2005-04-20 19:07:16 +00:00
|
|
|
|
2006-03-29 19:18:00 +00:00
|
|
|
policy_module(selinuxutil,1.2.2)
|
2005-04-26 17:00:25 +00:00
|
|
|
|
2005-10-18 18:25:33 +00:00
|
|
|
gen_require(`
|
|
|
|
|
bool secure_mode;
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-04-28 18:59:01 +00:00
|
|
|
# Declarations
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
attribute can_write_binary_policy;
|
|
|
|
|
attribute can_relabelto_binary_policy;
|
|
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
#
|
|
|
|
|
# selinux_config_t is the type applied to
|
|
|
|
|
# /etc/selinux/config
|
|
|
|
|
#
|
|
|
|
|
# cjp: this is out of order due to rules
|
|
|
|
|
# in the domain_type interface
|
|
|
|
|
# (fix dup decl)
|
|
|
|
|
type selinux_config_t;
|
|
|
|
|
files_type(selinux_config_t)
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
type checkpolicy_t, can_write_binary_policy;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(checkpolicy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
role system_r types checkpolicy_t;
|
|
|
|
|
|
|
|
|
|
type checkpolicy_exec_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# default_context_t is the type applied to
|
|
|
|
|
# /etc/selinux/*/contexts/*
|
|
|
|
|
#
|
|
|
|
|
type default_context_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(default_context_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# file_context_t is the type applied to
|
|
|
|
|
# /etc/selinux/*/contexts/files
|
|
|
|
|
#
|
|
|
|
|
type file_context_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(file_context_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
type load_policy_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(load_policy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
role system_r types load_policy_t;
|
|
|
|
|
|
|
|
|
|
type load_policy_exec_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_entry_file(load_policy_t,load_policy_exec_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-09-26 20:26:32 +00:00
|
|
|
type newrole_t;
|
2006-02-02 21:08:12 +00:00
|
|
|
domain_role_change_exemption(newrole_t)
|
|
|
|
|
domain_obj_id_change_exemption(newrole_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(newrole_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_interactive_fd(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
type newrole_exec_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_entry_file(newrole_t,newrole_exec_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# policy_config_t is the type of /etc/security/selinux/*
|
|
|
|
|
# the security server policy configuration.
|
|
|
|
|
#
|
|
|
|
|
type policy_config_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(policy_config_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
2005-10-24 15:10:03 +00:00
|
|
|
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# policy_src_t is the type of the policy source
|
|
|
|
|
# files.
|
|
|
|
|
#
|
|
|
|
|
type policy_src_t;
|
2005-06-29 14:26:41 +00:00
|
|
|
files_type(policy_src_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-09-26 20:26:32 +00:00
|
|
|
type restorecon_t, can_relabelto_binary_policy;
|
2005-05-09 18:50:20 +00:00
|
|
|
type restorecon_exec_t;
|
2006-02-02 21:08:12 +00:00
|
|
|
domain_obj_id_change_exemption(restorecon_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
init_system_domain(restorecon_t,restorecon_exec_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
role system_r types restorecon_t;
|
|
|
|
|
|
2005-05-18 16:03:54 +00:00
|
|
|
type run_init_t;
|
|
|
|
|
type run_init_exec_t;
|
2006-01-18 14:29:34 +00:00
|
|
|
domain_type(run_init_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_entry_file(run_init_t,run_init_exec_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
domain_system_change_exemption(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2006-02-22 21:21:26 +00:00
|
|
|
type semanage_t;
|
|
|
|
|
domain_type(semanage_t)
|
|
|
|
|
|
|
|
|
|
type semanage_exec_t;
|
|
|
|
|
domain_entry_file(semanage_t, semanage_exec_t)
|
|
|
|
|
role system_r types semanage_t;
|
|
|
|
|
|
|
|
|
|
type semanage_store_t;
|
|
|
|
|
files_type(semanage_store_t)
|
|
|
|
|
|
|
|
|
|
type semanage_read_lock_t;
|
|
|
|
|
files_type(semanage_read_lock_t)
|
|
|
|
|
|
|
|
|
|
type semanage_trans_lock_t;
|
|
|
|
|
files_type(semanage_trans_lock_t)
|
|
|
|
|
|
2005-05-09 18:50:20 +00:00
|
|
|
type setfiles_t, can_relabelto_binary_policy;
|
2006-02-02 21:08:12 +00:00
|
|
|
domain_obj_id_change_exemption(setfiles_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_type(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
