[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [SPAM] [PATCH] tools/flask/policy: Updates to policy and policy build infrastructure



The original xen policy infrastructure was based off of an early version of
refpolicy. Because of this there was a lot of cruft that does not apply
to building a policy for xen. This patch does several things. First it
cleans up the makefile as to remove many unnecessary build targets. Second
it fixes an issue that the policy build process wasn't handling interface
files properly. Third it pulls in the MLS suppport functions from current
ref policy and makes use of them. Finally it updates the xen policy with
new rules to address changes in xen since the policy was last worked on, 
and provides several new abstractions for creating domains.

 tools/flask/policy/Makefile                       |  245 ++++++++--------
 tools/flask/policy/Rules.modular                  |  166 -----------
 tools/flask/policy/Rules.monolithic               |  196 -------------
 tools/flask/policy/policy/mcs                     |  324 ---------------------
 tools/flask/policy/policy/mls                     |  325 +---------------------
 tools/flask/policy/policy/modules.conf            |   12 
 tools/flask/policy/policy/modules/xen/xen.if      |   61 ++++
 tools/flask/policy/policy/modules/xen/xen.te      |   76 +----
 tools/flask/policy/policy/support/misc_macros.spt |   42 ++
 tools/flask/policy/policy/support/mls_macros.spt  |   55 +++
 tools/flask/policy/policy/systemuser              |   19 -
 tools/flask/policy/policy/users                   |   36 --

Signed-off-by: David P. Quigley <dpquigl@xxxxxxxxxxxxx>

diff -r 4e2ffbd99aeb tools/flask/policy/Makefile
--- a/tools/flask/policy/Makefile       Wed Aug 19 14:23:30 2009 +0100
+++ b/tools/flask/policy/Makefile       Thu Aug 20 11:21:01 2009 -0400
@@ -3,7 +3,7 @@
 #
 # Targets:
 # 
-# install       - compile and install the policy configuration, and context 
files.
+# install       - compile and install the policy configuration.
 # load          - compile, install, and load the policy configuration.
 # reload        - compile, install, and load/reload the policy configuration.
 # policy        - compile the policy configuration locally for 
testing/development.
@@ -20,35 +20,31 @@
 # By default, checkpolicy will create the highest
 # version policy it supports.  Setting this will
 # override the version.
-#OUTPUT_POLICY = 20
+# OUTPUT_POLICY = 24
 
 # Policy Type
-# strict, targeted,
-# strict-mls, targeted-mls,
-# strict-mcs, targeted-mcs
-TYPE = strict
+# xen
+# xen-mls
+TYPE = xen 
 
 # Policy Name
 # If set, this will be used as the policy
-# name.  Otherwise the policy type will be
+# name.  Otherwise xenpolicy will be
 # used for the name.
-NAME = xenrefpolicy
+# NAME = xenpolicy
 
-# Distribution
-# Some distributions have portions of policy
-# for programs or configurations specific to the
-# distribution.  Setting this will enable options
-# for the distribution.
-# redhat, gentoo, debian, and suse are current options.
-# Fedora users should enable redhat.
-#DISTRO = 
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+# MLS_SENS = 16
 
-# Build monolithic policy.  Putting n here
-# will build a loadable module policy.
-MONOLITHIC=y
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+# MLS_CATS = 256
 
 # Uncomment this to disable command echoing
-#QUIET:=@
+# QUIET:=@
 
 ########################################
 #
@@ -60,12 +56,8 @@
 BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
 CHECKPOLICY := $(BINDIR)/checkpolicy
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/flask-loadpolicy
 
-CFLAGS := -Wall
-
 # policy source layout
 POLDIR := policy
 MODDIR := $(POLDIR)/modules
@@ -74,10 +66,6 @@
 ISIDS := $(FLASKDIR)/initial_sids
 AVS := $(FLASKDIR)/access_vectors
 
-#policy building support tools
-SUPPORT := support
-FCSORT := tmp/fc_sort
-
 # config file paths
 GLOBALTUN := $(POLDIR)/global_tunables
 GLOBALBOOL := $(POLDIR)/global_booleans
@@ -86,149 +74,158 @@
 BOOLEANS := $(POLDIR)/booleans.conf
 
