more merging of NSA CVS policy
parent
83515f1723
commit
0907bda1e0
@ -45,6 +45,10 @@ gen_tunable(run_ssh_inetd,false)
|
||||
## user domains.
|
||||
gen_bool(secure_mode,false)
|
||||
|
||||
## Allow squid to connect to all ports, not just
|
||||
## HTTP, FTP, and Gopher ports.
|
||||
gen_tunable(squid_connect_any,false)
|
||||
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
gen_tunable(ssh_sysadm_login,false)
|
||||
|
||||
|
@ -6,7 +6,7 @@ policy_module(consoletype, 1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type consoletype_t;
|
||||
type consoletype_t; #, mlsfileread, mlsfilewrite
|
||||
type consoletype_exec_t;
|
||||
init_domain(consoletype_t,consoletype_exec_t)
|
||||
init_system_domain(consoletype_t,consoletype_exec_t)
|
||||
|
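Review bot: The MLS attributes dropped from `type consoletype_t;` survive only as the trailing `#, mlsfileread, mlsfilewrite` comment, which nothing will find again when the MLS attributes are ported. The same pattern appears in this commit for ptmx_t, ssh_server_template's `$1_t`, pam_console_t, home_root_t/root_t/tmp_t (`polyparent`/`polydir`), init_t/initctl_t/initrc_t, devlog_t/klogd_t and privoxy_t (`# web_client_domain`). Since the commit already uses a TODO ifdef block elsewhere for deferred rules, a greppable marker such as `type consoletype_t; # TODO(mls): mlsfileread, mlsfilewrite` would keep these from being silently lost.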
@ -53,6 +53,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
|
||||
corenet_udp_sendrecv_all_ports(netutils_t)
|
||||
corenet_tcp_bind_all_nodes(netutils_t)
|
||||
corenet_udp_bind_all_nodes(netutils_t)
|
||||
corenet_tcp_connect_all_ports(netutils_t)
|
||||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
|
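Review bot: `corenet_tcp_connect_all_ports(netutils_t)` grants connect to every labelled TCP port without a comment saying which tool in the domain needs it, and the same unconditional grant is added for nscd_t, portmap_t, portmap_helper_t and ssh_server_template's `$1_t`. By contrast the squid hunk gates the identical interface behind the new `squid_connect_any` tunable. Where the peer port is known, a port-specific `corenet_tcp_connect_*_port` call (portmap_helper presumably only talks to the portmap port — confirm) or a tunable like squid's would keep the least-privilege shape of the rest of the policy; at minimum each line should carry a why-comment, e.g. `# TODO(review): which netutils tool needs arbitrary-port connect?`.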
@ -10,6 +10,7 @@
|
||||
/usr/lib(64)?/cracklib_dict.* -- context_template(system_u:object_r:crack_db_t,s0)
|
||||
|
||||
/usr/sbin/crack_[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0)
|
||||
/usr/sbin/cracklib-[a-z]* -- context_template(system_u:object_r:crack_exec_t,s0)
|
||||
/usr/sbin/gpasswd -- context_template(system_u:object_r:groupadd_exec_t,s0)
|
||||
/usr/sbin/groupadd -- context_template(system_u:object_r:groupadd_exec_t,s0)
|
||||
/usr/sbin/groupdel -- context_template(system_u:object_r:groupadd_exec_t,s0)
|
||||
@ -24,4 +25,6 @@
|
||||
/usr/sbin/vigr -- context_template(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
/usr/sbin/vipw -- context_template(system_u:object_r:admin_passwd_exec_t,s0)
|
||||
|
||||
/usr/share/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0)
|
||||
|
||||
/var/cache/cracklib(/.*)? context_template(system_u:object_r:crack_db_t,s0)
|
||||
|
@ -288,6 +288,7 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow passwd_t self:unix_dgram_socket sendto;
|
||||
allow passwd_t self:unix_stream_socket connectto;
|
||||
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow passwd_t self:shm create_shm_perms;
|
||||
allow passwd_t self:sem create_sem_perms;
|
||||
allow passwd_t self:msgq create_msgq_perms;
|
||||
|
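Review bot: The new `allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` carries no comment on why passwd needs to relay audit messages; the neighbouring self rules are equally bare, but `nlmsg_relay` is the permission that lets a domain inject user-space audit records, so it deserves one. Presumably this is PAM's audit logging of the password change — confirm — and a line such as `# PAM emits AUDIT_USER_* records for the password change` would record it.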
@ -1,9 +1,10 @@
|
||||
|
||||
/usr/bin/gpg -- context_template(system_u:object_r:gpg_exec_t,s0)
|
||||
/usr/bin/gpg(2)? -- context_template(system_u:object_r:gpg_exec_t,s0)
|
||||
/usr/bin/gpg-agent -- context_template(system_u:object_r:gpg_agent_exec_t,s0)
|
||||
/usr/bin/kgpg -- context_template(system_u:object_r:gpg_exec_t,s0)
|
||||
/usr/bin/pinentry.* -- context_template(system_u:object_r:pinentry_exec_t,s0)
|
||||
|
||||
/usr/lib/gnupg/.* -- context_template(system_u:object_r:gpg_exec_t,s0)
|
||||
/usr/lib/gnupg/gpgkeys.* -- context_template(system_u:object_r:gpg_helper_exec_t,s0)
|
||||
|
||||
HOME_DIR/\.gnupg(/.+)? context_template(system_u:object_r:ROLE_gpg_secret_t,s0)
|
||||
|
@ -36,9 +36,21 @@ sid port context_template(system_u:object_r:port_t,s0)
|
||||
#
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
|
||||
network_port(afs_bos, udp,7007,s0)
|
||||
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
|
||||
network_port(afs_ka, udp,7004,s0)
|
||||
network_port(afs_pt, udp,7002,s0)
|
||||
network_port(afs_vl, udp,7003,s0)
|
||||
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||
network_port(amavisd_recv, tcp,10024,s0)
|
||||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
dnl network_port(biff) # no defined portcon in current strict
|
||||
network_port(clamd, tcp,3310,s0)
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||
network_port(dbskkd, tcp,1178,s0)
|
||||
network_port(dhcpc, udp,68,s0)
|
||||
network_port(dhcpd, udp,67,s0)
|
||||
@ -47,43 +59,64 @@ network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
network_port(fingerd, tcp,79,s0)
|
||||
network_port(ftp_data, tcp,20,s0)
|
||||
network_port(ftp, tcp,21,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
|
||||
network_port(http, tcp,80,s0, tcp,443,s0)
|
||||
network_port(giftd, tcp,1213,s0)
|
||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
|
||||
dnl network_port(i18n_input) # no defined portcon in current strict
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
|
||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
network_port(innd, tcp,119,s0)
|
||||
network_port(ipp, tcp,631,s0, udp,631,s0)
|
||||
network_port(ircd, tcp,6667,s0)
|
||||
network_port(isakmp, udp,500,s0)
|
||||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||
network_port(jabber_interserver, tcp,5269,s0)
|
||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
||||
network_port(mail, tcp,2000,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
|
||||
network_port(ntp, udp,123,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
|
||||
network_port(openvpn, udp,5000,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
network_port(postgrey, tcp,60000,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
network_port(pyzor, udp,24441,s0)
|
||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||
network_port(razor, tcp,2703,s0)
|
||||
network_port(rndc, tcp,953,s0)
|
||||
network_port(rsh, tcp,514,s0)
|
||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(spamd, tcp,783,s0)
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
||||
dnl network_port(stunnel) # no defined portcon in current strict
|
||||
network_port(swat, tcp,901,s0)
|
||||
network_port(syslogd, udp,514,s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
network_port(zebra, tcp,2601,s0)
|
||||
network_port(zope, tcp,8021,s0)
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise
|
||||
|
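Review bot: Only one of the new port additions says what the port is (`# 8118 is for privoxy`); the others in this hunk are unexplained, in particular `tcp,488,s0, tcp,8008,s0` on the http entry, `tcp,5666,s0` on inetd_child and the `143`/`220`/`993`/`995`/`1109` set on the pop entry. The pop case matters most: the entry is now the label for IMAP and IMAPS ports as well, which nobody will guess from `pop_port_t`, so a comment like `# pop_port_t also covers imap (143/220/993) and pops (995)` on that line is worth adding. The `smbd` entry uses a range (`tcp,137-139,s0`) while xserver a few lines below still spells out 6001 through 6019 individually; whichever form network_port is meant to take should be used consistently, with a note in the file header that ranges are accepted.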
@ -59,6 +59,11 @@ type cpu_device_t, device_node;
|
||||
fs_associate(cpu_device_t)
|
||||
fs_associate_tmpfs(cpu_device_t)
|
||||
|
||||
# for the IBM zSeries z90crypt hardware ssl accelorator
|
||||
type crypt_device_t, device_node;
|
||||
fs_associate(crypt_device_t)
|
||||
fs_associate_tmpfs(crypt_device_t)
|
||||
|
||||
type dri_device_t, device_node;
|
||||
fs_associate(dri_device_t)
|
||||
fs_associate_tmpfs(dri_device_t)
|
||||
|
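Review bot: The comment on the new crypt_device_t declaration misspells accelerator (`# for the IBM zSeries z90crypt hardware ssl accelorator`); `# for the IBM zSeries z90crypt hardware SSL accelerator` reads better. Otherwise the block mirrors its cpu_device_t and dri_device_t neighbours.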
@ -40,14 +40,29 @@ type bdev_t, filesystem_type;
|
||||
genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
|
||||
|
||||
type binfmt_misc_fs_t, filesystem_type;
|
||||
files_mountpoint(binfmt_misc_fs_t)
|
||||
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
|
||||
|
||||
type debugfs_t, filesystem_type;
|
||||
allow debugfs_t self:filesystem associate;
|
||||
|
||||
type eventpollfs_t, filesystem_type;
|
||||
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
|
||||
|
||||
type futexfs_t, filesystem_type;
|
||||
genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
|
||||
|
||||
type hugetlbfs_t, filesystem_type;
|
||||
files_mountpoint(hugetlbfs_t)
|
||||
allow hugetlbfs_t self:filesystem associate;
|
||||
|
||||
type inotifyfs_t, filesystem_type;
|
||||
allow inotifyfs_t self:filesystem associate;
|
||||
|
||||
type mqueue_t, filesystem_type;
|
||||
files_mountpoint(mqueue_t)
|
||||
allow mqueue_t self:filesystem associate;
|
||||
|
||||
type nfsd_fs_t, filesystem_type;
|
||||
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
|
||||
|
||||
|
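Review bot: debugfs_t, hugetlbfs_t, inotifyfs_t and mqueue_t are declared with `allow X self:filesystem associate;` but, unlike binfmt_misc_fs_t, eventpollfs_t, futexfs_t and nfsd_fs_t in the same hunk, no `genfscon` or fs_use_* statement ties them to a filesystem. If those statements live elsewhere in the file this is fine — the hunk shows only part of it — but if not, the four types are never assigned to any mounted filesystem and the associate rules are dead. A one-line comment on each such type naming where its labelling statement lives, e.g. `# labelled via fs_use_trans further down (confirm)`, would make the intent checkable.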
@ -68,6 +68,23 @@ interface(`kernel_sigchld',`
|
||||
allow kernel_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to kernel threads.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process sending the signal.
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_signal',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
allow kernel_t $1:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the kernel to share state information with
|
||||
|
@ -38,7 +38,7 @@ dev_node(devtty_t)
|
||||
#
|
||||
# ptmx_t is the type for /dev/ptmx.
|
||||
#
|
||||
type ptmx_t;
|
||||
type ptmx_t; #, mlstrustedobject;
|
||||
dev_node(ptmx_t)
|
||||
|
||||
#
|
||||
|
@ -19,10 +19,13 @@ files_pid_file(hald_var_run_t)
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:tcp_socket create_stream_socket_perms;
|
||||
# For backwards compatibility with older kernels
|
||||
allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
allow hald_t hald_tmp_t:dir create_dir_perms;
|
||||
allow hald_t hald_tmp_t:file create_file_perms;
|
||||
|
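Review bot: `allow hald_t self:tcp_socket create_stream_socket_perms;` is added without any corenet_* rule in the hunk that would let the socket be bound or connected, and without a comment saying what hald uses TCP for. If the corenet rules exist elsewhere in the file that is fine; otherwise the rule only lets hald create a socket it cannot use, and a why-comment such as `# TODO(review): which hald feature needs TCP?` should accompany it until that is settled. The widened `{ create_stream_socket_perms connectto }` on the unix_stream_socket line would similarly benefit from noting which socket hald connects to (dbus, presumably — confirm).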
@ -120,6 +120,7 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
r_dir_file(slapd_t, cert_t)
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(slapd_t)
|
||||
')
|
||||
|
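Review bot: Wrapping `r_dir_file(slapd_t, cert_t)` in the TODO ifdef block removes slapd's read access to cert_t from the built policy, so a TLS-enabled slapd will be denied reading its certificates until the rule is ported. The same silent loss happens in this commit for squid (`r_dir_file(squid_t, cert_t)`, the winbind helper transition and the diskd `tmpfs_t` rule), rsync (`r_dir_file(rsync_t, ftpd_anon_t)`), rshd (`rlogind_tmp_t`), getty (the pppd transition) and init (`ramfs_t:sock_file write`). cert_t belongs to the miscfiles module shown at the end of this page, so the cert rules can be expressed through a miscfiles interface rather than deferred; for the rest, each TODO block should at least carry a comment naming the denial it will cause, e.g. `# TODO: slapd loses cert_t read until a miscfiles interface replaces r_dir_file`.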
@ -65,6 +65,7 @@ corenet_tcp_sendrecv_all_ports(nscd_t)
|
||||
corenet_udp_sendrecv_all_ports(nscd_t)
|
||||
corenet_tcp_bind_all_nodes(nscd_t)
|
||||
corenet_udp_bind_all_nodes(nscd_t)
|
||||
corenet_tcp_connect_all_ports(nscd_t)
|
||||
|
||||
selinux_get_fs_mount(nscd_t)
|
||||
selinux_validate_context(nscd_t)
|
||||
|
@ -72,6 +72,7 @@ corenet_udp_sendrecv_all_ports(ntpd_t)
|
||||
corenet_tcp_bind_all_nodes(ntpd_t)
|
||||
corenet_udp_bind_all_nodes(ntpd_t)
|
||||
corenet_udp_bind_ntp_port(ntpd_t)
|
||||
corenet_tcp_connect_ntp_port(ntpd_t)
|
||||
|
||||
dev_read_sysfs(ntpd_t)
|
||||
# for SSP
|
||||
|
@ -58,6 +58,7 @@ corenet_tcp_bind_all_nodes(portmap_t)
|
||||
corenet_udp_bind_all_nodes(portmap_t)
|
||||
corenet_tcp_bind_portmap_port(portmap_t)
|
||||
corenet_udp_bind_portmap_port(portmap_t)
|
||||
corenet_tcp_connect_all_ports(portmap_t)
|
||||
# portmap binds to arbitary ports
|
||||
corenet_tcp_bind_generic_port(portmap_t)
|
||||
corenet_udp_bind_generic_port(portmap_t)
|
||||
@ -158,6 +159,9 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow portmap_helper_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
|
||||
files_create_pid(portmap_helper_t,portmap_var_run_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(portmap_helper_t)
|
||||
corenet_udp_sendrecv_all_if(portmap_helper_t)
|
||||
corenet_raw_sendrecv_all_if(portmap_helper_t)
|
||||
@ -172,6 +176,7 @@ corenet_tcp_bind_reserved_port(portmap_helper_t)
|
||||
corenet_udp_bind_reserved_port(portmap_helper_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
|
||||
corenet_tcp_connect_all_ports(portmap_helper_t)
|
||||
|
||||
files_read_etc_files(portmap_helper_t)
|
||||
files_rw_generic_pids(portmap_helper_t)
|
||||
|
@ -6,7 +6,7 @@ policy_module(privoxy,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type privoxy_t;
|
||||
type privoxy_t; # web_client_domain
|
||||
type privoxy_exec_t;
|
||||
init_daemon_domain(privoxy_t,privoxy_exec_t)
|
||||
|
||||
@ -36,16 +36,11 @@ kernel_list_proc(privoxy_t)
|
||||
kernel_read_proc_symlinks(privoxy_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(privoxy_t)
|
||||
corenet_udp_sendrecv_all_if(privoxy_t)
|
||||
corenet_raw_sendrecv_all_if(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_udp_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_raw_sendrecv_all_nodes(privoxy_t)
|
||||
corenet_tcp_sendrecv_all_ports(privoxy_t)
|
||||
corenet_udp_sendrecv_all_ports(privoxy_t)
|
||||
# cjp: this really should be specified!
|
||||
corenet_tcp_bind_generic_port(privoxy_t)
|
||||
corenet_udp_bind_generic_port(privoxy_t)
|
||||
corenet_tcp_bind_http_cache_port(privoxy_t)
|
||||
|
||||
dev_read_sysfs(privoxy_t)
|
||||
|
||||
@ -83,6 +78,10 @@ optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(privoxy_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(privoxy_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(privoxy_t)
|
||||
')
|
||||
|
@ -29,8 +29,7 @@ corenet_raw_sendrecv_all_nodes(rshd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rshd_t)
|
||||
corenet_tcp_sendrecv_all_ports(rshd_t)
|
||||
corenet_tcp_bind_all_nodes(rshd_t)
|
||||
corenet_tcp_bind_reserved_port(rshd_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(rshd_t)
|
||||
corenet_tcp_bind_rsh_port(rshd_t)
|
||||
|
||||
dev_read_urand(rshd_t)
|
||||
|
||||
@ -83,10 +82,6 @@ optional_policy(`kerberos.te',`
|
||||
kerberos_use(rshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rshd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rlogind.te', `
|
||||
allow rshd_t rlogind_tmp_t:file rw_file_perms;
|
||||
|
@ -88,7 +88,5 @@ optional_policy(`nscd.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`ftpd.te', `
|
||||
r_dir_file(rsync_t, ftpd_anon_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -78,6 +78,9 @@ corenet_tcp_bind_all_nodes(squid_t)
|
||||
corenet_udp_bind_all_nodes(squid_t)
|
||||
corenet_tcp_bind_http_cache_port(squid_t)
|
||||
corenet_udp_bind_http_cache_port(squid_t)
|
||||
corenet_tcp_connect_ftp_port(squid_t)
|
||||
corenet_tcp_connect_gopher_port(squid_t)
|
||||
corenet_tcp_connect_http_port(squid_t)
|
||||
|
||||
dev_read_sysfs(squid_t)
|
||||
dev_read_urand(squid_t)
|
||||
@ -126,6 +129,10 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(squid_t)
|
||||
')
|
||||
|
||||
tunable_policy(`squid_connect_any',`
|
||||
corenet_tcp_connect_all_ports(squid_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
allow squid_t self:capability kill;
|
||||
cron_use_fd(squid_t)
|
||||
@ -161,6 +168,11 @@ optional_policy(`rhgb.te',`
|
||||
ifdef(`apache.te',`
|
||||
can_tcp_connect(squid_t, httpd_t)
|
||||
')
|
||||
r_dir_file(squid_t, cert_t)
|
||||
ifdef(`winbind.te', `
|
||||
domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
|
||||
allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
#squid requires the following when run in diskd mode, the recommended setting
|
||||
allow squid_t tmpfs_t:file { read write };
|
||||
') dnl end TODO
|
||||
|
@ -388,7 +388,7 @@ template(`ssh_per_userdomain_template',`
|
||||
## </param>
|
||||
#
|
||||
template(`ssh_server_template', `
|
||||
type $1_t, ssh_server;
|
||||
type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
domain_type($1_t)
|
||||
role system_r types $1_t;
|
||||
|
||||
@ -428,6 +428,7 @@ template(`ssh_server_template', `
|
||||
corenet_tcp_sendrecv_all_ports($1_t)
|
||||
corenet_tcp_bind_all_nodes($1_t)
|
||||
corenet_udp_bind_all_nodes($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
|
||||
dev_read_urand($1_t)
|
||||
|
||||
@ -498,6 +499,10 @@ template(`ssh_server_template', `
|
||||
init_use_script_pty($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te', `
|
||||
mount_send_nfs_client_request($1_t)
|
||||
')
|
||||
|
@ -22,7 +22,7 @@ logging_log_file(lastlog_t)
|
||||
type login_exec_t;
|
||||
files_type(login_exec_t)
|
||||
|
||||
type pam_console_t;
|
||||
type pam_console_t; #, mlsfileread
|
||||
type pam_console_exec_t;
|
||||
init_system_domain(pam_console_t,pam_console_exec_t)
|
||||
role system_r types pam_console_t;
|
||||
@ -142,8 +142,9 @@ allow pam_console_t pam_var_console_t:file r_file_perms;
|
||||
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(pam_console_t)
|
||||
kernel_read_system_state(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
# Read /proc/meminfo
|
||||
kernel_read_system_state(pam_console_t)
|
||||
|
||||
dev_read_sysfs(pam_console_t)
|
||||
dev_getattr_apm_bios(pam_console_t)
|
||||
@ -173,6 +174,7 @@ storage_getattr_scsi_generic(pam_console_t)
|
||||
storage_setattr_scsi_generic(pam_console_t)
|
||||
|
||||
term_use_console(pam_console_t)
|
||||
term_setattr_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
term_setattr_unallocated_ttys(pam_console_t)
|
||||
|
||||
|
@ -40,6 +40,7 @@ ifdef(`targeted_policy',`
|
||||
# /sbin
|
||||
#
|
||||
/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
|
||||
/sbin/mkfs\.cramfs -- context_template(system_u:object_r:sbin_t,s0)
|
||||
/sbin/insmod_ksymoops_clean -- context_template(system_u:object_r:sbin_t,s0)
|
||||
|
||||
#
|
||||
|
@ -5,6 +5,14 @@
|
||||
/.* context_template(system_u:object_r:default_t,s0)
|
||||
/ -d context_template(system_u:object_r:root_t,s0)
|
||||
/\.journal <<none>>
|
||||
ifdef(`distro_redhat',`
|
||||
/\.autofsck -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
/\.autorelabel -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
/fastboot -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
/forcefsck -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
/fsckoptions -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
/poweroff -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
')
|
||||
|
||||
#
|
||||
# /boot
|
||||
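Review bot: `/\.journal <<none>>` is the only `<<none>>` entry in sight and carries no comment saying why that path must be left unlabelled; presumably it is the ext3 journal inode, which the filesystem owns and relabelling should not touch — confirm. A comment such as `# ext3 journal: leave whatever label the kernel assigned` above it would record that. The distro_redhat block that follows would likewise benefit from one line saying the listed root-level files are boot/shutdown flag files, which is presumably why they get etc_runtime_t.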
@ -32,6 +40,9 @@
|
||||
/etc/nologin.* -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
|
||||
/etc/init\.d/functions -- context_template(system_u:object_r:etc_t,s0)
|
||||
ifdef(`distro_suse',`
|
||||
/etc/init\.d/\.depend.* -- context_template(system_u:object_r:etc_runtime_t,s0)
|
||||
')
|
||||
|
||||
/etc/ipsec\.d/examples(/.*)? context_template(system_u:object_r:etc_t,s0)
|
||||
|
||||
|
@ -51,7 +51,7 @@ sid file context_template(system_u:object_r:file_t,s0)
|
||||
# home_root_t is the type for the directory where user home directories
|
||||
# are created
|
||||
#
|
||||
type home_root_t, file_type, mountpoint;
|
||||
type home_root_t, file_type, mountpoint; #, polyparent
|
||||
fs_associate(home_root_t)
|
||||
fs_associate_noxattr(home_root_t)
|
||||
|
||||
@ -84,7 +84,7 @@ fs_associate_noxattr(readable_t)
|
||||
#
|
||||
# root_t is the type for rootfs and the root directory.
|
||||
#
|
||||
type root_t, file_type, mountpoint;
|
||||
type root_t, file_type, mountpoint; #, polyparent
|
||||
fs_associate(root_t)
|
||||
fs_associate_noxattr(root_t)
|
||||
kernel_rootfs_mountpoint(root_t)
|
||||
@ -93,14 +93,14 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0)
|
||||
#
|
||||
# src_t is the type of files in the system src directories.
|
||||
#
|
||||
type src_t, file_type;
|
||||
type src_t, file_type, mountpoint;
|
||||
fs_associate(src_t)
|
||||
fs_associate_noxattr(src_t)
|
||||
|
||||
#
|
||||
# tmp_t is the type of the temporary directories
|
||||
#
|
||||
type tmp_t, file_type, tmpfile, mountpoint;
|
||||
type tmp_t, file_type, tmpfile, mountpoint; #, polydir
|
||||
fs_associate(tmp_t)
|
||||
fs_associate_noxattr(tmp_t)
|
||||
|
||||
|
@ -1,6 +1,7 @@
|
||||
/sbin/blockdev -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/cfdisk -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dosfsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dump -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dumpe2fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/e2fsck -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/e2label -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
@ -21,6 +22,7 @@
|
||||
/sbin/parted -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/partprobe -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/partx -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/raidautorun -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/raidstart -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/reiserfs(ck|tune) -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/resize.*fs -- context_template(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
@ -2,3 +2,7 @@
|
||||
/etc/mgetty(/.*)? context_template(system_u:object_r:getty_etc_t,s0)
|
||||
|
||||
/sbin/.*getty -- context_template(system_u:object_r:getty_exec_t,s0)
|
||||
|
||||
/var/log/mgetty\.log.* -- context_template(system_u:object_r:getty_log_t,s0)
|
||||
|
||||
/var/run/mgetty\.pid.* -- context_template(system_u:object_r:getty_var_run_t,s0)
|
||||
|
@ -15,33 +15,43 @@ type getty_etc_t;
|
||||
typealias getty_etc_t alias etc_getty_t;
|
||||
files_type(getty_etc_t)
|
||||
|
||||
type getty_lock_t;
|
||||
files_lock_file(getty_lock_t)
|
||||
|
||||
type getty_log_t;
|
||||
logging_log_file(getty_log_t)
|
||||
|
||||
type getty_tmp_t;
|
||||
files_tmp_file(getty_tmp_t)
|
||||
|
||||
type getty_var_run_t;
|
||||
files_pid_file(getty_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Getty local policy
|
||||
#
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
|
||||
# fbgetty needs fsetid for some reason
|
||||
#allow getty_t self:capability fsetid;
|
||||
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
|
||||
allow getty_t self:process { getpgid getsession };
|
||||
|
||||
allow getty_t getty_etc_t:dir r_dir_perms;
|
||||
allow getty_t getty_etc_t:file r_file_perms;
|
||||
files_create_etc_config(getty_t,getty_etc_t,{ file dir })
|
||||
|
||||
allow getty_t getty_lock_t:file create_file_perms;
|
||||
files_create_lock(getty_t,getty_lock_t)
|
||||
|
||||
allow getty_t getty_log_t:file { getattr append setattr };
|
||||
|
||||
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
|
||||
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
|
||||
files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
|
||||
|
||||
allow getty_t getty_log_t:file { getattr append setattr };
|
||||
allow getty_t getty_var_run_t:file create_file_perms;
|
||||
allow getty_t getty_var_run_t:dir create_dir_perms;
|
||||
files_create_pid(getty_t,getty_var_run_t)
|
||||
|
||||
dev_read_sysfs(getty_t)
|
||||
|
||||
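Review bot: The new getty_tmp_t rules list `setattr` twice: `allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };` and the matching dir rule; the duplicate is harmless to the compiler but reads as a typo, and `{ getattr create read setattr write unlink }` / `{ getattr search create read setattr write unlink rmdir }` is the intended set. The capability line also grows from `{ dac_override chown sys_resource sys_tty_config }` to include `fowner fsetid` while the old `# fbgetty needs fsetid for some reason` note is removed, so the reason for both new capabilities is now undocumented; keep a why-comment, e.g. `# fowner/fsetid: needed by fbgetty (confirm which calls)`. `allow getty_t getty_log_t:file { getattr append setattr };` appears twice in the hunk; if both survive on the new side, one is redundant.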
@ -58,9 +68,9 @@ term_setattr_console(getty_t)
|
||||
auth_rw_login_records(getty_t)
|
||||
|
||||
corecmd_search_bin(getty_t)
|
||||
corecmd_search_sbin(getty_t)
|
||||
|
||||
files_rw_generic_pids(getty_t)
|
||||
files_manage_generic_locks(getty_t)
|
||||
files_read_etc_runtime_files(getty_t)
|
||||
files_read_etc_files(getty_t)
|
||||
|
||||
@ -75,3 +85,12 @@ locallogin_domtrans(getty_t)
|
||||
logging_send_syslog_msg(getty_t)
|
||||
|
||||
miscfiles_read_localization(getty_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
#
|
||||
# getty needs to be able to run pppd
|
||||
#
|
||||
ifdef(`pppd.te', `
|
||||
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -55,8 +55,10 @@ ifdef(`distro_gentoo', `
|
||||
/var/run/setmixer_flag -- context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/bootsplashctl -p context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/keymap -- context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/numlock-on -- context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/setleds-on -- context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
/var/run/sysconfig(/.*)? context_template(system_u:object_r:initrc_var_run_t,s0)
|
||||
')
|
||||
|
||||
|
@ -15,7 +15,7 @@ attribute direct_init_entry;
|
||||
#
|
||||
# init_t is the domain of the init process.
|
||||
#
|
||||
type init_t;
|
||||
type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;
|
||||
domain_type(init_t)
|
||||
role system_r types init_t;
|
||||
|
||||
@ -37,10 +37,10 @@ files_pid_file(init_var_run_t)
|
||||
# by init during initialization. This pipe is used
|
||||
# to communicate with init.
|
||||
#
|
||||
type initctl_t;
|
||||
type initctl_t; #, mlstrustedobject;
|
||||
files_type(initctl_t)
|
||||
|
||||
type initrc_t;
|
||||
type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
|
||||
domain_type(initrc_t)
|
||||
role system_r types initrc_t;
|
||||
|
||||
@ -79,6 +79,8 @@ allow init_t self:fifo_file rw_file_perms;
|
||||
# Re-exec itself
|
||||
allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
|
||||
|
||||
allow init_t initrc_t:unix_stream_socket connectto;
|
||||
|
||||
# For /var/run/shutdown.pid.
|
||||
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
|
||||
files_create_pid(init_t,init_var_run_t)
|
||||
@ -162,6 +164,10 @@ optional_policy(`userdomain.te',`
|
||||
userdom_shell_domtrans_sysadm(init_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow init_t ramfs_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init script local policy
|
||||
@ -201,12 +207,8 @@ kernel_read_ring_buffer(initrc_t)
|
||||
kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
dev_read_sysfs(initrc_t)
|
||||
dev_rw_sysfs(initrc_t)
|
||||
kernel_read_all_sysctl(initrc_t)
|
||||
kernel_rw_all_sysctl(initrc_t)
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
kernel_dontaudit_getattr_message_if(initrc_t)
|
||||
|
||||
@ -222,11 +224,14 @@ corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_bind_all_nodes(initrc_t)
|
||||
corenet_udp_bind_all_nodes(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
dev_write_rand(initrc_t)
|
||||
dev_write_urand(initrc_t)
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_snd_mixer_dev(initrc_t)
|
||||
@ -244,6 +249,8 @@ fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
storage_getattr_fixed_disk(initrc_t)
|
||||
storage_setattr_fixed_disk(initrc_t)
|
||||
storage_setattr_removable_device(initrc_t)
|
||||
@ -307,7 +314,7 @@ libs_use_shared_libs(initrc_t)
|
||||
libs_exec_lib_files(initrc_t)
|
||||
|
||||
logging_send_syslog_msg(initrc_t)
|
||||
logging_rw_generic_logs(initrc_t)
|
||||
logging_manage_generic_logs(initrc_t)
|
||||
logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
|
||||
@ -527,6 +534,11 @@ role system_r types initrc_su_t;
|
||||
ifdef(`distro_redhat', `
|
||||
# readahead asks for these
|
||||
allow initrc_t var_lib_nfs_t:file r_file_perms;
|
||||
|
||||
file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
|
||||
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
||||
allow initrc_t self:capability sys_admin;
|
||||
allow initrc_t device_t:dir create;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
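Review bot: The readahead block under the distro_redhat ifdef grants `allow initrc_t self:capability sys_admin;`, `allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;` and a `file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)` transition with only `# readahead asks for these` to justify them; which of these lines are new I cannot tell from the rendered hunk. sys_admin and getattr on every file type are broad for a readahead workaround, and `file_type_auto_trans` is the legacy macro style the rest of the file has moved away from (`files_create_pid`, `logging_*` interfaces in the neighbouring hunks). At minimum each rule should say which readahead operation needs it, e.g. `# readahead creates fixed-disk device nodes under /dev (confirm)`, and the transition should use the corresponding storage or devices interface if one exists.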
@ -238,9 +238,13 @@ interface(`logging_write_generic_logs',`
|
||||
allow $1 var_log_t:file { getattr write };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# logging_rw_generic_logs(domain)
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write generic log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_rw_generic_logs',`
|
||||
gen_require(`
|
||||
@ -253,3 +257,24 @@ interface(`logging_rw_generic_logs',`
|
||||
allow $1 var_log_t:dir r_dir_perms;
|
||||
allow $1 var_log_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## generic log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_manage_generic_logs',`
|
||||
gen_require(`
|
||||
type var_log_t;
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir rw_dir_perms;
|
||||
allow $1 var_log_t:file create_file_perms;
|
||||
')
|
||||
|
@ -18,10 +18,10 @@ init_daemon_domain(auditd_t,auditd_exec_t)
|
||||
type auditd_var_run_t;
|
||||
files_pid_file(auditd_var_run_t)
|
||||
|
||||
type devlog_t;
|
||||
type devlog_t; #, mlstrustedobject;
|
||||
files_type(devlog_t)
|
||||
|
||||
type klogd_t;
|
||||
type klogd_t; #, mlsfileread
|
||||
type klogd_exec_t;
|
||||
init_daemon_domain(klogd_t,klogd_exec_t)
|
||||
|
||||
@ -155,7 +155,8 @@ miscfiles_read_localization(klogd_t)
|
||||
# syslogd local policy
|
||||
#
|
||||
|
||||
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
|
||||
# cjp: why net_admin!
|
||||
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
|
||||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
allow syslogd_t self:process signal_perms;
|
||||
|
||||
|
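Review bot: The rewritten line `allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };` drops `net_bind_service`, which the old line carried and which the strict syslogd.te hunk in this same commit keeps (`{ dac_override net_admin net_bind_service sys_resource sys_tty_config }`) next to `allow syslogd_t syslogd_port_t:udp_socket name_bind;`; if the refpolicy syslogd still binds the reserved syslog port, remote logging will be denied after this change. The `# cjp: why net_admin!` comment records that `net_admin` could not be justified, and granting a broad capability on a guess is the wrong default; the ntpd.te hunk shows the safer form, `dontaudit ntpd_t self:capability { net_admin };`. I would restore `net_bind_service`, move `net_admin` to a `dontaudit` rule, and keep the question as a comment until the access is explained.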
@ -32,14 +32,12 @@ files_tmp_file(lvm_tmp_t)
|
||||
#
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
|
||||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
allow lvm_t self:process setsched;
|
||||
|
||||
allow lvm_t self:file r_file_perms;
|
||||
allow lvm_t self:file rw_file_perms;
|
||||
allow lvm_t self:fifo_file rw_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
@ -122,7 +120,6 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
|
||||
|
||||
domain_use_wide_inherit_fd(lvm_t)
|
||||
|
||||
files_search_var(lvm_t)
|
||||
files_read_etc_files(lvm_t)
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
files_dontaudit_getattr_pid_dir(lvm_t)
|
||||
|
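Review bot: The capability line in the first hunk grows to `{ dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource }`, but the comment above it still explains only `dac_override` and `mknod` (`# DAC overrides and mknod for modifying /dev entries (vgmknodes)`); the same two capabilities are added in the strict lvm.te hunk later in this commit. Neither `chown` nor `sys_resource` is obvious for an LVM tool, so a reader cannot tell whether they answer a real need or were copied from a denial; a comment such as `# chown/sys_resource: <reason> — confirm against the denial that prompted them` keeps the why with the rule. The change from `r_file_perms` to `rw_file_perms` on `lvm_t self:file` likewise lacks a note on which /proc/self entry is written. This hunk drops two context lines on the new side that the page does not mark, so that part of the change is not reviewable here.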
@ -6,12 +6,6 @@ policy_module(miscfiles,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
#
|
||||
# catman_t is the type for /var/catman.
|
||||
#
|
||||
type catman_t;
|
||||
files_tmp_file(catman_t)
|
||||
|
||||
#
|
||||
# cert_t is the type of files in the system certs directories.
|
||||
#
|
||||
@ -25,6 +19,18 @@ files_type(cert_t)
|
||||
type fonts_t;
|
||||
files_type(fonts_t)
|
||||
|
||||
#
|
||||
# Type for anonymous FTP data, used by ftp and rsync
|
||||
#
|
||||
type ftpd_anon_t; #, customizable;
|
||||
files_type(ftpd_anon_t)
|
||||
|
||||
#
|
||||
# type for /tmp/.ICE-unix
|
||||
#
|
||||
type ice_tmp_t;
|
||||
files_tmp_file(ice_tmp_t)
|
||||
|
||||
#
|
||||
# locale_t is the type for system localization
|
||||
#
|
||||
@ -34,7 +40,7 @@ files_type(locale_t)
|
||||
#
|
||||
# man_t is the type for the man directories.
|
||||
#
|
||||
type man_t;
|
||||
type man_t alias catman_t;
|
||||
files_type(man_t)
|
||||
|
||||
#
|
||||
@ -48,3 +54,7 @@ files_type(test_file_t)
|
||||
#
|
||||
type tetex_data_t;
|
||||
files_tmp_file(tetex_data_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow customizable self:filesystem associate;
|
||||
') dnl end TODO
|
||||
|
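Review bot: `type man_t alias catman_t;` in the `-34,7 +40,7` hunk turns `catman_t` — removed in the first hunk, where it was its own `files_tmp_file` type for /var/catman — into an alias of `man_t`, so everything labelled catman_t now carries the type of the system man-page directories. Any domain that was allowed to write the catman cache thereby gains the same write access on all `man_t` content, and the tmp-file attribute is lost; if that merge is intended, a comment on the alias line (`# catman_t was a separate tmp type; /var/catman is now treated as man_t`) would stop the next reader from re-splitting it. The `ifdef(`TODO',` block at the end references a `customizable` attribute that this file only mentions in the commented-out `#, customizable;` on `ftpd_anon_t`, so it is inert until that attribute is declared.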
@ -6,7 +6,7 @@ policy_module(raid,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type mdadm_t;
|
||||
type mdadm_t; # privmail
|
||||
type mdadm_exec_t;
|
||||
init_daemon_domain(mdadm_t,mdadm_exec_t)
|
||||
role system_r types mdadm_t;
|
||||
|
@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||
type policy_src_t;
|
||||
files_type(policy_src_t)
|
||||
|
||||
type restorecon_t, can_relabelto_binary_policy;
|
||||
type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
|
||||
type restorecon_exec_t;
|
||||
domain_obj_id_change_exempt(restorecon_t)
|
||||
init_system_domain(restorecon_t,restorecon_exec_t)
|
||||
@ -280,7 +280,6 @@ kernel_read_system_state(restorecon_t)
|
||||
dev_rw_generic_file(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
fs_list_all(restorecon_t)
|
||||
|
||||
selinux_get_fs_mount(restorecon_t)
|
||||
selinux_validate_context(restorecon_t)
|
||||
|
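Review bot: `type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;` parks the MLS attributes from the strict policy in a trailing comment, and the same pattern is used for `devlog_t` and `klogd_t` in logging.te, `udev_t` in udev.te and `# privmail` on `mdadm_t` in raid.te. A bare list of attribute names in a comment is easy to mistake for documentation and cannot be found as pending work; a consistent marker such as `# TODO(mls): mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade` (and `# TODO(attr): privmail` for mdadm) would make these placeholders recoverable once the attributes exist in refpolicy. The `-280,7 +280,6` hunk also drops one of the listed context lines, but the page does not mark which, so the effect on restorecon's filesystem access is not reviewable here.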
@ -43,6 +43,7 @@
|
||||
#
|
||||
/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
|
||||
/var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0)
|
||||
/var/lib/dhcpcd(/.*)? context_template(system_u:object_r:dhcpc_state_t,s0)
|
||||
|
||||
/var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
/var/run/dhclient.*\.leases -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
|
||||
|
@ -6,7 +6,7 @@ policy_module(udev,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type udev_t;
|
||||
type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
|
||||
type udev_exec_t;
|
||||
type udev_helper_exec_t;
|
||||
kernel_userland_entry(udev_t,udev_exec_t)
|
||||
@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
@ -42,6 +42,7 @@ allow udev_t self:fifo_file rw_file_perms;
|
||||
allow udev_t self:unix_stream_socket { listen accept };
|
||||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket { create bind read };
|
||||
allow udev_t self:shm create_shm_perms;
|
||||
allow udev_t self:sem create_sem_perms;
|
||||
allow udev_t self:msgq create_msgq_perms;
|
||||
@ -72,6 +73,7 @@ kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
kernel_rw_unix_dgram_socket(udev_t)
|
||||
kernel_sendto_unix_dgram_socket(udev_t)
|
||||
kernel_signal(udev_t)
|
||||
|
||||
dev_read_sysfs(udev_t)
|
||||
dev_manage_dev_nodes(udev_t)
|
||||
|
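Review bot: The comment on `type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')` ends in a stray `')`, the closing quote and parenthesis of the m4 `daemon_domain(udev, ...)` call it was copied from; it is harmless inside a comment but reads as an unbalanced macro, so I would drop it. In the local-policy hunk `sys_nice` is appended to an already wide capability set (`chown dac_override dac_read_search ... net_raw net_admin sys_nice`) with no note on which udev helper needs to change scheduling priority; a short `# sys_nice: <helper>` comment would keep the capability tied to its reason. The `-72,6 +73,7` hunk adds one line among `kernel_rw_unix_dgram_socket` and `kernel_sendto_unix_dgram_socket`, but the page does not mark which, so whether both kernel-socket interfaces are now granted cannot be told here.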
strict/domains/misc/local.te
@ -0,0 +1,5 @@
|
||||
# Local customization of existing policy should be done in this file.
|
||||
# If you are creating brand new policy for a new "target" domain, you
|
||||
# need to create a type enforcement (.te) file in domains/program
|
||||
# and a file context (.fc) file in file_context/program.
|
||||
|
@ -11,7 +11,7 @@
|
||||
# consoletype_t is the domain for the consoletype program.
|
||||
# consoletype_exec_t is the type of the corresponding program.
|
||||
#
|
||||
type consoletype_t, domain;
|
||||
type consoletype_t, domain, mlsfileread, mlsfilewrite;
|
||||
type consoletype_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
role system_r types consoletype_t;
|
||||
@ -57,6 +57,7 @@ allow consoletype_t tmpfs_t:chr_file rw_file_perms;
|
||||
ifdef(`firstboot.te', `
|
||||
allow consoletype_t firstboot_t:fifo_file write;
|
||||
')
|
||||
dontaudit consoletype_t proc_t:dir search;
|
||||
dontaudit consoletype_t proc_t:file read;
|
||||
dontaudit consoletype_t root_t:file read;
|
||||
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
|
||||
|
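Review bot: `type consoletype_t, domain, mlsfileread, mlsfilewrite;` gives a utility that only reports the console type both the MLS read-down and write-up exemptions, while the header comment above (`# consoletype_t is the domain for the consoletype program.`) says nothing about a file it must write at another level. `mlsfilewrite` is the wider of the two, and if it exists only to silence a denial on one specific file, a comment naming it — `# mlsfilewrite: <file> is written at a different level when run from <context>` — would let the exemption be narrowed later. The `-57,6 +57,7` hunk adds one of the `dontaudit consoletype_t ...` lines, but the page does not mark which.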
@ -37,7 +37,7 @@ allow mta_user_agent system_crond_t:fd use;
|
||||
|
||||
# read files in /etc
|
||||
allow system_crond_t etc_t:file r_file_perms;
|
||||
allow system_crond_t etc_runtime_t:file read;
|
||||
allow system_crond_t etc_runtime_t:file { getattr read };
|
||||
|
||||
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
||||
|
||||
|
@ -23,22 +23,13 @@ allow getty_t self:process { getpgid getsession };
|
||||
allow getty_t self:unix_dgram_socket create_socket_perms;
|
||||
allow getty_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
# to allow w to display everyone...
|
||||
bool user_ttyfile_stat false;
|
||||
if (user_ttyfile_stat) {
|
||||
allow userdomain ttyfile:chr_file getattr;
|
||||
}
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
|
||||
|
||||
# fbgetty needs fsetid for some reason
|
||||
#allow getty_t self:capability fsetid;
|
||||
|
||||
read_locale(getty_t)
|
||||
|
||||
# Run login in local_login_t domain.
|
||||
allow getty_t bin_t:dir search;
|
||||
allow getty_t { sbin_t bin_t }:dir search;
|
||||
domain_auto_trans(getty_t, login_exec_t, local_login_t)
|
||||
|
||||
# Write to /var/run/utmp.
|
||||
@ -55,5 +46,15 @@ allow getty_t ttyfile:chr_file { setattr rw_file_perms };
|
||||
# for error condition handling
|
||||
allow getty_t fs_t:filesystem getattr;
|
||||
|
||||
rw_dir_create_file(getty_t, var_lock_t)
|
||||
lock_domain(getty)
|
||||
r_dir_file(getty_t, sysfs_t)
|
||||
# for mgetty
|
||||
var_run_domain(getty)
|
||||
allow getty_t self:capability { fowner fsetid };
|
||||
|
||||
#
|
||||
# getty needs to be able to run pppd
|
||||
#
|
||||
ifdef(`pppd.te', `
|
||||
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
|
||||
')
|
||||
|
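Review bot: The second hunk adds `allow getty_t self:capability { fowner fsetid };` as a standalone rule while the first hunk removes the old `# fbgetty needs fsetid for some reason` / `#allow getty_t self:capability fsetid;` pair, so the doubt that used to be recorded becomes a silent grant that also adds `fowner`. This file already has `allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };` under `# Use capabilities.`; I would fold the two new capabilities into that line and keep the reason beside it, e.g. `# fowner/fsetid: <which getty variant needs them and for which file>`, since the nearby `# for mgetty` comment only covers `var_run_domain(getty)`. The `domain_auto_trans(getty_t, pppd_exec_t, pppd_t)` addition is guarded by `ifdef(`pppd.te'` and explained by its comment, which is the right shape.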
@ -15,7 +15,7 @@ daemon_domain(hald, `, fs_domain, nscd_client_domain')
|
||||
can_exec_any(hald_t)
|
||||
|
||||
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
allow hald_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
@ -30,6 +30,10 @@ allow hald_t { bin_t sbin_t }:dir search;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t usr_t:file { getattr read };
|
||||
allow hald_t bin_t:file getattr;
|
||||
# For backwards compatibility with older kernels
|
||||
allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
|
||||
can_network_server(hald_t)
|
||||
|
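Review bot: `allow hald_t self:netlink_socket create_socket_perms;` under `# For backwards compatibility with older kernels` grants the generic netlink class, which on kernels lacking the specific `netlink_kobject_uevent_socket` class is the class applied to netlink families without their own, so it is wider than the uevent rule it backs up. The comment should say which kernels this targets so the rule can be removed when they drop out of support, e.g. `# kernels before <version> have no netlink_kobject_uevent_socket class; remove once unsupported`. The `-30,6 +30,10` hunk adds four lines but only the comment, the netlink rule and a blank are identifiable, so whether `allow hald_t bin_t:file getattr;` or `allow hald_t usr_t:file { getattr read };` is the fourth cannot be told from this page.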
@ -14,11 +14,11 @@
|
||||
# by init during initialization. This pipe is used
|
||||
# to communicate with init.
|
||||
#
|
||||
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
|
||||
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
|
||||
role system_r types init_t;
|
||||
uses_shlib(init_t);
|
||||
type init_exec_t, file_type, sysadmfile, exec_type;
|
||||
type initctl_t, file_type, sysadmfile, dev_fs;
|
||||
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
|
||||
|
||||
# for init to determine whether SE Linux is active so it can know whether to
|
||||
# activate it
|
||||
@ -82,6 +82,7 @@ allow init_t self:process { fork sigchld };
|
||||
# Modify utmp.
|
||||
allow init_t var_run_t:file rw_file_perms;
|
||||
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
|
||||
can_unix_connect(init_t, initrc_t)
|
||||
|
||||
# For /var/run/shutdown.pid.
|
||||
var_run_domain(init)
|
||||
@ -133,6 +134,7 @@ allow init_t lib_t:file { getattr read };
|
||||
|
||||
allow init_t devtty_t:chr_file { read write };
|
||||
allow init_t ramfs_t:dir search;
|
||||
allow init_t ramfs_t:sock_file write;
|
||||
r_dir_file(init_t, sysfs_t)
|
||||
|
||||
r_dir_file(init_t, selinux_config_t)
|
||||
|
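Review bot: `type init_t, ..., mlsrangetrans, mlsfileread, mlsfilewrite;` and `type initctl_t, ..., mlstrustedobject;` add MLS exemptions to init and its control fifo with no comment in the declaration block explaining them. `mlsrangetrans` is what lets init start daemons at an MLS range different from its own, and `mlstrustedobject` exempts the initctl fifo from the MLS constraints so processes at other levels can write to it; a short comment such as `# mlsrangetrans: init launches daemons at their configured range; initctl_t is trusted so telinit works from any level` would document the trust boundary being opened. The two later hunks each add one line among the utmp and ramfs rules, but the page does not mark which.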
@ -12,11 +12,12 @@
|
||||
# initrc_exec_t is the type of the init program.
|
||||
#
|
||||
# do not use privmail for sendmail as it creates a type transition conflict
|
||||
type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
|
||||
type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
|
||||
|
||||
role system_r types initrc_t;
|
||||
uses_shlib(initrc_t);
|
||||
can_network(initrc_t)
|
||||
allow initrc_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(initrc_t)
|
||||
type initrc_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
@ -130,7 +131,7 @@ allow initrc_t ld_so_cache_t:file rw_file_perms;
|
||||
# Update /var/log/wtmp and /var/log/dmesg.
|
||||
allow initrc_t wtmp_t:file { setattr rw_file_perms };
|
||||
allow initrc_t var_log_t:dir rw_dir_perms;
|
||||
allow initrc_t var_log_t:file { setattr rw_file_perms };
|
||||
allow initrc_t var_log_t:file create_file_perms;
|
||||
allow initrc_t lastlog_t:file { setattr rw_file_perms };
|
||||
allow initrc_t logfile:file { read append };
|
||||
|
||||
@ -194,10 +195,8 @@ file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
|
||||
allow initrc_t tmpfs_t:chr_file rw_file_perms;
|
||||
allow initrc_t tmpfs_t:dir r_dir_perms;
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Allow initrc domain to set the enforcing flag.
|
||||
can_setenforce(initrc_t)
|
||||
')
|
||||
|
||||
#
|
||||
# readahead asks for these
|
||||
@ -208,6 +207,11 @@ allow initrc_t var_lib_nfs_t:file { getattr read };
|
||||
# for /halt /.autofsck and other flag files
|
||||
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
|
||||
|
||||
file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
|
||||
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
||||
allow initrc_t self:capability sys_admin;
|
||||
allow initrc_t device_t:dir create;
|
||||
|
||||
')dnl end distro_redhat
|
||||
|
||||
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
|
||||
@ -287,10 +291,6 @@ allow initrc_t device_t:lnk_file unlink;
|
||||
|
||||
r_dir_file(initrc_t,selinux_config_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
|
||||
')
|
||||
|
||||
ifdef(`unlimitedRC', `
|
||||
unconfined_domain(initrc_t)
|
||||
')
|
||||
|
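Review bot: `allow initrc_t port_type:tcp_socket name_connect;` lets the init-script domain connect to every labelled TCP port, and the same blanket `port_type:tcp_socket name_connect` is added in this commit for netutils_t, nscd_t, portmap_t and portmap_helper_t, postfix_master_t, the postfix_$1_t template, postfix_map_t and sshd's `$1_t`, whereas ntpd.te narrows it to `ntp_port_t` and squid.te puts the blanket form behind `squid_connect_any`. For a long-running daemon the destination port set is usually known, so I would narrow those to the relevant port types and keep the blanket rule only where the destination genuinely is arbitrary (initrc_t, netutils_t). In the `-130,7 +131,7` hunk `allow initrc_t var_log_t:file create_file_perms;` replaces `{ setattr rw_file_perms }`, which adds create and unlink of generic log files to initrc_t; if this is only for creating /var/log/dmesg, a comment saying so would stop the wider permission being copied elsewhere. The `distro_redhat` block adds `allow initrc_t self:capability sys_admin;` under `# readahead asks for these`; `sys_admin` is the broadest capability there is and deserves a note on the exact operation denied rather than the generic attribution.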
@ -8,7 +8,7 @@
|
||||
#
|
||||
# Rules for the klogd_t domain.
|
||||
#
|
||||
daemon_domain(klogd, `, privmem')
|
||||
daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
|
||||
|
||||
tmp_domain(klogd)
|
||||
allow klogd_t proc_t:dir r_dir_perms;
|
||||
|
@ -18,7 +18,6 @@ type lvm_vg_t, file_type, sysadmfile;
|
||||
type lvm_metadata_t, file_type, sysadmfile;
|
||||
type lvm_control_t, device_type, dev_fs;
|
||||
etcdir_domain(lvm)
|
||||
allow lvm_t var_t:dir search;
|
||||
lock_domain(lvm)
|
||||
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||
|
||||
@ -35,7 +34,7 @@ allow lvm_t self:fifo_file rw_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
r_dir_file(lvm_t, proc_t)
|
||||
allow lvm_t self:file r_file_perms;
|
||||
allow lvm_t self:file rw_file_perms;
|
||||
|
||||
# Read system variables in /proc/sys
|
||||
read_sysctl(lvm_t)
|
||||
@ -65,7 +64,7 @@ tmp_domain(lvm)
|
||||
allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
|
||||
allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
|
||||
|
||||
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
|
||||
file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
|
||||
|
@ -3,7 +3,7 @@
|
||||
# Author: Colin Walters <walters@redhat.com>
|
||||
#
|
||||
|
||||
daemon_base_domain(mdadm, `, fs_domain')
|
||||
daemon_base_domain(mdadm, `, fs_domain, privmail')
|
||||
role sysadm_r types mdadm_t;
|
||||
|
||||
allow initrc_t mdadm_var_run_t:file create_file_perms;
|
||||
|
@ -16,11 +16,14 @@ role sysadm_r types netutils_t;
|
||||
|
||||
uses_shlib(netutils_t)
|
||||
can_network(netutils_t)
|
||||
allow netutils_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(netutils_t)
|
||||
tmp_domain(netutils)
|
||||
|
||||
domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
|
||||
')
|
||||
|
||||
# Inherit and use descriptors from init.
|
||||
allow netutils_t { userdomain init_t }:fd use;
|
||||
|
@ -23,6 +23,7 @@ daemon_domain(nscd, `, userspace_objmgr')
|
||||
allow nscd_t etc_t:file r_file_perms;
|
||||
allow nscd_t etc_t:lnk_file read;
|
||||
can_network_client(nscd_t)
|
||||
allow nscd_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(nscd_t)
|
||||
|
||||
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
|
||||
|
@ -10,7 +10,6 @@
|
||||
#
|
||||
daemon_domain(ntpd, `, nscd_client_domain')
|
||||
type ntp_drift_t, file_type, sysadmfile;
|
||||
type ntp_port_t, port_type, reserved_port_type;
|
||||
|
||||
type ntpdate_exec_t, file_type, sysadmfile, exec_type;
|
||||
domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
|
||||
@ -25,7 +24,7 @@ allow ntpd_t ntp_drift_t:dir rw_dir_perms;
|
||||
allow ntpd_t ntp_drift_t:file create_file_perms;
|
||||
|
||||
# for SSP
|
||||
allow ntpd_t urandom_device_t:chr_file read;
|
||||
allow ntpd_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
|
||||
dontaudit ntpd_t self:capability { net_admin };
|
||||
@ -41,6 +40,7 @@ allow ntpd_t etc_t:file { read getattr };
|
||||
|
||||
# Use the network.
|
||||
can_network(ntpd_t)
|
||||
allow ntpd_t ntp_port_t:tcp_socket name_connect;
|
||||
can_ypbind(ntpd_t)
|
||||
allow ntpd_t ntp_port_t:udp_socket name_bind;
|
||||
allow ntpd_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -83,4 +83,5 @@ ifdef(`winbind.te', `
|
||||
allow ntpd_t winbind_var_run_t:dir r_dir_perms;
|
||||
allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
|
||||
')
|
||||
|
||||
# For clock devices like wwvb1
|
||||
allow ntpd_t device_t:lnk_file read;
|
||||
|
@ -3,17 +3,23 @@
|
||||
#
|
||||
# pam_console_apply
|
||||
|
||||
daemon_base_domain(pam_console, `, nscd_client_domain')
|
||||
daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
|
||||
|
||||
type pam_var_console_t, file_type, sysadmfile;
|
||||
|
||||
allow pam_console_t etc_t:file { getattr read ioctl };
|
||||
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# Read /etc/mtab
|
||||
allow pam_console_t etc_runtime_t:file { read getattr };
|
||||
|
||||
# Read /proc/meminfo
|
||||
allow pam_console_t proc_t:file { read getattr };
|
||||
|
||||
allow pam_console_t self:capability { chown fowner fsetid };
|
||||
|
||||
# Allow access to /dev/console through the fd:
|
||||
allow pam_console_t console_device_t:chr_file { read write };
|
||||
allow pam_console_t console_device_t:chr_file { read write setattr };
|
||||
allow pam_console_t { kernel_t init_t }:fd use;
|
||||
|
||||
# for /var/run/console.lock checking
|
||||
@ -36,7 +42,6 @@ ifdef(`hotplug.te', `
|
||||
dontaudit pam_console_t hotplug_etc_t:dir search;
|
||||
allow pam_console_t hotplug_t:fd use;
|
||||
')
|
||||
allow pam_console_t proc_t:file read;
|
||||
ifdef(`xdm.te', `
|
||||
allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
|
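Review bot: `allow pam_console_t console_device_t:chr_file { read write setattr };` adds `setattr`, but the comment above it still reads `# Allow access to /dev/console through the fd:`, which described read/write on an inherited descriptor, not changing the device's ownership or mode. Taken together with the new `allow pam_console_t self:capability { chown fowner fsetid };` this is presumably pam_console_apply handing the console to the logged-in user; the comment should say so, e.g. `# pam_console_apply chowns/chmods /dev/console to the console user`, so the setattr is not later mistaken for noise. The removal of the duplicated `allow pam_console_t proc_t:file read;` in the second hunk is fine since `{ read getattr }` is granted above.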
@ -145,6 +145,7 @@ dontaudit sysadm_passwd_t devpts_t:dir search;
|
||||
|
||||
# make sure that getcon succeeds
|
||||
allow passwd_t userdomain:dir search;
|
||||
allow passwd_t userdomain:file read;
|
||||
allow passwd_t userdomain:file { getattr read };
|
||||
allow passwd_t userdomain:process getattr;
|
||||
|
||||
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
@ -14,12 +14,11 @@
|
||||
daemon_domain(portmap, `, nscd_client_domain')
|
||||
|
||||
can_network(portmap_t)
|
||||
allow portmap_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(portmap_t)
|
||||
allow portmap_t self:unix_dgram_socket create_socket_perms;
|
||||
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
type portmap_port_t, port_type, reserved_port_type;
|
||||
|
||||
tmp_domain(portmap)
|
||||
|
||||
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
|
||||
@ -60,11 +59,13 @@ domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
|
||||
dontaudit portmap_helper_t self:capability { net_admin };
|
||||
allow portmap_helper_t self:capability { net_bind_service };
|
||||
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
|
||||
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
|
||||
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
can_network(portmap_helper_t)
|
||||
allow portmap_helper_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(portmap_helper_t)
|
||||
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
|
||||
allow portmap_helper_t etc_t:file { getattr read };
|
||||
dontaudit portmap_helper_t userdomain:fd use;
|
||||
dontaudit portmap_helper_t { userdomain privfd }:fd use;
|
||||
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
|
||||
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
|
||||
|
@ -9,7 +9,6 @@
|
||||
type postfix_var_run_t, file_type, sysadmfile, pidfile;
|
||||
|
||||
type postfix_etc_t, file_type, sysadmfile;
|
||||
typealias postfix_etc_t alias etc_postfix_t;
|
||||
type postfix_exec_t, file_type, sysadmfile, exec_type;
|
||||
type postfix_public_t, file_type, sysadmfile;
|
||||
type postfix_private_t, file_type, sysadmfile;
|
||||
@ -120,6 +119,7 @@ allow postfix_master_t postfix_private_t:dir rw_dir_perms;
|
||||
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
|
||||
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
|
||||
can_network(postfix_master_t)
|
||||
allow postfix_master_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(postfix_master_t)
|
||||
allow postfix_master_t smtp_port_t:tcp_socket name_bind;
|
||||
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
|
||||
@ -155,6 +155,7 @@ domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
||||
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
||||
allow postfix_$1_t self:capability { setuid setgid dac_override };
|
||||
can_network_client(postfix_$1_t)
|
||||
allow postfix_$1_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(postfix_$1_t)
|
||||
')
|
||||
|
||||
@ -179,6 +180,7 @@ allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
|
||||
# for OpenSSL certificates
|
||||
r_dir_file(postfix_smtpd_t,usr_t)
|
||||
allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
|
||||
allow postfix_smtpd_t self:file { getattr read };
|
||||
|
||||
# for prng_exch
|
||||
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
|
||||
@ -345,5 +347,6 @@ allow postfix_map_t self:capability setgid;
|
||||
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
||||
dontaudit postfix_map_t var_t:dir search;
|
||||
can_network_server(postfix_map_t)
|
||||
allow postfix_map_t port_type:tcp_socket name_connect;
|
||||
allow postfix_local_t mail_spool_t:dir { remove_name };
|
||||
allow postfix_local_t mail_spool_t:file { unlink };
|
||||
|
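Review bot: The `-345,5 +347,6` hunk gives `postfix_map_t` — the table-building domain — `allow postfix_map_t port_type:tcp_socket name_connect;` on top of the existing `can_network_server(postfix_map_t)`, so a map rebuild may open a TCP connection to any labelled port. If this is for network-backed lookup tables, naming the backend port types instead of `port_type` keeps the map builder from becoming a general outbound channel; the same blanket grant is added for `postfix_master_t` and the `postfix_$1_t` template in the earlier hunks. The `-9,7 +9,6` hunk removes one declaration line the page does not mark; if it is `typealias postfix_etc_t alias etc_postfix_t;`, any policy still referring to `etc_postfix_t` will fail to build.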
@ -8,7 +8,7 @@
|
||||
#
|
||||
# Rules for the privoxy_t domain.
|
||||
#
|
||||
daemon_domain(privoxy)
|
||||
daemon_domain(privoxy, `, web_client_domain')
|
||||
|
||||
logdir_domain(privoxy)
|
||||
|
||||
@ -17,7 +17,8 @@ allow privoxy_t self:capability net_bind_service;
|
||||
|
||||
# Use the network.
|
||||
can_network(privoxy_t)
|
||||
allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
|
||||
can_ypbind(privoxy_t)
|
||||
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
|
||||
allow privoxy_t etc_t:file { getattr read };
|
||||
allow privoxy_t self:capability { setgid setuid };
|
||||
allow privoxy_t self:unix_stream_socket create_socket_perms ;
|
||||
|
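Review bot: `allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;` sits in the `-17,7 +17,8` hunk beside the existing `allow privoxy_t http_cache_port_t:tcp_socket name_bind;`, and the page does not mark which of the two is the added line. If the generic-port bind is the addition, it lets privoxy listen on any unreserved port, on UDP as well as TCP, which a forward proxy that speaks only HTTP should not need; restricting it to `tcp_socket` and adding a comment naming the configuration case (a non-default listen port) would keep it reviewable. Making privoxy a `web_client_domain` rather than granting a blanket `port_type` name_connect is the right way to give it outbound HTTP, so that part of the change reads well.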
@ -12,7 +12,7 @@
|
||||
#
|
||||
# needs auth_write attribute because it has relabelfrom/relabelto
|
||||
# access to shadow_t
|
||||
type restorecon_t, domain, privlog, privowner, auth_write, change_context;
|
||||
type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
|
||||
type restorecon_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
role system_r types restorecon_t;
|
||||
@ -48,10 +48,9 @@ allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom rel
|
||||
allow restorecon_t ptyfile:chr_file getattr;
|
||||
|
||||
allow restorecon_t fs_t:filesystem getattr;
|
||||
allow restorecon_t fs_type:dir r_dir_perms;
|
||||
|
||||
allow restorecon_t etc_runtime_t:file read;
|
||||
allow restorecon_t etc_t:file read;
|
||||
allow restorecon_t etc_runtime_t:file { getattr read };
|
||||
allow restorecon_t etc_t:file { getattr read };
|
||||
allow restorecon_t proc_t:file { getattr read };
|
||||
dontaudit restorecon_t proc_t:lnk_file { getattr read };
|
||||
|
||||
@ -60,4 +59,3 @@ allow restorecon_t kernel_t:fd use;
|
||||
allow restorecon_t kernel_t:fifo_file { read write };
|
||||
allow restorecon_t kernel_t:unix_dgram_socket { read write };
|
||||
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
|
||||
|
||||
|
@ -35,3 +35,4 @@ allow rlogind_t self:file { getattr read };
|
||||
allow rlogind_t default_t:dir search;
|
||||
typealias rlogind_port_t alias rlogin_port_t;
|
||||
read_sysctl(rlogind_t);
|
||||
allow rlogind_t krb5_keytab_t:file { getattr read };
|
||||
|
@ -23,10 +23,7 @@ allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chow
|
||||
|
||||
# Use the network.
|
||||
can_network_server(rshd_t)
|
||||
allow rshd_t reserved_port_t:tcp_socket name_bind;
|
||||
dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
|
||||
|
||||
can_ypbind(rshd_t)
|
||||
allow rshd_t rsh_port_t:tcp_socket name_bind;
|
||||
|
||||
allow rshd_t etc_t:file { getattr read };
|
||||
read_locale(rshd_t)
|
||||
|
@ -14,6 +14,4 @@
|
||||
inetd_child_domain(rsync)
|
||||
type rsync_data_t, file_type, sysadmfile;
|
||||
r_dir_file(rsync_t, rsync_data_t)
|
||||
ifdef(`ftpd.te', `
|
||||
r_dir_file(rsync_t, ftpd_anon_t)
|
||||
')
|
||||
|
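Review bot: The `-14,6 +14,4` hunk drops two lines from the rsync declarations and, judging from the miscfiles.te comment `# Type for anonymous FTP data, used by ftp and rsync` in this commit, those are `type rsync_data_t, file_type, sysadmfile;` and `r_dir_file(rsync_t, rsync_data_t)`. Removing a type outright leaves files already labelled `rsync_data_t` with a context the new policy cannot map, and the `ifdef(`ftpd.te'` guard means rsync loses read access to the replacement `ftpd_anon_t` on systems without ftpd; keeping the old name as `typealias ftpd_anon_t alias rsync_data_t;` (the pattern this commit uses for `catman_t`) and moving `r_dir_file(rsync_t, ftpd_anon_t)` out of the ftpd guard would avoid both. This assumes the two removed lines are the ones named, since the page shows no markers.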
@ -58,3 +58,4 @@ read_sysctl(slapd_t)
|
||||
allow slapd_t usr_t:file { read getattr };
|
||||
allow slapd_t urandom_device_t:chr_file { getattr read };
|
||||
allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
r_dir_file(slapd_t, cert_t)
|
||||
|
@ -12,7 +12,7 @@
|
||||
ifdef(`apache.te',`
|
||||
can_tcp_connect(squid_t, httpd_t)
|
||||
')
|
||||
|
||||
bool squid_connect_any false;
|
||||
daemon_domain(squid, `, web_client_domain, nscd_client_domain')
|
||||
type squid_conf_t, file_type, sysadmfile;
|
||||
general_domain_access(squid_t)
|
||||
@ -53,12 +53,15 @@ ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
|
||||
|
||||
# Use the network
|
||||
can_network(squid_t)
|
||||
if (squid_connect_any) {
|
||||
allow squid_t port_type:tcp_socket name_connect;
|
||||
}
|
||||
can_ypbind(squid_t)
|
||||
can_tcp_connect(web_client_domain, squid_t)
|
||||
|
||||
# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
|
||||
allow squid_t http_cache_port_t:tcp_socket name_bind;
|
||||
allow squid_t http_cache_port_t:udp_socket name_bind;
|
||||
allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
|
||||
allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
|
||||
|
||||
# to allow running programs from /usr/lib/squid (IE unlinkd)
|
||||
# also allow exec()ing itself
|
||||
@ -74,3 +77,8 @@ allow squid_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
#squid requires the following when run in diskd mode, the recommended setting
|
||||
allow squid_t tmpfs_t:file { read write };
|
||||
r_dir_file(squid_t, cert_t)
|
||||
ifdef(`winbind.te', `
|
||||
domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
|
||||
allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
|
||||
')
|
||||
|
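Review bot: `bool squid_connect_any false;` is declared in the first hunk with no comment, and its effect — `allow squid_t port_type:tcp_socket name_connect;` inside `if (squid_connect_any) {` in the second hunk — is that, once enabled, squid may connect to any labelled TCP port rather than only the `{ gopher_port_t ftp_port_t http_port_t http_cache_port_t }` set granted unconditionally. An administrator reading this .te should see that before toggling it; I would add `# squid_connect_any: when true, squid may connect to any port type, not only the HTTP/FTP/Gopher/cache ports granted below` above the bool. Merging the two `name_bind` lines into `{ tcp_socket udp_socket }` is a harmless tidy-up.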
@ -23,7 +23,7 @@ define(`sshd_program_domain', `
|
||||
# privowner is for changing the identity on the terminal device
|
||||
# privfd is for passing the terminal file handle to the user process
|
||||
# auth_chkpwd is for running unix_chkpwd and unix_verify.
|
||||
type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
|
||||
type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||
can_exec($1_t, sshd_exec_t)
|
||||
r_dir_file($1_t, self)
|
||||
role system_r types $1_t;
|
||||
@ -67,6 +67,8 @@ allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
|
||||
allow $1_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
can_network($1_t)
|
||||
allow $1_t port_type:tcp_socket name_connect;
|
||||
can_kerberos($1_t)
|
||||
|
||||
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
|
||||
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
|
||||
@ -145,10 +147,8 @@ sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
|
||||
sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
|
||||
}
|
||||
|
||||
ifdef(`use_x_ports', `
|
||||
# for X forwarding
|
||||
allow sshd_t xserver_port_t:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
r_dir_file(sshd_t, selinux_config_t)
|
||||
sshd_program_domain(sshd_extern)
|
||||
|
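Review bot: `allow $1_t port_type:tcp_socket name_connect;` in the `-67,6 +67,8` hunk lets every sshd_program_domain instance connect to any labelled TCP port with no comment; the rule is plausibly there because sshd is the connecting end of TCP port forwarding, but that should be stated, e.g. `# name_connect to any port: sshd is the connecting side of -L/-R port forwarding`, and a tunable in the style of `squid_connect_any` would let sites that disable forwarding drop it. The `$1_t` declaration also gains `mlsprocsetsl`, which allows setting the MLS level of processes it spawns; that is expected for a login daemon but deserves a line in the comment block above, alongside `# auth_chkpwd is for running unix_chkpwd and unix_verify.`. The `-145,10 +147,8` hunk removes two lines around the `use_x_ports` block and the page does not mark which, so whether the `xserver_port_t` name_bind became unconditional cannot be checked here.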
@ -14,9 +14,9 @@
|
||||
# by syslogd.
|
||||
#
|
||||
ifdef(`klogd.te', `
|
||||
daemon_domain(syslogd)
|
||||
daemon_domain(syslogd, `, privkmsg')
|
||||
', `
|
||||
daemon_domain(syslogd, `, privmem')
|
||||
daemon_domain(syslogd, `, privmem, privkmsg')
|
||||
')
|
||||
|
||||
# can_network is for the UDP socket
|
||||
@ -25,7 +25,7 @@ can_ypbind(syslogd_t)
|
||||
|
||||
r_dir_file(syslogd_t, sysfs_t)
|
||||
|
||||
type devlog_t, file_type, sysadmfile, dev_fs;
|
||||
type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
|
||||
|
||||
# if something can log to syslog they should be able to log to the console
|
||||
allow privlog console_device_t:chr_file { ioctl read write getattr };
|
||||
@ -36,7 +36,7 @@ tmp_domain(syslogd)
|
||||
allow syslogd_t etc_t:file r_file_perms;
|
||||
|
||||
# Use capabilities.
|
||||
allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
|
||||
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
|
||||
|
||||
# Modify/create log files.
|
||||
create_append_log_file(syslogd_t, var_log_t)
|
||||
@ -94,7 +94,6 @@ allow syslogd_t { device_t file_t }:sock_file unlink;
|
||||
allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
|
||||
|
||||
# Allow name_bind for remote logging
|
||||
type syslogd_port_t, port_type, reserved_port_type;
|
||||
allow syslogd_t syslogd_port_t:udp_socket name_bind;
|
||||
#
|
||||
# /initrd is not umounted before minilog starts
|
||||
@ -103,5 +102,4 @@ dontaudit syslogd_t file_t:dir search;
|
||||
allow syslogd_t { tmpfs_t devpts_t }:dir search;
|
||||
dontaudit syslogd_t unlabeled_t:file read;
|
||||
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
allow syslogd_t self:capability net_admin;
|
||||
allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
@ -9,7 +9,7 @@
|
||||
#
|
||||
# udev_exec_t is the type of the udev executable.
|
||||
#
|
||||
daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
|
||||
daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
|
||||
|
||||
general_domain_access(udev_t)
|
||||
|
||||
@ -33,6 +33,7 @@ allow udev_t self:file { getattr read };
|
||||
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
|
||||
allow udev_t self:unix_dgram_socket create_socket_perms;
|
||||
allow udev_t self:fifo_file rw_file_perms;
|
||||
allow udev_t self:netlink_kobject_uevent_socket { create bind read };
|
||||
allow udev_t device_t:sock_file create_file_perms;
|
||||
allow udev_t device_t:lnk_file create_lnk_perms;
|
||||
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
|
||||
@ -70,6 +71,7 @@ can_setfscreate(udev_t)
|
||||
|
||||
allow udev_t kernel_t:fd use;
|
||||
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
||||
allow udev_t kernel_t:process signal;
|
||||
|
||||
allow udev_t initrc_var_run_t:file r_file_perms;
|
||||
dontaudit udev_t initrc_var_run_t:file write;
|
||||
|
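Review bot: the daemon_domain line grants udev_t five MLS override attributes at once (mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite) with no comment; these are the broadest MLS exemptions a domain can hold, and mlsfileupgrade/mlsfiledowngrade in particular let the domain move objects across levels. If the intent is only that udev creates and relabels device nodes at any level, say so: `# MLS overrides: udev creates/relabels device nodes at every level; mlsprocwrite presumably covers the kernel_t:process signal rule below -- confirm each is still needed`. The new `dontaudit udev_t initrc_var_run_t:file write;` silences an attempt rather than granting it; a one-line comment naming what tries to write there would stop someone later turning it into an allow. Only the daemon_domain declaration and these rule fragments are visible; the rest of udev.te is outside this view.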
@ -37,9 +37,8 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
|
||||
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xfs_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
|
||||
allow xfs_t fonts_t:dir search;
|
||||
allow xfs_t fonts_t:file { getattr read };
|
||||
# Read fonts
|
||||
read_fonts(xfs_t)
|
||||
|
||||
# Unlink the xfs socket.
|
||||
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
|
||||
|
@ -4,3 +4,5 @@
|
||||
/var/log/amavisd\.log -- system_u:object_r:amavisd_log_t
|
||||
/var/lib/amavis(/.*)? system_u:object_r:amavisd_lib_t
|
||||
/var/run/amavis(/.*)? system_u:object_r:amavisd_var_run_t
|
||||
/var/amavis(/.*)? system_u:object_r:amavisd_lib_t
|
||||
/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t
|
||||
|
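Review bot: `/var/virusmails(/.*)? system_u:object_r:amavisd_quarantine_t` gives quarantined mail its own type, which is the right separation, but the declaration and the rules for amavisd_quarantine_t are not in this view; confirm amavis.te declares it, grants amavisd_t create/write without execute, and that no other domain (the MTA, httpd) picks up read access through a shared attribute. `/var/amavis(/.*)?` sharing amavisd_lib_t with `/var/lib/amavis` is fine if the distro uses both locations; a comment naming which distro ships the second path, e.g. `# /var/amavis: alternate state dir used by some packagings`, would say why two entries exist.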
@ -1,6 +1,7 @@
|
||||
# apache
|
||||
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
|
||||
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
|
||||
/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
|
||||
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
|
||||
/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
|
||||
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
|
||||
@ -15,7 +16,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
|
||||
/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t
|
||||
/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
|
||||
/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t
|
||||
/usr/sbin/httpd -- system_u:object_r:httpd_exec_t
|
||||
/usr/sbin/httpd(\.worker)? -- system_u:object_r:httpd_exec_t
|
||||
/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
|
||||
/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
|
||||
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
|
||||
@ -36,7 +37,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
|
||||
/var/run/gcache_port -s system_u:object_r:httpd_var_run_t
|
||||
ifdef(`distro_suse', `
|
||||
# suse puts shell scripts there :-(
|
||||
/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
|
||||
/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
|
||||
/usr/sbin/httpd2-.* -- system_u:object_r:httpd_exec_t
|
||||
')
|
||||
/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
|
||||
/var/spool/squirrelmail(/.*)? system_u:object_r:squirrelmail_spool_t
|
||||
@ -44,3 +46,9 @@ ifdef(`distro_suse', `
|
||||
/usr/share/htdig(/.*)? system_u:object_r:httpd_sys_content_t
|
||||
/var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
|
||||
/etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
|
||||
/var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
|
||||
ifdef(`targeted_policy', `', `
|
||||
/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t
|
||||
')
|
||||
/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t
|
||||
|
||||
|
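Review bot: `/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t` labels a per-service control script with the generic init-script entry type, so every role permitted to execute initrc_exec_t gains a transition into initrc_t through apachectl, and nothing confines that transition to apache. If that is intended, record it: `# apachectl runs as initrc_t: any role allowed to run init scripts can start/stop httpd via this path`. The suse entry `/usr/sbin/httpd2-.*` is an open-ended suffix and will also label any future `httpd2-` helper that is not an httpd binary as httpd_exec_t. `/srv/([^/]*/)?www(/.*)?` overlaps with the `/srv/([^/]*/)?ftp(/.*)?` entry added to ftpd.fc in this commit for paths such as /srv/www/ftp or /srv/ftp/www, so which label wins there depends only on the order the .fc fragments are concatenated.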
@ -1,9 +1,12 @@
|
||||
# apmd
|
||||
/usr/sbin/apmd -- system_u:object_r:apmd_exec_t
|
||||
/usr/sbin/acpid -- system_u:object_r:apmd_exec_t
|
||||
/usr/sbin/powersaved -- system_u:object_r:apmd_exec_t
|
||||
/usr/bin/apm -- system_u:object_r:apm_exec_t
|
||||
/var/run/apmd\.pid -- system_u:object_r:apmd_var_run_t
|
||||
/var/run/\.?acpid\.socket -s system_u:object_r:apmd_var_run_t
|
||||
/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t
|
||||
/var/run/powersave_socket -s system_u:object_r:apmd_var_run_t
|
||||
/var/log/acpid -- system_u:object_r:apmd_log_t
|
||||
ifdef(`distro_suse', `
|
||||
/var/lib/acpi(/.*)? system_u:object_r:apmd_var_lib_t
|
||||
|
@ -1,4 +1,6 @@
|
||||
# crack - for password checking
|
||||
/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
|
||||
/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
|
||||
/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
|
||||
/usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
|
||||
/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
|
||||
|
@ -6,6 +6,7 @@
|
||||
/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
|
||||
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
|
||||
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
|
||||
/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
|
||||
/var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
|
||||
/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
|
||||
# pump
|
||||
|
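Review bot: `/var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t` labels lease files with the pid-file type, while the leases matched by `/var/lib/dhcp(3)?/dhclient.*` two lines above are dhcpc_state_t. The lease database is persistent client state rather than a transient pid file, and giving it the var_run type means whatever may write dhcpc_var_run_t can also rewrite leases. Unless the distribution really keeps leases under /var/run only transiently, `dhcpc_state_t` would keep the two locations consistent; if var_run is deliberate, add `# some dhclient builds keep the lease file under /var/run` so the asymmetry is not "fixed" later.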
@ -1,6 +1,7 @@
|
||||
# fs admin utilities
|
||||
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t
|
||||
/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
|
||||
@ -19,9 +20,11 @@
|
||||
/sbin/parted -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/dump -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/raidautorun -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/mkraid -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/blockdev -- system_u:object_r:fsadm_exec_t
|
||||
/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
|
||||
|
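Review bot: `/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t` is an exception to the `/sbin/mkfs.*` entry directly above it and only takes effect because of its position, since overlapping regex entries in file_contexts are resolved by order; moving this line above the generic entry silently turns mkfs.cramfs back into fsadm_exec_t. A comment pins that down: `# mkfs.cramfs only writes an image file (no block-device access) -- must stay after /sbin/mkfs.* so this later match wins`; the first half is my reading of why it was excluded and should be confirmed. `/sbin/losetup.*` and `/sbin/raidautorun` are straightforward fsadm_exec_t additions.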
@ -13,3 +13,4 @@
|
||||
/var/log/xferreport.* -- system_u:object_r:xferlog_t
|
||||
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
|
||||
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
|
||||
/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
|
||||
|
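Review bot: `/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t` collides with `/srv/([^/]*/)?www(/.*)?` (httpd_sys_content_t) added to apache.fc in the same commit: /srv/www/ftp/... matches both, and so does /srv/ftp/www/..., so the effective label depends on the order the .fc fragments are concatenated rather than on intent. ftpd_anon_t is presumably the anonymous-FTP area, so an httpd tree landing under it, or an anonymous tree ending up as httpd_sys_content_t, is the kind of mislabel that only surfaces after a relabel. Either narrow one side (e.g. `/srv/ftp(/.*)?` plus the specific second-level directory the distro actually uses) or add a comment recording which of the two entries is meant to win.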
@ -1,3 +1,5 @@
|
||||
# getty
|
||||
/sbin/.*getty -- system_u:object_r:getty_exec_t
|
||||
/etc/mgetty(/.*)? system_u:object_r:getty_etc_t
|
||||
/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
|
||||
/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
|
||||
|
@ -1,5 +1,7 @@
|
||||
# gpg
|
||||
HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
|
||||
/usr/bin/gpg -- system_u:object_r:gpg_exec_t
|
||||
/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
|
||||
/usr/bin/kgpg -- system_u:object_r:gpg_exec_t
|
||||
/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
|
||||
/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
|
||||
/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
|
||||
|
||||
|
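Review bot: `/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t` labels every regular file under /usr/lib/gnupg as the gpg entry-point type, and the `gpgkeys.*` helper line below it only wins because it comes later in the file. Two things are worth recording: the ordering dependency, `# gpgkeys.* must stay after the /usr/lib/gnupg/.* catch-all so the helper type wins`, and that the catch-all also covers non-executables in that directory, which then carry the exec type the gpg domain transition is keyed on. The `/usr/bin/gpg(2)?` change and the kgpg entry look fine; note there is no `lib(64)?` variant here while apache.fc in this commit uses `/usr/lib(64)?/...`.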
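--- /dev/null
+++ b/strict/file_contexts/program/iceauth.fc
@@ -0,0 +1,3 @@
+# iceauth
+/usr/X11R6/bin/iceauth -- system_u:object_r:iceauth_exec_t
+HOME_DIR/\.ICEauthority.* -- system_u:object_r:ROLE_iceauth_home_t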
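Review bot: the new file labels only `/usr/X11R6/bin/iceauth`, so on a layout that installs X clients under /usr/bin the binary presumably keeps the generic /usr/bin label and no transition into the iceauth domain happens. Other entries in this commit already allow for layout variation (`/usr/lib(64)?/...` in apache.fc); `/usr/(X11R6/)?bin/iceauth -- system_u:object_r:iceauth_exec_t` would cover both layouts here. The `HOME_DIR/\.ICEauthority.*` entry uses the ROLE_ placeholder the same way the gpg home entry does, which is consistent.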
@ -19,6 +19,9 @@ ifdef(`distro_suse', `
|
||||
/var/run/sysconfig(/.*)? system_u:object_r:initrc_var_run_t
|
||||
/var/run/keymap -- system_u:object_r:initrc_var_run_t
|
||||
/var/run/numlock-on -- system_u:object_r:initrc_var_run_t
|
||||
/var/run/setleds-on -- system_u:object_r:initrc_var_run_t
|
||||
/var/run/bootsplashctl -p system_u:object_r:initrc_var_run_t
|
||||
/etc/init\.d/\.depend.* -- system_u:object_r:etc_runtime_t
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
@ -35,5 +38,11 @@ ifdef(`distro_gentoo', `
|
||||
/etc/nohotplug -- system_u:object_r:etc_runtime_t
|
||||
ifdef(`distro_redhat', `
|
||||
/halt -- system_u:object_r:etc_runtime_t
|
||||
/fastboot -- system_u:object_r:etc_runtime_t
|
||||
/fsckoptions -- system_u:object_r:etc_runtime_t
|
||||
/forcefsck -- system_u:object_r:etc_runtime_t
|
||||
/poweroff -- system_u:object_r:etc_runtime_t
|
||||
/\.autofsck -- system_u:object_r:etc_runtime_t
|
||||
/\.autorelabel -- system_u:object_r:etc_runtime_t
|
||||
')
|
||||
|
||||
|
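Review bot: the redhat block now labels `/forcefsck`, `/fsckoptions`, `/poweroff`, `/\.autofsck` and `/\.autorelabel` as etc_runtime_t, the same type as the existing `/halt` and `/fastboot` entries. These are flag files whose mere existence changes the next boot (a forced fsck, a shutdown, or a full filesystem relabel), so every domain with create or write on etc_runtime_t can trigger those actions, which is presumably a wider set than the init scripts that legitimately touch them. A comment at the top of the block, `# boot-control flag files: their existence alters the next boot (fsck / relabel / poweroff); any writer of etc_runtime_t can create them`, makes that trust implication visible to whoever next broadens etc_runtime_t access.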
@ -730,3 +730,4 @@ mlsconstrain xextension use
|
||||
|
||||
# these access vectors have no MLS restrictions
|
||||
# association { sendto recvfrom }
|
||||
|
||||
|
@ -17,7 +17,6 @@
|
||||
# protocol number context
|
||||
# protocol low-high context
|
||||
#
|
||||
ifdef(`inetd.te', `
|
||||
portcon tcp 7 system_u:object_r:inetd_child_port_t
|
||||
portcon udp 7 system_u:object_r:inetd_child_port_t
|
||||
portcon tcp 9 system_u:object_r:inetd_child_port_t
|
||||
@ -37,42 +36,47 @@ portcon udp 891 system_u:object_r:inetd_child_port_t
|
||||
portcon tcp 892 system_u:object_r:inetd_child_port_t
|
||||
portcon udp 892 system_u:object_r:inetd_child_port_t
|
||||
portcon tcp 2105 system_u:object_r:inetd_child_port_t
|
||||
')
|
||||
ifdef(`ftpd.te', `
|
||||
portcon tcp 20 system_u:object_r:ftp_data_port_t
|
||||
portcon tcp 21 system_u:object_r:ftp_port_t
|
||||
')
|
||||
ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
|
||||
ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
|
||||
ifdef(`mta.te', `
|
||||
portcon tcp 22 system_u:object_r:ssh_port_t
|
||||
portcon tcp 23 system_u:object_r:telnetd_port_t
|
||||
|
||||
portcon tcp 25 system_u:object_r:smtp_port_t
|
||||
portcon tcp 465 system_u:object_r:smtp_port_t
|
||||
portcon tcp 587 system_u:object_r:smtp_port_t
|
||||
')
|
||||
ifdef(`use_dns', `
|
||||
|
||||
portcon udp 500 system_u:object_r:isakmp_port_t
|
||||
portcon udp 53 system_u:object_r:dns_port_t
|
||||
portcon tcp 53 system_u:object_r:dns_port_t
|
||||
')
|
||||
ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
|
||||
ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
|
||||
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
|
||||
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
|
||||
ifdef(`apache.te', `
|
||||
|
||||
portcon udp 67 system_u:object_r:dhcpd_port_t
|
||||
portcon udp 68 system_u:object_r:dhcpc_port_t
|
||||
portcon udp 70 system_u:object_r:gopher_port_t
|
||||
portcon tcp 70 system_u:object_r:gopher_port_t
|
||||
|
||||
portcon udp 69 system_u:object_r:tftp_port_t
|
||||
portcon tcp 79 system_u:object_r:fingerd_port_t
|
||||
|
||||
portcon tcp 80 system_u:object_r:http_port_t
|
||||
portcon tcp 443 system_u:object_r:http_port_t
|
||||
')
|
||||
ifdef(`use_pop', `
|
||||
portcon tcp 488 system_u:object_r:http_port_t
|
||||
portcon tcp 8008 system_u:object_r:http_port_t
|
||||
|
||||
portcon tcp 106 system_u:object_r:pop_port_t
|
||||
portcon tcp 109 system_u:object_r:pop_port_t
|
||||
portcon tcp 110 system_u:object_r:pop_port_t
|
||||
')
|
||||
ifdef(`portmap.te', `
|
||||
portcon tcp 143 system_u:object_r:pop_port_t
|
||||
portcon tcp 220 system_u:object_r:pop_port_t
|
||||
portcon tcp 993 system_u:object_r:pop_port_t
|
||||
portcon tcp 995 system_u:object_r:pop_port_t
|
||||
portcon tcp 1109 system_u:object_r:pop_port_t
|
||||
|
||||
portcon udp 111 system_u:object_r:portmap_port_t
|
||||
portcon tcp 111 system_u:object_r:portmap_port_t
|
||||
')
|
||||
ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
|
||||
ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
|
||||
ifdef(`samba.te', `
|
||||
|
||||
portcon tcp 119 system_u:object_r:innd_port_t
|
||||
portcon udp 123 system_u:object_r:ntp_port_t
|
||||
|
||||
portcon tcp 137 system_u:object_r:smbd_port_t
|
||||
portcon udp 137 system_u:object_r:nmbd_port_t
|
||||
portcon tcp 138 system_u:object_r:smbd_port_t
|
||||
@ -80,39 +84,26 @@ portcon udp 138 system_u:object_r:nmbd_port_t
|
||||
portcon tcp 139 system_u:object_r:smbd_port_t
|
||||
portcon udp 139 system_u:object_r:nmbd_port_t
|
||||
portcon tcp 445 system_u:object_r:smbd_port_t
|
||||
')
|
||||
ifdef(`use_pop', `
|
||||
portcon tcp 143 system_u:object_r:pop_port_t
|
||||
portcon tcp 220 system_u:object_r:pop_port_t
|
||||
')
|
||||
ifdef(`snmpd.te', `
|
||||
|
||||
portcon udp 161 system_u:object_r:snmp_port_t
|
||||
portcon udp 162 system_u:object_r:snmp_port_t
|
||||
portcon tcp 199 system_u:object_r:snmp_port_t
|
||||
')
|
||||
ifdef(`comsat.te', `
|
||||
portcon udp 512 system_u:object_r:comsat_port_t
|
||||
')
|
||||
ifdef(`slapd.te', `
|
||||
|
||||
portcon tcp 389 system_u:object_r:ldap_port_t
|
||||
portcon udp 389 system_u:object_r:ldap_port_t
|
||||
portcon tcp 636 system_u:object_r:ldap_port_t
|
||||
portcon udp 636 system_u:object_r:ldap_port_t
|
||||
')
|
||||
ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
|
||||
ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
|
||||
ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
|
||||
ifdef(`syslogd.te', `
|
||||
|
||||
portcon tcp 513 system_u:object_r:rlogind_port_t
|
||||
portcon tcp 514 system_u:object_r:rsh_port_t
|
||||
|
||||
portcon tcp 515 system_u:object_r:printer_port_t
|
||||
portcon udp 514 system_u:object_r:syslogd_port_t
|
||||
')
|
||||
ifdef(`ktalkd.te', `
|
||||
portcon udp 517 system_u:object_r:ktalkd_port_t
|
||||
portcon udp 518 system_u:object_r:ktalkd_port_t
|
||||
')
|
||||
ifdef(`cups.te', `
|
||||
portcon tcp 631 system_u:object_r:ipp_port_t
|
||||
portcon udp 631 system_u:object_r:ipp_port_t
|
||||
')
|
||||
portcon tcp 88 system_u:object_r:kerberos_port_t
|
||||
portcon udp 88 system_u:object_r:kerberos_port_t
|
||||
portcon tcp 464 system_u:object_r:kerberos_admin_port_t
|
||||
@ -122,66 +113,57 @@ portcon tcp 750 system_u:object_r:kerberos_port_t
|
||||
portcon udp 750 system_u:object_r:kerberos_port_t
|
||||
portcon tcp 4444 system_u:object_r:kerberos_master_port_t
|
||||
portcon udp 4444 system_u:object_r:kerberos_master_port_t
|
||||
ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
|
||||
ifdef(`rsync.te', `
|
||||
portcon tcp 783 system_u:object_r:spamd_port_t
|
||||
portcon tcp 540 system_u:object_r:uucpd_port_t
|
||||
portcon tcp 2401 system_u:object_r:cvs_port_t
|
||||
portcon udp 2401 system_u:object_r:cvs_port_t
|
||||
portcon tcp 873 system_u:object_r:rsync_port_t
|
||||
portcon udp 873 system_u:object_r:rsync_port_t
|
||||
')
|
||||
ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
|
||||
ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
|
||||
ifdef(`use_pop', `
|
||||
portcon tcp 993 system_u:object_r:pop_port_t
|
||||
portcon tcp 995 system_u:object_r:pop_port_t
|
||||
portcon tcp 1109 system_u:object_r:pop_port_t
|
||||
')
|
||||
ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
|
||||
ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
|
||||
ifdef(`radius.te', `
|
||||
portcon tcp 901 system_u:object_r:swat_port_t
|
||||
portcon tcp 953 system_u:object_r:rndc_port_t
|
||||
portcon tcp 1213 system_u:object_r:giftd_port_t
|
||||
portcon tcp 1241 system_u:object_r:nessus_port_t
|
||||
portcon tcp 1234 system_u:object_r:monopd_port_t
|
||||
portcon udp 1645 system_u:object_r:radius_port_t
|
||||
portcon udp 1646 system_u:object_r:radacct_port_t
|
||||
portcon udp 1812 system_u:object_r:radius_port_t
|
||||
portcon udp 1813 system_u:object_r:radacct_port_t
|
||||
')
|
||||
ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
|
||||
ifdef(`gatekeeper.te', `
|
||||
portcon udp 1718 system_u:object_r:gatekeeper_port_t
|
||||
portcon udp 1719 system_u:object_r:gatekeeper_port_t
|
||||
portcon tcp 1721 system_u:object_r:gatekeeper_port_t
|
||||
portcon tcp 7000 system_u:object_r:gatekeeper_port_t
|
||||
')
|
||||
ifdef(`asterisk.te', `
|
||||
portcon tcp 2040 system_u:object_r:afs_fs_port_t
|
||||
portcon udp 7000 system_u:object_r:afs_fs_port_t
|
||||
portcon udp 7002 system_u:object_r:afs_pt_port_t
|
||||
portcon udp 7003 system_u:object_r:afs_vl_port_t
|
||||
portcon udp 7004 system_u:object_r:afs_ka_port_t
|
||||
portcon udp 7005 system_u:object_r:afs_fs_port_t
|
||||
portcon udp 7007 system_u:object_r:afs_bos_port_t
|
||||
portcon tcp 1720 system_u:object_r:asterisk_port_t
|
||||
portcon udp 2427 system_u:object_r:asterisk_port_t
|
||||
portcon udp 2727 system_u:object_r:asterisk_port_t
|
||||
portcon udp 4569 system_u:object_r:asterisk_port_t
|
||||
portcon udp 5060 system_u:object_r:asterisk_port_t
|
||||
')
|
||||
portcon tcp 2000 system_u:object_r:mail_port_t
|
||||
ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
|
||||
ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
|
||||
ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
|
||||
ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
|
||||
ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
|
||||
ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
|
||||
ifdef(`imazesrv.te',`
|
||||
portcon tcp 2601 system_u:object_r:zebra_port_t
|
||||
portcon tcp 2628 system_u:object_r:dict_port_t
|
||||
portcon tcp 3306 system_u:object_r:mysqld_port_t
|
||||
portcon tcp 3632 system_u:object_r:distccd_port_t
|
||||
portcon udp 4011 system_u:object_r:pxe_port_t
|
||||
portcon udp 5000 system_u:object_r:openvpn_port_t
|
||||
portcon tcp 5323 system_u:object_r:imaze_port_t
|
||||
portcon udp 5323 system_u:object_r:imaze_port_t
|
||||
')
|
||||
ifdef(`howl.te', `
|
||||
portcon tcp 5335 system_u:object_r:howl_port_t
|
||||
portcon udp 5353 system_u:object_r:howl_port_t
|
||||
')
|
||||
ifdef(`jabberd.te', `
|
||||
portcon tcp 5222 system_u:object_r:jabber_client_port_t
|
||||
portcon tcp 5223 system_u:object_r:jabber_client_port_t
|
||||
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
|
||||
')
|
||||
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
|
||||
ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
|
||||
ifdef(`xdm.te', `
|
||||
portcon tcp 5432 system_u:object_r:postgresql_port_t
|
||||
portcon tcp 5666 system_u:object_r:inetd_child_port_t
|
||||
portcon tcp 5703 system_u:object_r:ptal_port_t
|
||||
portcon tcp 50000 system_u:object_r:hplip_port_t
|
||||
portcon tcp 50002 system_u:object_r:hplip_port_t
|
||||
portcon tcp 5900 system_u:object_r:vnc_port_t
|
||||
')
|
||||
ifdef(`use_x_ports', `
|
||||
portcon tcp 6000 system_u:object_r:xserver_port_t
|
||||
portcon tcp 6001 system_u:object_r:xserver_port_t
|
||||
portcon tcp 6002 system_u:object_r:xserver_port_t
|
||||
@ -202,29 +184,34 @@ portcon tcp 6016 system_u:object_r:xserver_port_t
|
||||
portcon tcp 6017 system_u:object_r:xserver_port_t
|
||||
portcon tcp 6018 system_u:object_r:xserver_port_t
|
||||
portcon tcp 6019 system_u:object_r:xserver_port_t
|
||||
')
|
||||
ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
|
||||
ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
|
||||
ifdef(`sound-server.te', `
|
||||
portcon tcp 6667 system_u:object_r:ircd_port_t
|
||||
portcon tcp 8000 system_u:object_r:soundd_port_t
|
||||
# 9433 is for YIFF
|
||||
portcon tcp 9433 system_u:object_r:soundd_port_t
|
||||
')
|
||||
ifdef(`use_http_cache', `
|
||||
portcon tcp 3128 system_u:object_r:http_cache_port_t
|
||||
portcon tcp 8080 system_u:object_r:http_cache_port_t
|
||||
portcon udp 3130 system_u:object_r:http_cache_port_t
|
||||
')
|
||||
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
|
||||
ifdef(`amanda.te', `
|
||||
# 8118 is for privoxy
|
||||
portcon tcp 8118 system_u:object_r:http_cache_port_t
|
||||
|
||||
portcon udp 4041 system_u:object_r:clockspeed_port_t
|
||||
portcon tcp 8081 system_u:object_r:transproxy_port_t
|
||||
portcon udp 10080 system_u:object_r:amanda_port_t
|
||||
portcon tcp 10080 system_u:object_r:amanda_port_t
|
||||
portcon udp 10081 system_u:object_r:amanda_port_t
|
||||
portcon tcp 10081 system_u:object_r:amanda_port_t
|
||||
portcon tcp 10082 system_u:object_r:amanda_port_t
|
||||
portcon tcp 10083 system_u:object_r:amanda_port_t
|
||||
')
|
||||
ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
|
||||
portcon tcp 60000 system_u:object_r:postgrey_port_t
|
||||
|
||||
portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
|
||||
portcon tcp 10025 system_u:object_r:amavisd_send_port_t
|
||||
portcon tcp 3310 system_u:object_r:clamd_port_t
|
||||
portcon udp 6276 system_u:object_r:dcc_port_t
|
||||
portcon udp 6277 system_u:object_r:dcc_port_t
|
||||
portcon udp 24441 system_u:object_r:pyzor_port_t
|
||||
portcon tcp 2703 system_u:object_r:razor_port_t
|
||||
portcon tcp 8021 system_u:object_r:zope_port_t
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise
|
||||
|
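Review bot: the ifdef(`<module>.te', ...) wrappers around most portcon lines are removed, so ports such as 22, 25, 53, 80, 111, 514, 783 and 873 and the samba, rsync, postgresql and amanda ranges are now labelled unconditionally; every type those lines name must therefore be declared unconditionally too, or a build that omits the module fails on an undefined type. The net.te hunks in this commit move many declarations (dns, smtp, http, ftp, portmap, ldap, radius, rndc, tftp, printer), but `syslogd_port_t` is still declared in syslogd.te according to the context line in that file's hunk while `portcon udp 514 system_u:object_r:syslogd_port_t` is now outside any ifdef, and the same question applies to spamd_port_t, rsync_port_t, asterisk_port_t, imaze_port_t, postgrey_port_t and the other types whose declaring file is not in this view. A second effect: udp 7007 is now labelled afs_bos_port_t while the earlier `ifdef(`ciped.te', `portcon udp 7007 ... cipe_port_t')` no longer appears on the new side, so if cipe is still in the tree its bind rule has to move to the new type or it will be denied. A header comment stating the new convention, `# port labels are unconditional: declare every *_port_t in net.te, never in the daemon's .te`, would keep the next addition consistent.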
@ -10,7 +10,7 @@
|
||||
#
|
||||
# device_t is the type of /dev.
|
||||
#
|
||||
type device_t, file_type, dev_fs;
|
||||
type device_t, file_type, mount_point, dev_fs;
|
||||
|
||||
#
|
||||
# null_device_t is the type of /dev/null.
|
||||
@ -154,3 +154,10 @@ type cpu_device_t, device_type, dev_fs;
|
||||
|
||||
# for other device nodes such as the NVidia binary-only driver
|
||||
type xserver_misc_device_t, device_type, dev_fs;
|
||||
|
||||
# for the IBM zSeries z90crypt hardware ssl accelorator
|
||||
type crypt_device_t, device_type, dev_fs;
|
||||
|
||||
|
||||
|
||||
|
||||
|
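Review bot: `type crypt_device_t, device_type, dev_fs;` introduces a type for the z90crypt node, but nothing in this view labels a device path with it or grants any domain access, so until a file_contexts entry and an allow rule land it is an unused declaration. Extending the comment to point at where the node is labelled, e.g. `# for the IBM zSeries z90crypt hardware ssl accelerator (labelled in the device file contexts)`, also fixes the "accelorator" misspelling. The `mount_point` attribute added to device_t is used on many types in this commit; its declaration is not in this view.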
@ -10,12 +10,12 @@
|
||||
#
|
||||
# ptmx_t is the type for /dev/ptmx.
|
||||
#
|
||||
type ptmx_t, sysadmfile, device_type, dev_fs;
|
||||
type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
|
||||
|
||||
#
|
||||
# devpts_t is the type of the devpts file system and
|
||||
# the type of the root directory of the file system.
|
||||
#
|
||||
type devpts_t, fs_type;
|
||||
type devpts_t, mount_point, fs_type;
|
||||
|
||||
|
||||
|
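Review bot: ptmx_t now carries mlstrustedobject, exempting /dev/ptmx from the MLS constraints, and the hunk adds no comment saying why; the usual reason is that a pty must be allocatable from any level, but that is my inference from the type's purpose. Suggest `# mlstrustedobject: pty allocation through /dev/ptmx must work at every sensitivity level (MLS constraints bypassed)` above the type line, so the exemption is not removed later as a cleanup. The `mount_point` addition to devpts_t matches the file.te changes in this commit.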
@ -23,37 +23,37 @@ type fs_t, fs_type;
|
||||
type eventpollfs_t, fs_type;
|
||||
type futexfs_t, fs_type;
|
||||
type bdev_t, fs_type;
|
||||
type usbfs_t, fs_type;
|
||||
type usbfs_t, mount_point, fs_type;
|
||||
type nfsd_fs_t, fs_type;
|
||||
type rpc_pipefs_t, fs_type;
|
||||
type binfmt_misc_fs_t, fs_type;
|
||||
type binfmt_misc_fs_t, mount_point, fs_type;
|
||||
|
||||
#
|
||||
# file_t is the default type of a file that has not yet been
|
||||
# assigned an extended attribute (EA) value (when using a filesystem
|
||||
# that supports EAs).
|
||||
#
|
||||
type file_t, file_type, sysadmfile;
|
||||
type file_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
# default_t is the default type for files that do not
|
||||
# match any specification in the file_contexts configuration
|
||||
# other than the generic /.* specification.
|
||||
type default_t, file_type, sysadmfile;
|
||||
type default_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
#
|
||||
# root_t is the type for the root directory.
|
||||
#
|
||||
type root_t, file_type, sysadmfile;
|
||||
type root_t, file_type, mount_point, polyparent, sysadmfile;
|
||||
|
||||
#
|
||||
# mnt_t is the type for mount points such as /mnt/cdrom
|
||||
type mnt_t, file_type, sysadmfile;
|
||||
type mnt_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
#
|
||||
# home_root_t is the type for the directory where user home directories
|
||||
# are created
|
||||
#
|
||||
type home_root_t, file_type, sysadmfile;
|
||||
type home_root_t, file_type, mount_point, polyparent, sysadmfile;
|
||||
|
||||
#
|
||||
# lost_found_t is the type for the lost+found directories.
|
||||
@ -64,7 +64,7 @@ type lost_found_t, file_type, sysadmfile;
|
||||
# boot_t is the type for files in /boot,
|
||||
# including the kernel.
|
||||
#
|
||||
type boot_t, file_type, sysadmfile;
|
||||
type boot_t, file_type, mount_point, sysadmfile;
|
||||
# system_map_t is for the system.map files in /boot
|
||||
type system_map_t, file_type, sysadmfile;
|
||||
|
||||
@ -77,7 +77,7 @@ type boot_runtime_t, file_type, sysadmfile;
|
||||
#
|
||||
# tmp_t is the type of /tmp and /var/tmp.
|
||||
#
|
||||
type tmp_t, file_type, sysadmfile, tmpfile;
|
||||
type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
|
||||
|
||||
#
|
||||
# etc_t is the type of the system etc directories.
|
||||
@ -137,7 +137,11 @@ type shlib_t, file_type, sysadmfile;
|
||||
# texrel_shlib_t is the type of shared objects in the system lib
|
||||
# directories, which require text relocation.
|
||||
#
|
||||
ifdef(`targeted_policy', `
|
||||
typealias lib_t alias texrel_shlib_t;
|
||||
', `
|
||||
type texrel_shlib_t, file_type, sysadmfile;
|
||||
')
|
||||
|
||||
# ld_so_t is the type of the system dynamic loaders.
|
||||
#
|
||||
@ -171,26 +175,27 @@ type sbin_t, file_type, sysadmfile;
|
||||
#
|
||||
# usr_t is the type for /usr.
|
||||
#
|
||||
type usr_t, file_type, sysadmfile;
|
||||
type usr_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
#
|
||||
# src_t is the type of files in the system src directories.
|
||||
#
|
||||
type src_t, file_type, sysadmfile;
|
||||
type src_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
#
|
||||
# var_t is the type for /var.
|
||||
#
|
||||
type var_t, file_type, sysadmfile;
|
||||
type var_t, file_type, mount_point, sysadmfile;
|
||||
|
||||
#
|
||||
# Types for subdirectories of /var.
|
||||
#
|
||||
type var_run_t, file_type, sysadmfile;
|
||||
type var_log_t, file_type, sysadmfile, logfile;
|
||||
typealias var_log_t alias crond_log_t;
|
||||
type faillog_t, file_type, sysadmfile, logfile;
|
||||
type var_lock_t, file_type, sysadmfile, lockfile;
|
||||
type var_lib_t, file_type, sysadmfile;
|
||||
type var_lib_t, mount_point, file_type, sysadmfile;
|
||||
# for /var/{spool,lib}/texmf index files
|
||||
type tetex_data_t, file_type, sysadmfile, tmpfile;
|
||||
type var_spool_t, file_type, sysadmfile, tmpfile;
|
||||
@ -203,18 +208,13 @@ type var_log_ksyms_t, file_type, sysadmfile, logfile;
|
||||
type lastlog_t, file_type, sysadmfile, logfile;
|
||||
|
||||
# Type for /var/lib/nfs.
|
||||
type var_lib_nfs_t, file_type, sysadmfile, usercanread;
|
||||
type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
|
||||
|
||||
#
|
||||
# wtmp_t is the type of /var/log/wtmp.
|
||||
#
|
||||
type wtmp_t, file_type, sysadmfile, logfile;
|
||||
|
||||
#
|
||||
# catman_t is the type for /var/catman.
|
||||
#
|
||||
type catman_t, file_type, sysadmfile, tmpfile;
|
||||
|
||||
#
|
||||
# cron_spool_t is the type for /var/spool/cron.
|
||||
#
|
||||
@ -239,6 +239,7 @@ type mqueue_spool_t, file_type, sysadmfile;
|
||||
# man_t is the type for the man directories.
|
||||
#
|
||||
type man_t, file_type, sysadmfile;
|
||||
typealias man_t alias catman_t;
|
||||
|
||||
#
|
||||
# readable_t is a general type for
|
||||
@ -271,23 +272,23 @@ type locale_t, file_type, sysadmfile;
|
||||
# the default file system type.
|
||||
#
|
||||
allow { file_type device_type ttyfile } fs_t:filesystem associate;
|
||||
ifdef(`distro_redhat', `
|
||||
allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
|
||||
')
|
||||
|
||||
# Allow the pty to be associated with the file system.
|
||||
allow devpts_t self:filesystem associate;
|
||||
|
||||
type tmpfs_t, file_type, sysadmfile, fs_type;
|
||||
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
|
||||
ifdef(`distro_redhat', `
|
||||
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
|
||||
')
|
||||
|
||||
type autofs_t, fs_type, noexattrfile, sysadmfile;
|
||||
allow autofs_t self:filesystem associate;
|
||||
|
||||
type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
|
||||
type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
|
||||
allow usbdevfs_t self:filesystem associate;
|
||||
|
||||
type sysfs_t, fs_type, sysadmfile;
|
||||
type sysfs_t, mount_point, fs_type, sysadmfile;
|
||||
allow sysfs_t self:filesystem associate;
|
||||
|
||||
type iso9660_t, fs_type, noexattrfile, sysadmfile;
|
||||
@ -302,6 +303,12 @@ allow ramfs_t self:filesystem associate;
|
||||
type dosfs_t, fs_type, noexattrfile, sysadmfile;
|
||||
allow dosfs_t self:filesystem associate;
|
||||
|
||||
type hugetlbfs_t, mount_point, fs_type, sysadmfile;
|
||||
allow hugetlbfs_t self:filesystem associate;
|
||||
|
||||
type mqueue_t, mount_point, fs_type, sysadmfile;
|
||||
allow mqueue_t self:filesystem associate;
|
||||
|
||||
# udev_runtime_t is the type of the udev table file
|
||||
type udev_runtime_t, file_type, sysadmfile;
|
||||
|
||||
@ -310,7 +317,12 @@ type krb5_conf_t, file_type, sysadmfile;
|
||||
|
||||
type cifs_t, fs_type, noexattrfile, sysadmfile;
|
||||
allow cifs_t self:filesystem associate;
|
||||
typealias cifs_t alias sambafs_t;
|
||||
|
||||
type debugfs_t, fs_type, sysadmfile;
|
||||
allow debugfs_t self:filesystem associate;
|
||||
|
||||
type inotifyfs_t, fs_type, sysadmfile;
|
||||
allow inotifyfs_t self:filesystem associate;
|
||||
|
||||
# removable_t is the default type of all removable media
|
||||
type removable_t, file_type, sysadmfile, usercanread;
|
||||
@ -318,4 +330,11 @@ allow removable_t self:filesystem associate;
|
||||
allow file_type removable_t:filesystem associate;
|
||||
allow file_type noexattrfile:filesystem associate;
|
||||
|
||||
# Type for anonymous FTP data, used by ftp and rsync
|
||||
type ftpd_anon_t, file_type, sysadmfile, customizable;
|
||||
|
||||
allow customizable self:filesystem associate;
|
||||
|
||||
# type for /tmp/.ICE-unix
|
||||
type ice_tmp_t, file_type, sysadmfile, tmpfile;
|
||||
|
||||
|
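Review bot: replacing `type catman_t, file_type, sysadmfile, tmpfile;` with `typealias man_t alias catman_t;` drops the tmpfile attribute from /var/catman content, since man_t is declared with only file_type and sysadmfile; any rule keyed on tmpfile (typically cleanup and tmp-handling domains) stops covering catman files, and rules written for man_t now also apply there. If that is intended, `# catman_t folded into man_t: no longer a tmpfile type` on the typealias line records it. The hunk at `@ -271,23 +272,23 @@` appears to widen `allow { dev_fs ttyfile } tmpfs_t:filesystem associate;` to `{ tmpfs_t tmp_t }` under distro_redhat, which lets device and tty types associate with a tmp_t filesystem; that is a broader change than the rest of the hunk and deserves a one-line justification. The new `customizable` attribute on ftpd_anon_t, the `allow customizable self:filesystem associate;` rule and the `polydir`, `polyparent` and `mount_point` attributes all reference declarations that are not in this view; confirm they exist in the attributes file.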
@ -8,50 +8,27 @@
|
||||
# Modified by Russell Coker
|
||||
# Move port types to their respective domains, add ifdefs, other cleanups.
|
||||
|
||||
# generally we do not want to define port types in this file, but some things
|
||||
# are insanely difficult to do elsewhere, xserver_port_t is a good example
|
||||
# getting the type defined is the easy part for X, conditional code for many
|
||||
# other domains (including one that starts with a) is the hard part.
|
||||
ifdef(`xdm.te', `define(`use_x_ports')')
|
||||
ifdef(`startx.te', `define(`use_x_ports')')
|
||||
ifdef(`xauth.te', `define(`use_x_ports')')
|
||||
ifdef(`xserver.te', `define(`use_x_ports')')
|
||||
ifdef(`use_x_ports', `
|
||||
type xserver_port_t, port_type;
|
||||
')
|
||||
#
|
||||
# Defines used by the te files need to be defined outside of net_constraints
|
||||
#
|
||||
ifdef(`named.te', `define(`use_dns')')
|
||||
ifdef(`nsd.te', `define(`use_dns')')
|
||||
ifdef(`tinydns.te', `define(`use_dns')')
|
||||
ifdef(`dnsmasq.te', `define(`use_dns')')
|
||||
ifdef(`use_dns', `
|
||||
type dns_port_t, port_type;
|
||||
')
|
||||
type rsh_port_t, port_type, reserved_port_type;
|
||||
type dns_port_t, port_type, reserved_port_type;
|
||||
type smtp_port_t, port_type, reserved_port_type;
|
||||
type dhcpd_port_t, port_type, reserved_port_type;
|
||||
type smbd_port_t, port_type, reserved_port_type;
|
||||
type nmbd_port_t, port_type, reserved_port_type;
|
||||
type http_cache_port_t, port_type, reserved_port_type;
|
||||
type http_port_t, port_type, reserved_port_type;
|
||||
type ipp_port_t, port_type, reserved_port_type;
|
||||
type gopher_port_t, port_type, reserved_port_type;
|
||||
type isakmp_port_t, port_type, reserved_port_type;
|
||||
|
||||
ifdef(`dhcpd.te', `define(`use_dhcpd')')
|
||||
ifdef(`dnsmasq.te', `define(`use_dhcpd')')
|
||||
ifdef(`use_dhcpd', `
|
||||
type dhcpd_port_t, port_type;
|
||||
')
|
||||
|
||||
ifdef(`cyrus.te', `define(`use_pop')')
|
||||
ifdef(`courier.te', `define(`use_pop')')
|
||||
ifdef(`perdition.te', `define(`use_pop')')
|
||||
ifdef(`dovecot.te', `define(`use_pop')')
|
||||
ifdef(`uwimapd.te', `define(`use_pop')')
|
||||
ifdef(`use_pop', `
|
||||
allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
|
||||
type pop_port_t, port_type, reserved_port_type;
|
||||
')
|
||||
ifdef(`apache.te', `define(`use_http_cache')')
|
||||
ifdef(`squid.te', `define(`use_http_cache')')
|
||||
ifdef(`use_http_cache', `
|
||||
type http_cache_port_t, port_type;
|
||||
')
|
||||
|
||||
ifdef(`dhcpd.te', `define(`use_pxe')')
|
||||
ifdef(`pxe.te', `define(`use_pxe')')
|
||||
type ftp_port_t, port_type, reserved_port_type;
|
||||
type ftp_data_port_t, port_type, reserved_port_type;
|
||||
|
||||
############################################
|
||||
#
|
||||
@ -70,6 +47,16 @@ type kerberos_port_t, port_type, reserved_port_type;
|
||||
type kerberos_admin_port_t, port_type, reserved_port_type;
|
||||
type kerberos_master_port_t, port_type;
|
||||
|
||||
#
|
||||
# Ports used to communicate with portmap server
|
||||
#
|
||||
type portmap_port_t, port_type, reserved_port_type;
|
||||
|
||||
#
|
||||
# Ports used to communicate with ldap server
|
||||
#
|
||||
type ldap_port_t, port_type, reserved_port_type;
|
||||
|
||||
#
|
||||
# port_t is the default type of INET port numbers.
|
||||
# The *_port_t types are used for specific port
|
||||
@ -120,3 +107,79 @@ allow kernel_t node_type:node { rawip_send rawip_recv };
|
||||
# Kernel-generated traffic, e.g. TCP resets.
|
||||
allow kernel_t netif_type:netif { tcp_send tcp_recv };
|
||||
allow kernel_t node_type:node { tcp_send tcp_recv };
|
||||
type radius_port_t, port_type;
|
||||
type radacct_port_t, port_type;
|
||||
type rndc_port_t, port_type, reserved_port_type;
|
||||
type tftp_port_t, port_type, reserved_port_type;
|
||||
type printer_port_t, port_type, reserved_port_type;
|
||||
type mysqld_port_t, port_type;
|
||||
type postgresql_port_t, port_type;
|
||||
type ptal_port_t, port_type, reserved_port_type;
|
||||
type howl_port_t, port_type;
|
||||
type dict_port_t, port_type;
|
||||
type syslogd_port_t, port_type, reserved_port_type;
|
||||
type spamd_port_t, port_type, reserved_port_type;
|
||||
type ssh_port_t, port_type, reserved_port_type;
|
||||
type pxe_port_t, port_type;
|
||||
type amanda_port_t, port_type;
|
||||
type fingerd_port_t, port_type, reserved_port_type;
|
||||
type dhcpc_port_t, port_type, reserved_port_type;
|
||||
type ntp_port_t, port_type, reserved_port_type;
|
||||
type stunnel_port_t, port_type;
|
||||
type zebra_port_t, port_type;
|
||||
type i18n_input_port_t, port_type;
|
||||
type vnc_port_t, port_type;
|
||||
type openvpn_port_t, port_type;
|
||||
type clamd_port_t, port_type, reserved_port_type;
|
||||
type transproxy_port_t, port_type;
|
||||
type clockspeed_port_t, port_type;
|
||||
type pyzor_port_t, port_type, reserved_port_type;
|
||||
type postgrey_port_t, port_type;
|
||||
type asterisk_port_t, port_type;
|
||||
type utcpserver_port_t, port_type;
|
||||
type nessus_port_t, port_type;
|
||||
type razor_port_t, port_type;
|
||||
type distccd_port_t, port_type;
|
||||
type socks_port_t, port_type;
|
||||
type gatekeeper_port_t, port_type;
|
||||
type dcc_port_t, port_type;
|
||||
type lrrd_port_t, port_type;
|
||||
type jabber_client_port_t, port_type;
|
||||
type jabber_interserver_port_t, port_type;
|
||||
type ircd_port_t, port_type;
|
||||
type giftd_port_t, port_type;
|
||||
type soundd_port_t, port_type;
|
||||
type imaze_port_t, port_type;
|
||||
type monopd_port_t, port_type;
|
||||
# Differentiate between the port where amavisd receives mail, and the
|
||||
# port where it returns cleaned mail back to the MTA.
|
||||
type amavisd_recv_port_t, port_type;
|
||||
type amavisd_send_port_t, port_type;
|
||||
type innd_port_t, port_type, reserved_port_type;
|
||||
type snmp_port_t, port_type, reserved_port_type;
|
||||
type biff_port_t, port_type, reserved_port_type;
|
||||
type hplip_port_t, port_type;
|
||||
|
||||
#inetd_child_ports
|
||||
|
||||
type rlogind_port_t, port_type, reserved_port_type;
|
||||
type telnetd_port_t, port_type, reserved_port_type;
|
||||
type comsat_port_t, port_type, reserved_port_type;
|
||||
type cvs_port_t, port_type;
|
||||
type dbskkd_port_t, port_type, reserved_port_type;
|
||||
type inetd_child_port_t, port_type, reserved_port_type;
|
||||
type ktalkd_port_t, port_type, reserved_port_type;
|
||||
type rsync_port_t, port_type, reserved_port_type;
|
||||
type uucpd_port_t, port_type, reserved_port_type;
|
||||
type swat_port_t, port_type, reserved_port_type;
|
||||
type zope_port_t, port_type;
|
||||
type auth_port_t, port_type, reserved_port_type;
|
||||
|
||||
# afs ports
|
||||
|
||||
type afs_fs_port_t, port_type;
|
||||
type afs_pt_port_t, port_type;
|
||||
type afs_vl_port_t, port_type;
|
||||
type afs_ka_port_t, port_type;
|
||||
type afs_bos_port_t, port_type;
|
||||
|
||||
|
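Review bot: `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is the only access-vector rule in a hunk that otherwise declares port types, and in this rendered view it prints inside the `use_pop` ifdef block just before `type pop_port_t, port_type, reserved_port_type;`, so if it is on the new side it is either conditional on a POP daemon being in the build (unrelated to web clients) or stranded in the network types file far from where `web_client_domain` is declared; the +/- column is lost here, so confirm which side it is on before merging. If it is new, it belongs next to the `web_client_domain` attribute definition as an unconditional rule with a comment such as `# every web client domain may connect to HTTP and HTTP-proxy ports`. Separately, `http_cache_port_t` appears as `type http_cache_port_t, port_type;` and as `type http_cache_port_t, port_type, reserved_port_type;`, alongside the same move for the DNS/DHCP/POP types; `reserved_port_type` is meant for the privileged port range, so if the port contexts still map `http_cache_port_t` to 3128/8080 the attribute should not be added there, otherwise every rule keyed on `reserved_port_type` silently covers the proxy ports too. The file header for this section is not visible above its first hunk, so the target file is inferred from the `port_type` declarations.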