role system_r types setfiles_t;
|
|
|
|
|
|
|
|
|
|
type setfiles_exec_t;
|
2005-06-13 17:35:46 +00:00
|
|
|
domain_entry_file(setfiles_t,setfiles_exec_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-09-12 21:40:56 +00:00
|
|
|
ifdef(`distro_redhat',`
|
|
|
|
|
init_system_domain(setfiles_t,setfiles_exec_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-04-28 18:59:01 +00:00
|
|
|
# Checkpolicy local policy
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
allow checkpolicy_t self:capability dac_override;
|
2005-04-14 20:18:17 +00:00
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
# able to create and modify binary policy files
|
2005-06-09 18:08:26 +00:00
|
|
|
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
|
|
|
|
|
allow checkpolicy_t policy_config_t:file create_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-05-09 18:50:20 +00:00
|
|
|
# allow test policies to be created in src directories
|
2005-06-09 18:08:26 +00:00
|
|
|
allow checkpolicy_t policy_src_t:dir rw_dir_perms;
|
2005-05-09 18:50:20 +00:00
|
|
|
type_transition checkpolicy_t policy_src_t:file policy_config_t;
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
# only allow read of policy source files
|
2005-06-09 18:08:26 +00:00
|
|
|
allow checkpolicy_t policy_src_t:dir r_dir_perms;
|
|
|
|
|
allow checkpolicy_t policy_src_t:file r_file_perms;
|
|
|
|
|
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
allow checkpolicy_t selinux_config_t:dir search;
|
|
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
fs_getattr_xattr_fs(checkpolicy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
term_use_console(checkpolicy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(checkpolicy_t)
|
2005-05-18 21:00:56 +00:00
|
|
|
|
2005-09-22 21:59:50 +00:00
|
|
|
files_list_usr(checkpolicy_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
# directory search permissions for path to source and binary policy files
|
2005-06-13 17:35:46 +00:00
|
|
|
files_search_etc(checkpolicy_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
init_use_fds(checkpolicy_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
init_use_script_ptys(checkpolicy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(checkpolicy_t)
|
|
|
|
|
libs_use_shared_libs(checkpolicy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_use_all_users_fds(checkpolicy_t)
|
2005-05-18 21:00:56 +00:00
|
|
|
|
2005-10-26 16:00:13 +00:00
|
|
|
ifdef(`targeted_policy',`
|
2006-02-02 21:08:12 +00:00
|
|
|
term_use_generic_ptys(checkpolicy_t)
|
|
|
|
|
term_use_unallocated_ttys(checkpolicy_t)
|
2005-10-26 16:00:13 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Load_policy local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow load_policy_t self:capability dac_override;
|
|
|
|
|
|
|
|
|
|
# only allow read of policy config files
|
|
|
|
|
allow load_policy_t policy_src_t:dir search;
|
2005-06-09 18:08:26 +00:00
|
|
|
allow load_policy_t policy_config_t:dir r_dir_perms;
|
2005-09-12 21:40:56 +00:00
|
|
|
allow load_policy_t policy_config_t:file r_file_perms;
|
|
|
|
|
allow load_policy_t policy_config_t:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-09 18:08:26 +00:00
|
|
|
allow load_policy_t selinux_config_t:dir r_dir_perms;
|
|
|
|
|
allow load_policy_t selinux_config_t:file r_file_perms;
|
|
|
|
|
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-27 16:23:39 +00:00
|
|
|
domain_use_interactive_fds(load_policy_t)
|
|
|
|
|
|
|
|
|
|
# for mcs.conf
|
|
|
|
|
files_read_etc_files(load_policy_t)
|
|
|
|
|
files_read_etc_runtime_files(load_policy_t)
|
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
fs_getattr_xattr_fs(load_policy_t)
|
|
|
|
|
|
2006-02-27 16:23:39 +00:00
|
|
|
mls_file_read_up(load_policy_t)
|
|
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
selinux_get_fs_mount(load_policy_t)
|
|
|
|
|
selinux_load_policy(load_policy_t)
|
|
|
|
|
selinux_set_boolean(load_policy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
term_use_console(load_policy_t)
|
|
|
|
|
term_list_ptys(load_policy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
init_use_script_fds(load_policy_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
init_use_script_ptys(load_policy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(load_policy_t)
|
|
|
|
|
libs_use_shared_libs(load_policy_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
miscfiles_read_localization(load_policy_t)
|
|
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_use_all_users_fds(load_policy_t)
