Merge pull request #4173 from masatake/selinux-policy

Parsers for files defining SELinux policy

- SELinuxInterface: new parser 
- SELinuxTypeEnforcement: new parser

Tmain/list-map-extensions.d/stdout-expected.txt

@@ -1,9 +1,9 @@
 ## all|grep LdScript
-#LANGUAGE           EXTENSION
-LdScript            lds
-LdScript            scr
-LdScript            ld
-LdScript            ldi
+#LANGUAGE               EXTENSION
+LdScript                lds
+LdScript                scr
+LdScript                ld
+LdScript                ldi
 ## LdScript
 #EXTENSION
 lds

Tmain/list-subparsers-all.d/stdout-expected.txt

@@ -26,6 +26,7 @@ RSpec                Ruby       base => sub {shared}
 Rake                 Ruby       base <= sub {dedicated}
 RelaxNG              XML        base <> sub {bidirectional}
 S4Class              R          base <> sub {bidirectional}
+SELinuxInterface     M4         base <= sub {dedicated}
 SVG                  XML        base <> sub {bidirectional}
 SystemdUnit          Iniconf    base <= sub {dedicated}
 TclOO                Tcl        base <> sub {bidirectional}

Units/parser-selinux-interface.r/simple.d/args.ctags

@@ -0,0 +1,2 @@
+--sort=no
+--fields=+e

Units/parser-selinux-interface.r/simple.d/expected.tags

@@ -0,0 +1,3 @@
+su_restricted_domain_template	input.if	/^template(`su_restricted_domain_template', `$/;"	t	end:140
+su_role_template	input.if	/^template(`su_role_template',`$/;"	t	end:202
+su_exec	input.if	/^interface(`su_exec',`$/;"	i	end:221

Units/parser-selinux-interface.r/simple.d/input.if

@@ -0,0 +1,223 @@
+###
+### Taoken from selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/admin/su.if
+###
+
+## <summary>Run shells with substitute user and group</summary>
+
+#######################################
+## <summary>
+##	Restricted su domain template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run shells as a different
+##	user.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`su_restricted_domain_template', `
+	gen_require(`
+		type su_exec_t;
+	')
+
+	type $1_su_t;
+	domain_entry_file($1_su_t, su_exec_t)
+	domain_type($1_su_t)
+	domain_interactive_fd($1_su_t)
+	role $3 types $1_su_t;
+
+	allow $2 $1_su_t:process signal;
+
+	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search  fowner sys_nice sys_resource };
+	dontaudit $1_su_t self:capability sys_tty_config;
+	allow $1_su_t self:key { search write };
+	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:fifo_file rw_fifo_file_perms;
+	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+    allow $1_su_t self:netlink_selinux_socket create_socket_perms;
+
+	# Transition from the user domain to this domain.
+	domtrans_pattern($2, su_exec_t, $1_su_t)
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t,$2)
+	allow $2 $1_su_t:fd use;
+	allow $2 $1_su_t:fifo_file rw_file_perms;
+	allow $2 $1_su_t:process sigchld;
+
+    kernel_getattr_core_if($1_su_t)
+	kernel_read_system_state($1_su_t)
+	kernel_read_kernel_sysctls($1_su_t)
+	kernel_search_key($1_su_t)
+	kernel_link_key($1_su_t)
+
+	# for SSP
+	dev_read_urand($1_su_t)
+
+	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
+	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+	# for the rootok check
+	selinux_compute_access_vector($1_su_t)
+
+	auth_domtrans_chk_passwd($1_su_t)
+	auth_dontaudit_read_shadow($1_su_t)
+	auth_use_nsswitch($1_su_t)
+	auth_rw_faillog($1_su_t)
+
+	domain_use_interactive_fds($1_su_t)
+
+	init_dontaudit_use_fds($1_su_t)
+	init_dontaudit_use_script_ptys($1_su_t)
+	# Write to utmp.
+	init_rw_utmp($1_su_t)
+	init_search_script_keys($1_su_t)
+    init_getattr_initctl($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+
+	ifdef(`distro_redhat',`
+		# RHEL5 and possibly newer releases incl. Fedora
+		auth_domtrans_upd_passwd($1_su_t)
+
+		optional_policy(`
+			locallogin_search_keys($1_su_t)
+		')
+	')
+
+	ifdef(`distro_rhel4',`
+		domain_role_change_exemption($1_su_t)
+		domain_subj_id_change_exemption($1_su_t)
+		domain_obj_id_change_exemption($1_su_t)
+
+		selinux_get_fs_mount($1_su_t)
+		selinux_validate_context($1_su_t)
+		selinux_compute_access_vector($1_su_t)
+		selinux_compute_create_context($1_su_t)
+		selinux_compute_relabel_context($1_su_t)
+		selinux_compute_user_contexts($1_su_t)
+
+		seutil_read_config($1_su_t)
+		seutil_read_default_contexts($1_su_t)
+
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	')
+
+	optional_policy(`
+		cron_read_pipes($1_su_t)
+	')
+
+	optional_policy(`
+		kerberos_use($1_su_t)
+	')
+
+	optional_policy(`
+		# used when the password has expired
+		usermanage_read_crack_db($1_su_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The role template for the su module.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`su_role_template',`
+	gen_require(`
+		attribute su_domain_type;
+		type su_exec_t;
+		bool secure_mode;
+	')
+
+	type $1_su_t, su_domain_type;
+	userdom_user_application_domain($1_su_t, su_exec_t)
+	domain_interactive_fd($1_su_t)
+	role $2 types $1_su_t;
+
+    allow $1_su_t self:netlink_selinux_socket create_socket_perms;
+
+	allow $3 $1_su_t:process signal;
+	allow $1_su_t $3:key search;
+
+	# Transition from the user domain to this domain.
+	domtrans_pattern($3, su_exec_t, $1_su_t)
+
+	ps_process_pattern($3, $1_su_t)
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t, $3)
+	allow $3 $1_su_t:fd use;
+	allow $3 $1_su_t:fifo_file rw_file_perms;
+	allow $3 $1_su_t:process sigchld;
+
+	kernel_read_system_state($1_su_t)
+	kernel_dontaudit_getattr_core_if($1_su_t)
+
+	auth_use_pam($1_su_t)
+
+	init_dontaudit_getattr_initctl($1_su_t)
+
+	mls_file_write_all_levels($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+')
+
+#######################################
+## <summary>
+##	Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`su_exec',`
+	gen_require(`
+		type su_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, su_exec_t)
+')
+
+dummy(`dont_tag_me',`')

