policy-20051208.patch from dan, plus a few adjustments
This commit is contained in:
parent
b64a0ebc5e
commit
049e11af30
@ -137,7 +137,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
|
||||
|
||||
APPCONF := config/appconfig-$(TYPE)
|
||||
APPDIR := $(CONTEXTPATH)
|
||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
|
||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
||||
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
||||
USER_FILES := $(POLDIR)/users
|
||||
|
||||
@ -274,11 +274,6 @@ $(APPDIR)/removable_context: $(APPCONF)/removable_context
|
||||
@mkdir -p $(APPDIR)
|
||||
$(QUIET) install -m 644 $< $@
|
||||
|
||||
$(APPDIR)/customizable_types: policy.conf
|
||||
@mkdir -p $(APPDIR)
|
||||
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
|
||||
$(QUIET) install -m 644 tmp/customizable_types $@
|
||||
|
||||
$(APPDIR)/default_type: $(APPCONF)/default_type
|
||||
@mkdir -p $(APPDIR)
|
||||
$(QUIET) install -m 644 $< $@
|
||||
|
@ -168,6 +168,15 @@ endif
|
||||
@test -d tmp || mkdir -p tmp
|
||||
$(QUIET) m4 $(M4PARAM) $^ > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(APPDIR)/customizable_types: base.conf
|
||||
@mkdir -p $(APPDIR)
|
||||
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
|
||||
$(QUIET) install -m 644 tmp/customizable_types $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
|
@ -12,7 +12,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
|
||||
FC := file_contexts
|
||||
POLVER := policy.$(PV)
|
||||
|
||||
APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
|
||||
APPFILES += $(INSTALLDIR)/booleans
|
||||
|
||||
# for monolithic policy use all base and module to create policy
|
||||
ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
|
||||
@ -226,6 +226,15 @@ check: policy.conf $(FC)
|
||||
longcheck: policy.conf $(FC)
|
||||
$(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(APPDIR)/customizable_types: policy.conf
|
||||
@mkdir -p $(APPDIR)
|
||||
$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
|
||||
$(QUIET) install -m 644 tmp/customizable_types $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
|
@ -1,8 +1,9 @@
|
||||
system_r:unconfined_t:s0 system_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 system_r:unconfined_t:s0
|
||||
system_r:initrc_t:s0 system_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 system_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 system_r:unconfined_t:s0
|
||||
system_r:rshd_t:s0 system_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 system_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 system_r:unconfined_t:s0
|
||||
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
|
||||
system_r:unconfined_t:s0 system_r:unconfined_t:s0
|
||||
system_r:xdm_t:s0 system_r:unconfined_t:s0
|
||||
|
@ -1,8 +1,9 @@
|
||||
system_r:unconfined_t:s0 system_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 system_r:unconfined_t:s0
|
||||
system_r:initrc_t:s0 system_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 system_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 system_r:unconfined_t:s0
|
||||
system_r:rshd_t:s0 system_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 system_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 system_r:unconfined_t:s0
|
||||
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
|
||||
system_r:unconfined_t:s0 system_r:unconfined_t:s0
|
||||
system_r:xdm_t:s0 system_r:unconfined_t:s0
|
||||
|
@ -1,8 +1,9 @@
|
||||
system_r:unconfined_t system_r:unconfined_t
|
||||
system_r:crond_t system_r:unconfined_t
|
||||
system_r:initrc_t system_r:unconfined_t
|
||||
system_r:local_login_t system_r:unconfined_t
|
||||
system_r:remote_login_t system_r:unconfined_t
|
||||
system_r:rshd_t system_r:unconfined_t
|
||||
system_r:crond_t system_r:unconfined_t
|
||||
system_r:sshd_t system_r:unconfined_t
|
||||
system_r:sysadm_su_t system_r:unconfined_t
|
||||
system_r:unconfined_t system_r:unconfined_t
|
||||
system_r:xdm_t system_r:unconfined_t
|
||||
|
@ -43,6 +43,11 @@ template(`su_restricted_domain_template', `
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
|
||||
files_read_etc_files($1_su_t)
|
||||
files_read_etc_runtime_files($1_su_t)
|
||||
files_search_var_lib($1_su_t)
|
||||
files_dontaudit_getattr_tmp_dir($1_su_t)
|
||||
|
||||
selinux_get_fs_mount($1_su_t)
|
||||
selinux_validate_context($1_su_t)
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
@ -56,10 +61,6 @@ template(`su_restricted_domain_template', `
|
||||
|
||||
domain_use_wide_inherit_fd($1_su_t)
|
||||
|
||||
files_read_etc_files($1_su_t)
|
||||
files_read_etc_runtime_files($1_su_t)
|
||||
files_search_var_lib($1_su_t)
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
init_dontaudit_use_script_pty($1_su_t)
|
||||
# Write to utmp.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(su,1.0.1)
|
||||
policy_module(su,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.0.1)