|
2005-05-18 21:00:56 +00:00
|
|
|
|
2006-01-06 22:51:40 +00:00
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
|
|
|
# cjp: cover up stray file descriptors.
|
|
|
|
|
dontaudit load_policy_t selinux_config_t:file write;
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
unconfined_dontaudit_read_pipes(load_policy_t)
|
2006-01-06 22:51:40 +00:00
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
ifdef(`targeted_policy',`
|
2006-02-02 21:08:12 +00:00
|
|
|
term_use_unallocated_ttys(load_policy_t)
|
|
|
|
|
term_use_generic_ptys(load_policy_t)
|
2005-10-31 20:54:33 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Newrole local policy
|
|
|
|
|
#
|
|
|
|
|
|
2005-09-16 19:36:10 +00:00
|
|
|
allow newrole_t self:capability { fowner setuid setgid dac_override };
|
2005-09-01 20:13:42 +00:00
|
|
|
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
2005-04-28 18:59:01 +00:00
|
|
|
allow newrole_t self:process setexec;
|
|
|
|
|
allow newrole_t self:fd use;
|
2005-06-09 18:08:26 +00:00
|
|
|
allow newrole_t self:fifo_file rw_file_perms;
|
2005-11-08 22:00:30 +00:00
|
|
|
allow newrole_t self:sock_file r_file_perms;
|
2005-06-09 18:08:26 +00:00
|
|
|
allow newrole_t self:shm create_shm_perms;
|
|
|
|
|
allow newrole_t self:sem create_sem_perms;
|
|
|
|
|
allow newrole_t self:msgq create_msgq_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
allow newrole_t self:msg { send receive };
|
2005-10-14 17:55:40 +00:00
|
|
|
allow newrole_t self:unix_dgram_socket sendto;
|
2005-11-10 21:37:54 +00:00
|
|
|
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
2006-01-06 22:51:40 +00:00
|
|
|
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-09 18:08:26 +00:00
|
|
|
allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
|
|
|
|
|
allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
|
|
|
|
|
allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
kernel_read_system_state(newrole_t)
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_read_kernel_sysctls(newrole_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
|
|
|
|
dev_read_urand(newrole_t)
|
|
|
|
|
|
|
|
|
|
fs_getattr_xattr_fs(newrole_t)
|
2005-06-27 16:30:55 +00:00
|
|
|
fs_search_auto_mountpoints(newrole_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
2005-09-26 20:26:32 +00:00
|
|
|
mls_file_read_up(newrole_t)
|
|
|
|
|
mls_file_write_down(newrole_t)
|
|
|
|
|
mls_file_upgrade(newrole_t)
|
|
|
|
|
mls_file_downgrade(newrole_t)
|
|
|
|
|
mls_process_set_level(newrole_t)
|
|
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
selinux_get_fs_mount(newrole_t)
|
|
|
|
|
selinux_validate_context(newrole_t)
|
|
|
|
|
selinux_compute_access_vector(newrole_t)
|
|
|
|
|
selinux_compute_create_context(newrole_t)
|
|
|
|
|
selinux_compute_relabel_context(newrole_t)
|
|
|
|
|
selinux_compute_user_contexts(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
term_use_all_user_ttys(newrole_t)
|
|
|
|
|
term_use_all_user_ptys(newrole_t)
|
2005-06-21 17:01:45 +00:00
|
|
|
term_relabel_all_user_ttys(newrole_t)
|
|
|
|
|
term_relabel_all_user_ptys(newrole_t)
|
2006-03-23 19:19:38 +00:00
|
|
|
term_getattr_unallocated_ttys(newrole_t)
|
2006-02-13 22:05:08 +00:00
|
|
|
term_dontaudit_use_unallocated_ttys(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
auth_domtrans_chk_passwd(newrole_t)
|
2005-05-04 17:01:46 +00:00
|
|
|
|
2005-11-08 22:00:30 +00:00
|
|
|
corecmd_list_bin(newrole_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
corecmd_read_bin_symlinks(newrole_t)
|
2005-11-08 22:00:30 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(newrole_t)
|
2005-06-29 20:53:53 +00:00
|
|
|
# for when the user types "exec newrole" at the command line:
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_sigchld_interactive_fds(newrole_t)
