trunk: Enable open permission checks policy capability.
This commit is contained in:
Chris PeBenito
parent
aea3f28e40
commit
0b36a2146e
|
|
@ -1,3 +1,4 @@
|
|||
- Enable open permission checks policy capability.
|
||||
- Remove hierarchy from portage module as it is not a good example of
|
||||
hieararchy.
|
||||
- Remove enableaudit target from modular build as semodule -DB supplants it.
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ allow acct_t self:capability { sys_pacct chown fsetid };
|
|||
# not sure why we need kill, the command "last" is reported as using it
|
||||
dontaudit acct_t self:capability { kill sys_tty_config };
|
||||
|
||||
allow acct_t self:fifo_file { read write getattr };
|
||||
allow acct_t self:fifo_file rw_fifo_file_perms;
|
||||
allow acct_t self:process signal_perms;
|
||||
|
||||
manage_files_pattern(acct_t, acct_data_t, acct_data_t)
|
||||
|
|
|
|||
|
|
@ -76,10 +76,10 @@ allow amanda_t self:tcp_socket create_stream_socket_perms;
|
|||
allow amanda_t self:udp_socket create_socket_perms;
|
||||
|
||||
# access to amanda_amandates_t
|
||||
allow amanda_t amanda_amandates_t:file { getattr lock read write };
|
||||
allow amanda_t amanda_amandates_t:file rw_file_perms;
|
||||
|
||||
# configuration files -> read only
|
||||
allow amanda_t amanda_config_t:file { getattr read };
|
||||
allow amanda_t amanda_config_t:file read_file_perms;
|
||||
|
||||
# access to amandas data structure
|
||||
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
||||
|
|
@ -87,7 +87,7 @@ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
|||
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
|
||||
|
||||
# access to amanda_dumpdates_t
|
||||
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
|
||||
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
|
||||
|
||||
can_exec(amanda_t, amanda_exec_t)
|
||||
can_exec(amanda_t, amanda_inetd_exec_t)
|
||||
|
|
@ -172,7 +172,7 @@ optional_policy(`
|
|||
|
||||
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
|
||||
allow amanda_recover_t self:process { sigkill sigstop signal };
|
||||
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
|
||||
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
|
||||
allow amanda_recover_t self:unix_stream_socket { connect create read write };
|
||||
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
|
||||
allow amanda_recover_t self:udp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -171,7 +171,7 @@ userdom_use_unpriv_users_fds(dpkg_t)
|
|||
# transition to dpkg script:
|
||||
dpkg_domtrans_script(dpkg_t)
|
||||
# since the scripts aren't labeled correctly yet...
|
||||
allow dpkg_t dpkg_var_lib_t:file execute;
|
||||
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
|
||||
|
||||
optional_policy(`
|
||||
apt_use_ptys(dpkg_t)
|
||||
|
|
|
|||
|
|
@ -27,13 +27,12 @@ files_config_file(firstboot_etc_t)
|
|||
|
||||
allow firstboot_t self:capability { dac_override setgid };
|
||||
allow firstboot_t self:process setfscreate;
|
||||
allow firstboot_t self:file { read write };
|
||||
allow firstboot_t self:fifo_file { getattr read write };
|
||||
allow firstboot_t self:fifo_file rw_fifo_file_perms;
|
||||
allow firstboot_t self:tcp_socket create_stream_socket_perms;
|
||||
allow firstboot_t self:unix_stream_socket { connect create };
|
||||
allow firstboot_t self:passwd rootok;
|
||||
|
||||
allow firstboot_t firstboot_etc_t:file { getattr read };
|
||||
allow firstboot_t firstboot_etc_t:file read_file_perms;
|
||||
|
||||
kernel_read_system_state(firstboot_t)
|
||||
kernel_read_kernel_sysctls(firstboot_t)
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ files_pid_file(mrtg_var_run_t)
|
|||
allow mrtg_t self:capability { setgid setuid chown };
|
||||
dontaudit mrtg_t self:capability sys_tty_config;
|
||||
allow mrtg_t self:process signal_perms;
|
||||
allow mrtg_t self:fifo_file { getattr read write ioctl };
|
||||
allow mrtg_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mrtg_t self:unix_stream_socket create_socket_perms;
|
||||
allow mrtg_t self:tcp_socket create_socket_perms;
|
||||
allow mrtg_t self:udp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
|
|||
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
|
||||
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
|
||||
|
||||
allow gcc_config_t portage_exec_t:file { execute getattr };
|
||||
allow gcc_config_t portage_exec_t:file mmap_file_perms;
|
||||
|
||||
kernel_read_system_state(gcc_config_t)
|
||||
kernel_read_kernel_sysctls(gcc_config_t)
|
||||
|
|
|
|||
|
|
@ -68,8 +68,6 @@ allow rpm_t self:shm create_shm_perms;
|
|||
allow rpm_t self:sem create_sem_perms;
|
||||
allow rpm_t self:msgq create_msgq_perms;
|
||||
allow rpm_t self:msg { send receive };
|
||||
allow rpm_t self:dir search;
|
||||
allow rpm_t self:file rw_file_perms;;
|
||||
|
||||
allow rpm_t rpm_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(rpm_t, rpm_log_t, file)
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
|
|||
allow updfstab_t self:capability dac_override;
|
||||
dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
|
||||
allow updfstab_t self:process signal_perms;
|
||||
allow updfstab_t self:fifo_file { getattr read write ioctl };
|
||||
allow updfstab_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
kernel_use_fds(updfstab_t)
|
||||
kernel_read_kernel_sysctls(updfstab_t)
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ optional_policy(`
|
|||
# awstats cgi script policy
|
||||
#
|
||||
|
||||
allow httpd_awstats_script_t awstats_var_lib_t:dir read;
|
||||
allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
|
||||
|
||||
