Hi, I'm trying to create a restricted user domain with the targeted policy, e.g.: full_user_role(test) This turned up quite a number of issues. First, I had to suck in user.te from the strict policy to get the booleans. I stripped it down to just the essentials; it may make sense to add some of it back. Secondly, unconfined_t isn't completely unconfined; in particular it can't transition to arbitrary domains. So sshd (which runs as unconfined_t) can't enter the new user domain. So I added a bit to full_user_role which allows unconfined_t to transition to new user domains (via a shell) in the targeted policy. Third, there were a few missing ifdefs (likely applicable in strict policy too). Fourth, the user domain needs access to user_home_dir_t:dir. The fifth issue is access to /dev/pts. The comment above the patch should explain things. Is there a better solution here?
diff -uNr /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/domains/user.te /etc/selinux/targeted/src/policy/domains/user.te
--- /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/domains/user.te 1969-12-31 19:00:00.000000000 -0500
+++ /etc/selinux/targeted/src/policy/domains/user.te 2004-08-13 22:58:08.000000000 -0400
@@ -0,0 +1,26 @@
+#DESC User - Domains for ordinary users.
+#
+#################################
+
+# Booleans for user domains.
+
+# Allow users to read system messages.
+bool user_dmesg false;
+
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users) disabling this forces FTP passive mode
+# and may change other protocols
+bool user_tcp_server false;
+
+# Allow users to rw usb devices
+bool user_rw_usb false;
+
+# Allow regular users direct mouse access
+bool user_direct_mouse false;
+
+# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
+bool user_rw_noexattrfile false;
+
+# Allow reading of default_t files.
+bool read_default_t false;
+
diff -uNr /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/base_user_macros.te /etc/selinux/targeted/src/policy/macros/base_user_macros.te
--- /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/base_user_macros.te 2004-08-14 10:59:21.188378360 -0400
+++ /etc/selinux/targeted/src/policy/macros/base_user_macros.te 2004-08-14 11:05:18.504058120 -0400
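Review bot: Every boolean this new user.te declares (user_dmesg, user_tcp_server, user_rw_usb, user_direct_mouse, user_rw_noexattrfile, read_default_t) arrives without any `if (...)` rules that consume it anywhere in this patch, so the booleans will be listed and toggleable with setsebool yet have no effect, which misleads an administrator who reads the comments above them as a promise. Either carry over the conditional rules from the strict user.te that reference each boolean, or leave the declarations out until they are wired up. If they must stay as-is, the header should say so, e.g. `# NOTE: declared for compatibility only; no rules in the targeted policy reference these booleans yet.` This is inferred from the patch alone; if rules elsewhere in the targeted tree already reference them, only the comment is needed.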
@@ -23,6 +23,12 @@
 role $1_r types $1_t;
 allow system_r $1_r;
+# In targeted policy, ssh runs in an unconfined domain.
+# Allow it to transition to the new user domain via the shell.
+ifdef(`targeted_policy',`
+domain_trans(unconfined_t, shell_exec_t, $1_t)
+')
+
 r_dir_file($1_t, usercanread)
 #
diff -uNr /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/program/apache_macros.te /etc/selinux/targeted/src/policy/macros/program/apache_macros.te
--- /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/program/apache_macros.te 2004-08-14 10:59:21.192377752 -0400
+++ /etc/selinux/targeted/src/policy/macros/program/apache_macros.te 2004-08-13 23:03:29.000000000 -0400
@@ -139,7 +139,9 @@
 #########################################
 create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
+ifdef(`crond.te',`
 create_dir_file($1_crond_t, httpd_$1_content_t)
+')
 allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
 ifdef(`mozilla.te', `
 r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
diff -uNr /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/user_macros.te /etc/selinux/targeted/src/policy/macros/user_macros.te
--- /tmp/rpms/selinux-policy-targeted/etc/selinux/targeted/src/policy/macros/user_macros.te 2004-08-14 10:59:21.207375472 -0400
+++ /etc/selinux/targeted/src/policy/macros/user_macros.te 2004-08-14 14:14:37.064294496 -0400
@@ -36,6 +36,13 @@
 # Type and access for pty devices.
 can_create_pty($1, `, userpty_type, user_tty_type')
+# In the targeted policy, derived domains are not used for
+# ptys, and thus a userdomain needs access to the generic
+# devpts_t type.
+ifdef(`targeted_policy',`
+allow $1_t devpts_t:chr_file { getattr ioctl read write };
+')
+
 #Type for tty devices.
 type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type;
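Review bot: `domain_trans(unconfined_t, shell_exec_t, $1_t)` in the base_user_macros.te hunk is a permitted transition only (domain_trans, as opposed to domain_auto_trans, adds no type_transition), so the comment should state that the login program has to request the $1_t context explicitly — presumably via pam_selinux — or a reader will expect unconfined_t shells to land in $1_t on their own. It is also worth recording that, since the macro is instantiated once per user domain, any unconfined_t process that executes a shell may enter the more restricted $1_t, while nothing here grants a path from $1_t back to unconfined_t; that asymmetry is the property to preserve when this macro is edited later. Suggested wording to append to the comment: `# Permitted transition only (no type_transition): the login program must request $1_t explicitly. No reverse transition from $1_t to unconfined_t is granted.` The enclosing macro definition starts and ends outside the hunk.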
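Review bot: `allow $1_t devpts_t:chr_file { getattr ioctl read write };` in the user_macros.te hunk grants the user domain read/write on every pty carrying the generic devpts_t label, not only the ptys allocated to this user's session, so the comment above it should record that separation between sessions then rests on DAC ownership of the /dev/pts entry rather than on type enforcement, which is a weaker guarantee than the per-user pty types the strict policy uses. Because the macro is instantiated for each full_user_role() user, every such domain receives the same rule. Suggested addition to the comment: `# This covers every devpts_t pty, not only this user's; isolation between sessions relies on DAC ownership of the pty.` The enclosing macro definition starts and ends outside the hunk.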
@@ -154,6 +161,7 @@
 allow $1_t proc_t:{ file lnk_file } r_file_perms;
 base_file_read_access($1_t)
+allow $1_t user_home_dir_t:dir { search getattr };
 can_exec($1_t, usr_t)
@@ -189,7 +197,9 @@
 allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
 # for running depmod as part of the kernel packaging process
+ifdef(`modutil.te',`
 allow $1_t modules_conf_t:file { getattr read };
+')
 # Read man directories and files.
 allow $1_t man_t:dir r_dir_perms;
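Review bot: `allow $1_t user_home_dir_t:dir { search getattr };` is the one addition to the user macros in this patch that is not wrapped in `ifdef(`targeted_policy',` ... `')`, unlike the devpts_t and unconfined_t rules, although the cover note lists it among the issues found while building a targeted-policy user domain. If the rule is meant to apply to the strict policy as well, a comment should say why; otherwise guard it the same way for consistency: `ifdef(`targeted_policy',` / `allow $1_t user_home_dir_t:dir { search getattr };` / `')`. The enclosing macro definition starts and ends outside the hunk.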