|
2005-05-04 17:01:46 +00:00
|
|
|
|
2005-05-19 21:06:06 +00:00
|
|
|
# Write to utmp.
|
2006-01-18 18:08:39 +00:00
|
|
|
init_rw_utmp(newrole_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(newrole_t)
|
2005-06-29 20:53:53 +00:00
|
|
|
files_read_var_files(newrole_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_read_var_symlinks(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(newrole_t)
|
|
|
|
|
libs_use_shared_libs(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(newrole_t)
|
2005-05-09 18:50:20 +00:00
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
miscfiles_read_localization(newrole_t)
|
|
|
|
|
|
2006-02-21 18:40:44 +00:00
|
|
|
userdom_use_unpriv_users_fds(newrole_t)
|
2005-07-11 19:02:50 +00:00
|
|
|
# for some PAM modules and for cwd
|
2006-02-21 18:40:44 +00:00
|
|
|
userdom_dontaudit_search_all_users_home_content(newrole_t)
|
2005-05-09 18:50:20 +00:00
|
|
|
|
2005-11-01 21:15:11 +00:00
|
|
|
ifdef(`targeted_policy',`
|
|
|
|
|
# newrole does not make any sense in
|
|
|
|
|
# the targeted policy. This is to
|
|
|
|
|
# make sediff easier.
|
|
|
|
|
if(!secure_mode) {
|
|
|
|
|
unconfined_domtrans(newrole_t)
|
|
|
|
|
}
|
|
|
|
|
',`
|
|
|
|
|
# if secure mode is enabled, then newrole
|
|
|
|
|
# can only transition to unprivileged users
|
|
|
|
|
if(secure_mode) {
|
|
|
|
|
userdom_spec_domtrans_unpriv_users(newrole_t)
|
|
|
|
|
} else {
|
|
|
|
|
userdom_spec_domtrans_all_users(newrole_t)
|
|
|
|
|
}
|
|
|
|
|
')
|
2005-06-21 17:01:45 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2005-06-27 16:30:55 +00:00
|
|
|
nis_use_ypbind(newrole_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-02-02 21:08:12 +00:00
|
|
|
nscd_socket_use(newrole_t)
|
2005-07-13 20:48:51 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Restorecon local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow restorecon_t self:capability { dac_override dac_read_search fowner };
|
2006-01-17 17:50:10 +00:00
|
|
|
allow restorecon_t self:fifo_file rw_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-09 18:08:26 +00:00
|
|
|
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
|
|
|
|
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
|
|
|
|
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
kernel_use_fds(restorecon_t)
|
2006-01-31 16:49:43 +00:00
|
|
|
kernel_rw_pipes(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
kernel_read_system_state(restorecon_t)
|
2006-02-03 17:57:16 +00:00
|
|
|
kernel_relabelfrom_unlabeled_dirs(restorecon_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_files(restorecon_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_pipes(restorecon_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_sockets(restorecon_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
2006-02-03 17:57:16 +00:00
|
|
|
dev_relabel_all_dev_nodes(restorecon_t)