 # install paths
-TOPDIR = $(DESTDIR)$(XEN_CONFIG_DIR)
-INSTALLDIR = $(TOPDIR)/$(NAME)
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
+
+DESTDIR = /boot
+INSTALLDIR = $(DESTDIR)
+LOADPATH = $(INSTALLDIR)/$(POLVER)
+
+# default MLS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 256
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-       override M4PARAM += -D enable_mls
+       M4PARAM += -D enable_mls
        CHECKPOLICY += -M
-       CHECKMODULE += -M
 endif
 
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
-       override M4PARAM += -D enable_mcs
-       CHECKPOLICY += -M
-       CHECKMODULE += -M
+ifeq ($(NAME),)
+       NAME := xenpolicy
 endif
 
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-       override M4PARAM += -D targeted_policy
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
-       override M4PARAM += -D distro_$(DISTRO)
-endif
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
 
 ifneq ($(OUTPUT_POLICY),)
        CHECKPOLICY += -c $(OUTPUT_POLICY)
+       POLVER = $(NAME).$(OUTPUT_POLICY)
+else
+       POLVER +=$(NAME).$(PV)
 endif
 
-ifeq ($(NAME),)
-       NAME := $(TYPE)
-endif
 
 # determine the policy version and current kernel version if possible
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-KV := $(shell cat /selinux/policyvers)
-
-# dont print version warnings if we are unable to determine
-# the currently running kernel's policy version
-ifeq ($(KV),)
-       KV := $(PV)
-endif
-
-FC := file_contexts
-POLVER := policy.$(PV)
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D 
hide_broken_symptoms
 
 M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 
-APPCONF := config/appconfig-$(TYPE)
-APPDIR := $(CONTEXTPATH)
-APPFILES := $(INSTALLDIR)/booleans
-CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
-
 ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) 
-maxdepth 0 -type d))
 
-GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.te.in)))
-GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.if.in)))
-GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.fc.in)))
-
 # sort here since it removes duplicates, which can happen
 # when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) 
$(GENERATED_TE))
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))) 
 
-# modules.conf setting for base module
-MODBASE := base
-
-# modules.conf setting for module
-MODMOD := module
+# modules.conf setting for policy configuration
+MODENABLED := on
 
 # extract settings from modules.conf
-BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == 
"$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find 
-iname $(mod).te)))
-MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == 
"$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find 
-iname $(mod).te)))
+ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 
== "$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell 
find -iname $(mod).te)))
 
-HOMEDIR_TEMPLATE = tmp/homedir_template
+ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
+
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf 
tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf 
tmp/all_post.conf
 
 ########################################
 #
-# Load appropriate rules
+# default action: build policy locally
 #
+default: policy
 
-ifeq ($(MONOLITHIC),y)
-       include Rules.monolithic
-else
-       include Rules.modular
-endif
+policy: $(POLVER)
+
+install: $(LOADPATH)
+
+load: tmp/load
 
 ########################################
 #
-# Create config files
+# Build a binary policy locally
 #
-conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
-
-$(MOD_CONF) $(BOOLEANS): $(POLXML)
-       @echo "Updating $(MOD_CONF) and $(BOOLEANS)"
-       $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) 
-x ../$(POLXML)
+$(POLVER): policy.conf
+       @echo "Compiling $(NAME) $(POLVER)"
+       $(QUIET) $(CHECKPOLICY) $^ -o $@
 
 ########################################
 #
-# Appconfig files
+# Install a binary policy
 #
-install-appconfig: $(APPFILES)
-
-$(INSTALLDIR)/booleans: $(BOOLEANS)
-       @mkdir -p $(INSTALLDIR)
-       $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
-               | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
-       $(QUIET) install -m 644 tmp/booleans $@
+$(LOADPATH): policy.conf
+       @echo "Compiling and installing $(NAME) $(LOADPATH)"
+       $(QUIET) $(CHECKPOLICY) $^ -o $@
 
 ########################################
 #
-# Install policy sources
+# Load the binary policy
 #
-install-src:
-       rm -rf $(SRCPATH)/policy.old
-       -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-       mkdir -p $(SRCPATH)/policy
-       cp -R . $(SRCPATH)/policy
+reload tmp/load: $(LOADPATH) $(FCPATH)
+       @echo "Loading $(NAME) $(LOADPATH)"
+       $(QUIET) $(LOADPOLICY) $(LOADPATH)
+       @touch tmp/load
 
