trunk: 5 patches from dan.
parent
ce2c80f3c6
commit
0a0b8078ca
@ -1,4 +1,3 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0)
|
||||
|
||||
/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(readahead,1.3.1)
|
||||
policy_module(readahead,1.3.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -11,6 +11,9 @@ type readahead_exec_t;
|
||||
init_daemon_domain(readahead_t,readahead_exec_t)
|
||||
application_domain(readahead_t,readahead_exec_t)
|
||||
|
||||
type readahead_etc_rw_t;
|
||||
files_pid_file(readahead_etc_rw_t)
|
||||
|
||||
type readahead_var_run_t;
|
||||
files_pid_file(readahead_var_run_t)
|
||||
|
||||
@ -19,9 +22,12 @@ files_pid_file(readahead_var_run_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
|
||||
allow readahead_t self:capability { dac_override dac_read_search };
|
||||
dontaudit readahead_t self:capability sys_tty_config;
|
||||
allow readahead_t self:process signal_perms;
|
||||
|
||||
manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
|
||||
|
||||
manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
|
||||
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
|
||||
|
||||
@ -37,7 +43,7 @@ dev_getattr_all_blk_files(readahead_t)
|
||||
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||
dev_dontaudit_getattr_memory_dev(readahead_t)
|
||||
dev_dontaudit_getattr_nvram_dev(readahead_t)
|
||||
storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
|
||||
storage_raw_read_fixed_disk(readahead_t)
|
||||
|
||||
domain_use_interactive_fds(readahead_t)
|
||||
|
||||
@ -68,6 +74,7 @@ libs_use_ld_so(readahead_t)
|
||||
libs_use_shared_libs(readahead_t)
|
||||
|
||||
logging_send_syslog_msg(readahead_t)
|
||||
logging_dontaudit_search_audit_config(readahead_t)
|
||||
|
||||
miscfiles_read_localization(readahead_t)
|
||||
|
||||
@ -80,6 +87,10 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(readahead_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(readahead_t, readahead_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(readahead_t)
|
||||
')
|
||||
|
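Review bot: In the `@ -11,6 +11,9` hunk the newly declared `readahead_etc_rw_t` is registered with `files_pid_file()`, while the .fc change in this commit labels it onto `/etc/readahead.d(/.*)?`; that interface presumably attaches the pid-file attribute, so any domain given blanket pid-file access elsewhere in the policy would also reach readahead's list under /etc, and `files_pid_file()` belongs on `readahead_var_run_t` only. Declare the /etc type with `files_config_file(readahead_etc_rw_t)` instead (or plain `files_type()` if this tree has no config-file interface) and add a comment above it such as `# file list under /etc/readahead.d, managed by readahead_t (see manage_files_pattern below)`. The `@ -19,9 +22,12` hunk in the same section also turns `dac_override dac_read_search` from dontaudit into allow, and the `@ -37,7 +43,7` hunk appears to add `storage_raw_read_fixed_disk`, which together let readahead_t read any file on the system or the raw disk; a one-line why-comment on each grant would help the next reviewer judge whether it is still needed.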
@ -278,5 +278,5 @@ interface(`usermanage_read_crack_db',`
|
||||
type crack_db_t;
|
||||
')
|
||||
|
||||
allow $1 crack_db_t:file read_file_perms;
|
||||
read_files_pattern($1,crack_db_t,crack_db_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.7.1)
|
||||
policy_module(usermanage,1.7.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -191,7 +191,6 @@ allow groupadd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow groupadd_t self:unix_dgram_socket sendto;
|
||||
allow groupadd_t self:unix_stream_socket connectto;
|
||||
allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
fs_search_auto_mountpoints(groupadd_t)
|
||||
@ -223,6 +222,7 @@ libs_use_shared_libs(groupadd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(groupadd_t)
|
||||
|
||||
logging_send_audit_msgs(groupadd_t)
|
||||
logging_send_syslog_msg(groupadd_t)
|
||||
|
||||
miscfiles_read_localization(groupadd_t)
|
||||
@ -244,6 +244,10 @@ optional_policy(`
|
||||
dpkg_rw_pipes(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_fds(groupadd_t)
|
||||
rpm_rw_pipes(groupadd_t)
|
||||
@ -254,7 +258,7 @@ optional_policy(`
|
||||
# Passwd local policy
|
||||
#
|
||||
|
||||
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
|
||||
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow passwd_t self:process { setrlimit setfscreate };
|
||||
allow passwd_t self:fd use;
|
||||
@ -264,7 +268,6 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow passwd_t self:unix_dgram_socket sendto;
|
||||
allow passwd_t self:unix_stream_socket connectto;
|
||||
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow passwd_t self:shm create_shm_perms;
|
||||
allow passwd_t self:sem create_sem_perms;
|
||||
allow passwd_t self:msgq create_msgq_perms;
|
||||
@ -316,6 +319,7 @@ init_dontaudit_rw_utmp(passwd_t)
|
||||
libs_use_ld_so(passwd_t)
|
||||
libs_use_shared_libs(passwd_t)
|
||||
|
||||
logging_send_audit_msgs(passwd_t)
|
||||
logging_send_syslog_msg(passwd_t)
|
||||
|
||||
miscfiles_read_localization(passwd_t)
|
||||
@ -336,6 +340,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(passwd_t)
|
||||
nscd_domtrans(passwd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -426,6 +431,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(sysadm_passwd_t)
|
||||
nscd_domtrans(sysadm_passwd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -433,7 +439,7 @@ optional_policy(`
|
||||
# Useradd local policy
|
||||
#
|
||||
|
||||
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
|
||||
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
|
||||
dontaudit useradd_t self:capability sys_tty_config;
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
@ -447,7 +453,6 @@ allow useradd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctls(useradd_t)
|
||||
@ -492,6 +497,7 @@ init_rw_utmp(useradd_t)
|
||||
libs_use_ld_so(useradd_t)
|
||||
libs_use_shared_libs(useradd_t)
|
||||
|
||||
logging_send_audit_msgs(useradd_t)
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
|
||||
miscfiles_read_localization(useradd_t)
|
||||
@ -518,6 +524,10 @@ optional_policy(`
|
||||
dpkg_rw_pipes(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_fds(useradd_t)
|
||||
rpm_rw_pipes(useradd_t)
|
||||
|
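Review bot: In the `@ -254,7 +258,7` hunk the direct `audit_write` and `audit_control` capabilities are removed from passwd_t, the explicit `self:netlink_audit_socket` rule goes in the next hunk, and `logging_send_audit_msgs(passwd_t)` is added further down as the replacement; that interface is not part of this diff, so confirm it grants `self:capability audit_write` together with the netlink socket permissions, otherwise passwd's audit messages would start being denied (dropping `audit_control` outright is presumably fine, since sending account messages should only need `audit_write`). The narrowing of `self:process` from a negated set to `{ setrlimit setfscreate }` is a good least-privilege step but deserves a why-comment, e.g. `# setfscreate: label files passwd recreates; setrlimit goes with sys_resource above -- confirm`, since the reason is not recoverable from the rule itself. The same capability/netlink/process rewrite is applied to useradd_t and groupadd_t in the later hunks, so whatever is confirmed for passwd_t applies there too.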
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(loadkeys,1.1.0)
|
||||
policy_module(loadkeys,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,7 +39,7 @@ ifdef(`targeted_policy',`
|
||||
files_read_etc_runtime_files(loadkeys_t)
|
||||
|
||||
term_dontaudit_use_console(loadkeys_t)
|
||||
term_dontaudit_use_unallocated_ttys(loadkeys_t)
|
||||
term_use_unallocated_ttys(loadkeys_t)
|
||||
|
||||
init_dontaudit_use_script_ptys(loadkeys_t)
|
||||
|
||||
@ -49,4 +49,8 @@ ifdef(`targeted_policy',`
|
||||
locallogin_use_fds(loadkeys_t)
|
||||
|
||||
miscfiles_read_localization(loadkeys_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_dontaudit_search_pid(loadkeys_t)
|
||||
')
|
||||
')
|
||||
|
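Review bot: In the `@ -39,7 +39,7` hunk `term_dontaudit_use_unallocated_ttys(loadkeys_t)` becomes `term_use_unallocated_ttys(loadkeys_t)`, turning a silenced denial into real read/write access to every unallocated tty while the neighbouring `term_dontaudit_use_console` stays a dontaudit; a one-line comment recording why the tty access is now required would keep a later cleanup from reverting it, e.g. `# loadkeys needs rw on the tty it is started from to install the keymap -- confirm`. The enclosing ifdef(`targeted_policy') block starts outside the hunk, so it is not visible here which branch of it these rules land in. The `nscd_dontaudit_search_pid` addition in the second hunk is correctly wrapped in optional_policy.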
@ -19,3 +19,23 @@ interface(`setroubleshoot_stream_connect',`
|
||||
allow $1 setroubleshoot_var_run_t:sock_file write;
|
||||
allow $1 setroubleshootd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit attempts to connect to setroubleshootd
|
||||
## over an unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`setroubleshoot_dontaudit_stream_connect',`
|
||||
gen_require(`
|
||||
type setroubleshootd_t, setroubleshoot_var_run_t;
|
||||
')
|
||||
|
||||
dontaudit $1 setroubleshoot_var_run_t:sock_file write;
|
||||
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
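Review bot: The summary of the new `setroubleshoot_dontaudit_stream_connect` interface reads `## over an unix stream socket.`; the article should be `a`, and this text is rendered into the generated interface documentation, so change it to `## over a unix stream socket.`. The rules themselves mirror the `setroubleshoot_stream_connect` pair visible above (sock_file write plus unix_stream_socket connectto), so the dontaudit variant looks complete.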
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(setroubleshoot,1.4.0)
|
||||
policy_module(setroubleshoot,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -33,7 +33,6 @@ allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# database files
|
||||
allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
|
||||
@ -76,12 +75,17 @@ files_read_etc_files(setroubleshootd_t)
|
||||
files_getattr_all_dirs(setroubleshootd_t)
|
||||
files_getattr_all_files(setroubleshootd_t)
|
||||
|
||||
fs_getattr_all_dirs(setroubleshootd_t)
|
||||
fs_getattr_all_files(setroubleshootd_t)
|
||||
|
||||
selinux_get_enforce_mode(setroubleshootd_t)
|
||||
selinux_validate_context(setroubleshootd_t)
|
||||
|
||||
term_dontaudit_use_all_user_ptys(setroubleshootd_t)
|
||||
term_dontaudit_use_all_user_ttys(setroubleshootd_t)
|
||||
|
||||
auth_use_nsswitch(setroubleshootd_t)
|
||||
|
||||
init_read_utmp(setroubleshootd_t)
|
||||
init_dontaudit_write_utmp(setroubleshootd_t)
|
||||
|
||||
@ -112,7 +116,3 @@ optional_policy(`
|
||||
rpm_dontaudit_manage_db(setroubleshootd_t)
|
||||
rpm_use_script_fds(setroubleshootd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(setroubleshootd_t)
|
||||
')
|
||||
|
@ -315,6 +315,25 @@ interface(`logging_read_audit_config',`
|
||||
allow $1 auditd_etc_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit search of auditd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_dontaudit_search_audit_config',`
|
||||
gen_require(`
|
||||
type auditd_etc_t;
|
||||
')
|
||||
|
||||
dontaudit $1 auditd_etc_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the domain to open a file in the
|
||||
|
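Review bot: The new `logging_dontaudit_search_audit_config` interface carries a `## <rolecap/>` tag, but a dontaudit rule grants nothing to a role, so the tag is presumably copied from the allow interface above and would wrongly advertise this interface as a role capability in the generated documentation; drop the `## <rolecap/>` line. The summary `## dontaudit search of auditd configuration files.` could also be capitalised and phrased like its neighbours, e.g. `## Do not audit attempts to search the auditd configuration directory.`, which matches the `search_dir_perms` actually granted.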
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.7.2)
|
||||
policy_module(logging,1.7.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(netlabel,1.0.1)
|
||||
policy_module(netlabel,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -21,6 +21,8 @@ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
|
||||
|
||||
kernel_read_network_state(netlabel_mgmt_t)
|
||||
|
||||
files_read_etc_files(netlabel_mgmt_t)
|
||||
|
||||
libs_use_ld_so(netlabel_mgmt_t)
|
||||
libs_use_shared_libs(netlabel_mgmt_t)
|
||||
|
||||
|