|
2005-07-11 19:02:50 +00:00
|
|
|
# cjp: why is this needed?
|
2006-01-31 16:08:56 +00:00
|
|
|
dev_rw_generic_files(restorecon_t)
|
2005-07-11 19:02:50 +00:00
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
fs_getattr_xattr_fs(restorecon_t)
|
2005-10-14 17:55:40 +00:00
|
|
|
fs_search_auto_mountpoints(restorecon_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
2005-10-13 20:59:36 +00:00
|
|
|
mls_file_read_up(restorecon_t)
|
|
|
|
|
mls_file_write_down(restorecon_t)
|
|
|
|
|
mls_file_upgrade(restorecon_t)
|
|
|
|
|
mls_file_downgrade(restorecon_t)
|
|
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
selinux_get_fs_mount(restorecon_t)
|
|
|
|
|
selinux_validate_context(restorecon_t)
|
|
|
|
|
selinux_compute_access_vector(restorecon_t)
|
|
|
|
|
selinux_compute_create_context(restorecon_t)
|
|
|
|
|
selinux_compute_relabel_context(restorecon_t)
|
|
|
|
|
selinux_compute_user_contexts(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-02 21:08:12 +00:00
|
|
|
term_use_unallocated_ttys(restorecon_t)
|
2005-09-16 21:20:37 +00:00
|
|
|
term_use_all_user_ttys(restorecon_t)
|
|
|
|
|
term_use_all_user_ptys(restorecon_t)
|
2005-05-04 17:01:46 +00:00
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
init_use_fds(restorecon_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
init_use_script_ptys(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(restorecon_t)
|
2006-02-13 22:05:08 +00:00
|
|
|
domain_dontaudit_search_all_domains_state(restorecon_t)
|
2005-05-04 17:01:46 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_etc_runtime_files(restorecon_t)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(restorecon_t)
|
|
|
|
|
libs_use_shared_libs(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_use_all_users_fds(restorecon_t)
|
2005-05-18 21:00:56 +00:00
|
|
|
|
2005-05-25 20:58:21 +00:00
|
|
|
files_relabel_all_files(restorecon_t)
|
2006-01-31 19:21:01 +00:00
|
|
|
files_list_all(restorecon_t)
|
2005-05-09 18:50:20 +00:00
|
|
|
# this is to satisfy the assertion:
|
2005-06-13 17:35:46 +00:00
|
|
|
auth_relabelto_shadow(restorecon_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-07 18:45:47 +00:00
|
|
|
ifdef(`distro_redhat', `
|
2006-01-31 20:29:27 +00:00
|
|
|
fs_rw_tmpfs_chr_files(restorecon_t)
|
|
|
|
|
fs_rw_tmpfs_blk_files(restorecon_t)
|
|
|
|
|
fs_relabel_tmpfs_blk_file(restorecon_t)
|
|
|
|
|
fs_relabel_tmpfs_chr_file(restorecon_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
|
2005-07-11 19:02:50 +00:00
|
|
|
ifdef(`hide_broken_symptoms',`
|
2006-03-24 16:48:35 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
udev_dontaudit_rw_dgram_sockets(restorecon_t)
|
|
|
|
|
')
|
2005-07-11 19:02:50 +00:00
|
|
|
')
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-02 23:41:11 +00:00
|
|
|
hotplug_use_fds(restorecon_t)
|
2005-06-21 17:01:45 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
ifdef(`TODO',`
|
|
|
|
|
# for upgrading glibc and other shared objects - without this the upgrade
|
|
|
|
|
# scripts will put things in a state such that restorecon can not be run!
|
|
|
|
|
allow restorecon_t lib_t:file { read execute };
|
2005-09-16 21:20:37 +00:00
|
|
|
ifdef(`dpkg.te', `
|
|
|
|
|
domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
|
|
|
|
|
')
|
2005-04-28 18:59:01 +00:00
|
|
|
') dnl endif TODO
|
|
|
|
|
|
2005-11-08 22:00:30 +00:00
|
|
|
allow restorecon_t kernel_t:unix_dgram_socket { read write };
|
|
|
|
|
|
2005-05-18 16:03:54 +00:00
|
|
|
#################################
|
|
|
|
|
#
|
|
|
|
|
# Run_init local policy
|
|
|
|
|
#
|
|
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
selinux_get_fs_mount(run_init_t)
|
|
|
|
|
selinux_validate_context(run_init_t)
|
|
|
|
|
selinux_compute_access_vector(run_init_t)
|
