policy_module(aimee-os, 1.0)

########################################
#
# Declarations
#
# Four Aimee OS domains are declared in this module.  Two are started by
# init (init-storage, factory-reset) and two are run by an administrator
# from a login session (system-update, set-root-password).  The domain and
# role transitions that let sysadm_r enter the latter two are granted in
# their own sections below through the aimee_os_run_*() interfaces, which
# live in this module's .if file (not part of this listing).

# init-storage: init daemon with a private runtime (/run-style) file type
# for the state it keeps while running.
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)

type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)

# system-update: user application domain; scratch files it creates in the
# tmp directory get a private type so other user applications cannot reach
# them.
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)

type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)

# factory-reset: init daemon with no private file types of its own.
type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)

# set-root-password: user application domain.  Its tmp type is also made
# available to mount_t and passwd_t in the set-root-password section, so it
# is shared between three domains rather than being strictly private.
type aimee_set_root_password_t;
type aimee_set_root_password_exec_t;
userdom_user_application_domain(aimee_set_root_password_t, aimee_set_root_password_exec_t)

type aimee_set_root_password_tmp_t;
files_tmp_file(aimee_set_root_password_tmp_t)
########################################
#
# init-storage local policy
#
# NOTE(review): the rules below let this daemon create, write and relabel
# files across /var, /etc, /tmp, every log type (the logfile attribute),
# the audit log, the SELinux policy store and shadow, and mount over
# shadow.  That makes aimee_storinit_t as trusted as setfiles/semanage and
# the shadow owners combined; a bug in the init-storage binary is therefore
# equivalent to arbitrary policy and credential modification.  Presumably
# this is a first-boot step that populates persistent storage from a
# template and then relabels it -- confirm against the init-storage script
# and consider whether any of the grants below can be trimmed once the
# script's actual file set is known.
#

allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
# sys_admin is required for mount(2); chown/fsetid cover ownership and
# setgid-bit preservation when files are created on the daemon's behalf.
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
# setfscreate lets the daemon pick the SELinux label of files it creates
# instead of relying on type transitions.
allow aimee_storinit_t self:process { setfscreate };

# Private runtime state: full management of the daemon's own runtime type
# and an automatic transition when it creates a directory under the
# runtime location.
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)

corecmd_exec_bin(aimee_storinit_t)

# Disk and filesystem handling.  Filesystem tools run in their own
# domain (fstools_domtrans), whereas mount is executed without a
# transition (mount_exec), so the mount/unmount permissions are granted
# directly to this domain below.
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;

# mount, running in this domain, tries to write its runtime directory;
# the write is not needed here, so it is silenced rather than allowed.
gen_require(`
type mount_runtime_t;
')
dontaudit aimee_storinit_t mount_runtime_t:dir write;

# Relabelling support: read the SELinux configuration, file contexts and
# binary policy, and run setfiles in its own domain (setfiles_t).
seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)

# Directories on a not-yet-labelled filesystem show up as unlabeled_t
# until they have been relabelled.
kernel_manage_unlabeled_dirs(aimee_storinit_t)

# shadow: both content management and relabelling are granted here.
auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t)

files_manage_var_dirs(aimee_storinit_t)
files_relabel_var_dirs(aimee_storinit_t)
files_manage_var_files(aimee_storinit_t)
files_manage_var_symlinks(aimee_storinit_t)

