOADPATH)" - $(QUIET) $(LOADPOLICY) -q $(LOADPATH) - @touch tmp/load - -######################################## -# -# Construct a monolithic policy.conf -# -policy.conf: $(POLICY_SECTIONS) - @echo "Creating $(NAME) policy.conf" -# checkpolicy can use the #line directives provided by -s for error reporting: - $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp - $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ - -tmp/pre_te_files.conf: $(PRE_TE_FILES) - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) -# per-userdomain templates: - @test -d tmp || mkdir -p tmp - $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ - $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ - echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ - >> $@ ;\ - done - $(QUIET) echo "')" >> $@ -# define foo.te - $(QUIET) for i in $(notdir $(ALL_MODULES)); do \ - echo "define(\`$$i')" >> $@ ;\ - done -# $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ - -tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) -ifeq ($(ALL_INTERFACES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @test -d tmp || mkdir -p tmp - $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ - -tmp/all_te_files.conf: $(ALL_TE_FILES) -ifeq ($(ALL_TE_FILES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -tmp/post_te_files.conf: $(POST_TE_FILES) - @test -d tmp || mkdir -p tmp - $(QUIET) cat $^ > $@ - -# extract attributes and put them first. extract post te stuff -# like genfscon and put last. 
portcon, nodecon, and netifcon -# is delayed since they are generated by m4 -tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf - $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true - $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf - $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf - $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true - $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ - -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ - < tmp/all_te_files.conf > tmp/only_te_rules.conf - -######################################## -# -# Remove the dontaudit rules from the policy.conf -# -enableaudit: policy.conf - @test -d tmp || mkdir -p tmp - @echo "Removing dontaudit rules from policy.conf" - $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit - $(QUIET) mv tmp/policy.audit policy.conf - -######################################## -# -# Construct file_contexts -# -$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) -ifeq ($(ALL_FC_FILES),) - $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") -endif - @echo "Creating $(NAME) file_contexts." - @test -d tmp || mkdir -p tmp - $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp -# $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE) -# $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp -# $(QUIET) $(FCSORT) tmp/$@.tmp $@ - $(QUIET) touch $(HOMEDIR_TEMPLATE) - $(QUIET) touch $@ - -######################################## -# -# Install file_contexts -# -$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users - @echo "Validating $(NAME) file_contexts." 
-# $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC) - @echo "Installing file_contexts." - @mkdir -p $(CONTEXTPATH)/files - $(QUIET) install -m 644 $(FC) $(FCPATH) - $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) -# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD) - -######################################## -# -# Run policy source checks -# -check: policy.conf $(FC) - $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res - -longcheck: policy.conf $(FC) - $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res - -######################################## -# -# Clean the sources -# -clean: - rm -fR tmp - rm -f policy.conf - rm -f policy.$(PV) - rm -f $(FC) - rm -f *.res - -.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean diff -r 4e2ffbd99aeb tools/flask/policy/policy/mcs --- a/tools/flask/policy/policy/mcs Wed Aug 19 14:23:30 2009 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,324 +0,0 @@
-ifdef(`enable_mcs',`
-#
-# Define sensitivities
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-# | not expression
-# | expression and expression
-# | expression or expression
-# | u1 op u2
-# | r1 role_mls_op r2
-# | t1 op t2
-# | l1 role_mls_op l2
-# | l1 role_mls_op h2
-# | h1 role_mls_op l2
-# | h1 role_mls_op h2
-# | l1 role_mls_op h1
-# | l2 role_mls_op h2
-# | u1 op names
-# | u2 op names
-# | r1 op names
-# | r2 op names
-# | t1 op names
-# | t2 op names
-# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-
-') dnl end enable_mcs
diff -r 4e2ffbd99aeb tools/flask/policy/policy/mls
--- a/tools/flask/policy/policy/mls Wed Aug 19 14:23:30 2009 +0100
+++ b/tools/flask/policy/policy/mls Thu Aug 20 11:21:01 2009 -0400
@@ -1,317 +1,27 @@ - ifdef(`enable_mls',` # # Define sensitivities # -# Each sensitivity has a name and zero or more aliases. -# -sensitivity s0; -sensitivity s1; -sensitivity s2; -sensitivity s3; -sensitivity s4; -sensitivity s5; -sensitivity s6; -sensitivity s7; -sensitivity s8; -sensitivity s9; -sensitivity s10; -sensitivity s11; -sensitivity s12; -sensitivity s13; -sensitivity s14; -sensitivity s15; +# Domination of sensitivities is in increasin +# numerical order, with s0 being the lowest -# -# Define the ordering of the sensitivity levels (least to greatest) -# -dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } - +gen_sens(mls_num_sens) # # Define the categories # -# Each category has a name and zero or more aliases. -# -category c0; -category c1; -category c2; -category c3; -category c4; -category c5; -category c6; -category c7; -category c8; -category c9; -category c10; -category c11; -category c12; -category c13; -category c14; -category c15; -category c16; -category c17; -category c18; -category c19; -category c20; -category c21; -category c22; -category c23; -category c24; -category c25; -category c26; -category c27; -category c28; -category c29; -category c30; -category c31; -category c32; -category c33; -category c34; -category c35; -category c36; -category c37; -category c38; -category c39; -category c40; -category c41; -category c42; -category c43; -category c44; -category c45; -category c46; -category c47; -category c48; -category c49; -category c50; -category c51; -category c52; -category c53; -category c54; -category c55; -category c56; -category c57; -category c58; -category c59; -category c60; -category c61; -category c62; -category c63; -category c64; -category c65; -category c66; -category c67; -category c68; -category c69; -category c70; -category c71; -category c72; -category c73; -category c74; -category c75; -category c76; -category c77; -category c78; -category c79; -category c80; -category c81; -category c82; -category 
c83; -category c84; -category c85; -category c86; -category c87; -category c88; -category c89; -category c90; -category c91; -category c92; -category c93; -category c94; -category c95; -category c96; -category c97; -category c98; -category c99; -category c100; -category c101; -category c102; -category c103; -category c104; -category c105; -category c106; -category c107; -category c108; -category c109; -category c110; -category c111; -category c112; -category c113; -category c114; -category c115; -category c116; -category c117; -category c118; -category c119; -category c120; -category c121; -category c122; -category c123; -category c124; -category c125; -category c126; -category c127; -category c128; -category c129; -category c130; -category c131; -category c132; -category c133; -category c134; -category c135; -category c136; -category c137; -category c138; -category c139; -category c140; -category c141; -category c142; -category c143; -category c144; -category c145; -category c146; -category c147; -category c148; -category c149; -category c150; -category c151; -category c152; -category c153; -category c154; -category c155; -category c156; -category c157; -category c158; -category c159; -category c160; -category c161; -category c162; -category c163; -category c164; -category c165; -category c166; -category c167; -category c168; -category c169; -category c170; -category c171; -category c172; -category c173; -category c174; -category c175; -category c176; -category c177; -category c178; -category c179; -category c180; -category c181; -category c182; -category c183; -category c184; -category c185; -category c186; -category c187; -category c188; -category c189; -category c190; -category c191; -category c192; -category c193; -category c194; -category c195; -category c196; -category c197; -category c198; -category c199; -category c200; -category c201; -category c202; -category c203; -category c204; -category c205; -category c206; -category c207; -category c208; -category 
c209; -category c210; -category c211; -category c212; -category c213; -category c214; -category c215; -category c216; -category c217; -category c218; -category c219; -category c220; -category c221; -category c222; -category c223; -category c224; -category c225; -category c226; -category c227; -category c228; -category c229; -category c230; -category c231; -category c232; -category c233; -category c234; -category c235; -category c236; -category c237; -category c238; -category c239; -category c240; -category c241; -category c242; -category c243; -category c244; -category c245; -category c246; -category c247; -category c248; -category c249; -category c250; -category c251; -category c252; -category c253; -category c254; -category c255; +# Generate declarations +gen_cats(mls_num_cats) # # Each MLS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # -level s0:c0.c255; -level s1:c0.c255; -level s2:c0.c255; -level s3:c0.c255; -level s4:c0.c255; -level s5:c0.c255; -level s6:c0.c255; -level s7:c0.c255; -level s8:c0.c255; -level s9:c0.c255; -level s10:c0.c255; -level s11:c0.c255; -level s12:c0.c255; -level s13:c0.c255; -level s14:c0.c255; -level s15:c0.c255; +# Generate levels from all sensitivities +# with all categories +gen_levels(mls_num_sens,mls_num_cats) # # Define the MLS policy 
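Review bot: The new comment `# Domination of sensitivities is in increasin` is truncated; it should read `# Domination of sensitivities is in increasing` so that `# numerical order, with s0 being the lowest` continues it. `gen_sens`, `gen_cats` and `gen_levels`, and the `mls_num_sens`/`mls_num_cats` symbols they take, are not defined anywhere in this diff; presumably the macros live in the support `.spt` files that the Makefile concatenates ahead of policy/mls in PRE_TE_FILES, and the counts arrive from the Makefile's `-D mls_num_sens=... -D mls_num_cats=...` — confirm both, since an undefined macro would pass through m4 as literal text and only surface as a checkpolicy parse error. A one-line comment at the top naming where the generators are defined would save the next reader that search, e.g. `# gen_sens/gen_cats/gen_levels come from the support macros in M4SUPPORT`.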
@@ -350,5 +60,24 @@ # name_list : name | name_list name # +# +# MLS policy for the domain class +# + +# new domain labels must be dominated by the calling subject clearance +# and sensitivity level changes require privilege +mlsconstrain domain transition + (( h1 dom h2 ) and (( l1 eq l2 ) or (t1 == mls_priv))); + +# all the domain "read" ops +mlsconstrain domain { getvcpuaffinity getdomaininfo getvcpuinfo getvcpucontext getaddrsize getextvcpucontext } + ((l1 dom l2) or (t1 == mls_priv)); + +# all the domain "write" ops +mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus destroy setvcpuaffinity scheduler setdomainmaxmem setdomainhandle setdebugging hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext } + ((l1 eq l2) or (t1 == mls_priv)); + +# This is incomplete - similar constraints must be written for all classes +# and permissions for which MLS enforcement is desired. ') dnl end enable_mls diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules.conf --- a/tools/flask/policy/policy/modules.conf Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/policy/modules.conf Thu Aug 20 11:21:01 2009 -0400 @@ -1,14 +1,8 @@ # # This file contains a listing of available modules. # To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. +# creation, set the module name to "off" otherwise +# set the module name on "on". # # Layer: xen @@ -17,5 +11,5 @@ # # Policy for xen. # -xen = base +xen = on diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules/xen/xen.if --- a/tools/flask/policy/policy/modules/xen/xen.if Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/policy/modules/xen/xen.if Thu Aug 20 11:21:01 2009 -0400 
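Review bot: The three constraints cover only the `domain` class, so the `event`, `grant`, `mmu`, `shadow` and `hvm` permissions that xen.if hands out in the same patch carry no level check at all, and the closing comment should name them rather than say "all classes". Because the escape hatch is tested by type (`t1 == mls_priv`), any subject whose type carries that attribute bypasses every constraint here wholesale; that is the intended trusted-subject exemption, but nothing says so. I would replace the last two comment lines with `# Incomplete: only the domain class is constrained. The event, grant, mmu, shadow and hvm` / `# classes used by xen.if have no MLS constraint yet, and subjects with the mls_priv` / `# attribute (the trusted subjects) bypass every constraint above.`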
@@ -1,1 +1,62 @@ +############################################################################### # +# create_domain(priv_dom, domain, channel) +# +################################################################################ +define(`create_domain', ` + type $2, domain_type; + allow $1 $2:domain {create max_vcpus setdomainmaxmem + setaddrsize getdomaininfo hypercall + setvcpucontext scheduler unpause + getvcpuinfo getaddrsize getvcpuaffinity}; + allow $1 $2:shadow {enable}; + allow $1 $2:mmu {map_read map_write adjust physmap}; + allow $2 $2:mmu {adjust physmap}; + allow $1 $3:event {create}; +') + +############################################################################### +# +# create_hvm_dom(priv_dom, domain, channel) +# +################################################################################ +define(`create_hvm_dom', ` + create_domain($1, $2, $3) + allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel }; + allow $2 $2:hvm setparam; +') + +############################################################################### +# +# create_pv_dom(priv_dom, domain, channel, iodomain) +# +################################################################################ +define(`create_pv_dom', ` + create_domain($1, $2, $3) + allow $1 $2:mmu {memorymap pinpage}; + allow $2 $2:mmu {map_read map_write pinpage}; + allow $2 $4:mmu {map_read}; + + allow $2 $2:grant {query setup}; + allow $1 $2:grant {map_read unmap}; +') +################################################################################ +# +# manage_domain(priv_dom, domain) +# +################################################################################ +define(`manage_domain', ` + allow $1 $2:domain {pause destroy}; +') + +################################################################################ +# +# create_channel(caller, peer, channel) +# +################################################################################ +define(`create_channel', ` + type $3, 
event_type; + type_transition $1 $2:event $3; + allow $1 $3:event {create}; + allow $3 $2:event {bind}; +') diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules/xen/xen.te --- a/tools/flask/policy/policy/modules/xen/xen.te Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/policy/modules/xen/xen.te Thu Aug 20 11:21:01 2009 -0400 @@ -2,10 +2,11 @@ attribute domain_type; attribute resource_type; attribute event_type; +attribute mls_priv; -type xen_t, xen_type, domain_type; +type xen_t, xen_type, domain_type, mls_priv; -type dom0_t, domain_type; +type dom0_t, domain_type, mls_priv; type domio_t, domain_type; 
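Review bot: The macro headers in this new file give only the parameter list, so a reader cannot tell that `create_domain` declares `$2` as a fresh `domain_type` (a second call with the same name would redeclare the type) while `$3` is an event type that `create_channel` is expected to declare, nor what `iodomain` is for in `create_pv_dom`. I would extend each header, e.g. under `create_domain`: `# Declares $2 as a new domain_type; lets $1 build, configure, unpause and map the memory of $2, and create events on $3.`, and under `create_pv_dom`: `# PV flavour: adds pinpage/memorymap rights and map_read on the I/O domain $4 (domio_t in xen.te).` A one-line note that `manage_domain` and `create_channel` are moved here from xen.te unchanged would also help reviewers of this move.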
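Review bot: `attribute mls_priv;` is introduced without a comment and is attached to both `xen_t` and `dom0_t`; since the constraints added to policy/mls in this same patch exempt any subject whose type carries it (`t1 == mls_priv`), this line is what makes the whole of dom0 a trusted subject for MLS, which a maintainer adding a new type needs to know before copying the declaration. I would add above it: `# mls_priv: trusted subjects exempt from every mlsconstrain in policy/mls; grant sparingly.` The hunk shows only the first few declarations of xen.te.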
@@ -22,47 +23,6 @@ ################################################################################ # -# create_domain(priv_dom, domain, channel) -# -################################################################################ -define(`create_domain', ` - type $2, domain_type; - allow $1 $2:domain {create max_vcpus setdomainmaxmem - setaddrsize getdomaininfo hypercall - setvcpucontext scheduler unpause - getvcpuinfo getaddrsize getvcpuaffinity}; - allow $1 $2:shadow {enable}; - allow $1 $2:mmu {map_read map_write memorymap adjust pinpage}; - allow $2 $2:mmu {map_read map_write adjust pinpage}; - allow $2 domio_t:mmu {map_read}; - allow $2 $2:grant {query setup}; - allow $1 $2:grant {map_read unmap}; - allow $1 $3:event {create}; -') - -################################################################################ -# -# manage_domain(priv_dom, domain) -# -################################################################################ -define(`manage_domain', ` - allow $1 $2:domain {pause destroy}; -') - -################################################################################ -# -# create_channel(caller, peer, channel) -# -################################################################################ -define(`create_channel', ` - type $3, event_type; - type_transition $1 $2:event $3; - allow $1 $3:event {create}; - allow $3 $2:event {bind}; -') - -################################################################################ -# # Boot the hypervisor and dom0 # ################################################################################ 
@@ -85,7 +45,9 @@ allow xen_t iomem_t:resource {add_iomem remove_iomem}; allow dom0_t iomem_t:resource {use}; allow xen_t pirq_t:resource {add_irq remove_irq}; -allow dom0_t pirq_t:resource {use}; +allow dom0_t pirq_t:resource { add_irq remove_irq use}; +allow dom0_t dom0_t:resource { add remove }; +allow dom0_t xen_t:xen firmware; allow dom0_t security_t:security {compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool @@ -99,7 +61,7 @@ # Create and manage a domU w/ dom0 IO # ################################################################################ -create_domain(dom0_t, domU_t, evchnU-0_t) +create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t) create_channel(domU_t, domU_t, evchnU-U_t) allow domU_t evchnU-U_t:event {send}; @@ -118,6 +80,27 @@ ################################################################################ # +# Create and manage an HVM domU w/ dom0 IO +# +################################################################################ +create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t) +allow dom0_t evchn0-HU_t:event {send}; + +create_channel(domHU_t, domHU_t, evchnHU-HU_t) +allow domHU_t evchnU-U_t:event {send}; + +create_channel(dom0_t, domHU_t, evchn0-HU_t) +allow dom0_t evchn0-U_t:event {send}; + +create_channel(domHU_t, dom0_t, evchnHU-0_t) +allow domHU_t evchnU-0_t:event {send}; + +allow dom0_t dom0_t:event {send}; + +manage_domain(dom0_t, domHU_t) + +################################################################################ +# # # ################################################################################ @@ -134,6 +117,3 @@ sid device gen_context(system_u:object_r:device_t,s0) role system_r types { xen_type domain_type }; -role user_r types { xen_type domain_type }; -role sysadm_r types { xen_type domain_type }; -role staff_r types { xen_type domain_type }; diff -r 4e2ffbd99aeb tools/flask/policy/policy/support/misc_macros.spt 
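Review bot: `allow dom0_t pirq_t:resource { add_irq remove_irq use};` widens dom0 from merely using physical IRQs to adding and removing them, a right the neighbouring line otherwise grants only to `xen_t`, and the new `dom0_t dom0_t:resource { add remove }` and `dom0_t xen_t:xen firmware` rules arrive with no explanation either. A why-comment above the three lines would stop the next reader from treating the widening as accidental, e.g. `# dom0 manages physical IRQs and its own resources and may use the xen firmware op; see <reason>` with the reason filled in by the author (presumably a dom0 IRQ/PCI management path — confirm). The brace spacing `{ add_irq remove_irq use}` also differs from the `{add_iomem remove_iomem}` style of the surrounding rules.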
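Review bot: Three of the new `send` rules name the PV domU's channel types instead of the HVM channels just created: `allow domHU_t evchnU-U_t:event {send};` follows `create_channel(domHU_t, domHU_t, evchnHU-HU_t)`, `allow dom0_t evchn0-U_t:event {send};` follows `create_channel(dom0_t, domHU_t, evchn0-HU_t)`, and `allow domHU_t evchnU-0_t:event {send};` follows `create_channel(domHU_t, dom0_t, evchnHU-0_t)`. As written the TE rules let an HVM domain send on the PV domU's intra-domU and domU-to-dom0 channel types, while its own `evchnHU-HU_t` and `evchnHU-0_t` channels can be created and bound but never signalled; the PV section above (`create_channel(domU_t, domU_t, evchnU-U_t)` then `allow domU_t evchnU-U_t:event {send};`) shows the intended pattern. Change the three rules to `allow domHU_t evchnHU-HU_t:event {send};`, `allow dom0_t evchn0-HU_t:event {send};` and `allow domHU_t evchnHU-0_t:event {send};` — the second then duplicates the rule already placed right after `create_hvm_dom`, so one of the two can go.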
--- a/tools/flask/policy/policy/support/misc_macros.spt Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/policy/support/misc_macros.spt Thu Aug 20 11:21:01 2009 -0400 @@ -11,17 +11,53 @@ # define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') +# +# ifndef(expr,true_block,false_block) +# +# m4 does not have this. +# +define(`ifndef',`ifdef(`$1',`$3',`$2')') + +# +# __endline__ +# +# dummy macro to insert a newline. used for +# errprint, so the close parentheses can be +# indented correctly. +# +define(`__endline__',` +') + ######################################## # -# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) +# refpolwarn(message) # -define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');') +# print a warning message +# +define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)') + +######################################## +# +# refpolerr(message) +# +# print an error message. does not +# make anything fail. +# +define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)') + +######################################## +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range) +# +define(`gen_user',`dnl +user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'; +') ######################################## # # gen_context(context,mls_sensitivity,[mcs_categories]) # -define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'') ######################################## # diff -r 4e2ffbd99aeb tools/flask/policy/policy/support/mls_macros.spt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/support/mls_macros.spt Thu Aug 20 11:21:01 2009 -0400 
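Review bot: The header comments for the two new diagnostic macros name them `refpolwarn(message)` and `refpolerr(message)` while the definitions are `refpolicywarn` and `refpolicyerr`, so a grep on the documented name finds nothing; change the headers to `# refpolicywarn(message)` and `# refpolicyerr(message)`. The new `gen_user` signature gains a `prefix` argument that the body never expands (`$2` is unused), which is why the users file now passes an empty second field; a line such as `# prefix is accepted but unused (presumably kept for refpolicy call compatibility — confirm)` under the signature would explain it. Note also that, as its own comment says, `refpolicyerr` only prints, so an error reported through it still yields a policy that builds and loads.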
@@ -0,0 +1,55 @@ +######################################## +# +# gen_cats(N) +# +# declares categores c0 to c(N-1) +# +define(`decl_cats',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl +') + +define(`gen_cats',`decl_cats(0,decr($1))') + +######################################## +# +# gen_sens(N) +# +# declares sensitivites s0 to s(N-1) with dominance +# in increasing numeric order with s0 lowest, s(N-1) highest +# +define(`decl_sens',`dnl +sensitivity s$1; +ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl +') + +define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') + +define(`gen_sens',` +# Each sensitivity has a name and zero or more aliases. +decl_sens(0,decr($1)) + +# Define the ordering of the sensitivity levels (least to greatest) +dominance { gen_dominance(0,decr($1)) } +') + +######################################## +# +# gen_levels(N,M) +# +# levels from s0 to (N-1) with categories c0 to (M-1) +# +define(`decl_levels',`dnl +level s$1:c0.c$3; +ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl +') + +define(`gen_levels',`decl_levels(0,decr($1),decr($2))') + +######################################## +# +# Basic level names for system low and high +# +define(`mls_systemlow',`s0') +define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') +define(`mls_allcats',`c0.c`'decr(mls_num_cats)') diff -r 4e2ffbd99aeb tools/flask/policy/policy/systemuser --- a/tools/flask/policy/policy/systemuser Wed Aug 19 14:23:30 2009 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
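Review bot: `gen_cats`, `gen_sens` and `gen_levels` recurse from 0 up to `decr($1)`, so a count of 0 makes the stop value -1 and the `ifelse(`$1',`$2',…)` test never matches: m4 keeps incrementing until it aborts instead of reporting the bad configuration. Guard the entry points, e.g. `define(`gen_cats',`ifelse(eval($1 > 0),1,`decl_cats(0,decr($1))')')` and likewise for `gen_sens`/`gen_levels`, or at least state the precondition in each header (`# N must be >= 1`). `mls_systemhigh` and `mls_allcats` also read `mls_num_sens`/`mls_num_cats`, which nothing in this file defines — presumably the build passes them in, and a header line saying so would help. Typos in the headers: `categores` → `categories`, `sensitivites` → `sensitivities`.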
@@ -1,19 +0,0 @@ -################################## -# -# System User configuration. -# - -# -# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) -# - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127) - -# Normal users should not be added to this file, -# but instead added to the users file. diff -r 4e2ffbd99aeb tools/flask/policy/policy/users --- a/tools/flask/policy/policy/users Wed Aug 19 14:23:30 2009 +0100 +++ b/tools/flask/policy/policy/users Thu Aug 20 11:21:01 2009 -0400 
@@ -1,39 +1,17 @@ - ################################## # -# Core User configuration. +# System User configuration. # # -# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# gen_user(username, role_set, mls_defaultlevel, mls_range) # # -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. # -ifdef(`targeted_policy',` -gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127) -',` -gen_user(user_u, user_r, s0, s0 - s9:c0.c127) -') +gen_user(system_u,, system_r, s0, s0 - mls_systemhigh) -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -ifdef(`targeted_policy',` - gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127) -',` - ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127) - ',` - gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127) - ') -')
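Review bot: The signature comment `# gen_user(username, role_set, mls_defaultlevel, mls_range)` no longer matches the call beneath it, which passes an empty second argument (`gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)`) because `gen_user` as redefined in misc_macros.spt in this patch takes `(username, prefix, role_set, mls_defaultlevel, mls_range)`; change the comment to `# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range)` so the empty field reads as intentional rather than as a typo. It is also worth a line noting that `system_u` now spans the full configured range `s0 - mls_systemhigh`, whereas the removed systemuser file pinned it to `s0 - s9:c0.c127`, so the reach of this identity now follows the build's MLS_SENS/MLS_CATS settings.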