read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
|
||||
files_search_var_lib(httpd_awstats_script_t)
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ logging_log_file(calamaris_log_t)
|
|||
# for when squid has a different UID
|
||||
allow calamaris_t self:capability dac_override;
|
||||
allow calamaris_t self:process { fork signal_perms setsched };
|
||||
allow calamaris_t self:fifo_file { getattr read write ioctl };
|
||||
allow calamaris_t self:fifo_file rw_fifo_file_perms;
|
||||
allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow calamaris_t self:tcp_socket create_stream_socket_perms;
|
||||
allow calamaris_t self:udp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ allow webalizer_t self:tcp_socket connected_stream_socket_perms;
|
|||
allow webalizer_t self:udp_socket { connect connected_socket_perms };
|
||||
allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow webalizer_t webalizer_etc_t:file { getattr read };
|
||||
allow webalizer_t webalizer_etc_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
|
||||
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
|
|||
manage_files_pattern(yam_t, yam_content_t, yam_content_t)
|
||||
manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
|
||||
|
||||
allow yam_t yam_etc_t:file { getattr read };
|
||||
allow yam_t yam_etc_t:file read_file_perms;
|
||||
files_search_etc(yam_t)
|
||||
|
||||
manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
|
||||
|
|
|
|||
|
|
@ -628,7 +628,7 @@ interface(`domain_read_confined_domains_state',`
|
|||
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
|
||||
|
||||
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
|
||||
dontaudit $1 unconfined_domain_type:file { getattr read };
|
||||
dontaudit $1 unconfined_domain_type:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -743,12 +743,12 @@ interface(`domain_dontaudit_read_all_domains_state',`
|
|||
')
|
||||
|
||||
dontaudit $1 domain:dir list_dir_perms;
|
||||
dontaudit $1 domain:lnk_file read_file_perms;
|
||||
dontaudit $1 domain:lnk_file read_lnk_file_perms;
|
||||
dontaudit $1 domain:file read_file_perms;
|
||||
|
||||
# cjp: these should be removed:
|
||||
dontaudit $1 domain:sock_file read_file_perms;
|
||||
dontaudit $1 domain:fifo_file read_file_perms;
|
||||
dontaudit $1 domain:sock_file read_sock_file_perms;
|
||||
dontaudit $1 domain:fifo_file read_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -33,8 +33,8 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
|
|||
#
|
||||
|
||||
# use SELinuxfs
|
||||
allow selinux_unconfined_type security_t:dir { getattr search read };
|
||||
allow selinux_unconfined_type security_t:file { getattr read write };
|
||||
allow selinux_unconfined_type security_t:dir list_dir_perms;
|
||||
allow selinux_unconfined_type security_t:file rw_file_perms;
|
||||
|
||||
# Access the security API.
|
||||
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ can_exec(afs_bosserver_t,afs_bosserver_exec_t)
|
|||
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
|
||||
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
|
||||
|
||||
allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
|
||||
allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
|
||||
|
||||
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
|
||||
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
|
||||
|
|
|
|||
|
|
@ -790,7 +790,7 @@ interface(`apache_exec_modules',`
|
|||
')
|
||||
|
||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||
allow $1 httpd_modules_t:lnk_file read_file_perms;
|
||||
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
|
||||
can_exec($1,httpd_modules_t)
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -258,7 +258,7 @@ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|||
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
||||
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
||||
|
||||
allow httpd_t httpd_suexec_exec_t:file { getattr read };
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
||||
|
|
@ -509,9 +509,9 @@ optional_policy(`
|
|||
|
||||
domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
||||
|
||||
allow httpd_helper_t httpd_config_t:file { getattr read };
|
||||
allow httpd_helper_t httpd_config_t:file read_file_perms;
|
||||
|
||||
allow httpd_helper_t httpd_log_t:file append;
|
||||
allow httpd_helper_t httpd_log_t:file append_file_perms;
|
||||
|
||||
libs_use_ld_so(httpd_helper_t)
|
||||
libs_use_shared_libs(httpd_helper_t)
|
||||
|
|
@ -677,7 +677,7 @@ allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
|
||||
allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
|
|
@ -692,7 +692,7 @@ files_search_spool(httpd_sys_script_t)
|
|||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ files_pid_file(avahi_var_run_t)
|
|||
allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
|
||||
dontaudit avahi_t self:capability sys_tty_config;
|
||||
allow avahi_t self:process { setrlimit signal_perms setcap };
|
||||
allow avahi_t self:fifo_file { read write };
|
||||
allow avahi_t self:fifo_file rw_fifo_file_perms;
|
||||
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow avahi_t self:unix_dgram_socket create_socket_perms;
|
||||
allow avahi_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ allow named_t self:unix_dgram_socket create_socket_perms;
|
|||
allow named_t self:tcp_socket create_stream_socket_perms;
|
||||
allow named_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow named_t dnssec_t:file { getattr read };
|
||||
allow named_t dnssec_t:file read_file_perms;
|
||||
|
||||
# read configuration
|
||||
allow named_t named_conf_t:dir list_dir_perms;