|
|
|
|
selinux_compute_create_context(run_init_t)
|
|
|
|
|
selinux_compute_relabel_context(run_init_t)
|
|
|
|
|
selinux_compute_user_contexts(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2006-02-21 15:57:49 +00:00
|
|
|
ifdef(`direct_sysadm_daemon',`',`
|
|
|
|
|
ifdef(`distro_gentoo',`
|
|
|
|
|
# Gentoo integrated run_init:
|
|
|
|
|
init_script_file_entry_type(run_init_t)
|
|
|
|
|
')
|
|
|
|
|
')
|
|
|
|
|
|
2005-06-07 18:45:47 +00:00
|
|
|
ifdef(`targeted_policy',`',`
|
2005-06-03 12:25:14 +00:00
|
|
|
allow run_init_t self:process setexec;
|
|
|
|
|
allow run_init_t self:capability setuid;
|
2005-06-09 18:08:26 +00:00
|
|
|
allow run_init_t self:fifo_file rw_file_perms;
|
2006-01-27 20:13:08 +00:00
|
|
|
allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
# often the administrator runs such programs from a directory that is owned
|
|
|
|
|
# by a different user or has restrictive SE permissions, do not want to audit
|
|
|
|
|
# the failed access to the current directory
|
|
|
|
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
fs_getattr_xattr_fs(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
term_dontaudit_list_ptys(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2006-01-31 21:43:09 +00:00
|
|
|
auth_domtrans_chk_passwd(run_init_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
auth_dontaudit_read_shadow(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
corecmd_exec_bin(run_init_t)
|
|
|
|
|
corecmd_exec_shell(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(run_init_t)
|
2005-06-13 17:35:46 +00:00
|
|
|
files_dontaudit_search_all_dirs(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
init_domtrans_script(run_init_t)
|
2005-06-03 12:25:14 +00:00
|
|
|
# for utmp
|
2006-01-18 18:08:39 +00:00
|
|
|
init_rw_utmp(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(run_init_t)
|
|
|
|
|
libs_use_shared_libs(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
seutil_read_config(run_init_t)
|
|
|
|
|
seutil_read_default_contexts(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-03 12:25:14 +00:00
|
|
|
miscfiles_read_localization(run_init_t)
|
2005-05-18 16:03:54 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(run_init_t)
|
2006-01-16 18:30:14 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-01-16 18:30:14 +00:00
|
|
|
daemontools_domtrans_start(run_init_t)
|
|
|
|
|
')
|
2006-03-23 19:19:38 +00:00
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-23 19:19:38 +00:00
|
|
|
nscd_socket_use(run_init_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-05-18 16:03:54 +00:00
|
|
|
') dnl end ifdef targeted policy
|
|
|
|
|
|
2006-02-22 21:21:26 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# semodule local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
|
|
|
|
|
|
allow semanage_t policy_config_t:file { read write };
|
|
|
|
|
|
|
|
|
|
kernel_read_system_state(semanage_t)
|
|
|
|
|
kernel_read_kernel_sysctls(semanage_t)
|
|
|
|
|
|
|
|
|
|
corecmd_exec_bin(semanage_t)
|
|
|
|
|
corecmd_exec_sbin(semanage_t)
|
|
|
|
|
|
|
|
|
|
files_read_etc_files(semanage_t)
|
|
|
|
|
files_read_usr_files(semanage_t)
|
|
|
|
|
files_list_pids(semanage_t)
|
|
|
|
|
|
|
|
|
|
mls_file_write_down(semanage_t)
|
|
|
|
|
mls_rangetrans_target(semanage_t)
|
2006-03-23 19:19:38 +00:00
|
|
|
mls_file_read_up(semanage_t)
|
2006-02-22 21:21:26 +00:00
|
|
|
|
|
|
|
|
selinux_get_enforce_mode(semanage_t)
|
|
|
|
|
|
|
|
|
|
term_use_all_terms(semanage_t)
|
|
|
|
|
|
|
|
|
|
libs_use_ld_so(semanage_t)
|
|
|
|
|
libs_use_shared_libs(semanage_t)
|
|
|
|
|
libs_use_lib_files(semanage_t)
|
|
|
|
|
|
|
|
|
|
seutil_search_default_contexts(semanage_t)
|
2006-03-29 19:18:00 +00:00
|
|
|
seutil_manage_file_contexts(semanage_t)
|
2006-03-23 19:19:38 +00:00