 ########################################
 #
-# Clean everything
+# Construct a monolithic policy.conf
 #
-bare: clean
-       rm -f $(POLXML)
-       rm -f $(SUPPORT)/*.pyc
-       rm -f $(FCSORT)
-       rm -f $(MOD_CONF)
-       rm -f $(BOOLEANS)
-       rm -fR $(HTMLDIR)
-ifneq ($(GENERATED_TE),)
-       rm -f $(GENERATED_TE)
+policy.conf: $(POLICY_SECTIONS)
+       @echo "Creating $(NAME) policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+       $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a 
modules.conf file)
 endif
-ifneq ($(GENERATED_IF),)
-       rm -f $(GENERATED_IF)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+ifeq ($(ALL_TE_FILES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) please create a 
modules.conf file)
 endif
-ifneq ($(GENERATED_FC),)
-       rm -f $(GENERATED_FC)
-endif
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
 
-.PHONY: install-src install-appconfig conf html bare
+tmp/post_te_files.conf: $(POST_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: 
tmp/all_te_files.conf tmp/post_te_files.conf
+       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
+       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
+                       < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: policy.conf
+       @test -d tmp || mkdir -p tmp
+       @echo "Removing dontaudit rules from policy.conf"
+       $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
+       $(QUIET) mv tmp/policy.audit policy.conf
+
+########################################
+#
+# Clean the built policies. 
+#
+clean:
+       rm -fR tmp
+       rm -f policy.conf
+       rm -f $(POLVER)
+
+.PHONY: default policy install load reload enableaudit clean
diff -r 4e2ffbd99aeb tools/flask/policy/Rules.modular
--- a/tools/flask/policy/Rules.modular  Wed Aug 19 14:23:30 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,166 +0,0 @@
-########################################
-#
-# Rules and Targets for building modular policies
-#
-
-ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-
-BASE_PKG := base.pp
-BASE_FC := base.fc
-
-BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf 
tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) 
tmp/only_te_rules.conf tmp/all_post.conf
-
-BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
$(POLDIR)/mcs
-BASE_TE_FILES := $(BASE_MODS)
-BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
-BASE_FC_FILES := $(BASE_MODS:.te=.fc)
-
-MOD_MODULES := $(MOD_MODS:.te=.mod)
-MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
-
-# search layer dirs for source files
-vpath %.te $(ALL_LAYERS)
-vpath %.if $(ALL_LAYERS)
-vpath %.fc $(ALL_LAYERS)
-
-########################################
-#
-# default action: create all module packages
-#
-default: base
-
-base: $(BASE_PKG)
-
-modules: $(MOD_PKGS)
-
-#policy: $(POLVER)
-#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-#load: tmp/load
-
-########################################
-#
-# Create a base module package
-#
-$(BASE_PKG): tmp/base.mod $(BASE_FC)
-       @echo "Creating $(NAME) base module package"
-       $(QUIET) $(SEMOD_PKG) $@ $^
-
-########################################
-#
-# Compile a base module
-#
-tmp/base.mod: base.conf
-       @echo "Compiling $(NAME) base module"
-       $(QUIET) $(CHECKMODULE) $^ -o $@
-
-########################################
-#
-# Construct a base module policy.conf
-#
-base.conf: $(BASE_SECTIONS)
-       @echo "Creating $(NAME) base module policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
-       $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
-       $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp 
> $@
-# the ordering of these ocontexts matters:
-       $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
-       $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
-       $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
-
-tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-# define all available object classes
-       $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
-# per-userdomain templates
-       $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
-       $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
-               echo 
"ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')"
 \
-                       >> $@ ;\
-       done
-       $(QUIET) echo "')" >> $@
-# define foo.te
-       $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
-               echo "define(\`$$i')" >> $@ ;\
-       done
-       $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(BASE_TE_FILES)
-ifeq ($(BASE_TE_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.  portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: 
tmp/all_te_files.conf tmp/post_te_files.conf
-       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
-       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
-       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
-       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
-       $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> 
tmp/all_post.conf || true
-       $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || 
true
-       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
-                       -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
-                       < tmp/all_te_files.conf > tmp/only_te_rules.conf
-
-########################################
-#
-# Construct base module file contexts
-#
-$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) 
$(FCSORT)
-ifeq ($(BASE_FC_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @echo "Creating $(NAME) base module file contexts."
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf 
$(BASE_FC_FILES) > tmp/$@.tmp
-       $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
-       $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
-       $(QUIET) $(FCSORT) tmp/$@.tmp $@
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf 
%.te
-       @if test -z "$(filter $^,$(MOD_MODS))"; then \
-               echo "The $(notdir $(basename $@)) module is not configured to 
be compiled as a lodable module." ;\
-               false ;\
-       fi
-       @echo "Compliling $(NAME) $(@F) module"
-       $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
-       $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-%.pp: tmp/%.mod %.fc
-       @echo "Creating $(NAME) $(@F) policy package"
-       $(QUIET) $(SEMOD_PKG) $@ $^
-
-########################################
-#
-# Clean the sources
-#
-clean:
-       rm -fR tmp
-       rm -f base.conf
-       rm -f *.pp
-       rm -f $(BASE_FC)
-
-.PHONY: default base modules clean
diff -r 4e2ffbd99aeb tools/flask/policy/Rules.monolithic