|
||||
|
|
@ -201,22 +201,20 @@ optional_policy(`
|
|||
# cjp: why net_admin?!
|
||||
allow ndc_t self:capability { dac_override net_admin };
|
||||
allow ndc_t self:process { fork signal_perms };
|
||||
allow ndc_t self:fifo_file { read write getattr ioctl };
|
||||
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
|
||||
allow ndc_t self:tcp_socket create_socket_perms;
|
||||
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ndc_t dnssec_t:file { getattr read };
|
||||
allow ndc_t dnssec_t:file read_file_perms;
|
||||
allow ndc_t dnssec_t:lnk_file { getattr read };
|
||||
|
||||
allow ndc_t named_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
|
||||
|
||||
allow ndc_t named_conf_t:file { getattr read };
|
||||
allow ndc_t named_conf_t:file read_file_perms;
|
||||
allow ndc_t named_conf_t:lnk_file { getattr read };
|
||||
|
||||
allow ndc_t named_var_run_t:sock_file rw_file_perms;
|
||||
|
||||
allow ndc_t named_zone_t:dir search;
|
||||
allow ndc_t named_zone_t:dir search_dir_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(ndc_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ files_pid_file(ccs_var_run_t)
|
|||
allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
|
||||
allow ccs_t self:process { signal setrlimit setsched };
|
||||
dontaudit ccs_t self:process ptrace;
|
||||
allow ccs_t self:fifo_file { read write };
|
||||
allow ccs_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow ccs_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
|
|
|||
|
|
@ -123,7 +123,7 @@ files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
|
|||
|
||||
read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
|
||||
|
||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||
allow cupsd_t hplip_var_run_t:file read_file_perms;
|
||||
|
||||
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
|
||||
allow cupsd_t ptal_var_run_t : sock_file setattr;
|
||||
|
|
@ -307,7 +307,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
|||
allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
|
||||
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
|
||||
|
||||
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
||||
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ files_pid_file(dante_var_run_t)
|
|||
allow dante_t self:capability { setuid setgid };
|
||||
dontaudit dante_t self:capability sys_tty_config;
|
||||
allow dante_t self:process signal_perms;
|
||||
allow dante_t self:fifo_file { read write };
|
||||
allow dante_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dante_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dante_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ files_pid_file(system_dbusd_var_run_t)
|
|||
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
|
||||
dontaudit system_dbusd_t self:capability sys_tty_config;
|
||||
allow system_dbusd_t self:process { getattr signal_perms setcap };
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ files_pid_file(dhcpd_var_run_t)
|
|||
allow dhcpd_t self:capability net_raw;
|
||||
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
|
||||
allow dhcpd_t self:process signal_perms;
|
||||
allow dhcpd_t self:fifo_file { read write getattr };
|
||||
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dhcpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ files_pid_file(distccd_var_run_t)
|
|||
allow distccd_t self:capability { setgid setuid };
|
||||
dontaudit distccd_t self:capability sys_tty_config;
|
||||
allow distccd_t self:process { signal_perms setsched };
|
||||
allow distccd_t self:fifo_file { read write getattr };
|
||||
allow distccd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow distccd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow distccd_t self:udp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ files_pid_file(dnsmasq_var_run_t)
|
|||
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
|
||||
dontaudit dnsmasq_t self:capability sys_tty_config;
|
||||
allow dnsmasq_t self:process { setcap signal_perms };
|
||||
allow dnsmasq_t self:fifo_file { read write };
|
||||
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
|
||||
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
|
||||
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
|
||||
allow dnsmasq_t self:udp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -148,7 +148,7 @@ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
|||
|
||||
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
|
||||
|
||||
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
|
||||
allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
|
||||
|
||||
# Allow dovecot to create and read SSL parameters file
|
||||
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ files_pid_file(fingerd_var_run_t)
|
|||
allow fingerd_t self:capability { setgid setuid };
|
||||
dontaudit fingerd_t self:capability { sys_tty_config fsetid };
|
||||
allow fingerd_t self:process signal_perms;
|
||||
allow fingerd_t self:fifo_file { read write getattr };
|
||||
allow fingerd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow fingerd_t self:udp_socket create_socket_perms;
|
||||
allow fingerd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
|
|||
allow gatekeeper_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
|
||||
allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
|
||||
allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
|
||||
files_search_etc(gatekeeper_t)
|
||||
|
||||
manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ files_pid_file(jabberd_var_run_t)
|
|||
allow jabberd_t self:capability dac_override;
|
||||
dontaudit jabberd_t self:capability sys_tty_config;
|
||||
allow jabberd_t self:process signal_perms;
|
||||
allow jabberd_t self:fifo_file { read write getattr };
|
||||
allow jabberd_t self:fifo_file read_fifo_file_perms;
|
||||
allow jabberd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow jabberd_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ files_pid_file(slapd_var_run_t)
|
|||
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
|
||||
dontaudit slapd_t self:capability sys_tty_config;
|
||||
allow slapd_t self:process setsched;
|
||||
allow slapd_t self:fifo_file { read write };
|
||||
allow slapd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow slapd_t self:udp_socket create_socket_perms;
|
||||
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
|
||||
allow slapd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
@ -58,7 +58,7 @@ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
|
|||
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
|
||||
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
|
||||
|
||||
allow slapd_t slapd_etc_t:file { getattr read };
|
||||
allow slapd_t slapd_etc_t:file read_file_perms;
|
||||
|
||||
allow slapd_t slapd_lock_t:file manage_file_perms;
|
||||
files_lock_filetrans(slapd_t,slapd_lock_t,file)
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
|
|||
files_search_spool(checkpc_t)
|
||||
|
||||
allow checkpc_t printconf_t:file getattr;
|
||||
allow checkpc_t printconf_t:dir { getattr search read };
|
||||
allow checkpc_t printconf_t:dir list_dir_perms;
|
||||
|
||||
kernel_read_system_state(checkpc_t)
|
||||
|
||||
|
|
@ -142,7 +142,7 @@ manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
|
|||
files_search_spool(lpd_t)
|
||||
|
||||
# lpd must be able to execute the filter utilities in /usr/share/printconf.
|
||||
allow lpd_t printconf_t:dir { getattr search read };
|
||||
allow lpd_t printconf_t:dir list_dir_perms;
|
||||
can_exec(lpd_t, printconf_t)