|
||||
policy_module(filesystem,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
|
||||
# Requires that a security xattr handler exist for the filesystem.
|
||||
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(canna,1.0)
|
||||
policy_module(canna,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -47,7 +47,6 @@ files_create_pid(canna_t, canna_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(canna_t)
|
||||
kernel_read_system_state(canna_t)
|
||||
kernel_dontaudit_use_fd(canna_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(canna_t)
|
||||
corenet_raw_sendrecv_all_if(canna_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.0.3)
|
||||
policy_module(cups,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -505,6 +505,8 @@ allow cupsd_config_t cupsd_etc_t:file create_file_perms;
|
||||
allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
|
||||
type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
|
||||
|
||||
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
||||
|
||||
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbus,1.0.2)
|
||||
policy_module(dbus,1.1.1)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
|
||||
# cjp: dac_override should probably go in a distro_debian
|
||||
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
|
||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process { getattr signal_perms };
|
||||
allow system_dbusd_t self:process { getattr signal_perms setcap };
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp,1.0.2)
|
||||
policy_module(ftp,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -71,8 +71,11 @@ kernel_read_system_state(ftpd_t)
|
||||
dev_read_sysfs(ftpd_t)
|
||||
dev_read_urand(ftpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(ftpd_t)
|
||||
fs_getattr_all_fs(ftpd_t)
|
||||
corecmd_exec_bin(ftpd_t)
|
||||
corecmd_exec_sbin(ftpd_t)
|
||||
# Execute /bin/ls (can comment this out for proftpd)
|
||||
# also may need rules to allow tar etc...
|
||||
corecmd_exec_ls(ftpd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(ftpd_t)
|
||||
corenet_udp_sendrecv_all_if(ftpd_t)
|
||||
@ -89,25 +92,24 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||
corenet_tcp_bind_generic_port(ftpd_t)
|
||||
corenet_tcp_connect_all_ports(ftpd_t)
|
||||
|
||||
term_dontaudit_use_console(ftpd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(ftpd_t)
|
||||
# Append to /var/log/wtmp.
|
||||
auth_append_login_records(ftpd_t)
|
||||
#kerberized ftp requires the following
|
||||
auth_write_login_records(ftpd_t)
|
||||
|
||||
corecmd_exec_bin(ftpd_t)
|
||||
corecmd_exec_sbin(ftpd_t)
|
||||
# Execute /bin/ls (can comment this out for proftpd)
|
||||
# also may need rules to allow tar etc...
|
||||
corecmd_exec_ls(ftpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ftpd_t)
|
||||
|
||||
files_search_etc(ftpd_t)
|
||||
files_read_etc_files(ftpd_t)
|
||||
files_read_etc_runtime_files(ftpd_t)
|
||||
files_search_var_lib_dir(ftpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(ftpd_t)
|
||||
fs_getattr_all_fs(ftpd_t)
|
||||
|
||||
term_dontaudit_use_console(ftpd_t)
|
||||
|
||||
auth_use_nsswitch(ftpd_t)
|
||||
auth_domtrans_chk_passwd(ftpd_t)
