patch from dan Mon, 20 Feb 2006 17:19:34 -0500
parent
794a56ccf1
commit
02bcb8b32d
@ -1,3 +1,4 @@
|
|||||||
|
- Add semanage policy for semodule from Dan Walsh.
|
||||||
- Remove allow_execmem from targeted policy domain_base_type().
|
- Remove allow_execmem from targeted policy domain_base_type().
|
||||||
- Add users_extra and seusers support.
|
- Add users_extra and seusers support.
|
||||||
- Postfix fixes from Serge Hallyn.
|
- Postfix fixes from Serge Hallyn.
|
||||||
|
@ -220,6 +220,14 @@ template(`su_per_userdomain_template',`
|
|||||||
nscd_socket_use($1_su_t)
|
nscd_socket_use($1_su_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# Modify .Xauthority file (via xauth program).
|
||||||
|
optional_policy(`xserver',`
|
||||||
|
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||||
|
# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
||||||
|
# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
||||||
|
xserver_domtrans_user_xauth($1, $1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||||
@ -235,17 +243,6 @@ template(`su_per_userdomain_template',`
|
|||||||
dontaudit $1_su_t home_dir_type:dir { search write };
|
dontaudit $1_su_t home_dir_type:dir { search write };
|
||||||
')
|
')
|
||||||
|
|
||||||
# Modify .Xauthority file (via xauth program).
|
|
||||||
ifdef(`xauth.te', `
|
|
||||||
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
|
||||||
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
|
||||||
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
|
||||||
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`cyrus.te', `
|
|
||||||
allow $1_su_t cyrus_var_lib_t:dir search;
|
|
||||||
')
|
|
||||||
ifdef(`ssh.te', `
|
ifdef(`ssh.te', `
|
||||||
# Access sshd cookie files.
|
# Access sshd cookie files.
|
||||||
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
||||||
|
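Review bot: The new xserver optional_policy block keeps three commented-out `file_type_auto_trans(...)` lines (`# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)` and the two that follow) next to the live `xserver_domtrans_user_xauth($1, $1_su_t)` call; commented-out code should be dropped or replaced by a comment that says why it is not needed. If the intent is that the xauth domain, not su, creates and labels `~/.Xauthority`, say so: `# .Xauthority is created and labeled by the xauth domain entered via xserver_domtrans_user_xauth`. The second hunk also removes `allow $1_su_t cyrus_var_lib_t:dir search;` with no cyrus optional_policy replacement; since it lived in a legacy `ifdef(\`cyrus.te'` block that presumably never fired this looks intentional, but a changelog line would make that explicit. The `su_per_userdomain_template` body starts and ends outside these hunks.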
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(su,1.2.1)
|
policy_module(su,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(slocate,1.0.1)
|
policy_module(slocate,1.0.2)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
@ -38,6 +38,8 @@ files_list_all(locate_t)
|
|||||||
files_getattr_all_files(locate_t)
|
files_getattr_all_files(locate_t)
|
||||||
files_read_etc_runtime_files(locate_t)
|
files_read_etc_runtime_files(locate_t)
|
||||||
files_read_etc_files(locate_t)
|
files_read_etc_files(locate_t)
|
||||||
|
# mls Higher level directories will be refused, so dontaudit
|
||||||
|
files_dontaudit_getattr_all_dirs(locate_t)
|
||||||
|
|
||||||
fs_getattr_xattr_fs(locate_t)
|
fs_getattr_xattr_fs(locate_t)
|
||||||
|
|
||||||
|
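Review bot: `files_dontaudit_getattr_all_dirs(locate_t)` silences getattr denials on every directory in every build, while the comment above it (`# mls Higher level directories will be refused, so dontaudit`) justifies it only for MLS. If the build exposes an MLS conditional, scoping the rule to it keeps the audit trail intact on non-MLS systems, where a getattr denial for locate would point at a real labeling problem; otherwise at least reword the comment to say the suppression is deliberate everywhere, e.g. `# MLS: directories above the job's level are refused by constraint; do not flood the audit log`. The rest of `locate_t`'s policy continues outside this hunk.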
@ -1056,6 +1056,44 @@ interface(`dev_rw_crypto',`
|
|||||||
allow $1 crypt_device_t:chr_file rw_file_perms;
|
allow $1 crypt_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## getattr the dri devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_dri_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, dri_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir r_dir_perms;
|
||||||
|
allow $1 dri_device_t:chr_file getattr;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Setattr the dri devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_dri_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, dri_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir r_dir_perms;
|
||||||
|
allow $1 dri_device_t:chr_file setattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write the dri devices.
|
## Read and write the dri devices.
|
||||||
|
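Review bot: Both new interfaces grant `allow $1 device_t:dir r_dir_perms;`, which lets the caller list the whole of /dev when all it needs to reach a DRI node by name is `search`; `allow $1 device_t:dir search_dir_perms;` is the least-privilege form, unless the sibling `dev_getattr_*_dev`/`dev_setattr_*_dev` interfaces (not visible here) use `r_dir_perms` and consistency is preferred. The summary of `dev_getattr_dri_dev` reads `## getattr the dri devices.` while its twin reads `## Setattr the dri devices.`; capitalize the first to match. A short note on the intended caller (console-login ownership changes, judging by the `pam_console_t` use elsewhere in this commit) would help future readers decide whether `setattr` on the device nodes is still justified.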
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices,1.0.3)
|
policy_module(devices,1.0.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -544,7 +544,7 @@ interface(`cron_rw_system_job_pipes',`
|
|||||||
type system_crond_t;
|
type system_crond_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 system_crond_t:file rw_file_perms;
|
allow $1 system_crond_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron,1.2.1)
|
policy_module(cron,1.2.2)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -392,6 +392,10 @@ ifdef(`targeted_policy',`
|
|||||||
nscd_socket_use(system_crond_t)
|
nscd_socket_use(system_crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`postfix',`
|
||||||
|
postfix_read_config(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`prelink',`
|
optional_policy(`prelink',`
|
||||||
prelink_read_cache(system_crond_t)
|
prelink_read_cache(system_crond_t)
|
||||||
prelink_manage_log(system_crond_t)
|
prelink_manage_log(system_crond_t)
|
||||||
|
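Review bot: `postfix_read_config(system_crond_t)` is added without a why-comment, unlike most surrounding rules, and it grants every system cron job read access to the postfix configuration; name the job that needs it so the rule can be removed when that job goes away, e.g. `# system cron jobs that call postfix tooling need its config`. If the need is confined to a single script, a dedicated domain for that script would be tighter than widening `system_crond_t`, though that is beyond this change. Whether this block sits inside the `targeted_policy` conditional named in the hunk header cannot be determined from the hunk itself.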
@ -167,6 +167,25 @@ interface(`cups_read_log',`
|
|||||||
allow $1 cupsd_log_t:file { getattr read };
|
allow $1 cupsd_log_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Write cups log files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`cups_write_log',`
|
||||||
|
gen_require(`
|
||||||
|
type cupsd_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
logging_search_logs($1)
|
||||||
|
allow $1 cupsd_log_t:file write;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Connect to ptal over an unix domain stream socket.
|
## Connect to ptal over an unix domain stream socket.
|
||||||
|
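Review bot: `allow $1 cupsd_log_t:file write;` in the new `cups_write_log` interface will not let a caller append to the log: an open with O_APPEND is checked by the kernel as the `append` permission rather than `write`, and log writers almost always open that way, so callers are likely to hit a denial despite using this interface. Granting `allow $1 cupsd_log_t:file { getattr write append };` (or `rw_file_perms` if readers are expected too) matches what a log-writing caller actually does, and including `getattr` keeps the pair consistent with `cups_read_log` above, which grants `{ getattr read }`. The summary could then read `## Write and append to cups log files.`.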
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cups,1.2.1)
|
policy_module(cups,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -279,6 +279,8 @@ template(`ssh_per_userdomain_template',`
|
|||||||
|
|
||||||
allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
|
allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
|
||||||
|
|
||||||
|
allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };
|
||||||
|
|
||||||
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
|
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
# for ssh-add
|
# for ssh-add
|
||||||
|
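Review bot: The new `allow $1_ssh_agent_t self:unix_stream_socket { connectto rw_socket_perms };` carries no comment, while the neighbouring `# for ssh-add` shows this file's habit of naming the program that needs each socket rule; an agent connecting to its own listening socket is unusual enough to deserve one. Presumably this covers a helper the agent spawns in its own domain that connects back to the agent's socket; if so, write `# helpers ssh-agent execs in its own domain connect back to its socket`, and if the real cause is different, record that instead. `ssh_per_userdomain_template` starts and ends outside this hunk.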
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ssh,1.2.0)
|
policy_module(ssh,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(authlogin,1.2.1)
|
policy_module(authlogin,1.2.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -153,6 +153,8 @@ kernel_read_system_state(pam_console_t)
|
|||||||
dev_read_sysfs(pam_console_t)
|
dev_read_sysfs(pam_console_t)
|
||||||
dev_getattr_apm_bios_dev(pam_console_t)
|
dev_getattr_apm_bios_dev(pam_console_t)
|
||||||
dev_setattr_apm_bios_dev(pam_console_t)
|
dev_setattr_apm_bios_dev(pam_console_t)
|
||||||
|
dev_getattr_dri_dev(pam_console_t)
|
||||||
|
dev_setattr_dri_dev(pam_console_t)
|
||||||
dev_getattr_framebuffer_dev(pam_console_t)
|
dev_getattr_framebuffer_dev(pam_console_t)
|
||||||
dev_setattr_framebuffer_dev(pam_console_t)
|
dev_setattr_framebuffer_dev(pam_console_t)
|
||||||
dev_getattr_misc_dev(pam_console_t)
|
dev_getattr_misc_dev(pam_console_t)
|
||||||
|
@ -4,13 +4,13 @@
|
|||||||
# /etc
|
# /etc
|
||||||
#
|
#
|
||||||
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
|
||||||
|
|
||||||
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
|
||||||
|
|
||||||
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
|
||||||
|
|
||||||
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
|
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
|
||||||
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||||
|
/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semanage_store_t,s0)
|
||||||
|
/etc/selinux([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
|
||||||
|
/etc/selinux([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
|
||||||
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -35,6 +35,7 @@
|
|||||||
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
|
||||||
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
|
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
|
||||||
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
|
||||||
|
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
|
||||||
|
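Review bot: The three new `modules` entries are missing the `/` after `selinux`: `/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)?` can only match `/etc/selinux/modules/...` (or `/etc/selinuxXXX/modules/...`), never the per-store path `/etc/selinux/<store>/modules/...` that every other entry in this file spells as `/etc/selinux/([^/]*/)?...`, so the module store and both lock files will stay `selinux_config_t` after a relabel. Change all three to the `/etc/selinux/([^/]*/)?modules/...` form, e.g. `/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semanage_store_t,s0)`. Note too that the `--` restricts the first entry to regular files, so the `active`, `tmp` and `previous` directories themselves never become `semanage_store_t` from this spec, which is at odds with the `type_transition ... :dir semanage_store_t` added in `seutil_manage_module_store`; dropping `--` on that line would be the usual fix. The `s0` level on the store next to `s15:c0.c255` on `policy`, `seusers` and `users` may be intentional given `mls_file_write_down(semanage_t)`, but it deserves a comment.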
@ -778,3 +778,124 @@ interface(`seutil_manage_src_policy',`
|
|||||||
allow $1 policy_src_t:dir create_dir_perms;
|
allow $1 policy_src_t:dir create_dir_perms;
|
||||||
allow $1 policy_src_t:file create_file_perms;
|
allow $1 policy_src_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run semanage.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`seutil_domtrans_semanage',`
|
||||||
|
gen_require(`
|
||||||
|
type semanage_t, semanage_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_usr($1)
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domain_auto_trans($1,semanage_exec_t,semanage_t)
|
||||||
|
|
||||||
|
allow $1 semanage_t:fd use;
|
||||||
|
allow semanage_t $1:fd use;
|
||||||
|
allow semanage_t $1:fifo_file rw_file_perms;
|
||||||
|
allow semanage_t $1:process sigchld;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute semanage in the semanage domain, and
|
||||||
|
## allow the specified role the semanage domain,
|
||||||
|
## and use the caller's terminal.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed the checkpolicy domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="terminal">
|
||||||
|
## <summary>
|
||||||
|
## The type of the terminal allow the semanage domain to use.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`seutil_run_semanage',`
|
||||||
|
gen_require(`
|
||||||
|
type semanage_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
seutil_domtrans_semanage($1)
|
||||||
|
role $2 types semanage_t;
|
||||||
|
allow semanage_t $3:chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Full management of the semanage
|
||||||
|
## module store.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`seutil_manage_module_store',`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_config_t, semanage_store_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir rw_dir_perms;
|
||||||
|
type_transition $1 selinux_config_t:dir semanage_store_t;
|
||||||
|
|
||||||
|
allow $1 semanage_store_t:dir create_dir_perms;
|
||||||
|
allow $1 semanage_store_t:file create_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Get read lock on module store
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`seutil_get_semanage_read_lock',`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_config_t, semanage_read_lock_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
allow $1 semanage_read_lock_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Get trans lock on module store
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`seutil_get_semanage_trans_lock',`
|
||||||
|
gen_require(`
|
||||||
|
type selinux_config_t, semanage_trans_lock_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
allow $1 selinux_config_t:dir search_dir_perms;
|
||||||
|
allow $1 semanage_trans_lock_t:file rw_file_perms;
|
||||||
|
')
|
||||||
|
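Review bot: In `seutil_run_semanage` the role parameter is documented as `## The role to be allowed the checkpolicy domain.`, a copy-paste from the checkpolicy interface; it should read `## The role to be allowed the semanage domain.`. Separately, `seutil_manage_module_store` pairs `allow $1 selinux_config_t:dir rw_dir_perms;` with `type_transition $1 selinux_config_t:dir semanage_store_t;`, so every directory the caller creates in any `selinux_config_t` directory, not only under `modules/`, is labeled `semanage_store_t`, while files created directly there keep `selinux_config_t`; that is the best this policy language can do without name-based transitions, but the summary should say so, e.g. `## Any directory the caller creates in a selinux_config_t directory is labeled semanage_store_t.`. The two lock interfaces rely on `rw_file_perms` for the lock files; if that set does not include `lock` in this tree's permission sets, `fcntl`/`flock` calls will be denied, so confirm it does.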
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(selinuxutil,1.1.5)
|
policy_module(selinuxutil,1.1.6)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
bool secure_mode;
|
bool secure_mode;
|
||||||
@ -89,6 +89,22 @@ domain_type(run_init_t)
|
|||||||
domain_entry_file(run_init_t,run_init_exec_t)
|
domain_entry_file(run_init_t,run_init_exec_t)
|
||||||
domain_system_change_exemption(run_init_t)
|
domain_system_change_exemption(run_init_t)
|
||||||
|
|
||||||
|
type semanage_t;
|
||||||
|
domain_type(semanage_t)
|
||||||
|
|
||||||
|
type semanage_exec_t;
|
||||||
|
domain_entry_file(semanage_t, semanage_exec_t)
|
||||||
|
role system_r types semanage_t;
|
||||||
|
|
||||||
|
type semanage_store_t;
|
||||||
|
files_type(semanage_store_t)
|
||||||
|
|
||||||
|
type semanage_read_lock_t;
|
||||||
|
files_type(semanage_read_lock_t)
|
||||||
|
|
||||||
|
type semanage_trans_lock_t;
|
||||||
|
files_type(semanage_trans_lock_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
domain_obj_id_change_exemption(setfiles_t)
|
domain_obj_id_change_exemption(setfiles_t)
|
||||||
domain_type(setfiles_t)
|
domain_type(setfiles_t)
|
||||||
@ -464,6 +480,47 @@ ifdef(`targeted_policy',`',`
|
|||||||
')
|
')
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# semodule local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
allow semanage_t policy_config_t:file { read write };
|
||||||
|
|
||||||
|
kernel_read_system_state(semanage_t)
|
||||||
|
kernel_read_kernel_sysctls(semanage_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(semanage_t)
|
||||||
|
corecmd_exec_sbin(semanage_t)
|
||||||
|
|
||||||
|
files_read_etc_files(semanage_t)
|
||||||
|
files_read_usr_files(semanage_t)
|
||||||
|
files_list_pids(semanage_t)
|
||||||
|
|
||||||
|
mls_file_write_down(semanage_t)
|
||||||
|
mls_rangetrans_target(semanage_t)
|
||||||
|
|
||||||
|
selinux_get_enforce_mode(semanage_t)
|
||||||
|
|
||||||
|
term_use_all_terms(semanage_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(semanage_t)
|
||||||
|
libs_use_shared_libs(semanage_t)
|
||||||
|
libs_use_lib_files(semanage_t)
|
||||||
|
|
||||||
|
seutil_search_default_contexts(semanage_t)
|
||||||
|
seutil_rw_file_contexts(semanage_t)
|
||||||
|
seutil_domtrans_setfiles(semanage_t)
|
||||||
|
seutil_domtrans_loadpolicy(semanage_t)
|
||||||
|
seutil_read_config(semanage_t)
|
||||||
|
seutil_manage_bin_policy(semanage_t)
|
||||||
|
seutil_use_newrole_fds(semanage_t)
|
||||||
|
seutil_manage_module_store(semanage_t)
|
||||||
|
seutil_get_semanage_trans_lock(semanage_t)
|
||||||
|
seutil_get_semanage_read_lock(semanage_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Setfiles local policy
|
# Setfiles local policy
|
||||||
@ -525,12 +582,8 @@ logging_send_syslog_msg(setfiles_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(setfiles_t)
|
miscfiles_read_localization(setfiles_t)
|
||||||
|
|
||||||
|
seutil_get_semanage_read_lock(setfiles_t)
|
||||||
|
|
||||||
userdom_use_all_users_fds(setfiles_t)
|
userdom_use_all_users_fds(setfiles_t)
|
||||||
# for config files in a home directory
|
# for config files in a home directory
|
||||||
userdom_read_all_users_home_content_files(setfiles_t)
|
userdom_read_all_users_home_content_files(setfiles_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
# for upgrading glibc and other shared objects - without this the upgrade
|
|
||||||
# scripts will put things in a state such that setfiles can not be run!
|
|
||||||
allow setfiles_t lib_t:file { read execute };
|
|
||||||
') dnl endif TODO
|
|
||||||
|
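Review bot: `term_use_all_terms(semanage_t)` in the new semodule block lets the domain read and write every terminal type, although `seutil_run_semanage` in this same commit already grants exactly the caller's terminal through its third argument (`allow semanage_t $3:chr_file rw_term_perms;`); unless semodule must write to terminals other than the one it was started from, drop the blanket rule and rely on the per-caller grant. `allow semanage_t policy_config_t:file { read write };` also looks redundant next to `seutil_manage_bin_policy(semanage_t)` a few lines below, which presumably already covers the binary policy; if it does, keep one of the two. A one-line comment on `mls_file_write_down(semanage_t)` saying why a store labeled `s0` must be written by a high-level process would help anyone auditing the MLS configuration; the setfiles hunk that follows only takes the read lock and drops a stale TODO block, which is fine.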
@ -145,6 +145,7 @@ template(`base_user_template',`
|
|||||||
allow $1_t unpriv_userdomain:fd use;
|
allow $1_t unpriv_userdomain:fd use;
|
||||||
|
|
||||||
kernel_read_kernel_sysctls($1_t)
|
kernel_read_kernel_sysctls($1_t)
|
||||||
|
kernel_read_net_sysctls($1_t)
|
||||||
kernel_dontaudit_list_unlabeled($1_t)
|
kernel_dontaudit_list_unlabeled($1_t)
|
||||||
kernel_dontaudit_getattr_unlabeled_files($1_t)
|
kernel_dontaudit_getattr_unlabeled_files($1_t)
|
||||||
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
|
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
|
||||||
@ -414,6 +415,8 @@ template(`base_user_template',`
|
|||||||
optional_policy(`rpm',`
|
optional_policy(`rpm',`
|
||||||
files_getattr_var_lib_dirs($1_t)
|
files_getattr_var_lib_dirs($1_t)
|
||||||
files_search_var_lib($1_t)
|
files_search_var_lib($1_t)
|
||||||
|
rpm_read_db($1_t)
|
||||||
|
rpm_dontaudit_manage_db($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`samba',`
|
optional_policy(`samba',`
|
||||||
@ -3944,6 +3947,8 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
|
|||||||
type user_home_t;
|
type user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir create_dir_perms;
|
allow $1 user_home_t:dir create_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -3963,6 +3968,8 @@ interface(`userdom_manage_generic_user_home_content_files',`
|
|||||||
type user_home_t;
|
type user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir rw_dir_perms;
|
allow $1 user_home_t:dir rw_dir_perms;
|
||||||
allow $1 user_home_t:file create_file_perms;
|
allow $1 user_home_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
@ -3983,6 +3990,8 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
|
|||||||
type user_home_t;
|
type user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir rw_dir_perms;
|
allow $1 user_home_t:dir rw_dir_perms;
|
||||||
allow $1 user_home_t:lnk_file create_lnk_perms;
|
allow $1 user_home_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
@ -4003,6 +4012,8 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
|
|||||||
type user_home_t;
|
type user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir rw_dir_perms;
|
allow $1 user_home_t:dir rw_dir_perms;
|
||||||
allow $1 user_home_t:fifo_file create_file_perms;
|
allow $1 user_home_t:fifo_file create_file_perms;
|
||||||
')
|
')
|
||||||
@ -4023,6 +4034,8 @@ interface(`userdom_manage_generic_user_home_content_sockets',`
|
|||||||
type user_home_t;
|
type user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||||
allow $1 user_home_t:dir rw_dir_perms;
|
allow $1 user_home_t:dir rw_dir_perms;
|
||||||
allow $1 user_home_t:sock_file create_file_perms;
|
allow $1 user_home_t:sock_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
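Review bot: The five `userdom_manage_generic_user_home_content_*` interfaces now reference `user_home_dir_t` (`allow $1 user_home_dir_t:dir search_dir_perms;`), but the visible part of each `gen_require` block lists only `type user_home_t;`; if `user_home_dir_t` is not required on a line above the hunk, any loadable module that calls these interfaces will fail on the undeclared type, so the require line should become `type user_home_dir_t, user_home_t;`. The same two-line prologue (`files_search_home($1)` plus the `user_home_dir_t` search) is repeated five times; if this file already has an interface that searches user home directories, calling it would keep the five in step. In the `base_user_template` hunk, `kernel_read_net_sysctls($1_t)` widens every user domain without a comment on what needs it, while the `rpm_read_db($1_t)` / `rpm_dontaudit_manage_db($1_t)` pair is fine as written.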
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.2.8)
|
policy_module(userdomain,1.2.9)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
@ -70,12 +70,12 @@ ifdef(`targeted_policy',`
|
|||||||
unconfined_alias_domain(sysadm_t)
|
unconfined_alias_domain(sysadm_t)
|
||||||
|
|
||||||
# User home directory type.
|
# User home directory type.
|
||||||
type user_home_t alias { staff_home_t sysadm_home_t }, home_type;
|
type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
|
||||||
files_type(user_home_t)
|
files_type(user_home_t)
|
||||||
files_associate_tmp(user_home_t)
|
files_associate_tmp(user_home_t)
|
||||||
fs_associate_tmpfs(user_home_t)
|
fs_associate_tmpfs(user_home_t)
|
||||||
|
|
||||||
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type;
|
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
|
||||||
files_type(user_home_dir_t)
|
files_type(user_home_dir_t)
|
||||||
files_associate_tmp(user_home_dir_t)
|
files_associate_tmp(user_home_dir_t)
|
||||||
fs_associate_tmpfs(user_home_dir_t)
|
fs_associate_tmpfs(user_home_dir_t)
|
||||||
@ -363,6 +363,7 @@ ifdef(`targeted_policy',`
|
|||||||
seutil_manage_bin_policy(secadm_t)
|
seutil_manage_bin_policy(secadm_t)
|
||||||
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
|
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
|
||||||
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
|
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
|
||||||
|
seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
|
||||||
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
|
seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
|
||||||
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
|
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
|
||||||
', `
|
', `
|
||||||
@ -373,6 +374,7 @@ ifdef(`targeted_policy',`
|
|||||||
seutil_manage_bin_policy(sysadm_t)
|
seutil_manage_bin_policy(sysadm_t)
|
||||||
seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
|
seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
|
||||||
seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
|
seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
|
||||||
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
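Review bot: The targeted-policy aliases now carry `user_home_type` and `user_home_dir_type` (`type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;`), but neither attribute is declared in this hunk; if they are declared only in the other branch of the same `ifdef`, a targeted build will fail on an undeclared attribute, so make sure the `attribute` declarations sit outside the conditional. The `seutil_run_semanage(secadm_t,secadm_r,admin_terminal)` and `seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)` additions mirror the existing `seutil_run_loadpolicy` lines in each branch and look consistent. The enclosing `ifdef` blocks start and end outside these hunks.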