|
||||
|
||||
# Create and bind to /dev/printer.
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ allow monopd_t self:process signal_perms;
|
|||
allow monopd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow monopd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow monopd_t monopd_etc_t:file { getattr read };
|
||||
allow monopd_t monopd_etc_t:file read_file_perms;
|
||||
files_search_etc(monopd_t)
|
||||
|
||||
allow monopd_t monopd_share_t:dir list_dir_perms;
|
||||
|
|
|
|||
|
|
@ -157,7 +157,7 @@ interface(`mysql_rw_db_sockets',`
|
|||
|
||||
files_search_var_lib($1)
|
||||
allow $1 mysqld_db_t:dir search;
|
||||
allow $1 mysqld_db_t:sock_file rw_file_perms;
|
||||
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ files_tmp_file(mysqld_tmp_t)
|
|||
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
|
||||
dontaudit mysqld_t self:capability sys_tty_config;
|
||||
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
|
||||
allow mysqld_t self:fifo_file { read write };
|
||||
allow mysqld_t self:fifo_file rw_fifo_file_perms;
|
||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:udp_socket create_socket_perms;
|
||||
|
|
@ -43,7 +43,7 @@ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
|||
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
||||
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file })
|
||||
|
||||
allow mysqld_t mysqld_etc_t:file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:file read_file_perms;
|
||||
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -177,7 +177,7 @@ dontaudit nrpe_t self:capability sys_tty_config;
|
|||
allow nrpe_t self:process { setpgid signal_perms };
|
||||
allow nrpe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow nrpe_t nrpe_etc_t:file { getattr read };
|
||||
allow nrpe_t nrpe_etc_t:file read_file_perms;
|
||||
files_search_etc(nrpe_t)
|
||||
|
||||
kernel_read_system_state(nrpe_t)
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ files_pid_file(nessusd_var_run_t)
|
|||
allow nessusd_t self:capability net_raw;
|
||||
dontaudit nessusd_t self:capability sys_tty_config;
|
||||
allow nessusd_t self:process { setsched signal_perms };
|
||||
allow nessusd_t self:fifo_file { getattr read write };
|
||||
allow nessusd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nessusd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow nessusd_t self:udp_socket create_socket_perms;
|
||||
allow nessusd_t self:rawip_socket create_socket_perms;
|
||||
|
|
@ -42,7 +42,7 @@ manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
|
|||
manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
|
||||
files_list_var_lib(nessusd_t)
|
||||
|
||||
allow nessusd_t nessusd_etc_t:file { getattr read };
|
||||
allow nessusd_t nessusd_etc_t:file read_file_perms;
|
||||
files_search_etc(nessusd_t)
|
||||
|
||||
manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
|
||||
|
|
|
|||
|
|
@ -224,7 +224,7 @@ allow ypserv_t self:udp_socket create_socket_perms;
|
|||
|
||||
manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
|
||||
|
||||
allow ypserv_t ypserv_conf_t:file { getattr read };
|
||||
allow ypserv_t ypserv_conf_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
|
||||
manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
|
||||
|
|
@ -304,7 +304,7 @@ manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
|
|||
allow ypxfr_t ypserv_t:tcp_socket { read write };
|
||||
allow ypxfr_t ypserv_t:udp_socket { read write };
|
||||
|
||||
allow ypxfr_t ypserv_conf_t:file { getattr read };
|
||||
allow ypxfr_t ypserv_conf_t:file read_file_perms;
|
||||
|
||||
corenet_all_recvfrom_unlabeled(ypxfr_t)
|
||||
corenet_all_recvfrom_netlabel(ypxfr_t)
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ logging_log_file(nscd_log_t)
|
|||
allow nscd_t self:capability { kill setgid setuid audit_write };
|
||||
dontaudit nscd_t self:capability sys_tty_config;
|
||||
allow nscd_t self:process { getattr setsched signal_perms };
|
||||
allow nscd_t self:fifo_file { read write };
|
||||
allow nscd_t self:fifo_file read_fifo_file_perms;
|
||||
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -124,7 +124,7 @@ allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
|
|||
allow nsd_crond_t self:tcp_socket create_socket_perms;
|
||||
allow nsd_crond_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
|
||||
allow nsd_crond_t nsd_conf_t:file read_file_perms;
|
||||
|
||||
allow nsd_crond_t nsd_db_t:file manage_file_perms;
|
||||
filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ files_pid_file(ntop_var_run_t)
|
|||
allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
|
||||
dontaudit ntop_t self:capability sys_tty_config;
|
||||
allow ntop_t self:process signal_perms;
|
||||
allow ntop_t self:fifo_file { read write };
|
||||
allow ntop_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ntop_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ntop_t self:udp_socket create_socket_perms;
|
||||
allow ntop_t self:packet_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
|
|||
allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
|
||||
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
|
||||
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
|
||||
allow ntpd_t self:fifo_file { read write getattr };
|
||||
allow ntpd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ntpd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ntpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ntpd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ files_pid_file(nx_server_var_run_t)
|
|||
# NX server local policy
|
||||
#
|
||||
|
||||
allow nx_server_t self:fifo_file { getattr ioctl read write };
|
||||
allow nx_server_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nx_server_t self:tcp_socket create_socket_perms;
|
||||
allow nx_server_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -82,7 +82,7 @@ optional_policy(`
|
|||
|
||||
dontaudit scannerdaemon_t self:capability sys_tty_config;
|
||||
allow scannerdaemon_t self:process signal_perms;
|
||||
allow scannerdaemon_t self:fifo_file { read write };
|
||||
allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
|
||||
allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
|
||||
allow scannerdaemon_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ files_pid_file(oddjob_var_run_t)
|
|||
|
||||
allow oddjob_t self:capability setgid;
|
||||
allow oddjob_t self:process { setexec signal };
|
||||
allow oddjob_t self:fifo_file { read write };
|
||||
allow oddjob_t self:fifo_file rw_fifo_file_perms;
|
||||
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
|
||||
|
|
@ -68,7 +68,7 @@ optional_policy(`
|
|||
# oddjob_mkhomedir local policy
|
||||
#
|
||||
|
||||
allow oddjob_mkhomedir_t self:fifo_file { read write };
|
||||
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
|
||||
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
files_read_etc_files(oddjob_mkhomedir_t)
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ files_pid_file(pcscd_var_run_t)
|
|||
|
||||
allow pcscd_t self:capability { dac_override dac_read_search };
|
||||
allow pcscd_t self:process signal;
|
||||
allow pcscd_t self:fifo_file { read write };
|
||||
allow pcscd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pcscd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pcscd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ allow perdition_t self:process signal_perms;
|
|||
allow perdition_t self:tcp_socket create_stream_socket_perms;
|
||||
allow perdition_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow perdition_t perdition_etc_t:file { getattr read };
|
||||
allow perdition_t perdition_etc_t:file read_file_perms;
|
||||
files_search_etc(perdition_t)
|
||||
|
||||
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
|
||||
|
|
|
|||
|
|
@ -474,8 +474,8 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
|||
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||
|
||||
corecmd_exec_bin(postfix_qmgr_t)
|
||||
|
|
@ -494,8 +494,8 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
|||
|
||||
postfix_list_spool(postfix_showq_t)