--- a/tools/flask/policy/Rules.monolithic       Wed Aug 19 14:23:30 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,196 +0,0 @@
-########################################
-#
-# Rules and Targets for building monolithic policies
-#
-
-# install paths
-POLICYPATH = $(INSTALLDIR)/policy
-LOADPATH = $(POLICYPATH)/$(POLVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-# for monolithic policy use all base and module to create policy
-ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
-
-ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
-
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
$(POLDIR)/mcs
-POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
-
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf 
tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) 
tmp/only_te_rules.conf tmp/all_post.conf
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
-
-policy: $(POLVER)
-
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
-
-load: tmp/load
-
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
-       @echo "Compiling $(NAME) $(POLVER)"
-ifneq ($(PV),$(KV))
-       @echo
-       @echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set 
correctly?"
-       @echo
-endif
-       $(QUIET) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
-       @mkdir -p $(POLICYPATH)
-       @echo "Compiling and installing $(NAME) $(LOADPATH)"
-ifneq ($(PV),$(KV))
-       @echo
-       @echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set 
correctly?"
-       @echo
-endif
-       $(QUIET) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-reload tmp/load: $(LOADPATH) $(FCPATH)
-       @echo "Loading $(NAME) $(LOADPATH)"
-       $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
-       @touch tmp/load
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
-policy.conf: $(POLICY_SECTIONS)
-       @echo "Creating $(NAME) policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
-       $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
-       $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp 
> $@
-
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
-# per-userdomain templates:
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
-       $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
-               echo 
"ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')"
 \
-                       >> $@ ;\
-       done
-       $(QUIET) echo "')" >> $@
-# define foo.te
-       $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
-               echo "define(\`$$i')" >> $@ ;\
-       done
-#      $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.  portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: 
tmp/all_te_files.conf tmp/post_te_files.conf
-       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
-       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
-       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
-       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
-       $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> 
tmp/all_post.conf || true
-       $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || 
true
-       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
-                       -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
-                       < tmp/all_te_files.conf > tmp/only_te_rules.conf
-
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: policy.conf
-       @test -d tmp || mkdir -p tmp
-       @echo "Removing dontaudit rules from policy.conf"
-       $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
-       $(QUIET) mv tmp/policy.audit policy.conf
-
-########################################
-#
-# Construct file_contexts
-#
-$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
-ifeq ($(ALL_FC_FILES),)
-       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
-endif
-       @echo "Creating $(NAME) file_contexts."
-       @test -d tmp || mkdir -p tmp
-       $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf 
$(ALL_FC_FILES) > tmp/$@.tmp
-#      $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
-#      $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
-#      $(QUIET) $(FCSORT) tmp/$@.tmp $@
-       $(QUIET) touch $(HOMEDIR_TEMPLATE)
-       $(QUIET) touch $@
-
-########################################
-#
-# Install file_contexts
-#
-$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
-       @echo "Validating $(NAME) file_contexts."
-#      $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
-       @echo "Installing file_contexts."
-       @mkdir -p $(CONTEXTPATH)/files
-       $(QUIET) install -m 644 $(FC) $(FCPATH)
-       $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-#      $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
-
-########################################
-#
-# Run policy source checks
-#
-check: policy.conf $(FC)
-       $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) 
> $@.res
-
-longcheck: policy.conf $(FC)
-       $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
-
-########################################
-#
-# Clean the sources
-#
-clean:
-       rm -fR tmp
-       rm -f policy.conf
-       rm -f policy.$(PV)
-       rm -f $(FC)
-       rm -f *.res
-
-.PHONY: default policy install load reload enableaudit checklabels 
restorelabels relabel check longcheck clean
diff -r 4e2ffbd99aeb tools/flask/policy/policy/mcs
--- a/tools/flask/policy/policy/mcs     Wed Aug 19 14:23:30 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,324 +0,0 @@
-ifdef(`enable_mcs',`
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#           | not expression
-#           | expression and expression
-#           | expression or expression
-#           | u1 op u2
-#           | r1 role_mls_op r2
-#           | t1 op t2
-#           | l1 role_mls_op l2
-#           | l1 role_mls_op h2
-#           | h1 role_mls_op l2
-#           | h1 role_mls_op h2
-#           | l1 role_mls_op h1
-#           | l2 role_mls_op h2
-#           | u1 op names
-#           | u2 op names
-#           | r1 op names
-#           | r2 op names
-#           | t1 op names
-#           | t2 op names
-#           | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#           | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#           | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-
-') dnl end enable_mcs
diff -r 4e2ffbd99aeb tools/flask/policy/policy/mls
--- a/tools/flask/policy/policy/mls     Wed Aug 19 14:23:30 2009 +0100
+++ b/tools/flask/policy/policy/mls     Thu Aug 20 11:21:01 2009 -0400
@@ -1,317 +1,27 @@
-
 ifdef(`enable_mls',`
 #
 # Define sensitivities 
 #
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
+# Domination of sensitivities is in increasin
+# numerical order, with s0 being the lowest
 