Units/parser-selinux-type-enforcement.r/modules.d/args.ctags

@@ -0,0 +1 @@
+--sort=no

Units/parser-selinux-type-enforcement.r/modules.d/expected.tags

@@ -0,0 +1,2 @@
+bind	input.te	/^module bind 1.0.0;$/;"	m
+bootloader	input-0.te	/^policy_module(bootloader, 1.14.0)$/;"	m

Units/parser-selinux-type-enforcement.r/modules.d/input-0.te

@@ -0,0 +1,2 @@
+# selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/admin/bootloader.te
+policy_module(bootloader, 1.14.0)

Units/parser-selinux-type-enforcement.r/modules.d/input.te

@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux-notebook/blob/main/src/modular_policy_statements.md#modular-policy-support-statements
+module bind 1.0.0;

Units/parser-selinux-type-enforcement.r/simple.d/args.ctags

@@ -0,0 +1 @@
+--sort=no

Units/parser-selinux-type-enforcement.r/simple.d/expected.tags

@@ -0,0 +1,26 @@
+dbus	input.te	/^policy_module(dbus, 1.19.0)$/;"	m
+dbusd_unconfined	input.te	/^attribute dbusd_unconfined;$/;"	T
+system_bus_type	input.te	/^attribute system_bus_type;$/;"	T
+dbusd_etc_t	input.te	/^type dbusd_etc_t;$/;"	t
+dbusd_exec_t	input.te	/^type dbusd_exec_t;$/;"	t
+system_dbusd_exec_t	input.te	/^typealias dbusd_exec_t alias system_dbusd_exec_t;$/;"	a
+session_dbusd_tmp_t	input.te	/^type session_dbusd_tmp_t;$/;"	t
+user_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+staff_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+sysadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+auditadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
+secadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
+system_r	input.te	/^role system_r types system_bus_type;$/;"	r
+git_sys_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	t
+git_system_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	a
+kmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	t
+update_modules_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+depmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+insmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+system_r	input.te	/^role system_r types anaconda_t;$/;"	r
+install_roles	input.te	/^attribute_role install_roles;$/;"	R
+antivirus_can_scan_system	input.te	/^gen_tunable(antivirus_can_scan_system, false)$/;"	b
+secure_mode_insmod	input.te	/^gen_bool(secure_mode_insmod, false)$/;"	b
+allow_daemons_use_tty	input.te	/^bool allow_daemons_use_tty true;$/;"	b
+xguest_u	input.te	/^gen_user(xguest_u, user, xguest_r, s0, s0)$/;"	u
+sysadm_u	input.te	/^user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;$/;"	u

Units/parser-selinux-type-enforcement.r/simple.d/input.te

@@ -0,0 +1,58 @@
+#
+# Derrived from policy/modules/contrib/dbus.te
+#
+policy_module(dbus, 1.19.0)
+
+gen_require(`
+	class dbus all_dbus_perms;
+')
+
+##############################
+#
+# Delcarations
+#
+
+attribute dbusd_unconfined;
+attribute system_bus_type;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+userdom_user_tmp_file(session_dbusd_tmp_t)
+
+# ...
+
+########################################
+#
+# system_bus_type rules
+#
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+# The next one should not be tagged.
+gen_require(`
+    type ssh_keygen_t;
+')
+
+
+type git_sys_content_t alias git_system_content_t;
+type kmod_t alias { update_modules_t depmod_t insmod_t };
+
+role system_r types anaconda_t;
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+gen_tunable(antivirus_can_scan_system, false)
+gen_bool(secure_mode_insmod, false)
+
+bool allow_daemons_use_tty true;
+
+gen_user(xguest_u, user, xguest_r, s0, s0)
+user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;

docs/news/HEAD.rst

@@ -33,6 +33,8 @@ New parsers
 
 * TOML *peg/packcc*
 * Cargo *TOML based subparser*
+* SELinuxIntefae *M4 based subparser*
+* SELinuxTypeEnforcement *optlib*
 
 Changes about parser specific kinds, roles, fields, and extras
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

main/parsers_p.h

@@ -170,6 +170,8 @@
 	S4ClassParser, \
 	SchemeParser, \
 	SCSSParser, \
+	SELinuxInterfaceParser, \
+	SELinuxTypeEnforcementParser, \
 	ShParser, \
 	SlangParser, \
 	SmlParser, \