|
||||
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||
|
||||
# to write the mailq output, it really should not need read access!
|
||||
|
|
|
|||
|
|
@ -103,8 +103,7 @@ role system_r types sepgsql_trusted_proc_t;
|
|||
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
|
||||
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
||||
allow postgresql_t self:process signal_perms;
|
||||
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
||||
allow postgresql_t self:file { getattr read };
|
||||
allow postgresql_t self:fifo_file rw_fifo_file_perms;
|
||||
allow postgresql_t self:sem create_sem_perms;
|
||||
allow postgresql_t self:shm create_shm_perms;
|
||||
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -223,23 +223,23 @@ optional_policy(`
|
|||
allow pptp_t self:capability net_raw;
|
||||
dontaudit pptp_t self:capability sys_tty_config;
|
||||
allow pptp_t self:process signal;
|
||||
allow pptp_t self:fifo_file { read write };
|
||||
allow pptp_t self:fifo_file rw_fifo_file_perms;
|
||||
allow pptp_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow pptp_t self:rawip_socket create_socket_perms;
|
||||
allow pptp_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow pptp_t pppd_etc_t:dir { getattr read search };
|
||||
allow pptp_t pppd_etc_t:file { read getattr };
|
||||
allow pptp_t pppd_etc_t:dir list_dir_perms;
|
||||
allow pptp_t pppd_etc_t:file read_file_perms;
|
||||
allow pptp_t pppd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow pptp_t pppd_etc_rw_t:dir { getattr read search };
|
||||
allow pptp_t pppd_etc_rw_t:file { read getattr };
|
||||
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
|
||||
allow pptp_t pppd_etc_rw_t:file read_file_perms;
|
||||
allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
|
||||
can_exec(pptp_t, pppd_etc_rw_t)
|
||||
|
||||
# Allow pptp to append to pppd log files
|
||||
allow pptp_t pppd_log_t:file append;
|
||||
allow pptp_t pppd_log_t:file append_file_perms;
|
||||
|
||||
allow pptp_t pptp_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(pptp_t, pptp_log_t, file)
|
||||
|
|
|
|||
|
|
@ -73,10 +73,10 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
|||
# this component preprocesses mail from stdin and invokes qmail-queue
|
||||
#
|
||||
|
||||
allow qmail_inject_t self:fifo_file write;
|
||||
allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
||||
allow qmail_inject_t self:process signal_perms;
|
||||
|
||||
allow qmail_inject_t qmail_queue_exec_t:file read;
|
||||
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
|
||||
|
||||
corecmd_search_bin(qmail_inject_t)
|
||||
|
||||
|
|
@ -95,7 +95,7 @@ qmail_read_config(qmail_inject_t)
|
|||
# this component delivers a mail message
|
||||
#
|
||||
|
||||
allow qmail_local_t self:fifo_file write;
|
||||
allow qmail_local_t self:fifo_file write_file_perms;
|
||||
allow qmail_local_t self:process signal_perms;
|
||||
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
|
|
@ -104,7 +104,7 @@ manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
|||
|
||||
can_exec(qmail_local_t, qmail_local_exec_t)
|
||||
|
||||
allow qmail_local_t qmail_queue_exec_t:file read;
|
||||
allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
|
||||
|
||||
allow qmail_local_t qmail_spool_t:file read_file_perms;
|
||||
|
||||
|
|
@ -132,12 +132,12 @@ qmail_domtrans_queue(qmail_local_t)
|
|||
|
||||
allow qmail_lspawn_t self:capability { setuid setgid };
|
||||
allow qmail_lspawn_t self:process signal_perms;
|
||||
allow qmail_lspawn_t self:fifo_file { read write };
|
||||
allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
|
||||
allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
can_exec(qmail_lspawn_t, qmail_exec_t)
|
||||
|
||||
allow qmail_lspawn_t qmail_local_exec_t:file read;
|
||||
allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
|
||||
|
||||
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
|
||||
|
||||
|
|
@ -154,10 +154,10 @@ files_search_tmp(qmail_lspawn_t)
|
|||
#
|
||||
|
||||
allow qmail_queue_t qmail_lspawn_t:fd use;
|
||||
allow qmail_queue_t qmail_lspawn_t:fifo_file write;
|
||||
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
|
||||
|
||||
allow qmail_queue_t qmail_smtpd_t:fd use;
|
||||
allow qmail_queue_t qmail_smtpd_t:fifo_file read;
|
||||
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
|
||||
allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
||||
|
||||
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
||||
|
|
@ -206,9 +206,9 @@ sysnet_read_config(qmail_remote_t)
|
|||
#
|
||||
|
||||
allow qmail_rspawn_t self:process signal_perms;
|
||||
allow qmail_rspawn_t self:fifo_file read;
|
||||
allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
|
||||
|
||||
allow qmail_rspawn_t qmail_remote_exec_t:file read;
|
||||
allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
|
||||
|
||||
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
|
||||
|
||||
|
|
@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
|
|||
#
|
||||
|
||||
allow qmail_send_t self:process signal_perms;
|
||||
allow qmail_send_t self:fifo_file write;
|
||||
allow qmail_send_t self:fifo_file write_fifo_file_perms;
|
||||
|
||||
manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
|
||||
manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
|
||||
|
|
@ -240,10 +240,10 @@ optional_policy(`
|
|||
#
|
||||
|
||||
allow qmail_smtpd_t self:process signal_perms;
|
||||
allow qmail_smtpd_t self:fifo_file write;
|
||||
allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
|
||||
allow qmail_smtpd_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow qmail_smtpd_t qmail_queue_exec_t:file read;
|
||||
allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
|
||||
|
||||
dev_read_rand(qmail_smtpd_t)
|
||||
dev_read_urand(qmail_smtpd_t)
|
||||
|
|
@ -280,7 +280,7 @@ miscfiles_read_localization(qmail_splogger_t)
|
|||
|
||||
allow qmail_start_t self:capability { setgid setuid };
|
||||
dontaudit qmail_start_t self:capability sys_tty_config;
|
||||
allow qmail_start_t self:fifo_file { getattr read write };
|
||||
allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
||||
allow qmail_start_t self:process signal_perms;
|
||||
|
||||
can_exec(qmail_start_t, qmail_start_exec_t)
|
||||
|
|
@ -305,7 +305,7 @@ optional_policy(`
|
|||
# this component sets up TCP-related environment variables
|
||||
#
|
||||
|
||||
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
|
||||
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
|
||||
|
||||
corecmd_search_bin(qmail_tcp_env_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
|
|||
dontaudit resmgrd_t self:capability sys_tty_config;
|
||||
allow resmgrd_t self:process signal_perms;
|
||||
|
||||
allow resmgrd_t resmgrd_etc_t:file { getattr read };
|
||||
allow resmgrd_t resmgrd_etc_t:file read_file_perms;
|
||||
files_search_etc(resmgrd_t)
|
||||
|
||||
allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ files_lock_file(ricci_modstorage_lock_t)
|
|||
|
||||
allow ricci_t self:capability { setuid sys_nice sys_boot };
|
||||
allow ricci_t self:process setsched;
|
||||
allow ricci_t self:fifo_file { read write };
|
||||
allow ricci_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow ricci_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
|
|
@ -362,7 +362,7 @@ optional_policy(`
|
|||
# ricci_modrpm local policy
|
||||
#
|
||||
|
||||
allow ricci_modrpm_t self:fifo_file { getattr read };
|
||||
allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(ricci_modrpm_t)
|
||||
|
||||
|
|
@ -390,7 +390,7 @@ optional_policy(`
|
|||
#
|
||||
|
||||
allow ricci_modservice_t self:capability { dac_override sys_nice };
|
||||
allow ricci_modservice_t self:fifo_file { getattr read write };
|
||||
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ricci_modservice_t self:process setsched;
|
||||
|
||||
kernel_read_kernel_sysctls(ricci_modservice_t)
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ optional_policy(`
|
|||
|
||||
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
||||
|
||||
allow nfsd_t exports_t:file { getattr read };
|
||||
allow nfsd_t exports_t:file read_file_perms;