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
+gen_sens(mls_num_sens)
 
 #
 # Define the categories
 #
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
+# Generate declarations
 
+gen_cats(mls_num_cats)
 
 #
 # Each MLS level specifies a sensitivity and zero or more categories which may
 # be associated with that sensitivity.
 #
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
+# Generate levels from all sensitivities
+# with all categories
 
+gen_levels(mls_num_sens,mls_num_cats)
 
 #
 # Define the MLS policy
@@ -350,5 +60,24 @@
 # name_list : name | name_list name
 #
 
+#
+# MLS policy for the domain class
+#
+
+# new domain labels must be dominated by the calling subject clearance
+# and sensitivity level changes require privilege
+mlsconstrain domain transition
+       (( h1 dom h2 ) and (( l1 eq l2 ) or (t1 == mls_priv)));
+
+# all the domain "read" ops
+mlsconstrain domain { getvcpuaffinity getdomaininfo getvcpuinfo getvcpucontext 
getaddrsize getextvcpucontext }
+       ((l1 dom l2) or (t1 == mls_priv));
+
+# all the domain "write" ops
+mlsconstrain domain { setvcpucontext pause unpause resume create max_vcpus 
destroy setvcpuaffinity scheduler setdomainmaxmem setdomainhandle setdebugging 
hypercall settime set_target shutdown setaddrsize trigger setextvcpucontext }
+       ((l1 eq l2) or (t1 == mls_priv));
+
+# This is incomplete - similar constraints must be written for all classes
+# and permissions for which MLS enforcement is desired.
 
