- Allow radvd to use fifo_file
- dontaudit setfiles reading links - allow semanage sys_resource - add allow_httpd_mod_auth_ntlm_winbind boolean - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set
parent
27943de6a0
commit
08f4abfd6d
@ -5108,8 +5108,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+HOME_DIR/\.local.* gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -0,0 +1,351 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-04-05 07:58:19.000000000 -0400
|
||||
@@ -0,0 +1,352 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
@ -5287,6 +5287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+ allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
||||
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
||||
+
|
||||
+ userdom_delete_user_tmpfs_files($1, nsplugin_t)
|
||||
+ userdom_use_user_terminals($1, nsplugin_t)
|
||||
+ userdom_use_user_terminals($1, nsplugin_config_t)
|
||||
+')
|
||||
@ -5463,8 +5464,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-04 12:06:55.000000000 -0400
|
||||
@@ -0,0 +1,184 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-05 07:52:00.000000000 -0400
|
||||
@@ -0,0 +1,186 @@
|
||||
+
|
||||
+policy_module(nsplugin,1.0.0)
|
||||
+
|
||||
@ -5549,6 +5550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+fs_list_inotifyfs(nsplugin_t)
|
||||
+fs_manage_tmpfs_files(nsplugin_t)
|
||||
+fs_getattr_tmpfs(nsplugin_t)
|
||||
+fs_getattr_xattr_fs(nsplugin_t)
|
||||
+
|
||||
+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
|
||||
+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
|
||||
@ -5597,6 +5599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_execmem_signull(nsplugin_t)
|
||||
+ unconfined_delete_tmpfs_files(nsplugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -8247,7 +8250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
|
||||
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-04 12:06:55.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-05 07:45:49.000000000 -0400
|
||||
@@ -13,21 +13,16 @@
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
@ -8810,9 +8813,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+
|
||||
+ seutil_domtrans_setfiles($1)
|
||||
+
|
||||
+ manage_app_pattern($1, httpd_tmp_t)
|
||||
+ manage_app_pattern($1, httpd_php_tmp_t)
|
||||
+ manage_app_pattern($1, httpd_suexec_tmp_t)
|
||||
+ manage_all_pattern($1, httpd_tmp_t)
|
||||
+ manage_all_pattern($1, httpd_php_tmp_t)
|
||||
+ manage_all_pattern($1, httpd_suexec_tmp_t)
|
||||
+ files_tmp_filetrans($1, httpd_tmp_t, { file dir })
|
||||
+
|
||||
+# apache_set_booleans($1, $2, $3, httpd_bool_t )
|
||||
@ -26306,7 +26309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
|
||||
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
|
||||
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-05 07:50:51.000000000 -0400
|
||||
@@ -99,7 +99,7 @@
|
||||
template(`authlogin_per_role_template',`
|
||||
|
||||
@ -27324,7 +27327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-05 07:22:08.000000000 -0400
|
||||
@@ -133,6 +133,7 @@
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -27374,7 +27377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@@ -304,3 +311,9 @@
|
||||
@@ -304,3 +311,11 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -27384,9 +27387,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
+
|
||||
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-04 17:42:06.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-05 07:34:59.000000000 -0400
|
||||
@@ -23,6 +23,9 @@
|
||||
init_system_domain(ldconfig_t,ldconfig_exec_t)
|
||||
role system_r types ldconfig_t;
|
||||
@ -27434,7 +27439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
|
||||
@@ -102,4 +114,12 @@
|
||||
@@ -102,4 +114,10 @@
|
||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||
# blow up.
|
||||
rpm_manage_script_tmp_files(ldconfig_t)
|
||||
@ -27443,8 +27448,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ # run mkinitrd as unconfined user
|
||||
+ unconfined_manage_tmp_files(ldconfig_t)
|
||||
+ unconfined_domain(ldconfig_t)
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.3.1/policy/modules/system/locallogin.te
|
||||
@ -29839,7 +29842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
|
||||
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-04 12:06:56.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-05 07:51:46.000000000 -0400
|
||||
@@ -12,14 +12,13 @@
|
||||
#
|
||||
interface(`unconfined_domain_noaudit',`
|
||||
@ -29934,7 +29937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:dbus acquire_svc;
|
||||
@@ -589,7 +612,120 @@
|
||||
@@ -589,49 +612,209 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -30053,56 +30056,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow apps to set rlimits on userdomain
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -597,20 +733,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`unconfined_read_home_content_files',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`unconfined_set_rlimitnh',`
|
||||
gen_require(`
|
||||
- type unconfined_home_dir_t, unconfined_home_t;
|
||||
+ gen_require(`
|
||||
+ type unconfined_t;
|
||||
')
|
||||
|
||||
- files_search_home($1)
|
||||
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
|
||||
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
|
||||
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unconfined_t:process rlimitinh;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read unconfined users temporary files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to read/write to
|
||||
+## unconfined with a unix domain stream sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -618,31 +752,54 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`unconfined_read_tmp_files',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`unconfined_rw_stream_sockets',`
|
||||
gen_require(`
|
||||
- type unconfined_tmp_t;
|
||||
+ gen_require(`
|
||||
+ type unconfined_t;
|
||||
')
|
||||
|
||||
- files_search_tmp($1)
|
||||
- allow $1 unconfined_tmp_t:dir list_dir_perms;
|
||||
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
|
||||
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unconfined_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Write unconfined users temporary files.
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read/write unconfined tmpfs files.
|
||||
## </summary>
|
||||
+## <desc>
|
||||
@ -30116,31 +30105,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`unconfined_write_tmp_files',`
|
||||
-interface(`unconfined_read_home_content_files',`
|
||||
+interface(`unconfined_rw_tmpfs_files',`
|
||||
gen_require(`
|
||||
- type unconfined_tmp_t;
|
||||
- type unconfined_home_dir_t, unconfined_home_t;
|
||||
+ type unconfined_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- files_search_home($1)
|
||||
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
|
||||
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
|
||||
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
|
||||
+ fs_search_tmpfs($1)
|
||||
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
|
||||
+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read unconfined users temporary files.
|
||||
+## Delete unconfined tmpfs files.
|
||||
## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Read/write unconfined tmpfs files.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`unconfined_read_tmp_files',`
|
||||
+interface(`unconfined_delete_tmpfs_files',`
|
||||
gen_require(`
|
||||
- type unconfined_tmp_t;
|
||||
+ type unconfined_tmpfs_t;
|
||||
')
|
||||
|
||||
- files_search_tmp($1)
|
||||
- allow $1 unconfined_tmp_t:dir list_dir_perms;
|
||||
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
|
||||
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
|
||||
+ fs_search_tmpfs($1)
|
||||
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
|
||||
+ delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
|
||||
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Write unconfined users temporary files.
|
||||
+## Get the process group of unconfined.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -639,10 +822,10 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`unconfined_write_tmp_files',`
|
||||
+interface(`unconfined_getpgid',`
|
||||
+ gen_require(`
|
||||
gen_require(`
|
||||
- type unconfined_tmp_t;
|
||||
+ type unconfined_t;
|
||||
')
|
||||
|
||||
@ -30484,7 +30513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-04 16:27:53.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-05 07:57:03.000000000 -0400
|
||||
@@ -29,9 +29,14 @@
|
||||
')
|
||||
|
||||
@ -32271,28 +32300,159 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3254,6 +3357,42 @@
|
||||
@@ -3254,24 +3357,24 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_rw_user_tmpfs_files',`
|
||||
+template(`userdom_read_user_tmpfs_files',`
|
||||
+ gen_require(`
|
||||
gen_require(`
|
||||
type $1_tmpfs_t;
|
||||
')
|
||||
|
||||
fs_search_tmpfs($2)
|
||||
allow $2 $1_tmpfs_t:dir list_dir_perms;
|
||||
- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## List users untrusted directories.
|
||||
+## Read/write user tmpfs files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## List users untrusted directories.
|
||||
+## Read/write user tmpfs files.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -3290,23 +3393,24 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_list_user_untrusted_content',`
|
||||
+template(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
- type $1_untrusted_content_t;
|
||||
+ type $1_tmpfs_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- allow $2 $1_untrusted_content_t:dir list_dir_perms;
|
||||
+ fs_search_tmpfs($2)
|
||||
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
|
||||
+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to list user
|
||||
-## untrusted directories.
|
||||
+## Unlink user tmpfs files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Do not audit attempts to read user
|
||||
-## untrusted directories.
|
||||
+## Read/write user tmpfs files.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -3321,25 +3425,28 @@
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit.
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_dontaudit_list_user_untrusted_content',`
|
||||
+template(`userdom_delete_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
- type $1_untrusted_content_t;
|
||||
+ type $1_tmpfs_t;
|
||||
')
|
||||
|
||||
- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
|
||||
+ fs_search_tmpfs($2)
|
||||
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
|
||||
+ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Read user untrusted files.
|
||||
+## List users untrusted directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Read user untrusted files.
|
||||
+## List users untrusted directories.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -3358,18 +3465,86 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_read_user_untrusted_content_files',`
|
||||
+template(`userdom_list_user_untrusted_content',`
|
||||
gen_require(`
|
||||
type $1_untrusted_content_t;
|
||||
')
|
||||
|
||||
allow $2 $1_untrusted_content_t:dir list_dir_perms;
|
||||
- read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Manage user untrusted files.
|
||||
+## Do not audit attempts to list user
|
||||
+## untrusted directories.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Do not audit attempts to read user
|
||||
+## untrusted directories.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## This is a templated interface, and should only
|
||||
+## be called from a per-userdomain template.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="userdomain_prefix">
|
||||
+## <summary>
|
||||
+## The prefix of the user domain (e.g., user
|
||||
+## is the prefix for user_t).
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`userdom_dontaudit_list_user_untrusted_content',`
|
||||
+ gen_require(`
|
||||
+ type $1_untrusted_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read/write user tmpfs files.
|
||||
+## Read user untrusted files.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Read/write user tmpfs files.
|
||||
+## Read user untrusted files.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## This is a templated interface, and should only
|
||||
@ -32311,10 +32471,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
template(`userdom_rw_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
type $1_tmpfs_t;
|
||||
@@ -4231,11 +4370,11 @@
|
||||
+template(`userdom_read_user_untrusted_content_files',`
|
||||
+ gen_require(`
|
||||
+ type $1_untrusted_content_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
|
||||
+ read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage user untrusted files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@@ -4231,11 +4406,11 @@
|
||||
#
|
||||
interface(`userdom_search_staff_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32328,7 +32500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4251,10 +4390,10 @@
|
||||
@@ -4251,10 +4426,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_search_staff_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32341,7 +32513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4270,11 +4409,11 @@
|
||||
@@ -4270,11 +4445,11 @@
|
||||
#
|
||||
interface(`userdom_manage_staff_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32355,7 +32527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4289,16 +4428,16 @@
|
||||
@@ -4289,16 +4464,16 @@
|
||||
#
|
||||
interface(`userdom_relabelto_staff_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32375,7 +32547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4307,12 +4446,27 @@
|
||||
@@ -4307,12 +4482,27 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -32406,7 +32578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4327,13 +4481,13 @@
|
||||
@@ -4327,13 +4517,13 @@
|
||||
#
|
||||
interface(`userdom_read_staff_home_content_files',`
|
||||
gen_require(`
|
||||
@ -32424,7 +32596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4531,10 +4685,10 @@
|
||||
@@ -4531,10 +4721,10 @@
|
||||
#
|
||||
interface(`userdom_getattr_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32437,7 +32609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4551,10 +4705,10 @@
|
||||
@@ -4551,10 +4741,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32450,7 +32622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4569,10 +4723,10 @@
|
||||
@@ -4569,10 +4759,10 @@
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32463,7 +32635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4588,10 +4742,10 @@
|
||||
@@ -4588,10 +4778,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32476,7 +32648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4606,10 +4760,10 @@
|
||||
@@ -4606,10 +4796,10 @@
|
||||
#
|
||||
interface(`userdom_list_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32489,7 +32661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4625,10 +4779,10 @@
|
||||
@@ -4625,10 +4815,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32502,7 +32674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4644,12 +4798,11 @@
|
||||
@@ -4644,12 +4834,11 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
||||
gen_require(`
|
||||
@ -32518,7 +32690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4676,10 +4829,10 @@
|
||||
@@ -4676,10 +4865,10 @@
|
||||
#
|
||||
interface(`userdom_sysadm_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -32531,7 +32703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4694,10 +4847,10 @@
|
||||
@@ -4694,10 +4883,10 @@
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -32544,7 +32716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4712,13 +4865,13 @@
|
||||
@@ -4712,13 +4901,13 @@
|
||||
#
|
||||
interface(`userdom_read_sysadm_home_content_files',`
|
||||
gen_require(`
|
||||
@ -32562,7 +32734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4754,11 +4907,49 @@
|
||||
@@ -4754,11 +4943,49 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32613,7 +32785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4778,6 +4969,14 @@
|
||||
@@ -4778,6 +5005,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
@ -32628,7 +32800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4839,6 +5038,26 @@
|
||||
@@ -4839,6 +5074,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32655,7 +32827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Create, read, write, and delete all directories
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4859,6 +5078,25 @@
|
||||
@@ -4859,6 +5114,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32681,7 +32853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Create, read, write, and delete all files
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -4879,6 +5117,26 @@
|
||||
@@ -4879,6 +5153,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32708,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Create, read, write, and delete all symlinks
|
||||
## in all users home directories.
|
||||
## </summary>
|
||||
@@ -5115,7 +5373,7 @@
|
||||
@@ -5115,7 +5409,7 @@
|
||||
#
|
||||
interface(`userdom_relabelto_generic_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -32717,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
@@ -5304,6 +5562,50 @@
|
||||
@@ -5304,6 +5598,50 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32768,7 +32940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Create, read, write, and delete directories in
|
||||
## unprivileged users home directories.
|
||||
## </summary>
|
||||
@@ -5509,6 +5811,42 @@
|
||||
@@ -5509,6 +5847,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -32811,28 +32983,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5674,6 +6012,42 @@
|
||||
@@ -5674,7 +6048,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Send a dbus message to all user domains.
|
||||
+## Manage keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5682,18 +6056,54 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_dbus_send_all_users',`
|
||||
+interface(`userdom_manage_all_users_keys',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ ')
|
||||
+
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
- class dbus send_msg;
|
||||
')
|
||||
|
||||
- allow $1 userdomain:dbus send_msg;
|
||||
+ allow $1 userdomain:key manage_key_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Unconfined access to user domains. (Deprecated)
|
||||
+## dontaudit search keys for all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -32851,10 +33028,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Send a dbus message to all user domains.
|
||||
+## Send a dbus message to all user domains.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_dbus_send_all_users',`
|
||||
+ gen_require(`
|
||||
+ attribute userdomain;
|
||||
+ class dbus send_msg;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 userdomain:dbus send_msg;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Unconfined access to user domains. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5704,3 +6078,370 @@
|
||||
## <summary>
|
||||
@@ -5704,3 +6114,370 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
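Review bot: The two delete interfaces, `unconfined_delete_tmpfs_files` and `userdom_delete_user_tmpfs_files`, grant more than deletion: next to `delete_files_pattern(...)` each also carries `read_lnk_files_pattern(...)` on the tmpfs type, and their `<desc>` text still reads "Read/write ... tmpfs files", which looks copied from the rw interfaces. Both are called for `nsplugin_t` in nsplugin.if and nsplugin.te, so I would drop the symlink-read line from each and correct the descriptions to `Delete unconfined tmpfs files.` and `Delete user tmpfs files.`, so that the plugin domain gets only directory listing plus unlink. The outer `+`/`-` column is lost on this page, so which of these lines are new in this revision is inferred from the hunk counts, not read directly. Separately, `unconfined_set_rlimitnh` is spelled differently from the `rlimitinh` permission it allows, and its summary "Allow apps to set rlimits on userdomain" does not describe that permission, which concerns inheriting resource limits across a transition; renaming it to `unconfined_rlimitinh` with a matching summary would keep callers from granting it for the wrong reason.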