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
|
||||
# for /proc/fs/nfs/exports - should we have a new type?
|
||||
|
|
|
|||
|
|
@ -220,7 +220,7 @@ allow smbd_t self:msg { send receive };
|
|||
allow smbd_t self:msgq create_msgq_perms;
|
||||
allow smbd_t self:sem create_sem_perms;
|
||||
allow smbd_t self:shm create_shm_perms;
|
||||
allow smbd_t self:sock_file read_file_perms;
|
||||
allow smbd_t self:sock_file read_sock_file_perms;
|
||||
allow smbd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow smbd_t self:udp_socket create_socket_perms;
|
||||
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
|
|
@ -405,7 +405,7 @@ allow nmbd_t self:msg { send receive };
|
|||
allow nmbd_t self:msgq create_msgq_perms;
|
||||
allow nmbd_t self:sem create_sem_perms;
|
||||
allow nmbd_t self:shm create_shm_perms;
|
||||
allow nmbd_t self:sock_file read_file_perms;
|
||||
allow nmbd_t self:sock_file read_sock_file_perms;
|
||||
allow nmbd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow nmbd_t self:udp_socket create_socket_perms;
|
||||
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
|
|
@ -572,17 +572,17 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|||
allow swat_t self:tcp_socket create_stream_socket_perms;
|
||||
allow swat_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow swat_t nmbd_exec_t:file { execute read };
|
||||
allow swat_t nmbd_exec_t:file mmap_file_perms;
|
||||
|
||||
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
append_files_pattern(swat_t, samba_log_t, samba_log_t)
|
||||
|
||||
allow swat_t smbd_exec_t:file execute ;
|
||||
allow swat_t smbd_exec_t:file mmap_file_perms ;
|
||||
|
||||
allow swat_t smbd_t:process signull;
|
||||
|
||||
allow swat_t smbd_var_run_t:file read;
|
||||
allow swat_t smbd_var_run_t:file read_file_perms;
|
||||
|
||||
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
||||
|
|
@ -591,7 +591,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
|||
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
|
||||
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
||||
|
||||
allow swat_t winbind_exec_t:file execute;
|
||||
allow swat_t winbind_exec_t:file mmap_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(swat_t)
|
||||
kernel_read_system_state(swat_t)
|
||||
|
|
@ -654,7 +654,7 @@ optional_policy(`
|
|||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
allow winbind_t self:process signal_perms;
|
||||
allow winbind_t self:fifo_file { read write };
|
||||
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow winbind_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
@ -761,7 +761,7 @@ allow winbind_helper_t samba_etc_t:dir list_dir_perms;
|
|||
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
|
||||
read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
allow winbind_helper_t samba_var_t:dir search;
|
||||
allow winbind_helper_t samba_var_t:dir search_dir_perms;
|
||||
files_list_var_lib(winbind_helper_t)
|
||||
|
||||
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ files_pid_file(saslauthd_var_run_t)
|
|||
allow saslauthd_t self:capability setuid;
|
||||
dontaudit saslauthd_t self:capability sys_tty_config;
|
||||
allow saslauthd_t self:process signal_perms;
|
||||
allow saslauthd_t self:fifo_file { read write };
|
||||
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow saslauthd_t self:tcp_socket create_socket_perms;
|
||||
|
|
|
|||
|
|
@ -88,8 +88,7 @@ template(`spamassassin_per_role_template',`
|
|||
files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
|
||||
|
||||
# Allow connecting to a local spamd
|
||||
allow $1_spamc_t spamd_t:unix_stream_socket connectto;
|
||||
allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
|
||||
stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
|
||||
|
||||
domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -39,8 +39,8 @@ allow stunnel_t self:fifo_file rw_fifo_file_perms;
|
|||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||
allow stunnel_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow stunnel_t stunnel_etc_t:dir { getattr read search };
|
||||
allow stunnel_t stunnel_etc_t:file { read getattr };
|
||||
allow stunnel_t stunnel_etc_t:dir list_dir_perms;
|
||||
allow stunnel_t stunnel_etc_t:file read_file_perms;
|
||||
allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
|
||||
|
||||
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
|
||||
|
|
|
|||
|
|
@ -39,8 +39,8 @@ allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
|||
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit tftpd_t self:capability sys_tty_config;
|
||||
|
||||
allow tftpd_t tftpdir_t:dir { getattr read search };
|
||||
allow tftpd_t tftpdir_t:file { read getattr };
|
||||
allow tftpd_t tftpdir_t:dir list_dir_perms;
|
||||
allow tftpd_t tftpdir_t:file read_file_perms;
|
||||
allow tftpd_t tftpdir_t:lnk_file { getattr read };
|
||||
|
||||
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ files_pid_file(tor_var_run_t)
|
|||
#
|
||||
|
||||
allow tor_t self:capability { setgid setuid };
|
||||
allow tor_t self:fifo_file { read write };
|
||||
allow tor_t self:fifo_file rw_fifo_file_perms;
|
||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow tor_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ optional_policy(`
|
|||
#
|
||||
|
||||
allow ucspitcp_t self:capability { setgid setuid };
|
||||
allow ucspitcp_t self:fifo_file { read write };
|
||||
allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ucspitcp_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -26,9 +26,9 @@ files_pid_file(uptimed_var_run_t)
|
|||
|
||||
dontaudit uptimed_t self:capability sys_tty_config;
|
||||
allow uptimed_t self:process signal_perms;
|
||||
allow uptimed_t self:fifo_file { getattr write };
|
||||
allow uptimed_t self:fifo_file write_file_perms;
|
||||
|
||||
allow uptimed_t uptimed_etc_t:file { getattr read };
|
||||
allow uptimed_t uptimed_etc_t:file read_file_perms;
|
||||
files_search_etc(uptimed_t)
|
||||
|
||||
allow uptimed_t uptimed_spool_t:file manage_file_perms;
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@ optional_policy(`
|
|||
#
|
||||
|
||||
allow uux_t self:capability { setuid setgid };
|
||||
allow uux_t self:fifo_file { getattr write };
|
||||
allow uux_t self:fifo_file write_file_perms;
|
||||
|
||||
uucp_append_log(uux_t)
|
||||
uucp_manage_spool(uux_t)
|
||||
|
|
|
|||
|
|
@ -427,7 +427,7 @@ allow xdm_xserver_t xdm_t:shm rw_shm_perms;
|
|||
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
|
||||
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
|
||||
|
||||
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
|
||||
allow xdm_xserver_t xdm_var_run_t:file read_file_perms;
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ files_pid_file(zebra_var_run_t)
