From patchwork Tue Aug 25 08:37:28 2020
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 11735153
From: Richard Haines To: paul@paul-moore.com, selinux@vger.kernel.org Cc: Richard Haines Subject: [PATCH 03/18] avc_rules: Convert to markdown Date: Tue, 25 Aug 2020 09:37:28 +0100 Message-Id: <20200825083743.6508-4-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200825083743.6508-1-richard_c_haines@btinternet.com> References: <20200825083743.6508-1-richard_c_haines@btinternet.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines --- src/avc_rules.md | 115 +++++++++++++++++++++++------------------------ 1 file changed, 56 insertions(+), 59 deletions(-) diff --git a/src/avc_rules.md b/src/avc_rules.md index 7572302..b1535d3 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -1,5 +1,11 @@ # Access Vector Rules +- [Access Vector Rules](#access-vector-rules) + - [*allow*](#allow) + - [*dontaudit*](#dontaudit) + - [*auditallow*](#auditallow) + - [*neverallow*](#neverallow) + The AV rules define what access control privileges are allowed for processes and objects. There are four types of AV rule: *allow*, *dontaudit*, *auditallow*, and *neverallow* as explained in the sections that @@ -26,63 +32,56 @@ rule_name source_type target_type : class perm_set; **Where:** - - - - - - - - - - - - - - - - - - - -
rule_nameThe applicable allow, dontaudit, auditallow, and neverallow rule keyword.

source_type

-

target_type

One or more source / target type, typealias or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces '{}'. Entries can be excluded from the list by using the negative operator '-'.

-

The *target_type* can have the self keyword instead of type, typealias or attribute identifiers. This means that the *target_type* is the same as the *source_type*.

-

The neverallow rule also supports the wildcard operator '*' to specify that all types are to be included and the complement operator '~' to specify all types are to be included except those explicitly listed.

classOne or more object classes. Multiple entries consist of a space separated list enclosed in braces '{}'.
perm_set

The access permissions the source is allowed to access for the target object (also known as the Access Vector). Multiple entries consist of a space separated list enclosed in braces '{}'.

-

The optional wildcard operator '*' specifies that all permissions for the object class can be used.

-

The complement operator '~' is used to specify all permissions except those explicitly listed (although the compiler issues a warning if the dontaudit rule has '~'.

+*rule_name* + +The applicable *allow*, *dontaudit*, *auditallow*, and *neverallow* rule keyword. + +*source_type*, *target_type* + +One or more source / target *type*, *typealias* or *attribute* identifiers. +Multiple entries consist of a space separated list enclosed in braces \'\{\}\'. +Entries can be excluded from the list by using the negative operator \'-\'. +The *target_type* can have the self keyword instead of *type*, *typealias* +or *attribute* identifiers. This means that the *target_type* is the same +as the *source_type*. +The *neverallow* rule also supports the wildcard operator \'\*\' to specify +that all types are to be included and the complement operator \'\~\' to +specify all types are to be included except those explicitly listed. + +*class* + +One or more object classes. Multiple entries consist of a space separated +list enclosed in braces \'\{\}\'. + +*perm_set* + +The access permissions the source is allowed to access for the target +object (also known as the Access Vector). Multiple entries consist of a +space separated list enclosed in braces \'\{\}\'. +The optional wildcard operator \'\*\' specifies that all permissions for +the object *class* can be used. +The complement operator \'\~\' is used to specify all permissions except +those explicitly listed (although the compiler issues a warning if the +*dontaudit* rule has \'\~\'. **The statements are valid in:** - - - - - - - - - - - - - - - - - - - - - - - -
Monolithic PolicyBase PolicyModule Policy
YesYesYes
Conditional Policy if Statementoptional Statementrequire Statement
Yes: allow, dontaudit, auditallow No: neverallowYes: allow, dontaudit, auditallow, neverallowNo: allow, dontaudit, auditallow, neverallow
+Policy Type + +| Monolithic Policy | Base Policy | Module Policy | +| ----------------------- | ----------------------- | ----------------------- | +| Yes | Yes | Yes | + +Conditional Policy Statements + +| *if* Statement | *optional* Statement | *require* Statement | +| ----------------------- | ----------------------- | ----------------------- | +| Yes: *allow*, *dontaudit*, *auditallow* No: *neverallow* | Yes | No | ## *allow* -The allow rule checks whether the operations between the source\_type -and target_type are allowed for the class and permissions defined. It +The allow rule checks whether the operations between the *source_type* +and *target_type* are allowed for the class and permissions defined. It is the most common statement that many of the **Reference Policy** helper macros and interface definitions expand into multiple allow rules. @@ -177,8 +176,7 @@ auditallow ada_t self:process execstack; This rule specifies that an *allow* rule must not be generated for the operation, even if it has been previously allowed. The *neverallow* statement is a compiler enforced action, where the ***checkpolicy**(8)*, -***checkmodule**(8)* 1 -or ***secilc**(8)* 2 +***checkmodule**(8)*[^fn_avc_1] or ***secilc**(8)*[^fn_avc_2] compiler checks if any allow rules have been generated in the policy source, if so it will issue a warning and stop. @@ -201,12 +199,11 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; ``` -
-
    -
  1. neverallow statements are allowed in modules, however to detect these the semanage.conf file must have the 'expand-check=1' entry present.

  2. -
  3. The *--disable-neverallow* option can be used with secilc(8) to disable neverallow rule checking.

  4. -
-
+[^fn_avc_1]: *neverallow* statements are allowed in modules, however to detect +these the *semanage.conf* file must have the 'expand-check=1' entry present. + +[^fn_avc_2]: The *\-\-disable-neverallow* option can be used with ***secilc**(8)* +to disable *neverallow* rule checking.
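Review bot: in the first hunk (the added TOC) the first entry `[Access Vector Rules](#access-vector-rules)` links the page to its own top-level heading, which is redundant in a per-page TOC; the four sub-entries `#allow`, `#dontaudit`, `#auditallow` and `#neverallow` assume the renderer strips the emphasis markup from headings like `## *allow*` when it generates ids (pandoc and GitHub both do), so that is worth confirming once in the build used for this book.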
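Review bot: in the second hunk (the **Where:** list and the policy tables) the *perm_set* text still ends with an unclosed parenthesis, `(although the compiler issues a warning if the *dontaudit* rule has \'\~\'.`; since the line is being rewritten anyway, close it as `*dontaudit* rule has \'\~\').` Three smaller points in the same hunk: the removed HTML kept each sentence of the *source_type*/*target_type* and *perm_set* descriptions as its own paragraph (note the deleted blank `-` lines between them), but the new Markdown puts them on consecutive lines, so `The *target_type* can have the self keyword ...`, `The *neverallow* rule also supports ...`, `The optional wildcard operator ...` and `The complement operator ...` will all render as run-on paragraphs unless a blank line is inserted before each; `self` is left plain while *type*, *typealias* and *attribute* on the same line are italicised, so write *self* for consistency; and the *if* cell `Yes: *allow*, *dontaudit*, *auditallow* No: *neverallow*` runs the Yes and No lists together, so a `<br>` or at least a semicolon between them keeps the cell readable. Collapsing the *optional* and *require* cells to plain `Yes` / `No` is fine, since the removed HTML listed all four rules in each.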
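Review bot: in the third hunk the context sentence `compiler checks if any allow rules have been generated in the policy source, if so it will issue a warning and stop.` is a comma splice carried over unchanged; as the line is adjacent to the edit, splitting it (`... in the policy source; if so, it will issue a warning and stop.`) would be a cheap improvement to fold in.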
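Review bot: in the fourth hunk the footnote definitions continue onto a second line without indentation (`[^fn_avc_1]: *neverallow* statements are allowed in modules, however to detect` / `these the *semanage.conf* file must have ...`); pandoc accepts lazy continuation, but indenting the continuation lines by four spaces makes the footnotes render correctly in renderers that do not. The first footnote also has a comma splice; `... are allowed in modules; however, to detect these the *semanage.conf* file must have the 'expand-check=1' entry present.` reads better. The escaped `*\-\-disable-neverallow*` is presumably there to stop smart-dash conversion turning `--` into a dash, which is worth a one-line comment in the commit message so nobody "fixes" it later.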