# Types under /var and elsewhere that the daemon creates and relabels.
# These are required directly because the matching refpolicy interfaces
# do not combine manage and relabel for every one of them.
gen_require(`
type var_lib_t, var_lock_t, var_run_t;
type semanage_store_t;
type semanage_read_lock_t, semanage_trans_lock_t;
type system_dbusd_var_lib_t;
type init_var_lib_t;
type auditd_log_t;
type tmp_t;
type etc_t;
type shadow_t;
attribute logfile;
')
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
# SELinux policy store and its lock files: write access here allows the
# on-disk policy to be changed, so it deserves the same scrutiny as shadow.
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
# logfile is an attribute, so these four rules cover every log file type
# in the policy, including the audit log granted explicitly below.  A
# domain that can rewrite and relabel logs can also erase its own trail;
# keep this in mind when reviewing what init-storage writes.
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
manage_files_pattern(aimee_storinit_t, logfile, logfile)
relabel_files_pattern(aimee_storinit_t, logfile, logfile)
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
# Only directories are managed/relabelled for etc_t; etc_t files are not
# touched by this domain.
manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
# Mounting over the shadow file (presumably a bind mount of a persistent
# copy -- confirm against the script).
allow aimee_storinit_t shadow_t:file mounton;
########################################
#
# system-update local policy
#
# Run by an administrator (sysadm_r, see the end of this section).  The
# domain can fetch over TCP, write raw fixed-disk devices, mount
# filesystems and manage all non-security files, so whatever it downloads
# ends up applied to the system with essentially unrestricted write
# access.  Policy cannot check the integrity of the downloaded content;
# that verification has to happen in the system-update program itself
# before anything is written to disk.
#

# sys_admin for mount(2); chown/fowner/fsetid for restoring ownership and
# mode bits of installed files.
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;

# Private scratch directory in the tmp location.
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)

# A file named "install" created inside the scratch directory is labelled
# bin_t instead of the tmp type, which makes it executable through
# corecmd_exec_bin() below.  This is the point where fetched content
# becomes runnable code, so it is the step to tie to a signature check in
# the updater.
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")

# Terminal and environment access for an interactively started tool.
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
# Filesystem tools run without a domain transition here, unlike in the
# init-storage domain, so the raw disk write permission below is what
# the tools themselves end up using.
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
# Name resolution goes through systemd-resolved's stream socket.
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
# Outbound connections: HTTP, plus soundd_port_t.  NOTE(review): the
# soundd port grant presumably exists because the update server listens
# on a port that refpolicy classifies as soundd_port_t rather than
# http_port_t -- confirm the actual port and, if it is fixed, consider a
# dedicated port type so the grant documents its purpose.
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
# Everything that is not a security file (shadow, policy store, ...) can
# be created, written and removed by the updater.
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
# System bus client with logind access (presumably for reboot/inhibit
# handling after an update -- confirm) and syslog output.
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)

# Let the sysadm role run the updater; aimee_os_run_system_update() is
# defined in this module's .if file (not part of this listing).
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)
########################################
#
# factory-reset local policy
#
# Init daemon that rewrites fixed-disk devices directly; it has no file
# types of its own and no network access.
#

# sys_admin is granted although no mount interface is called in this
# section; presumably a filesystem tool run in this domain needs it --
# confirm from the audit log and drop it if nothing requires it.
allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;

corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
# Filesystem tools run in this domain without a transition, so the raw
# disk write permission below is exercised by the tools themselves.
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
storage_raw_rw_fixed_disk(aimee_factory_reset_t)
########################################
#
# set-root-password local policy
#
# Run by an administrator (sysadm_r, see the end of this section).  The
# rules suggest the tool prepares a copy of the password files in its tmp
# directory, mounts that directory over /etc (files_mounton_root,
# files_mounton_etc_dirs, mounton on the tmp type by this domain and by
# mount_t) and then runs passwd, which transitions to passwd_t and is
# given access to the same tmp files.  Confirm against the script before
# relying on this description.
#

# The passwd userspace object class is checked by passwd/PAM; here the
# domain is allowed to pass that check on itself.
gen_require(`
class passwd { passwd };
')

allow aimee_set_root_password_t self:capability { sys_admin };
allow aimee_set_root_password_t self:fifo_file rw_fifo_file_perms;
# setfscreate lets the tool choose the label of files it creates.  The
# two self:process rules could be written as one; they are kept separate
# here to match the original.  NOTE(review): ptrace on self is rarely
# needed -- check which access produced the denial that led to this
# grant and drop it if it is not required.
allow aimee_set_root_password_t self:process setfscreate;
allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };
allow aimee_set_root_password_t self:passwd passwd;

