* fixes uncovered by sediff
* fix disable_trans support so a daemon can be both an init and an inet service without getting a duplicate bool declaration
This commit is contained in:
parent
bea7b4548e
commit
0500e01f2d
@ -81,7 +81,7 @@ template(`apache_content_template',`
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
|
||||
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ file lnk_file sock_file fifo_file })
|
||||
files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
|
@ -130,6 +130,7 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
allow httpd_t self:sock_file r_file_perms;
|
||||
allow httpd_t self:fifo_file rw_file_perms;
|
||||
allow httpd_t self:shm create_shm_perms;
|
||||
allow httpd_t self:sem create_sem_perms;
|
||||
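Review bot: The rule `allow httpd_t self:sock_file r_file_perms;` (fourth line of the hunk, which appears to be the one addition the +1 count admits) only ever matches sock_file objects that carry the httpd_t type itself; it says nothing about the daemon's socket files in its var_run or tmp types, which presumably is what a reviewer would expect the rule to cover. If a socket really does end up labeled httpd_t, a comment naming that object would stop the next reader from "fixing" the target type, e.g. `# sock_file objects labeled httpd_t (found by sediff)`; if not, the rule belongs on the socket's own file type. The enclosing httpd_t rule block continues outside the hunk.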
@ -384,6 +385,7 @@ optional_policy(`mailman.te',`
|
||||
mailman_signal_cgi(httpd_t)
|
||||
mailman_domtrans_cgi(httpd_t)
|
||||
# should have separate types for public and private archives
|
||||
mailman_search_data(httpd_t)
|
||||
mailman_read_archive(httpd_t)
|
||||
')
|
||||
|
||||
|
@ -7,7 +7,7 @@ policy_module(finger,1.0)
|
||||
#
|
||||
type fingerd_t;
|
||||
type fingerd_exec_t;
|
||||
init_system_domain(fingerd_t,fingerd_exec_t)
|
||||
init_daemon_domain(fingerd_t,fingerd_exec_t)
|
||||
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
|
||||
|
||||
type fingerd_etc_t;
|
||||
|
@ -36,7 +36,10 @@ interface(`inetd_core_service_domain',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
|
||||
')
|
||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
# can_exec(inetd_t,$2)
|
||||
# cjp: this must be wrong
|
||||
|
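Review bot: The new `ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`...')` guard dedupes the bool, but it degrades silently in exactly the case the comment above warns about: when $1 has no `_t` suffix the regexp returns empty, every such caller probes the same `__define_` macro, the first emits the already-broken `bool  false;` and every later one emits nothing, while the `if(regexp(...))` line that follows still references a bool that was never declared. The hack could fail loudly before the guard with `ifelse(regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`errprint(`inetd_core_service_domain: $1 has no _t suffix')')`. As a style point, the regexp is now repeated four times in the interface; binding it once with `pushdef(`disable_trans_bool', regexp($1, `\(\w+\)_t', `\1_disable_trans'))` and `popdef` at the end would make the guard and the `if` visibly use the same name. The identical guard in init_daemon_domain (the `@ -88,7 +88,10 @@` hunk) has the same shape, and the `if` body runs past the end of both hunks.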
@ -183,6 +183,7 @@ allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })
|
||||
|
||||
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
|
||||
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(inetd_child_t,inetd_child_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(inetd_child_t)
|
||||
|
@ -182,7 +182,7 @@ interface(`mailman_search_data',`
|
||||
type mailman_data_t;
|
||||
')
|
||||
|
||||
allow $1 mailman_data_t:dir search;
|
||||
allow $1 mailman_data_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -8,7 +8,7 @@ policy_module(tftp,1.0)
|
||||
|
||||
type tftpd_t;
|
||||
type tftpd_exec_t;
|
||||
init_system_domain(tftpd_t,tftpd_exec_t)
|
||||
init_daemon_domain(tftpd_t,tftpd_exec_t)
|
||||
inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
|
||||
|
||||
type tftpd_var_run_t;
|
||||
|
@ -989,7 +989,7 @@ interface(`domain_unconfined',`
|
||||
# domain_trans(source_domain,entrypoint_file,target_domain)
|
||||
#
|
||||
template(`domain_trans',`
|
||||
allow $1 $2:file rx_file_perms;
|
||||
allow $1 $2:file { getattr read execute };
|
||||
allow $1 $3:process transition;
|
||||
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
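Review bot: Replacing `rx_file_perms` with the explicit `{ getattr read execute }` on the entrypoint file leaves no record in domain_trans of why the macro was dropped, and the commit message ("fixes uncovered by sediff") does not say which permissions the macro granted beyond these three. A one-line comment above the rule, e.g. `# entrypoint files only need getattr/read/execute; rx_file_perms grants more than a transition requires (sediff)`, would keep a later editor from restoring the macro for consistency with other rules. The template is complete within the hunk.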
@ -187,6 +187,7 @@ optional_policy(`sysnetwork.te',`
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_domtrans(hotplug_t)
|
||||
udev_helper_domtrans(hotplug_t)
|
||||
udev_read_db(hotplug_t)
|
||||
')
|
||||
|
||||
|
@ -88,7 +88,10 @@ interface(`init_daemon_domain',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
|
||||
')
|
||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
can_exec(initrc_t,$2)
|
||||
can_exec(direct_run_init,$2)
|
||||
|
@ -11,9 +11,6 @@
|
||||
interface(`udev_domtrans',`
|
||||
gen_require(`
|
||||
type udev_t, udev_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, udev_exec_t, udev_t)
|
||||
@ -24,6 +21,27 @@ interface(`udev_domtrans',`
|
||||
allow udev_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a udev helper in the udev domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`udev_helper_domtrans',`
|
||||
gen_require(`
|
||||
type udev_t, udev_helper_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1, udev_helper_exec_t, udev_t)
|
||||
|
||||
allow $1 udev_t:fd use;
|
||||
allow udev_t $1:fd use;
|
||||
allow udev_t $1:fifo_file rw_file_perms;
|
||||
allow udev_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow process to read udev process state.
|
||||
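Review bot: The tail of the new udev_helper_domtrans (`allow $1 udev_t:fd use;` through `allow udev_t $1:process sigchld;`) repeats the same four rules udev_domtrans carries, whose `allow udev_t $1:process sigchld;` is the context line at the top of the hunk, so the two interfaces will drift apart the next time one is edited; a style point rather than a defect, and if the file's conventions allow a private template for the shared tail, both interfaces could call it. `udev_helper_exec_t` is required by the new gen_require but is not declared in any visible hunk; presumably it lives in udev.te, which is worth confirming since gen_require only asserts the type exists. The summary states that the helper runs in udev_t itself rather than a separate helper domain; a sentence there noting that the caller's fd and fifo are also handed to udev_t on the transition would document the full set of access granted.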
@ -54,7 +72,6 @@ interface(`udev_read_state',`
|
||||
interface(`udev_dontaudit_use_fd',`
|
||||
gen_require(`
|
||||
type udev_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
dontaudit $1 udev_t:fd use;
|
||||
@ -72,7 +89,6 @@ interface(`udev_dontaudit_use_fd',`
|
||||
interface(`udev_dontaudit_rw_unix_dgram_socket',`
|
||||
gen_require(`
|
||||
type udev_t;
|
||||
class unix_dgram_socket { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 udev_t:unix_dgram_socket { read write };
|
||||
@ -89,7 +105,6 @@ interface(`udev_dontaudit_rw_unix_dgram_socket',`
|
||||
interface(`udev_read_db',`
|
||||
gen_require(`
|
||||
type udev_tdb_t;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
@ -107,10 +122,8 @@ interface(`udev_read_db',`
|
||||
interface(`udev_rw_db',`
|
||||
gen_require(`
|
||||
type udev_tdb_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 udev_tdb_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
|