 ') dnl end enable_mls
diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules.conf
--- a/tools/flask/policy/policy/modules.conf    Wed Aug 19 14:23:30 2009 +0100
+++ b/tools/flask/policy/policy/modules.conf    Thu Aug 20 11:21:01 2009 -0400
@@ -1,14 +1,8 @@
 #
 # This file contains a listing of available modules.
 # To prevent a module from  being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module.  "module" will be compiled
-# as individual loadable modules.
+# creation, set the module name to "off" otherwise
+# set the module name on "on".
 #
 
 # Layer: xen
@@ -17,5 +11,5 @@
 #
 # Policy for xen.
 # 
-xen = base
+xen = on
 
diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules/xen/xen.if
--- a/tools/flask/policy/policy/modules/xen/xen.if      Wed Aug 19 14:23:30 
2009 +0100
+++ b/tools/flask/policy/policy/modules/xen/xen.if      Thu Aug 20 11:21:01 
2009 -0400
@@ -1,1 +1,62 @@
+###############################################################################
 #
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+       type $2, domain_type;
+       allow $1 $2:domain {create max_vcpus setdomainmaxmem 
+                               setaddrsize getdomaininfo hypercall 
+                               setvcpucontext scheduler unpause 
+                               getvcpuinfo getaddrsize getvcpuaffinity};
+       allow $1 $2:shadow {enable};
+       allow $1 $2:mmu {map_read map_write adjust physmap};
+       allow $2 $2:mmu {adjust physmap};
+       allow $1 $3:event {create};
+')
+
+###############################################################################
+#
+# create_hvm_dom(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_hvm_dom', `
+       create_domain($1, $2, $3)
+       allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel 
pcilevel };
+       allow $2 $2:hvm setparam;
+')     
+
+###############################################################################
+#
+# create_pv_dom(priv_dom, domain, channel, iodomain)
+#
+################################################################################
+define(`create_pv_dom', `
+       create_domain($1, $2, $3)
+       allow $1 $2:mmu {memorymap pinpage};
+       allow $2 $2:mmu {map_read map_write pinpage};
+       allow $2 $4:mmu {map_read};
+       
+       allow $2 $2:grant {query setup};
+       allow $1 $2:grant {map_read unmap};
+')     
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+       allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+       type $3, event_type;
+       type_transition $1 $2:event $3;
+       allow $1 $3:event {create};
+       allow $3 $2:event {bind};
+')
diff -r 4e2ffbd99aeb tools/flask/policy/policy/modules/xen/xen.te
--- a/tools/flask/policy/policy/modules/xen/xen.te      Wed Aug 19 14:23:30 
2009 +0100
+++ b/tools/flask/policy/policy/modules/xen/xen.te      Thu Aug 20 11:21:01 
2009 -0400
@@ -2,10 +2,11 @@
 attribute domain_type;
 attribute resource_type;
 attribute event_type;
+attribute mls_priv;
 
-type xen_t, xen_type, domain_type;
+type xen_t, xen_type, domain_type, mls_priv;
 
-type dom0_t, domain_type;
+type dom0_t, domain_type, mls_priv;
 
 type domio_t, domain_type;
 
@@ -22,47 +23,6 @@
 
 
################################################################################
 #
-# create_domain(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_domain', `
-       type $2, domain_type;
-       allow $1 $2:domain {create max_vcpus setdomainmaxmem 
-                               setaddrsize getdomaininfo hypercall 
-                               setvcpucontext scheduler unpause 
-                               getvcpuinfo getaddrsize getvcpuaffinity};
-       allow $1 $2:shadow {enable};
-       allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
-       allow $2 $2:mmu {map_read map_write adjust pinpage};
-       allow $2 domio_t:mmu {map_read};
-       allow $2 $2:grant {query setup};
-       allow $1 $2:grant {map_read unmap};
-       allow $1 $3:event {create};
-')
-
-################################################################################
-#
-# manage_domain(priv_dom, domain)
-#
-################################################################################
-define(`manage_domain', `
-       allow $1 $2:domain {pause destroy};
-')
-
-################################################################################
-#
-# create_channel(caller, peer, channel)
-#
-################################################################################
-define(`create_channel', `
-       type $3, event_type;
-       type_transition $1 $2:event $3;
-       allow $1 $3:event {create};
-       allow $3 $2:event {bind};
-')
-
-################################################################################
-#
 # Boot the hypervisor and dom0
 #
 