|
||||
# Append to /var/log/wtmp.
|
||||
auth_append_login_records(ftpd_t)
|
||||
#kerberized ftp requires the following
|
||||
auth_write_login_records(ftpd_t)
|
||||
|
||||
init_use_fd(ftpd_t)
|
||||
init_use_script_pty(ftpd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.0.4)
|
||||
policy_module(hal,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -23,11 +23,13 @@ files_pid_file(hald_var_run_t)
|
||||
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:process signal_perms;
|
||||
# vbetool requires execmem
|
||||
allow hald_t self:process { execmem signal_perms };
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:tcp_socket create_stream_socket_perms;
|
||||
allow hald_t self:udp_socket create_socket_perms;
|
||||
@ -47,6 +49,9 @@ kernel_read_network_state(hald_t)
|
||||
kernel_read_kernel_sysctl(hald_t)
|
||||
kernel_write_proc_file(hald_t)
|
||||
|
||||
corecmd_exec_bin(hald_t)
|
||||
corecmd_exec_sbin(hald_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(hald_t)
|
||||
corenet_udp_sendrecv_all_if(hald_t)
|
||||
corenet_raw_sendrecv_all_if(hald_t)
|
||||
@ -59,7 +64,6 @@ corenet_non_ipsec_sendrecv(hald_t)
|
||||
corenet_tcp_bind_all_nodes(hald_t)
|
||||
corenet_udp_bind_all_nodes(hald_t)
|
||||
|
||||
dev_read_sysfs(hald_t)
|
||||
dev_rw_usbfs(hald_t)
|
||||
dev_read_urand(hald_t)
|
||||
dev_read_input(hald_t)
|
||||
@ -68,6 +72,20 @@ dev_rw_printer(hald_t)
|
||||
dev_read_lvm_control(hald_t)
|
||||
dev_getattr_all_chr_files(hald_t)
|
||||
dev_manage_generic_chr_file(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
dev_rw_sysfs(hald_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hald_t)
|
||||
domain_exec_all_entry_files(hald_t)
|
||||
|
||||
files_exec_etc_files(hald_t)
|
||||
files_read_etc_files(hald_t)
|
||||
files_rw_etc_runtime_files(hald_t)
|
||||
files_search_mnt(hald_t)
|
||||
files_search_var_lib(hald_t)
|
||||
files_read_usr_files(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
files_create_boot_flag(hald_t)
|
||||
|
||||
fs_getattr_all_fs(hald_t)
|
||||
fs_search_all(hald_t)
|
||||
@ -87,19 +105,6 @@ storage_raw_write_fixed_disk(hald_t)
|
||||
|
||||
term_dontaudit_use_console(hald_t)
|
||||
|
||||
corecmd_exec_bin(hald_t)
|
||||
corecmd_exec_sbin(hald_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hald_t)
|
||||
domain_exec_all_entry_files(hald_t)
|
||||
|
||||
files_exec_etc_files(hald_t)
|
||||
files_read_etc_files(hald_t)
|
||||
files_rw_etc_runtime_files(hald_t)
|
||||
files_search_mnt(hald_t)
|
||||
files_search_var_lib(hald_t)
|
||||
files_read_usr_files(hald_t)
|
||||
|
||||
init_use_fd(hald_t)
|
||||
init_use_script_pty(hald_t)
|
||||
|
||||
@ -171,6 +176,10 @@ optional_policy(`nscd',`
|
||||
nscd_use_socket(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`ntp',`
|
||||
ntp_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`pcmcia',`
|
||||
pcmcia_manage_pid(hald_t)
|
||||
pcmcia_manage_runtime_chr(hald_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mta,1.0.4)
|
||||
policy_module(mta,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -57,15 +57,6 @@ init_use_script_pty(system_mail_t)
|
||||
|
||||
userdom_use_sysadm_terms(system_mail_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fds open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd(system_mail_t)
|
||||
storage_dontaudit_read_fixed_disk(system_mail_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
typealias system_mail_t alias sysadm_mail_t;
|
||||
|
||||
|
@ -18,6 +18,7 @@ files_pid_file(saslauthd_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow saslauthd_t self:capability setuid;
|
||||
dontaudit saslauthd_t self:capability sys_tty_config;
|
||||
allow saslauthd_t self:process signal_perms;
|
||||
allow saslauthd_t self:fifo_file { read write };
|
||||
@ -56,9 +57,10 @@ auth_use_nsswitch(saslauthd_t)
|
||||
domain_use_wide_inherit_fd(saslauthd_t)
|
||||
|
||||
files_read_etc_files(saslauthd_t)
|
||||
files_read_etc_runtime_files(saslauthd_t)
|
||||
files_dontaudit_read_etc_runtime_files(saslauthd_t)
|
||||
files_search_var_lib(saslauthd_t)
|
||||
files_dontaudit_getattr_home_dir(saslauthd_t)
|
||||
files_dontaudit_getattr_tmp_dir(saslauthd_t)
|
||||
|
||||
init_use_fd(saslauthd_t)
|
||||
init_use_script_pty(saslauthd_t)
|
||||
|
@ -73,6 +73,10 @@ corenet_non_ipsec_sendrecv(spamd_t)
|
||||
corenet_tcp_bind_all_nodes(spamd_t)
|
||||
corenet_udp_bind_all_nodes(spamd_t)
|
||||
corenet_tcp_bind_spamd_port(spamd_t)