|
|||
allow zebra_t self:capability { setgid setuid net_admin net_raw };
|
||||
dontaudit zebra_t self:capability sys_tty_config;
|
||||
allow zebra_t self:process { signal_perms getcap setcap };
|
||||
allow zebra_t self:file { ioctl read write getattr lock append };
|
||||
allow zebra_t self:file rw_file_perms;
|
||||
allow zebra_t self:unix_dgram_socket create_socket_perms;
|
||||
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
|
|
|||
|
|
@ -871,7 +871,7 @@ interface(`auth_manage_var_auth',`
|
|||
files_search_var($1)
|
||||
allow $1 var_auth_t:dir manage_dir_perms;
|
||||
allow $1 var_auth_t:file rw_file_perms;
|
||||
allow $1 var_auth_t:lnk_file rw_file_perms;
|
||||
allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -263,7 +263,7 @@ optional_policy(`
|
|||
# System check password local policy
|
||||
#
|
||||
|
||||
allow system_chkpwd_t shadow_t:file { getattr read };
|
||||
allow system_chkpwd_t shadow_t:file read_file_perms;
|
||||
|
||||
corecmd_search_bin(system_chkpwd_t)
|
||||
|
||||
|
|
@ -289,7 +289,7 @@ ifdef(`distro_ubuntu',`
|
|||
#
|
||||
|
||||
allow updpwd_t self:process setfscreate;
|
||||
allow updpwd_t self:fifo_file { read write };
|
||||
allow updpwd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow updpwd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ role system_r types hwclock_t;
|
|||
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
|
||||
dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t self:process signal_perms;
|
||||
allow hwclock_t self:fifo_file { getattr read write };
|
||||
allow hwclock_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
# Allow hwclock to store & retrieve correction factors.
|
||||
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
|
||||
|
|
|
|||
|
|
@ -774,7 +774,7 @@ interface(`init_read_state',`
|
|||
|
||||
allow $1 init_t:dir search_dir_perms;
|
||||
allow $1 init_t:file read_file_perms;
|
||||
allow $1 init_t:lnk_file read_file_perms;
|
||||
allow $1 init_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ allow ipsec_t self:process signal;
|
|||
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_t self:key_socket { create write read setopt };
|
||||
allow ipsec_t self:fifo_file { read getattr };
|
||||
allow ipsec_t self:fifo_file read_file_perms;
|
||||
|
||||
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
|
||||
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
|
||||
|
|
@ -186,7 +186,7 @@ read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
|
|||
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
|
||||
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
|
||||
|
||||
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
|
||||
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
|
||||
|
||||
manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
|
||||
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ files_pid_file(iscsi_var_run_t)
|
|||
|
||||
allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
|
||||
allow iscsid_t self:process { setrlimit setsched signal };
|
||||
allow iscsid_t self:fifo_file { read write };
|
||||
allow iscsid_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow iscsid_t self:unix_dgram_socket create_socket_perms;
|
||||
allow iscsid_t self:sem create_sem_perms;
|
||||
|
|
|
|||
|
|
@ -451,7 +451,7 @@ interface(`logging_send_syslog_msg',`
|
|||
')
|
||||
|
||||
allow $1 devlog_t:lnk_file read;
|
||||
allow $1 devlog_t:sock_file rw_file_perms;
|
||||
allow $1 devlog_t:sock_file rw_sock_file_perms;
|
||||
|
||||
# the type of socket depends on the syslog daemon
|
||||
allow $1 syslogd_t:unix_dgram_socket sendto;
|
||||
|
|
|
|||
|
|
@ -127,7 +127,7 @@ logging_send_syslog_msg(auditctl_t)
|
|||
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
|
||||
dontaudit auditd_t self:capability sys_tty_config;
|
||||
allow auditd_t self:process { signal_perms setpgid setsched };
|
||||
allow auditd_t self:file { getattr read write };
|
||||
allow auditd_t self:file rw_file_perms;
|
||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:fifo_file rw_file_perms;
|
||||
allow auditd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
@ -227,7 +227,7 @@ allow audisp_t self:fifo_file rw_file_perms;
|
|||
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow audisp_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
|
||||
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
|
||||
|
||||
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
|
||||
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
|
||||
|
|
|
|||
|
|
@ -440,7 +440,7 @@ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
|||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
|
||||
allow semanage_t policy_config_t:file rw_file_perms;
|
||||
|
||||
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
|
||||
allow semanage_t semanage_tmp_t:file manage_file_perms;
|
||||
|
|
|
|||
|
|
@ -56,7 +56,6 @@ allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
|
|||
read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
|
||||
exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
|
||||
|
||||
allow dhcpc_t dhcp_state_t:file { getattr read };
|
||||
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
|
||||
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
|
||||
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem ex
|
|||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_fifo_file_perms;
|
||||
allow udev_t self:sock_file read_file_perms;
|
||||
allow udev_t self:sock_file read_sock_file_perms;
|
||||
allow udev_t self:shm create_shm_perms;
|
||||
allow udev_t self:sem create_sem_perms;
|
||||
allow udev_t self:msgq create_msgq_perms;
|
||||
|
|
|
|||
|
|
@ -123,10 +123,7 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
|
|||
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
|
||||
|
||||
# transition to store
|
||||
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
|
||||
allow xenstored_t xend_t:fd use;
|
||||
allow xenstored_t xend_t:process sigchld;
|
||||
allow xenstored_t xend_t:fifo_file write;
|
||||
domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
|
||||
|
||||
# transition to console
|
||||
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
|
||||
|
|
@ -224,7 +221,7 @@ optional_policy(`
|
|||
|
||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenconsoled_t self:fifo_file { read write };
|
||||
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
|
||||
|
||||
|
|
@ -318,7 +315,7 @@ xen_append_log(xenstored_t)
|
|||
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xm_t self:fifo_file { read write };
|
||||
allow xm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow xm_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# This file contains the policy capabilites