# Private tmp directory; relabel is also granted because files copied in
# are presumably relabelled to their /etc types (shadow_t, etc_t) before
# passwd sees them -- confirm.
files_tmp_filetrans(aimee_set_root_password_t, aimee_set_root_password_tmp_t, dir)
manage_dirs_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
manage_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
relabel_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)

# Terminal access for an interactively started tool.
domain_use_interactive_fds(aimee_set_root_password_t)
userdom_use_inherited_user_terminals(aimee_set_root_password_t)
userdom_search_user_home_dirs(aimee_set_root_password_t)
corecmd_exec_bin(aimee_set_root_password_t)
selinux_get_fs_mount(aimee_set_root_password_t)
seutil_read_config(aimee_set_root_password_t)
miscfiles_read_localization(aimee_set_root_password_t)
files_mounton_root(aimee_set_root_password_t)
# aimee_os_set_root_password_exec() and
# aimee_os_manage_set_root_password_tmp_files() are defined in this
# module's .if file (not part of this listing).
aimee_os_set_root_password_exec(aimee_set_root_password_t)
mount_list_runtime(aimee_set_root_password_t)
fs_getattr_all_fs(aimee_set_root_password_t)
fs_mount_all_fs(aimee_set_root_password_t)
fs_unmount_all_fs(aimee_set_root_password_t)
files_read_var_lib_files(aimee_set_root_password_t)
# /etc and shadow: full management plus relabel.  Together with the
# mount permissions this domain can replace the credential files
# wholesale, so the tool should be kept as small as the updater.
files_manage_etc_files(aimee_set_root_password_t)
files_relabel_etc_files(aimee_set_root_password_t)
files_manage_etc_dirs(aimee_set_root_password_t)
auth_manage_shadow(aimee_set_root_password_t)
auth_relabel_shadow(aimee_set_root_password_t)
files_mounton_etc_dirs(aimee_set_root_password_t)
# passwd itself runs in passwd_t.
usermanage_domtrans_passwd(aimee_set_root_password_t)
dev_read_sysfs(aimee_set_root_password_t)
aimee_os_manage_set_root_password_tmp_files(aimee_set_root_password_t)

# The tmp directory is a mount point for both this domain and mount_t,
# and passwd_t gets the same tmp-file access as this domain.
# NOTE(review): the direct allow on mount_t is a rule for a foreign
# domain written in this .te; refpolicy convention is to expose it as an
# interface in the .if file, as is already done for passwd_t on the next
# line.
gen_require(`
type mount_t;
type passwd_t;
')
allow aimee_set_root_password_t aimee_set_root_password_tmp_t:dir mounton;
allow mount_t aimee_set_root_password_tmp_t:dir mounton;
aimee_os_manage_set_root_password_tmp_files(passwd_t)

# Let the sysadm role run the tool; aimee_os_run_set_root_password() is
# defined in this module's .if file.  sysadm_t/sysadm_r are already
# required in the system-update section; a second require is harmless
# but one block near the top would serve both.
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_set_root_password(sysadm_t, sysadm_r)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#
# These rules extend domains owned by other modules (ssh, login, sysadm)
# rather than the Aimee OS domains declared above.
#

# Allow ssh-keygen to create host key files in /var/lib/ssh
# The type transition gives newly generated host keys sshd_key_t instead
# of the generic var_lib_t of the parent directory, so they keep the
# access rules of sshd keys (presumably only sshd and ssh-keygen can read
# them -- governed by the ssh module, not here).  NOTE(review): the
# rw_dir_perms allow is a direct rule on var_lib_t; check whether a
# files_*_var_lib_dirs() interface covers it, which would be the usual
# refpolicy style.
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)

# Allow login to execute /bin/busybox (via /bin/sh symlink)
# login runs the shell in its own domain here; the user domain transition
# is handled by the login module as usual.
gen_require(`
type local_login_t;
')
corecmd_exec_bin(local_login_t)

# Allow root to log in on the serial console
# On the serial console the session's file descriptors are inherited from
# init, and sysadm_t needs permission to keep using them.
gen_require(`
type sysadm_t;
')
init_use_fds(sysadm_t)