|
||||
# spamassassin 3.1 needs this for its
|
||||
# DnsResolver.pm module which binds to
|
||||
# random ports >= 1024.
|
||||
corenet_udp_bind_generic_port(spamd_t)
|
||||
|
||||
dev_read_sysfs(spamd_t)
|
||||
dev_read_urand(spamd_t)
|
||||
|
@ -6,11 +6,7 @@ policy_module(xdm,1.0.1)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_alias_domain(xdm_t)
|
||||
',`
|
||||
type xdm_t;
|
||||
')
|
||||
type xdm_t;
|
||||
|
||||
# real declaration moved to mls until
|
||||
# range_transition works in loadable modules
|
||||
@ -78,7 +74,9 @@ selinux_compute_user_contexts(xdm_t)
|
||||
files_read_etc_runtime_files(xdm_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
allow xdm_t self:process execmem;
|
||||
unconfined_domain_template(xdm_t)
|
||||
unconfined_domtrans(xdm_t)
|
||||
',`
|
||||
allow xdm_t xdm_lock_t:file create_file_perms;
|
||||
files_create_lock(xdm_t,xdm_lock_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hostname,1.0)
|
||||
policy_module(hostname,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,7 +22,6 @@ allow hostname_t self:capability sys_admin;
|
||||
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit hostname_t self:capability sys_tty_config;
|
||||
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
kernel_list_proc(hostname_t)
|
||||
kernel_read_proc_symlinks(hostname_t)
|
||||
|
||||
|
@ -31,18 +31,6 @@ interface(`init_domain',`
|
||||
allow init_t $1:fd use;
|
||||
allow $1 init_t:fifo_file rw_file_perms;
|
||||
allow $1 init_t:process sigchld;
|
||||
|
||||
# Red Hat systems seem to have stray
|
||||
# fds open from the initrd
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fds open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd($1)
|
||||
storage_dontaudit_read_fixed_disk($1)
|
||||
files_dontaudit_read_root_file($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -82,16 +70,6 @@ interface(`init_daemon_domain',`
|
||||
typeattribute $2 direct_init_entry;
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fds open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd($1)
|
||||
storage_dontaudit_read_fixed_disk($1)
|
||||
files_dontaudit_read_root_file($1)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
@ -163,16 +141,6 @@ interface(`init_system_domain',`
|
||||
allow $1 initrc_t:fd use;
|
||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||
allow $1 initrc_t:process sigchld;
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fds open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd($1)
|
||||
storage_dontaudit_read_fixed_disk($1)
|
||||
files_dontaudit_read_root_file($1)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -62,7 +62,8 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
@ -103,7 +104,6 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/.*/libxpcom_core.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
@ -113,6 +113,10 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
||||
# Fedora Extras packages: ladspa, imlib2, ocaml
|
||||
/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.0.1)
|
||||
policy_module(libraries,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -42,12 +42,8 @@ ifdef(`targeted_policy',`
|
||||
# texrel_shlib_t is the type of shared objects in the system lib
|
||||
# directories, which require text relocation.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
typealias lib_t alias texrel_shlib_t;
|
||||
',`
|
||||
type texrel_shlib_t;
|
||||
files_type(texrel_shlib_t)
|
||||
')
|
||||
type texrel_shlib_t;
|
||||
files_type(texrel_shlib_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -168,13 +168,6 @@ userdom_use_unpriv_users_fd(local_login_t)
|
||||
# Search for mail spool file.
|
||||
mta_getattr_spool(local_login_t)
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd(local_login_t)
|
||||
files_dontaudit_read_root_file(local_login_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain_template(local_login_t)
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.0.1)
|
||||
policy_module(mount,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,7 +26,6 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_dontaudit_use_fd(mount_t)
|
||||
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||
|
Loading…
Reference in New Issue
Block a user