|
||||
# that are enabled in this policy, not a
|
||||
# declaration of DAC capabilites such as
|
||||
# CAP_DAC_OVERRIDE.
|
||||
# dac_override.
|
||||
#
|
||||
# The affected object classes and their
|
||||
# permissions should also be listed in
|
||||
|
|
@ -25,9 +25,8 @@
|
|||
# Checks enabled:
|
||||
# dir: open
|
||||
# file: open
|
||||
# lnk_file: open
|
||||
# fifo_file: open
|
||||
# chr_file: open
|
||||
# blk_file: open
|
||||
#
|
||||
#policycap open_perms;
|
||||
policycap open_perms;
|
||||
|
|
|
|||
|
|
@ -59,22 +59,22 @@ define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please us
|
|||
#
|
||||
# Permissions for executing files.
|
||||
#
|
||||
define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
|
||||
define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
|
||||
|
||||
#
|
||||
# Permissions for reading files and their attributes.
|
||||
#
|
||||
define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
|
||||
define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
|
||||
|
||||
#
|
||||
# Permissions for reading and executing files.
|
||||
#
|
||||
define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
|
||||
define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
|
||||
|
||||
#
|
||||
# Permissions for reading and appending to files.
|
||||
#
|
||||
define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
|
||||
define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
|
||||
|
||||
#
|
||||
# Permissions for linking, unlinking and renaming files.
|
||||
|
|
@ -89,17 +89,12 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } r
|
|||
#
|
||||
# Permissions for reading directories and their attributes.
|
||||
#
|
||||
define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
|
||||
|
||||
#
|
||||
# Permissions for reading and writing directories and their attributes.
|
||||
#
|
||||
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
|
||||
define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
|
||||
|
||||
#
|
||||
# Permissions for reading and adding names to directories.
|
||||
#
|
||||
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
|
||||
define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
|
||||
|
||||
|
||||
#
|
||||
|
|
@ -187,9 +182,10 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
|
|||
define(`getattr_dir_perms',`{ getattr }')
|
||||
define(`setattr_dir_perms',`{ setattr }')
|
||||
define(`search_dir_perms',`{ getattr search }')
|
||||
define(`list_dir_perms',`{ getattr search read lock ioctl }')
|
||||
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
|
||||
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
|
||||
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
|
||||
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
|
||||
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
|
||||
define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
|
||||
define(`create_dir_perms',`{ getattr create }')
|
||||
define(`rename_dir_perms',`{ getattr rename }')
|
||||
define(`delete_dir_perms',`{ getattr rmdir }')
|
||||
|
|
@ -203,12 +199,12 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
define(`getattr_file_perms',`{ getattr }')
|
||||
define(`setattr_file_perms',`{ setattr }')
|
||||
define(`read_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr read execute ioctl }')
|
||||
define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
|
||||
define(`append_file_perms',`{ getattr append lock ioctl }')
|
||||
define(`write_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`rw_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`read_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
|
||||
define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
|
||||
define(`append_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
|
||||
define(`create_file_perms',`{ getattr create open }')
|
||||
define(`rename_file_perms',`{ getattr rename }')
|
||||
define(`delete_file_perms',`{ getattr unlink }')
|
||||
|
|
@ -239,10 +235,10 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
define(`getattr_fifo_file_perms',`{ getattr }')
|
||||
define(`setattr_fifo_file_perms',`{ setattr }')
|
||||
define(`read_fifo_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
|
||||
define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
|
||||
define(`create_fifo_file_perms',`{ getattr create open }')
|
||||
define(`rename_fifo_file_perms',`{ getattr rename }')
|
||||
define(`delete_fifo_file_perms',`{ getattr unlink }')
|
||||
|
|
@ -272,10 +268,10 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
define(`getattr_blk_file_perms',`{ getattr }')
|
||||
define(`setattr_blk_file_perms',`{ setattr }')
|
||||
define(`read_blk_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`append_blk_file_perms',`{ getattr append lock ioctl }')
|
||||
define(`write_blk_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
|
||||
define(`create_blk_file_perms',`{ getattr create }')
|
||||
define(`rename_blk_file_perms',`{ getattr rename }')
|
||||
define(`delete_blk_file_perms',`{ getattr unlink }')
|
||||
|
|
@ -289,10 +285,10 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
define(`getattr_chr_file_perms',`{ getattr }')
|
||||
define(`setattr_chr_file_perms',`{ setattr }')
|
||||
define(`read_chr_file_perms',`{ getattr read lock ioctl }')
|
||||
define(`append_chr_file_perms',`{ getattr append lock ioctl }')
|
||||
define(`write_chr_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
|
||||
define(`create_chr_file_perms',`{ getattr create }')
|
||||
define(`rename_chr_file_perms',`{ getattr rename }')
|
||||
define(`delete_chr_file_perms',`{ getattr unlink }')
|
||||
|
|
@ -309,7 +305,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
|
|||
#
|
||||
# Use (read and write) terminals
|
||||
#
|
||||
define(`rw_term_perms', `{ getattr read write ioctl }')
|
||||
define(`rw_term_perms', `{ getattr open read write ioctl }')
|
||||
|
||||
#
|
||||
# Sockets
|
||||
|
|
|
|||
Loading…
Reference in New Issue