|
|
|
seutil_manage_selinux_config(semanage_t)
|
2006-02-22 21:21:26 +00:00
|
|
|
seutil_domtrans_setfiles(semanage_t)
|
|
|
|
|
seutil_domtrans_loadpolicy(semanage_t)
|
|
|
|
|
seutil_read_config(semanage_t)
|
|
|
|
|
seutil_manage_bin_policy(semanage_t)
|
|
|
|
|
seutil_use_newrole_fds(semanage_t)
|
|
|
|
|
seutil_manage_module_store(semanage_t)
|
|
|
|
|
seutil_get_semanage_trans_lock(semanage_t)
|
|
|
|
|
seutil_get_semanage_read_lock(semanage_t)
|
|
|
|
|
|
2006-03-24 16:13:54 +00:00
|
|
|
optional_policy(`
|
2006-03-23 19:19:38 +00:00
|
|
|
nscd_socket_use(semanage_t)
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-28 18:59:01 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Setfiles local policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow setfiles_t self:capability { dac_override dac_read_search fowner };
|
2006-01-17 17:50:10 +00:00
|
|
|
allow setfiles_t self:fifo_file rw_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-09 18:08:26 +00:00
|
|
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
|
|
|
|
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
|
|
|
|
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
kernel_read_system_state(setfiles_t)
|
2006-02-03 17:57:16 +00:00
|
|
|
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_pipes(setfiles_t)
|
|
|
|
|
kernel_relabelfrom_unlabeled_sockets(setfiles_t)
|
|
|
|
|
|
|
|
|
|
dev_relabel_all_dev_nodes(setfiles_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
|
|
|
|
fs_getattr_xattr_fs(setfiles_t)
|
2005-07-11 19:02:50 +00:00
|
|
|
fs_list_all(setfiles_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
|
2005-10-13 20:59:36 +00:00
|
|
|
mls_file_read_up(setfiles_t)
|
|
|
|
|
mls_file_write_down(setfiles_t)
|
|
|
|
|
mls_file_upgrade(setfiles_t)
|
|
|
|
|
mls_file_downgrade(setfiles_t)
|
|
|
|
|
|
2005-06-14 20:48:34 +00:00
|
|
|
selinux_get_fs_mount(setfiles_t)
|
|
|
|
|
selinux_validate_context(setfiles_t)
|
|
|
|
|
selinux_compute_access_vector(setfiles_t)
|
|
|
|
|
selinux_compute_create_context(setfiles_t)
|
|
|
|
|
selinux_compute_relabel_context(setfiles_t)
|
|
|
|
|
selinux_compute_user_contexts(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
term_use_all_user_ttys(setfiles_t)
|
|
|
|
|
term_use_all_user_ptys(setfiles_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
term_use_unallocated_ttys(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-03 17:57:16 +00:00
|
|
|
# this is to satisfy the assertion:
|
|
|
|
|
auth_relabelto_shadow(setfiles_t)
|
|
|
|
|
|
2006-03-02 23:41:11 +00:00
|
|
|
init_use_fds(setfiles_t)
|
2006-02-20 21:33:25 +00:00
|
|
|
init_use_script_fds(setfiles_t)
|
2006-02-02 21:08:12 +00:00
|
|
|
init_use_script_ptys(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
domain_use_interactive_fds(setfiles_t)
|
2005-05-04 17:01:46 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
libs_use_ld_so(setfiles_t)
|
|
|
|
|
libs_use_shared_libs(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
files_read_etc_runtime_files(setfiles_t)
|
2005-06-29 14:26:41 +00:00
|
|
|
files_read_etc_files(setfiles_t)
|
2006-02-03 17:57:16 +00:00
|
|
|
files_list_all(setfiles_t)
|
|
|
|
|
files_relabel_all_files(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
2005-06-13 17:35:46 +00:00
|
|
|
logging_send_syslog_msg(setfiles_t)
|
2005-04-28 18:59:01 +00:00
|
|
|
|
|
|
|
|
miscfiles_read_localization(setfiles_t)
|
|
|
|
|
|
2006-02-22 21:21:26 +00:00
|
|
|
seutil_get_semanage_read_lock(setfiles_t)
|
|
|
|
|
|
2006-02-20 21:33:25 +00:00
|
|
|
userdom_use_all_users_fds(setfiles_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
# for config files in a home directory
|
2006-02-21 18:40:44 +00:00
|
|
|
userdom_read_all_users_home_content_files(setfiles_t)
|