################################################################################
@@ -85,7 +45,9 @@
 allow xen_t iomem_t:resource {add_iomem remove_iomem};
 allow dom0_t iomem_t:resource {use};
 allow xen_t pirq_t:resource {add_irq remove_irq};
-allow dom0_t pirq_t:resource {use};
+allow dom0_t pirq_t:resource { add_irq remove_irq use};
+allow dom0_t dom0_t:resource { add remove };
+allow dom0_t xen_t:xen firmware;
 
 allow dom0_t security_t:security {compute_av compute_create compute_member 
 check_context load_policy compute_relabel compute_user setenforce setbool
@@ -99,7 +61,7 @@
 # Create and manage a domU w/ dom0 IO
 #
 
################################################################################
-create_domain(dom0_t, domU_t, evchnU-0_t)
+create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t)
 
 create_channel(domU_t, domU_t, evchnU-U_t)
 allow domU_t evchnU-U_t:event {send};
@@ -118,6 +80,27 @@
 
 
################################################################################
 #
+# Create and manage an HVM domU w/ dom0 IO
+#
+################################################################################
+create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t)
+allow dom0_t evchn0-HU_t:event {send};
+
+create_channel(domHU_t, domHU_t, evchnHU-HU_t)
+allow domHU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domHU_t, evchn0-HU_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domHU_t, dom0_t, evchnHU-0_t)
+allow domHU_t evchnU-0_t:event {send};
+
+allow dom0_t dom0_t:event {send};
+
+manage_domain(dom0_t, domHU_t)
+
+################################################################################
+#
 #
 #
 
################################################################################
@@ -134,6 +117,3 @@
 sid device gen_context(system_u:object_r:device_t,s0)
 
 role system_r types { xen_type domain_type };
-role user_r types { xen_type domain_type };
-role sysadm_r types { xen_type domain_type };
-role staff_r types { xen_type domain_type };
diff -r 4e2ffbd99aeb tools/flask/policy/policy/support/misc_macros.spt
--- a/tools/flask/policy/policy/support/misc_macros.spt Wed Aug 19 14:23:30 
2009 +0100
+++ b/tools/flask/policy/policy/support/misc_macros.spt Thu Aug 20 11:21:01 
2009 -0400
@@ -11,17 +11,53 @@
 #
 define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
 
+#
+# ifndef(expr,true_block,false_block)
+#
+# m4 does not have this.
+#
+define(`ifndef',`ifdef(`$1',`$3',`$2')')
+
+#
+# __endline__
+#
+# dummy macro to insert a newline.  used for 
+# errprint, so the close parentheses can be
+# indented correctly.
+#
+define(`__endline__',`
+')
+
 ########################################
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+# refpolwarn(message)
 #
-define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range 
$4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+# print a warning message
+#
+define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)')
+
+########################################
+#
+# refpolerr(message)
+#
+# print an error message.  does not
+# make anything fail.
+#
+define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)')
+
+########################################
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range)
+#
+define(`gen_user',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`';
+')
 
 ########################################
 #
 # gen_context(context,mls_sensitivity,[mcs_categories])
 #
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')
 dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'')
 
 ########################################
 #
diff -r 4e2ffbd99aeb tools/flask/policy/policy/support/mls_macros.spt
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/support/mls_macros.spt  Thu Aug 20 11:21:01 
2009 -0400
@@ -0,0 +1,55 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
+define(`mls_allcats',`c0.c`'decr(mls_num_cats)')
diff -r 4e2ffbd99aeb tools/flask/policy/policy/systemuser
--- a/tools/flask/policy/policy/systemuser      Wed Aug 19 14:23:30 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-##################################
-#
-# System User configuration.
-#
-
-#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
-
-# Normal users should not be added to this file,
-# but instead added to the users file.
diff -r 4e2ffbd99aeb tools/flask/policy/policy/users
--- a/tools/flask/policy/policy/users   Wed Aug 19 14:23:30 2009 +0100
+++ b/tools/flask/policy/policy/users   Thu Aug 20 11:21:01 2009 -0400
@@ -1,39 +1,17 @@
-
 ##################################
 #
-# Core User configuration.
+# System User configuration.
 #
 
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+# gen_user(username, role_set, mls_defaultlevel, mls_range)
 #
 
 #
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
 #
-ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
-',`
-gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
-')
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
 
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-ifdef(`targeted_policy',`
-       gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
-',`
-       ifdef(`direct_sysadm_daemon',`
-               gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, 
c0.c127)
-       ',`
-               gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
-       ')
-')


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.