change over to some perm set macros. add indentation
parent
36e54b81f7
commit
0c73cd2526
@ -302,7 +302,7 @@ tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
|
|||||||
$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
|
$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$(JAVABYTE) doctool: $(JAVASRC)
|
$(JAVABYTE): $(JAVASRC)
|
||||||
javac $(JAVASRC)
|
javac $(JAVASRC)
|
||||||
|
|
||||||
html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
|
html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
|
||||||
|
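Review bot: The rule `$(JAVABYTE): $(JAVASRC)` silently drops the `doctool` target name that the old rule `$(JAVABYTE) doctool: $(JAVASRC)` also defined, which is unrelated to the perm-set and indentation change the commit message describes. Nothing in this hunk shows whether `doctool` is still referenced by another rule, a `.PHONY` list or documentation, so if it is, `make doctool` would now fail with an unknown target. Either keep the alias by restoring `$(JAVABYTE) doctool: $(JAVASRC)` or state the intentional removal in the commit message.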
@ -4,23 +4,26 @@
|
|||||||
# consoletype_transition(domain)
|
# consoletype_transition(domain)
|
||||||
#
|
#
|
||||||
define(`consoletype_transition',`
|
define(`consoletype_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 consoletype_exec_t:file { getattr read execute };
|
|
||||||
allow $1 consoletype_t:process transition;
|
allow $1 consoletype_exec_t:file { getattr read execute };
|
||||||
type_transition $1 consoletype_exec_t:process consoletype_t;
|
allow $1 consoletype_t:process transition;
|
||||||
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 consoletype_exec_t:process consoletype_t;
|
||||||
allow $1 consoletype_t:fd use;
|
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
|
||||||
allow consoletype_t $1:fd use;
|
|
||||||
allow consoletype_t $1:fifo_file rw_file_perms;
|
allow $1 consoletype_t:fd use;
|
||||||
allow consoletype_t $1:process sigchld;
|
allow consoletype_t $1:fd use;
|
||||||
|
allow consoletype_t $1:fifo_file rw_file_perms;
|
||||||
|
allow consoletype_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`consoletype_transition_depend',`
|
define(`consoletype_transition_depend',`
|
||||||
type consoletype_t, consoletype_exec_t;
|
type consoletype_t, consoletype_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
|
|||||||
# consoletype_execute(domain)
|
# consoletype_execute(domain)
|
||||||
#
|
#
|
||||||
define(`consoletype_execute',`
|
define(`consoletype_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`consoletype_execute_depend',`
|
define(`consoletype_execute_depend',`
|
||||||
type consoletype_exec_t;
|
type consoletype_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
@ -51,15 +51,15 @@ libraries_use_dynamic_loader(consoletype_t)
|
|||||||
libraries_use_shared_libraries(consoletype_t)
|
libraries_use_shared_libraries(consoletype_t)
|
||||||
|
|
||||||
tunable_policy(`distro_redhat', `
|
tunable_policy(`distro_redhat', `
|
||||||
filesystem_use_tmpfs_character_devices(consoletype_t)
|
filesystem_use_tmpfs_character_devices(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`authlogin.te', `
|
optional_policy(`authlogin.te', `
|
||||||
authlogin_pam_read_runtime_data(consoletype_t)
|
authlogin_pam_read_runtime_data(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
|
userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`dmesg_transition',`
|
define(`dmesg_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 dmesg_exec_t:file { getattr read execute };
|
|
||||||
allow $1 dmesg_t:process transition;
|
allow $1 dmesg_exec_t:file { getattr read execute };
|
||||||
type_transition $1 dmesg_exec_t:process dmesg_t;
|
allow $1 dmesg_t:process transition;
|
||||||
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 dmesg_exec_t:process dmesg_t;
|
||||||
allow $1 dmesg_t:fd use;
|
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
|
||||||
allow dmesg_t $1:fd use;
|
|
||||||
allow dmesg_t $1:fifo_file rw_file_perms;
|
allow $1 dmesg_t:fd use;
|
||||||
allow dmesg_t $1:process sigchld;
|
allow dmesg_t $1:fd use;
|
||||||
|
allow dmesg_t $1:fifo_file rw_file_perms;
|
||||||
|
allow dmesg_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dmesg_transition_depend',`
|
define(`dmesg_transition_depend',`
|
||||||
type dmesg_t, dmesg_exec_t;
|
type dmesg_t, dmesg_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -44,13 +47,15 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`dmesg_execute',`
|
define(`dmesg_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`dmesg_execute_depend',`
|
define(`dmesg_execute_depend',`
|
||||||
type dmesg_exec_t;
|
type dmesg_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -50,17 +50,17 @@ userdomain_use_admin_terminals(dmesg_t)
|
|||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(dmesg_t)
|
terminal_ignore_use_general_physical_terminal(dmesg_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(dmesg_t)
|
terminal_ignore_use_general_pseudoterminal(dmesg_t)
|
||||||
files_ignore_read_rootfs_file(dmesg_t)
|
files_ignore_read_rootfs_file(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(dmesg_t)
|
selinux_newrole_sigchld(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(dmesg_t)
|
udev_read_database(dmesg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -4,23 +4,26 @@
|
|||||||
# netutils_transition(domain)
|
# netutils_transition(domain)
|
||||||
#
|
#
|
||||||
define(`netutils_transition',`
|
define(`netutils_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 netutils_exec_t:file { getattr read execute };
|
|
||||||
allow $1 netutils_t:process transition;
|
allow $1 netutils_exec_t:file { getattr read execute };
|
||||||
type_transition $1 netutils_exec_t:process netutils_t;
|
allow $1 netutils_t:process transition;
|
||||||
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 netutils_exec_t:process netutils_t;
|
||||||
allow $1 netutils_t:fd use;
|
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
|
||||||
allow netutils_t $1:fd use;
|
|
||||||
allow netutils_t $1:fifo_file rw_file_perms;
|
allow $1 netutils_t:fd use;
|
||||||
allow netutils_t $1:process sigchld;
|
allow netutils_t $1:fd use;
|
||||||
|
allow netutils_t $1:fifo_file rw_file_perms;
|
||||||
|
allow netutils_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`netutils_transition_depend',`
|
define(`netutils_transition_depend',`
|
||||||
type netutils_t, netutils_exec_t;
|
type netutils_t, netutils_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -28,11 +31,13 @@ class fifo_file rw_file_perms;
|
|||||||
# netutils_execute(domain)
|
# netutils_execute(domain)
|
||||||
#
|
#
|
||||||
define(`netutils_execute',`
|
define(`netutils_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`netutils_execute_depend',`
|
define(`netutils_execute_depend',`
|
||||||
type netutils_exec_t;
|
type netutils_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_transition',`
|
define(`rpm_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 rpm_exec_t:file { getattr read execute };
|
|
||||||
allow $1 rpm_t:process transition;
|
allow $1 rpm_exec_t:file { getattr read execute };
|
||||||
type_transition $1 rpm_exec_t:process rpm_t;
|
allow $1 rpm_t:process transition;
|
||||||
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 rpm_exec_t:process rpm_t;
|
||||||
allow $1 rpm_t:fd use;
|
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
|
||||||
allow rpm_t $1:fd use;
|
|
||||||
allow rpm_t $1:fifo_file rw_file_perms;
|
allow $1 rpm_t:fd use;
|
||||||
allow rpm_t $1:process sigchld;
|
allow rpm_t $1:fd use;
|
||||||
|
allow rpm_t $1:fifo_file rw_file_perms;
|
||||||
|
allow rpm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_transition_depend',`
|
define(`rpm_transition_depend',`
|
||||||
type rpm_t, rpm_exec_t;
|
type rpm_t, rpm_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -50,16 +53,18 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_transition_add_role_use_terminal',`
|
define(`rpm_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
rpm_transition($1)
|
|
||||||
role $2 types rpm_t;
|
rpm_transition($1)
|
||||||
role $2 types rpm_script_t;
|
role $2 types rpm_t;
|
||||||
allow rpm_t $3:chr_file { getattr read write ioctl };
|
role $2 types rpm_script_t;
|
||||||
|
allow rpm_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_transition_add_role_use_terminal_depend',`
|
define(`rpm_transition_add_role_use_terminal_depend',`
|
||||||
type rpm_t, rpm_script_t;
|
type rpm_t, rpm_script_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_use_file_descriptors',`
|
define(`rpm_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 rpm_t:fd use;
|
|
||||||
|
allow $1 rpm_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_use_file_descriptors_depend',`
|
define(`rpm_use_file_descriptors_depend',`
|
||||||
type rpm_t;
|
type rpm_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -95,13 +102,15 @@ class fd use;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_read_pipe',`
|
define(`rpm_read_pipe',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 rpm_t:fifo_file { getattr read };
|
|
||||||
|
allow $1 rpm_t:fifo_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_read_pipe_depend',`
|
define(`rpm_read_pipe_depend',`
|
||||||
type rpm_t;
|
type rpm_t;
|
||||||
class fifo_file { getattr read };
|
|
||||||
|
class fifo_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -116,17 +125,19 @@ class fifo_file { getattr read };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`rpm_read_package_database',`
|
define(`rpm_read_package_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 rpm_var_lib_t:dir { getattr read search };
|
|
||||||
allow $1 rpm_var_lib_t:file { read getattr };
|
allow $1 rpm_var_lib_t:dir { getattr read search };
|
||||||
allow $1 rpm_var_lib_t:lnk_file { getattr read };
|
allow $1 rpm_var_lib_t:file { read getattr };
|
||||||
|
allow $1 rpm_var_lib_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_read_package_database_depend',`
|
define(`rpm_read_package_database_depend',`
|
||||||
type rpm_var_lib_t_t;
|
type rpm_var_lib_t_t;
|
||||||
class dir { search getattr read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { search getattr read };
|
||||||
class file { getattr read };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
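Review bot: The requires block under `define(`rpm_read_package_database_depend'` declares `type rpm_var_lib_t_t;`, but every rule in the interface body is written against `rpm_var_lib_t`, so the require names a type that appears nowhere else on this page while the type the rules actually depend on is left undeclared. This looks like a doubled `_t` suffix carried over unchanged by the reindent; it should read `type rpm_var_lib_t;`. The same doubled suffix is present in `rpm_manage_package_database_depend` in the next hunk.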
@ -134,17 +145,19 @@ class file { getattr read };
|
|||||||
# rpm_manage_package_database(domain)
|
# rpm_manage_package_database(domain)
|
||||||
#
|
#
|
||||||
define(`rpm_manage_package_database',`
|
define(`rpm_manage_package_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
|
|
||||||
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
|
allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
|
||||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
|
||||||
|
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`rpm_manage_package_database_depend',`
|
define(`rpm_manage_package_database_depend',`
|
||||||
type rpm_var_lib_t_t;
|
type rpm_var_lib_t_t;
|
||||||
class dir { search getattr read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { search getattr read };
|
||||||
class file { getattr read };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
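Review bot: The class permissions declared in `rpm_manage_package_database_depend` do not cover what the interface body grants: the body allows `dir { getattr search read write add_name remove_name }`, `file { getattr create read write append unlink }` and `lnk_file { getattr read write unlink }`, while the require block lists only the read-side sets that appear to have been copied from `rpm_read_package_database_depend`. A requires block that under-declares permissions defeats its purpose of stating what a module needs before the rules are linked. The three lines should be `class dir { getattr search read write add_name remove_name };`, `class file { getattr create read write append unlink };` and `class lnk_file { getattr read write unlink };`.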
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_chfn_transition',`
|
define(`usermanage_chfn_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 chfn_exec_t:file { getattr read execute };
|
|
||||||
allow $1 chfn_t:process transition;
|
allow $1 chfn_exec_t:file { getattr read execute };
|
||||||
type_transition $1 chfn_exec_t:process chfn_t;
|
allow $1 chfn_t:process transition;
|
||||||
dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 chfn_exec_t:process chfn_t;
|
||||||
allow $1 chfn_t:fd use;
|
dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
|
||||||
allow chfn_t $1:fd use;
|
|
||||||
allow chfn_t $1:fifo_file rw_file_perms;
|
allow $1 chfn_t:fd use;
|
||||||
allow chfn_t $1:process sigchld;
|
allow chfn_t $1:fd use;
|
||||||
|
allow chfn_t $1:fifo_file rw_file_perms;
|
||||||
|
allow chfn_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_chfn_transition_depend',`
|
define(`usermanage_chfn_transition_depend',`
|
||||||
type chfn_t, chfn_exec_t;
|
type chfn_t, chfn_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_chfn_transition_add_role_use_terminal',`
|
define(`usermanage_chfn_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
usermanage_chfn_transition($1)
|
|
||||||
role $2 types chfn_t;
|
usermanage_chfn_transition($1)
|
||||||
allow chfn_t $3:chr_file { getattr read write ioctl };
|
role $2 types chfn_t;
|
||||||
|
allow chfn_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
||||||
type chfn_t;
|
type chfn_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,23 +79,26 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_groupadd_transition',`
|
define(`usermanage_groupadd_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 groupadd_exec_t:file { getattr read execute };
|
|
||||||
allow $1 groupadd_t:process transition;
|
allow $1 groupadd_exec_t:file { getattr read execute };
|
||||||
type_transition $1 groupadd_exec_t:process groupadd_t;
|
allow $1 groupadd_t:process transition;
|
||||||
dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 groupadd_exec_t:process groupadd_t;
|
||||||
allow $1 groupadd_t:fd use;
|
dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
|
||||||
allow groupadd_t $1:fd use;
|
|
||||||
allow groupadd_t $1:fifo_file rw_file_perms;
|
allow $1 groupadd_t:fd use;
|
||||||
allow groupadd_t $1:process sigchld;
|
allow groupadd_t $1:fd use;
|
||||||
|
allow groupadd_t $1:fifo_file rw_file_perms;
|
||||||
|
allow groupadd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_groupadd_transition_depend',`
|
define(`usermanage_groupadd_transition_depend',`
|
||||||
type groupadd_t, groupadd_exec_t;
|
type groupadd_t, groupadd_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -112,15 +120,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_groupadd_transition_add_role_use_terminal',`
|
define(`usermanage_groupadd_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
usermanage_groupadd_transition($1)
|
|
||||||
role $2 types groupadd_t;
|
usermanage_groupadd_transition($1)
|
||||||
allow groupadd_t $3:chr_file { getattr read write ioctl };
|
role $2 types groupadd_t;
|
||||||
|
allow groupadd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
|
||||||
type groupadd_t;
|
type groupadd_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -135,23 +145,26 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_passwd_transition',`
|
define(`usermanage_passwd_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 passwd_exec_t:file { getattr read execute };
|
|
||||||
allow $1 passwd_t:process transition;
|
allow $1 passwd_exec_t:file { getattr read execute };
|
||||||
type_transition $1 passwd_exec_t:process passwd_t;
|
allow $1 passwd_t:process transition;
|
||||||
dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 passwd_exec_t:process passwd_t;
|
||||||
allow $1 passwd_t:fd use;
|
dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
|
||||||
allow passwd_t $1:fd use;
|
|
||||||
allow passwd_t $1:fifo_file rw_file_perms;
|
allow $1 passwd_t:fd use;
|
||||||
allow passwd_t $1:process sigchld;
|
allow passwd_t $1:fd use;
|
||||||
|
allow passwd_t $1:fifo_file rw_file_perms;
|
||||||
|
allow passwd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_passwd_transition_depend',`
|
define(`usermanage_passwd_transition_depend',`
|
||||||
type passwd_t, passwd_exec_t;
|
type passwd_t, passwd_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -173,15 +186,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_passwd_transition_add_role_use_terminal',`
|
define(`usermanage_passwd_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
usermanage_passwd_transition($1)
|
|
||||||
role $2 types passwd_t;
|
usermanage_passwd_transition($1)
|
||||||
allow passwd_t $3:chr_file { getattr read write ioctl };
|
role $2 types passwd_t;
|
||||||
|
allow passwd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
|
||||||
type passwd_t;
|
type passwd_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -196,23 +211,26 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_useradd_transition',`
|
define(`usermanage_useradd_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 useradd_exec_t:file { getattr read execute };
|
|
||||||
allow $1 useradd_t:process transition;
|
allow $1 useradd_exec_t:file { getattr read execute };
|
||||||
type_transition $1 useradd_exec_t:process useradd_t;
|
allow $1 useradd_t:process transition;
|
||||||
dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 useradd_exec_t:process useradd_t;
|
||||||
allow $1 useradd_t:fd use;
|
dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
|
||||||
allow useradd_t $1:fd use;
|
|
||||||
allow useradd_t $1:fifo_file rw_file_perms;
|
allow $1 useradd_t:fd use;
|
||||||
allow useradd_t $1:process sigchld;
|
allow useradd_t $1:fd use;
|
||||||
|
allow useradd_t $1:fifo_file rw_file_perms;
|
||||||
|
allow useradd_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_useradd_transition_depend',`
|
define(`usermanage_useradd_transition_depend',`
|
||||||
type useradd_t, useradd_exec_t;
|
type useradd_t, useradd_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -234,15 +252,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`usermanage_useradd_transition_add_role_use_terminal',`
|
define(`usermanage_useradd_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
usermanage_useradd_transition($1)
|
|
||||||
role $2 types useradd_t;
|
usermanage_useradd_transition($1)
|
||||||
allow useradd_t $3:chr_file { getattr read write ioctl };
|
role $2 types useradd_t;
|
||||||
|
allow useradd_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
|
define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
|
||||||
type useradd_t;
|
type useradd_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -6,333 +6,342 @@
|
|||||||
# gpg_per_userdomain_template(userdomain_prefix)
|
# gpg_per_userdomain_template(userdomain_prefix)
|
||||||
#
|
#
|
||||||
define(`gpg_per_userdomain_template',`
|
define(`gpg_per_userdomain_template',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type $1_gpg_t;
|
type $1_gpg_t;
|
||||||
domain_make_domain($1_gpg_t)
|
domain_make_domain($1_gpg_t)
|
||||||
domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
|
domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
|
||||||
role $1_r types $1_gpg_t;
|
role $1_r types $1_gpg_t;
|
||||||
|
|
||||||
type $1_gpg_agent_t;
|
type $1_gpg_agent_t;
|
||||||
domain_make_domain($1_gpg_agent_t)
|
domain_make_domain($1_gpg_agent_t)
|
||||||
domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
|
domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
|
||||||
role $1_r types $1_gpg_agent_t;
|
role $1_r types $1_gpg_agent_t;
|
||||||
|
|
||||||
type $1_gpg_agent_tmp_t;
|
type $1_gpg_agent_tmp_t;
|
||||||
files_make_temporary_file($1_gpg_agent_tmp_t)
|
files_make_temporary_file($1_gpg_agent_tmp_t)
|
||||||
|
|
||||||
type $1_gpg_secret_t; #, $1_file_type;
|
type $1_gpg_secret_t; #, $1_file_type;
|
||||||
files_make_file($1_gpg_secret_t)
|
files_make_file($1_gpg_secret_t)
|
||||||
|
|
||||||
type $1_gpg_helper_t;
|
type $1_gpg_helper_t;
|
||||||
domain_make_domain($1_gpg_helper_t)
|
domain_make_domain($1_gpg_helper_t)
|
||||||
role $1_r types $1_gpg_helper_t;
|
role $1_r types $1_gpg_helper_t;
|
||||||
|
|
||||||
type $1_gpg_pinentry_t;
|
type $1_gpg_pinentry_t;
|
||||||
domain_make_domain($1_gpg_pinentry_t)
|
domain_make_domain($1_gpg_pinentry_t)
|
||||||
role $1_r types $1_gpg_pinentry_t;
|
role $1_r types $1_gpg_pinentry_t;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# GPG local policy
|
# GPG local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# transition from the userdomain to the derived domain
|
# transition from the userdomain to the derived domain
|
||||||
allow $1_t $1_gpg_t:process transition;
|
allow $1_t $1_gpg_t:process transition;
|
||||||
allow $1_t gpg_exec_t:file { getattr read execute };
|
allow $1_t gpg_exec_t:file { getattr read execute };
|
||||||
type_transition $1_t gpg_exec_t:process $1_gpg_t;
|
type_transition $1_t gpg_exec_t:process $1_gpg_t;
|
||||||
allow $1_t $1_gpg_t:fd use;
|
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
||||||
allow $1_gpg_t $1_t:fd use;
|
|
||||||
allow $1_gpg_t $1_t:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
allow $1_gpg_t self:capability { ipc_lock setuid };
|
allow $1_t $1_gpg_t:fd use;
|
||||||
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
allow $1_gpg_t $1_t:fd use;
|
||||||
# setrlimit is for ulimit -c 0
|
allow $1_gpg_t $1_t:fifo_file rw_file_perms;
|
||||||
allow $1_gpg_t self:process { setrlimit setcap };
|
allow $1_gpg_t $1_t:process sigchld;
|
||||||
|
|
||||||
allow $1_gpg_t self:fifo_file { getattr read write };
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
||||||
allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
||||||
|
# setrlimit is for ulimit -c 0
|
||||||
|
allow $1_gpg_t self:process { setrlimit setcap };
|
||||||
|
|
||||||
allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
|
allow $1_gpg_t self:fifo_file { getattr read write };
|
||||||
allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||||
allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
|
|
||||||
|
|
||||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
|
allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
|
allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
|
allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
|
||||||
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
|
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
|
|
||||||
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
|
|
||||||
corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
|
|
||||||
corenetwork_bind_udp_on_all_nodes($1_gpg_t)
|
|
||||||
|
|
||||||
devices_get_random_data($1_gpg_t)
|
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
|
||||||
devices_get_pseudorandom_data($1_gpg_t)
|
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
|
||||||
|
corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
|
||||||
|
corenetwork_bind_udp_on_all_nodes($1_gpg_t)
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes($1_gpg_t)
|
devices_get_random_data($1_gpg_t)
|
||||||
|
devices_get_pseudorandom_data($1_gpg_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_gpg_t)
|
filesystem_get_persistent_filesystem_attributes($1_gpg_t)
|
||||||
files_read_general_application_resources($1_gpg_t)
|
|
||||||
|
|
||||||
libraries_use_shared_libraries($1_gpg_t)
|
files_read_general_system_config($1_gpg_t)
|
||||||
libraries_use_dynamic_loader($1_gpg_t)
|
files_read_general_application_resources($1_gpg_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_gpg_t)
|
libraries_use_shared_libraries($1_gpg_t)
|
||||||
|
libraries_use_dynamic_loader($1_gpg_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_gpg_t)
|
miscfiles_read_localization($1_gpg_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_gpg_t)
|
logging_send_system_log_message($1_gpg_t)
|
||||||
|
|
||||||
# Legacy
|
sysnetwork_read_network_config($1_gpg_t)
|
||||||
if (allow_gpg_execstack) {
|
|
||||||
allow $1_gpg_t self:process execmem;
|
|
||||||
libraries_legacy_use_shared_libraries($1_gpg_t)
|
|
||||||
libraries_legacy_use_dynamic_loader($1_gpg_t)
|
|
||||||
miscfiles_legacy_read_localization($1_gpg_t)
|
|
||||||
# Not quite sure why this is needed...
|
|
||||||
allow $1_gpg_t gpg_exec_t:file execmod;
|
|
||||||
}
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
# Legacy
|
||||||
|
if (allow_gpg_execstack) {
|
||||||
|
allow $1_gpg_t self:process execmem;
|
||||||
|
libraries_legacy_use_shared_libraries($1_gpg_t)
|
||||||
|
libraries_legacy_use_dynamic_loader($1_gpg_t)
|
||||||
|
miscfiles_legacy_read_localization($1_gpg_t)
|
||||||
|
# Not quite sure why this is needed...
|
||||||
|
allow $1_gpg_t gpg_exec_t:file execmod;
|
||||||
|
}
|
||||||
|
|
||||||
can_ypbind($1_gpg_t)
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow $1_t $1_gpg_secret_t:file getattr;
|
can_ypbind($1_gpg_t)
|
||||||
|
|
||||||
access_terminal($1_gpg_t, $1)
|
allow $1_t $1_gpg_secret_t:file getattr;
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
|
||||||
|
|
||||||
# Inherit and use descriptors
|
access_terminal($1_gpg_t, $1)
|
||||||
allow $1_gpg_t { privfd $1_t }:fd use;
|
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
# allow ps to show gpg
|
# Inherit and use descriptors
|
||||||
can_ps($1_t, $1_gpg_t)
|
allow $1_gpg_t { privfd $1_t }:fd use;
|
||||||
|
|
||||||
# should not need read access...
|
# allow ps to show gpg
|
||||||
allow $1_gpg_t home_root_t:dir { read search };
|
can_ps($1_t, $1_gpg_t)
|
||||||
|
|
||||||
# use $1_gpg_secret_t for files it creates
|
# should not need read access...
|
||||||
# NB we are doing the type transition for directory creation only!
|
allow $1_gpg_t home_root_t:dir { read search };
|
||||||
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
|
||||||
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
|
||||||
# a file and write output to your home directory it will use user_home_t.
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
|
||||||
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
# use $1_gpg_secret_t for files it creates
|
||||||
create_dir_file($1_gpg_t, $1_home_t)
|
# NB we are doing the type transition for directory creation only!
|
||||||
|
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
||||||
|
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
||||||
|
# a file and write output to your home directory it will use user_home_t.
|
||||||
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
||||||
|
|
||||||
# allow the usual access to /tmp
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
||||||
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
create_dir_file($1_gpg_t, $1_home_t)
|
||||||
|
|
||||||
if (use_nfs_home_dirs) {
|
# allow the usual access to /tmp
|
||||||
create_dir_file($1_gpg_t, nfs_t)
|
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
||||||
}
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
create_dir_file($1_gpg_t, cifs_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
rw_dir_create_file($1_gpg_t, $1_file_type)
|
if (use_nfs_home_dirs) {
|
||||||
|
create_dir_file($1_gpg_t, nfs_t)
|
||||||
|
}
|
||||||
|
if (use_samba_home_dirs) {
|
||||||
|
create_dir_file($1_gpg_t, cifs_t)
|
||||||
|
}
|
||||||
|
|
||||||
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
rw_dir_create_file($1_gpg_t, $1_file_type)
|
||||||
|
|
||||||
dontaudit $1_gpg_t var_t:dir search;
|
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
||||||
') dnl end TODO
|
|
||||||
|
|
||||||
########################################
|
dontaudit $1_gpg_t var_t:dir search;
|
||||||
#
|
') dnl end TODO
|
||||||
# GPG helper local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
# for helper programs (which automatically fetch keys)
|
########################################
|
||||||
# Note: this is only tested with the hkp interface. If you use eg the
|
#
|
||||||
# mail interface you will likely need additional permissions.
|
# GPG helper local policy
|
||||||
|
#
|
||||||
|
|
||||||
# transition from the gpg domain to the helper domain
|
# for helper programs (which automatically fetch keys)
|
||||||
allow $1_gpg_t $1_gpg_helper_t:process transition;
|
# Note: this is only tested with the hkp interface. If you use eg the
|
||||||
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
|
# mail interface you will likely need additional permissions.
|
||||||
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
|
|
||||||
allow $1_gpg_t $1_gpg_helper_t:fd use;
|
|
||||||
allow $1_gpg_helper_t $1_t:fd use;
|
|
||||||
allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
# transition from the gpg domain to the helper domain
|
||||||
|
allow $1_gpg_t $1_gpg_helper_t:process transition;
|
||||||
|
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
|
||||||
|
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
|
||||||
|
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
allow $1_gpg_t $1_gpg_helper_t:fd use;
|
||||||
allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
allow $1_gpg_helper_t $1_gpg_t:fd use;
|
||||||
|
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
|
||||||
|
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
|
||||||
|
|
||||||
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||||
|
|
||||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
|
allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
|
allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
|
|
||||||
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
|
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
|
|
||||||
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
|
|
||||||
corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
|
|
||||||
corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
|
|
||||||
|
|
||||||
devices_get_pseudorandom_data($1_gpg_helper_t)
|
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
||||||
|
|
||||||
files_read_general_system_config($1_gpg_helper_t)
|
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
|
||||||
# for nscd
|
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
|
||||||
files_ignore_search_system_state_data_directory($1_gpg_helper_t)
|
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
|
||||||
|
corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
|
||||||
|
corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_helper_t)
|
devices_get_pseudorandom_data($1_gpg_helper_t)
|
||||||
libraries_use_shared_libraries($1_gpg_helper_t)
|
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_gpg_helper_t)
|
files_read_general_system_config($1_gpg_helper_t)
|
||||||
|
# for nscd
|
||||||
|
files_ignore_search_system_state_data_directory($1_gpg_helper_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
libraries_use_dynamic_loader($1_gpg_helper_t)
|
||||||
|
libraries_use_shared_libraries($1_gpg_helper_t)
|
||||||
|
|
||||||
if (use_nfs_home_dirs) {
|
sysnetwork_read_network_config($1_gpg_helper_t)
|
||||||
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
|
||||||
}
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
|
||||||
}
|
|
||||||
|
|
||||||
# communicate with the user
|
ifdef(`TODO',`
|
||||||
allow $1_gpg_helper_t $1_t:fd use;
|
|
||||||
allow $1_gpg_helper_t $1_t:fifo_file write;
|
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
if (use_nfs_home_dirs) {
|
||||||
dontaudit $1_gpg_t xdm_t:fd use;
|
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
||||||
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
}
|
||||||
|
if (use_samba_home_dirs) {
|
||||||
|
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
||||||
|
}
|
||||||
|
|
||||||
|
# communicate with the user
|
||||||
|
allow $1_gpg_helper_t $1_t:fd use;
|
||||||
|
allow $1_gpg_helper_t $1_t:fifo_file write;
|
||||||
|
|
||||||
|
ifdef(`xdm.te', `
|
||||||
|
dontaudit $1_gpg_t xdm_t:fd use;
|
||||||
|
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# GPG agent local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
# rlimit: gpg-agent wants to prevent coredumps
|
||||||
|
allow $1_gpg_agent_t self:process setrlimit;
|
||||||
|
|
||||||
|
allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||||
|
allow $1_gpg_agent_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
|
allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||||
|
|
||||||
|
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
|
||||||
|
|
||||||
|
libraries_use_dynamic_loader($1_gpg_agent_t)
|
||||||
|
libraries_use_shared_libraries($1_gpg_agent_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization($1_gpg_agent_t)
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
# Transition from the user domain to the derived domain.
|
||||||
|
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
||||||
|
|
||||||
|
allow $1_gpg_agent_t xdm_t:fd use;
|
||||||
|
|
||||||
|
# Write to the user domain tty.
|
||||||
|
access_terminal($1_gpg_agent_t, $1)
|
||||||
|
|
||||||
|
# Allow the user shell to signal the gpg-agent program.
|
||||||
|
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
||||||
|
# allow ps to show gpg-agent
|
||||||
|
can_ps($1_t, $1_gpg_agent_t)
|
||||||
|
|
||||||
|
allow $1_gpg_agent_t proc_t:dir search;
|
||||||
|
allow $1_gpg_agent_t proc_t:lnk_file read;
|
||||||
|
|
||||||
|
allow $1_gpg_agent_t device_t:dir { getattr read };
|
||||||
|
|
||||||
|
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
||||||
|
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
||||||
|
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
||||||
|
if (use_nfs_home_dirs) {
|
||||||
|
create_dir_file($1_gpg_agent_t, nfs_t)
|
||||||
|
}
|
||||||
|
if (use_samba_home_dirs) {
|
||||||
|
create_dir_file($1_gpg_agent_t, cifs_t)
|
||||||
|
}
|
||||||
|
|
||||||
|
# gpg connect
|
||||||
|
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
||||||
|
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
||||||
|
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
||||||
|
') dnl endif TODO
|
||||||
|
|
||||||
|
##############################
|
||||||
|
#
|
||||||
|
# Pinentry local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
||||||
|
# from the user.
|
||||||
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
|
||||||
|
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
|
||||||
|
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
|
||||||
|
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
|
||||||
|
|
||||||
|
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
|
||||||
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
|
||||||
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
|
||||||
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
|
||||||
|
|
||||||
|
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
||||||
|
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
|
# read /proc/meminfo
|
||||||
|
kernel_read_system_state($1_gpg_pinentry_t)
|
||||||
|
|
||||||
|
files_read_general_application_resources($1_gpg_pinentry_t)
|
||||||
|
# read /etc/X11/qtrc
|
||||||
|
files_read_general_system_config($1_gpg_pinentry_t)
|
||||||
|
|
||||||
|
libraries_use_dynamic_loader($1_gpg_pinentry_t)
|
||||||
|
libraries_use_shared_libraries($1_gpg_pinentry_t)
|
||||||
|
|
||||||
|
miscfiles_read_fonts($1_gpg_pinentry_t)
|
||||||
|
miscfiles_read_localization($1_gpg_pinentry_t)
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
allow $1_gpg_agent_t bin_t:dir search;
|
||||||
|
|
||||||
|
ifdef(`xdm.te', `
|
||||||
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
||||||
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
||||||
|
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
||||||
|
allow $1_gpg_pinentry_t xdm_t:fd use;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
||||||
|
|
||||||
|
# for .Xauthority
|
||||||
|
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
|
||||||
|
allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
|
||||||
|
# wants to put some lock files into the user home dir, seems to work fine without
|
||||||
|
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
|
||||||
|
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
|
||||||
|
|
||||||
|
if (use_nfs_home_dirs) {
|
||||||
|
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
|
||||||
|
allow $1_gpg_pinentry_t nfs_t:file { getattr read };
|
||||||
|
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
|
||||||
|
dontaudit $1_gpg_pinentry_t nfs_t:file write;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (use_samba_home_dirs) {
|
||||||
|
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
|
||||||
|
allow $1_gpg_pinentry_t cifs_t:file { getattr read };
|
||||||
|
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
|
||||||
|
dontaudit $1_gpg_pinentry_t cifs_t:file write;
|
||||||
|
}
|
||||||
|
|
||||||
|
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
|
||||||
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# GPG agent local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
# rlimit: gpg-agent wants to prevent coredumps
|
|
||||||
allow $1_gpg_agent_t self:process setrlimit;
|
|
||||||
|
|
||||||
allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
|
||||||
allow $1_gpg_agent_t self:fifo_file { getattr read write };
|
|
||||||
|
|
||||||
allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
||||||
allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
||||||
allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
||||||
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
|
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_agent_t)
|
|
||||||
libraries_use_shared_libraries($1_gpg_agent_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization($1_gpg_agent_t)
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
# Transition from the user domain to the derived domain.
|
|
||||||
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
|
||||||
|
|
||||||
allow $1_gpg_agent_t xdm_t:fd use;
|
|
||||||
|
|
||||||
# Write to the user domain tty.
|
|
||||||
access_terminal($1_gpg_agent_t, $1)
|
|
||||||
|
|
||||||
# Allow the user shell to signal the gpg-agent program.
|
|
||||||
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
|
||||||
# allow ps to show gpg-agent
|
|
||||||
can_ps($1_t, $1_gpg_agent_t)
|
|
||||||
|
|
||||||
allow $1_gpg_agent_t proc_t:dir search;
|
|
||||||
allow $1_gpg_agent_t proc_t:lnk_file read;
|
|
||||||
|
|
||||||
allow $1_gpg_agent_t device_t:dir { getattr read };
|
|
||||||
|
|
||||||
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
|
||||||
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
|
||||||
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
|
||||||
if (use_nfs_home_dirs) {
|
|
||||||
create_dir_file($1_gpg_agent_t, nfs_t)
|
|
||||||
}
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
create_dir_file($1_gpg_agent_t, cifs_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
# gpg connect
|
|
||||||
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
|
||||||
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
|
||||||
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
|
||||||
') dnl endif TODO
|
|
||||||
|
|
||||||
##############################
|
|
||||||
#
|
|
||||||
# Pinentry local policy
|
|
||||||
#
|
|
||||||
|
|
||||||
# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
|
||||||
# from the user.
|
|
||||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
|
|
||||||
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
|
|
||||||
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
|
|
||||||
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
|
|
||||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
|
|
||||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
|
||||||
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
|
|
||||||
|
|
||||||
# read /proc/meminfo
|
|
||||||
kernel_read_system_state($1_gpg_pinentry_t)
|
|
||||||
|
|
||||||
files_read_general_application_resources($1_gpg_pinentry_t)
|
|
||||||
# read /etc/X11/qtrc
|
|
||||||
files_read_general_system_config($1_gpg_pinentry_t)
|
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_gpg_pinentry_t)
|
|
||||||
libraries_use_shared_libraries($1_gpg_pinentry_t)
|
|
||||||
|
|
||||||
miscfiles_read_fonts($1_gpg_pinentry_t)
|
|
||||||
miscfiles_read_localization($1_gpg_pinentry_t)
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
|
|
||||||
allow $1_gpg_agent_t bin_t:dir search;
|
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
|
||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
|
||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
|
||||||
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
|
||||||
allow $1_gpg_pinentry_t xdm_t:fd use;
|
|
||||||
')dnl end ig xdm.te
|
|
||||||
|
|
||||||
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
|
||||||
|
|
||||||
# for .Xauthority
|
|
||||||
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
|
|
||||||
allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
|
|
||||||
# wants to put some lock files into the user home dir, seems to work fine without
|
|
||||||
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
|
|
||||||
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
|
|
||||||
|
|
||||||
if (use_nfs_home_dirs) {
|
|
||||||
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
|
|
||||||
allow $1_gpg_pinentry_t nfs_t:file { getattr read };
|
|
||||||
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
|
|
||||||
dontaudit $1_gpg_pinentry_t nfs_t:file write;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
|
|
||||||
allow $1_gpg_pinentry_t cifs_t:file { getattr read };
|
|
||||||
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
|
|
||||||
dontaudit $1_gpg_pinentry_t cifs_t:file write;
|
|
||||||
}
|
|
||||||
|
|
||||||
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
|
|
||||||
') dnl end TODO
|
|
||||||
') dnl end gpg_per_userdomain_template
|
|
||||||
|
|
||||||
|
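Review bot: Two of the transition-pattern rules added on the new side are written with source and target swapped, so they do not express what the surrounding block intends. In the helper block, `dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };` names the child as source, but these checks are made against the parent domain at the `$1_gpg_t` → `$1_gpg_helper_t` transition, exactly as `dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };` does above; it should read `dontaudit $1_gpg_t $1_gpg_helper_t:process { noatsecure siginh rlimitinh };`. Likewise in the pinentry block `allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;` lets the parent send SIGCHLD to its child, whereas every other sigchld rule in this template (`allow $1_gpg_t $1_t:process sigchld;`, `allow $1_gpg_helper_t $1_gpg_t:process sigchld;`) runs child → parent; it should be `allow $1_gpg_pinentry_t $1_gpg_agent_t:process sigchld;`, otherwise pinentry exiting will be denied while an unneeded permission is left in the agent domain. The pre-existing `allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;` presumably has the same orientation problem if the pipe is created by, and therefore labelled with, the agent, but that line predates this commit.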
@ -146,35 +146,39 @@ allow bootloader_t boot_t:file relabelfrom;
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`distro_redhat', `
|
tunable_policy(`distro_redhat', `
|
||||||
# for memlock
|
# for memlock
|
||||||
allow bootloader_t self:capability ipc_lock;
|
allow bootloader_t self:capability ipc_lock;
|
||||||
# new file system defaults to file_t, granting file_t access is still bad.
|
|
||||||
allow bootloader_t boot_runtime_t:file { read getattr unlink };
|
# new file system defaults to file_t, granting file_t access is still bad.
|
||||||
# mkinitrd mount initrd on bootloader temp dir
|
allow bootloader_t boot_runtime_t:file { read getattr unlink };
|
||||||
files_make_mountpoint(bootloader_tmp_t)
|
|
||||||
# for mke2fs
|
# mkinitrd mount initrd on bootloader temp dir
|
||||||
mount_transition(bootloader_t)
|
files_make_mountpoint(bootloader_tmp_t)
|
||||||
|
|
||||||
|
# for mke2fs
|
||||||
|
mount_transition(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`filesystemtools.te', `
|
optional_policy(`filesystemtools.te', `
|
||||||
filesystemtools_execute(bootloader_t)
|
filesystemtools_execute(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# LVM2 / Device Mapper's /dev/mapper/control
|
# LVM2 / Device Mapper's /dev/mapper/control
|
||||||
# maybe we should change the labeling for this
|
# maybe we should change the labeling for this
|
||||||
optional_policy(`lvm.te', `
|
optional_policy(`lvm.te', `
|
||||||
devices_use_lvm_control_channel(bootloader_t)
|
devices_use_lvm_control_channel(bootloader_t)
|
||||||
lvm_transition(bootloader_t)
|
|
||||||
lvm_read_config(bootloader_t)
|
lvm_transition(bootloader_t)
|
||||||
|
lvm_read_config(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_insmod_execute(insmod_t)
|
modutils_insmod_execute(insmod_t)
|
||||||
modutils_read_kernel_module_dependencies(bootloader_t)
|
modutils_read_kernel_module_dependencies(bootloader_t)
|
||||||
modutils_read_kernel_module_loading_config(bootloader_t)
|
modutils_read_kernel_module_loading_config(bootloader_t)
|
||||||
modutils_insmod_execute(bootloader_t)
|
modutils_insmod_execute(bootloader_t)
|
||||||
modutils_depmod_execute(bootloader_t)
|
modutils_depmod_execute(bootloader_t)
|
||||||
modutils_update_modules_execute(bootloader_t)
|
modutils_update_modules_execute(bootloader_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -187,22 +191,23 @@ allow bootloader_t var_t:dir search;
|
|||||||
allow bootloader_t var_t:file { getattr read };
|
allow bootloader_t var_t:file { getattr read };
|
||||||
|
|
||||||
tunable_policy(`distro_debian', `
|
tunable_policy(`distro_debian', `
|
||||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
|
||||||
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
|
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
|
||||||
allow bootloader_t tmpfs_t:dir r_dir_perms;
|
allow bootloader_t tmpfs_t:dir r_dir_perms;
|
||||||
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
|
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
|
||||||
allow bootloader_t var_lib_t:dir search;
|
allow bootloader_t var_lib_t:dir search;
|
||||||
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
|
||||||
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
allow bootloader_t dpkg_var_lib_t:file { getattr read };
|
||||||
# for /usr/share/initrd-tools/scripts
|
|
||||||
can_exec(bootloader_t, usr_t)
|
# for /usr/share/initrd-tools/scripts
|
||||||
|
can_exec(bootloader_t, usr_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`distro_redhat', `
|
tunable_policy(`distro_redhat', `
|
||||||
# new file system defaults to file_t, granting file_t access is still bad.
|
# new file system defaults to file_t, granting file_t access is still bad.
|
||||||
allow bootloader_t file_t:dir create_dir_perms;
|
allow bootloader_t file_t:dir create_dir_perms;
|
||||||
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
|
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
|
||||||
allow bootloader_t file_t:lnk_file create_lnk_perms;
|
allow bootloader_t file_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit bootloader_t selinux_config_t:dir search;
|
dontaudit bootloader_t selinux_config_t:dir search;
|
||||||
|
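Review bot: `modutils_insmod_execute(insmod_t)` as the first line of the `optional_policy(`modutils.te',` block is carried over unchanged on the new side but looks like a slip for `bootloader_t`: insmod_t is the modutils module's own domain and should not be granted anything from bootloader.te, and `modutils_insmod_execute(bootloader_t)` already appears a few lines below, so the insmod_t line should be dropped. Separately, the comment `# new file system defaults to file_t, granting file_t access is still bad.` in the `distro_redhat` block now sits above `allow bootloader_t boot_runtime_t:file { read getattr unlink };`, which touches nothing of type file_t; the rules it describes are the `allow bootloader_t file_t:...` lines inside the `ifdef(`TODO',` block further down, so the comment should move there or be removed. The `ifdef(`TODO',` block opened at the end of the first hunk continues past the end of the second hunk.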
@ -14,14 +14,16 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_get_fixed_disk_attributes',`
|
define(`storage_get_fixed_disk_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_fixed_disk_attributes_depend',`
|
define(`storage_get_fixed_disk_attributes_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -37,13 +39,15 @@ class blk_file getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_ignore_get_fixed_disk_attributes',`
|
define(`storage_ignore_get_fixed_disk_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
|
||||||
|
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_ignore_get_fixed_disk_attributes_depend',`
|
define(`storage_ignore_get_fixed_disk_attributes_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -59,14 +63,16 @@ class blk_file getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_set_fixed_disk_attributes',`
|
define(`storage_set_fixed_disk_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_fixed_disk_attributes_depend',`
|
define(`storage_set_fixed_disk_attributes_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
class blk_file setattr;
|
|
||||||
|
class blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -84,16 +90,19 @@ class blk_file setattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_read_fixed_disk',`
|
define(`storage_raw_read_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
|
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
||||||
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_read_fixed_disk_depend',`
|
define(`storage_raw_read_fixed_disk_depend',`
|
||||||
type fixed_disk_device_t;
|
attribute fixed_disk_raw_read;
|
||||||
attribute fixed_disk_raw_read;
|
|
||||||
class blk_file { getattr read ioctl };
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
|
class blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -111,16 +120,19 @@ class blk_file { getattr read ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_write_fixed_disk',`
|
define(`storage_raw_write_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 fixed_disk_raw_write;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||||
|
typeattribute $1 fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_write_fixed_disk_depend',`
|
define(`storage_raw_write_fixed_disk_depend',`
|
||||||
type fixed_disk_device_t;
|
attribute fixed_disk_raw_write;
|
||||||
attribute fixed_disk_raw_write;
|
|
||||||
class blk_file { getattr write ioctl };
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
|
class blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -135,12 +147,17 @@ class blk_file { getattr write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_create_fixed_disk_dev_entry',`
|
define(`storage_create_fixed_disk_dev_entry',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
|
|
||||||
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||||
|
devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
|
||||||
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_create_fixed_disk_dev_entry_depend',`
|
define(`storage_create_fixed_disk_dev_entry_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
|
class blk_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -155,17 +172,19 @@ type fixed_disk_device_t;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_manage_fixed_disk',`
|
define(`storage_manage_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
devices_list_device_nodes($1)
|
||||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||||
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_manage_fixed_disk_depend',`
|
define(`storage_manage_fixed_disk_depend',`
|
||||||
attribute fixed_disk_raw_read;
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||||
attribute fixed_disk_raw_write;
|
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
||||||
|
class blk_file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -183,16 +202,19 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_read_lvm_volume',`
|
define(`storage_raw_read_lvm_volume',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 fixed_disk_raw_read;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 lvm_vg_t:blk_file { getattr read ioctl };
|
allow $1 lvm_vg_t:blk_file r_file_perms;
|
||||||
|
typeattribute $1 fixed_disk_raw_read;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_read_lvm_volume_depend',`
|
define(`storage_raw_read_lvm_volume_depend',`
|
||||||
type lvm_vg_t;
|
attribute fixed_disk_raw_read;
|
||||||
attribute fixed_disk_raw_read;
|
|
||||||
class blk_file { getattr read ioctl };
|
type lvm_vg_t;
|
||||||
|
|
||||||
|
class blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -210,16 +232,19 @@ class blk_file { getattr read ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_write_lvm_volume',`
|
define(`storage_raw_write_lvm_volume',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 fixed_disk_raw_write;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
||||||
|
typeattribute $1 fixed_disk_raw_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_write_lvm_volume_depend',`
|
define(`storage_raw_write_lvm_volume_depend',`
|
||||||
type lvm_vg_t;
|
attribute fixed_disk_raw_write;
|
||||||
attribute fixed_disk_raw_write;
|
|
||||||
class blk_file { getattr write ioctl };
|
type lvm_vg_t;
|
||||||
|
|
||||||
|
class blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -238,16 +263,19 @@ class blk_file { getattr write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_read_scsi_generic',`
|
define(`storage_read_scsi_generic',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 scsi_generic_read;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
|
allow $1 scsi_generic_device_t:blk_file r_file_perms;
|
||||||
|
typeattribute $1 scsi_generic_read;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_read_scsi_generic_depend',`
|
define(`storage_read_scsi_generic_depend',`
|
||||||
type scsi_generic_device_t;
|
attribute scsi_generic_read;
|
||||||
attribute scsi_generic_read;
|
|
||||||
class blk_file { getattr read ioctl };
|
type scsi_generic_device_t;
|
||||||
|
|
||||||
|
class blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -266,16 +294,19 @@ class blk_file { getattr read ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_write_scsi_generic',`
|
define(`storage_write_scsi_generic',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 scsi_generic_write;
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
||||||
|
typeattribute $1 scsi_generic_write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_write_scsi_generic_depend',`
|
define(`storage_write_scsi_generic_depend',`
|
||||||
type scsi_generic_device_t;
|
attribute scsi_generic_write;
|
||||||
attribute scsi_generic_write;
|
|
||||||
class blk_file { getattr write ioctl };
|
type scsi_generic_device_t;
|
||||||
|
|
||||||
|
class blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -283,14 +314,16 @@ class blk_file { getattr write ioctl };
|
|||||||
# storage_get_scsi_generic_attributes(domain)
|
# storage_get_scsi_generic_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`storage_get_scsi_generic_attributes',`
|
define(`storage_get_scsi_generic_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_scsi_generic_attributes_depend',`
|
define(`storage_get_scsi_generic_attributes_depend',`
|
||||||
type scsi_generic_device_t;
|
type scsi_generic_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -298,14 +331,16 @@ class blk_file getattr;
|
|||||||
# storage_set_scsi_generic_attributes(domain)
|
# storage_set_scsi_generic_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`storage_set_scsi_generic_attributes',`
|
define(`storage_set_scsi_generic_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 scsi_generic_device_t:blk_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_scsi_generic_attributes_depend',`
|
define(`storage_set_scsi_generic_attributes_depend',`
|
||||||
type scsi_generic_device_t;
|
type scsi_generic_device_t;
|
||||||
class blk_file setattr;
|
|
||||||
|
class blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -321,14 +356,16 @@ class blk_file setattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_get_removable_device_attributes',`
|
define(`storage_get_removable_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 removable_device_t:blk_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_removable_device_attributes_depend',`
|
define(`storage_get_removable_device_attributes_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -344,13 +381,15 @@ class blk_file getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_ignore_get_removable_device_attributes',`
|
define(`storage_ignore_get_removable_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 removable_device_t:blk_file getattr;
|
|
||||||
|
dontaudit $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_ignore_get_removable_device_attributes_depend',`
|
define(`storage_ignore_get_removable_device_attributes_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -358,14 +397,16 @@ class blk_file getattr;
|
|||||||
# storage_set_removable_device_attributes(domain)
|
# storage_set_removable_device_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`storage_set_removable_device_attributes',`
|
define(`storage_set_removable_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 removable_device_t:blk_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 removable_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_removable_device_attributes_depend',`
|
define(`storage_set_removable_device_attributes_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
class blk_file setattr;
|
|
||||||
|
class blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -373,14 +414,16 @@ class blk_file setattr;
|
|||||||
# storage_raw_read_removable_device(domain)
|
# storage_raw_read_removable_device(domain)
|
||||||
#
|
#
|
||||||
define(`storage_raw_read_removable_device',`
|
define(`storage_raw_read_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 removable_device_t:blk_file { getattr read ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 removable_device_t:blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_read_removable_device_depend',`
|
define(`storage_raw_read_removable_device_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
class blk_file { getattr read ioctl };
|
|
||||||
|
class blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -388,14 +431,16 @@ class blk_file { getattr read ioctl };
|
|||||||
# storage_raw_write_removable_device(domain)
|
# storage_raw_write_removable_device(domain)
|
||||||
#
|
#
|
||||||
define(`storage_raw_write_removable_device',`
|
define(`storage_raw_write_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_raw_write_removable_device_depend',`
|
define(`storage_raw_write_removable_device_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
class blk_file { getattr write ioctl };
|
|
||||||
|
class blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -403,14 +448,16 @@ class blk_file { getattr write ioctl };
|
|||||||
# storage_read_tape_device(domain)
|
# storage_read_tape_device(domain)
|
||||||
#
|
#
|
||||||
define(`storage_read_tape_device',`
|
define(`storage_read_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tape_device_t:blk_file { getattr read ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tape_device_t:blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_read_tape_device_depend',`
|
define(`storage_read_tape_device_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
class blk_file { getattr read ioctl };
|
|
||||||
|
class blk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -418,14 +465,16 @@ class blk_file { getattr read ioctl };
|
|||||||
# storage_write_tape_device(domain)
|
# storage_write_tape_device(domain)
|
||||||
#
|
#
|
||||||
define(`storage_write_tape_device',`
|
define(`storage_write_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_write_tape_device_depend',`
|
define(`storage_write_tape_device_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
class blk_file { getattr write ioctl };
|
|
||||||
|
class blk_file { getattr write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -433,14 +482,16 @@ class blk_file { getattr write ioctl };
|
|||||||
# storage_get_tape_device_attributes(domain)
|
# storage_get_tape_device_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`storage_get_tape_device_attributes',`
|
define(`storage_get_tape_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tape_device_t:blk_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tape_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_tape_device_attributes_depend',`
|
define(`storage_get_tape_device_attributes_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
class blk_file getattr;
|
|
||||||
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -448,14 +499,15 @@ class blk_file getattr;
|
|||||||
# storage_set_tape_device_attributes(domain)
|
# storage_set_tape_device_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`storage_set_tape_device_attributes',`
|
define(`storage_set_tape_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tape_device_t:blk_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tape_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_tape_device_attributes_depend',`
|
define(`storage_set_tape_device_attributes_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
class blk_file setattr;
|
class blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
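Review bot: `storage_create_fixed_disk_dev_entry_depend` (hunk `@ -135,12 +147,17 @@`) does not declare the attributes that the new `typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;` line in the interface body relies on — the depend block carries only `type fixed_disk_device_t;` and `class blk_file create_file_perms;`, whereas the sibling `storage_manage_fixed_disk_depend` in the next hunk pairs the same typeattribute with `attribute fixed_disk_raw_read, fixed_disk_raw_write;`, so the same line should be added here. The same hunk also grants `create_file_perms` on `fixed_disk_device_t:blk_file` next to `devices_create_dev_entry(...)`, and since `storage_manage_fixed_disk` now uses that identical perm set, creating a device entry appears to confer full raw read/write on fixed disks; if that is intended, a comment such as `# creating the node implies full raw access, so callers are marked as raw readers/writers` above the typeattribute would make the widening explicit for callers who only need to create the entry. Separately, in hunk `@ -84,16 +90,19 @@` and the later read interfaces, `{ getattr read ioctl }` becomes `r_file_perms` in both the body and the depend block; if that macro also carries `lock`, this is a small permission widening rather than a pure rewrite and is worth a line in the commit description. The write interfaces keep their literal `{ getattr write ioctl }` sets, so the file now mixes macro and literal forms for parallel read/write pairs.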
@ -6,15 +6,18 @@
|
|||||||
# terminal_make_pseudoterminal(type)
|
# terminal_make_pseudoterminal(type)
|
||||||
#
|
#
|
||||||
define(`terminal_make_pseudoterminal',`
|
define(`terminal_make_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 devpts_t:filesystem associate;
|
|
||||||
typeattribute $1 ptynode;
|
allow $1 devpts_t:filesystem associate;
|
||||||
|
typeattribute $1 ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_make_pseudoterminal_depend',`
|
define(`terminal_make_pseudoterminal_depend',`
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
type devpts_t;
|
|
||||||
class filesystem associate;
|
type devpts_t;
|
||||||
|
|
||||||
|
class filesystem associate;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -22,13 +25,14 @@ class filesystem associate;
|
|||||||
# terminal_make_user_pseudoterminal(domain,type)
|
# terminal_make_user_pseudoterminal(domain,type)
|
||||||
#
|
#
|
||||||
define(`terminal_make_user_pseudoterminal',`
|
define(`terminal_make_user_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
terminal_make_pseudoterminal($1)
|
|
||||||
type_change $1 server_ptynode:chr_file $2;
|
terminal_make_pseudoterminal($1)
|
||||||
|
type_change $1 server_ptynode:chr_file $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_make_user_pseudoterminal_depend',`
|
define(`terminal_make_user_pseudoterminal_depend',`
|
||||||
attribute server_ptynode;
|
attribute server_ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -36,13 +40,14 @@ attribute server_ptynode;
|
|||||||
# terminal_make_service_pseudoterminal(type)
|
# terminal_make_service_pseudoterminal(type)
|
||||||
#
|
#
|
||||||
define(`terminal_make_service_pseudoterminal',`
|
define(`terminal_make_service_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
terminal_make_pseudoterminal($1)
|
|
||||||
typeattribute $1 server_ptynode;
|
terminal_make_pseudoterminal($1)
|
||||||
|
typeattribute $1 server_ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_make_service_pseudoterminal_depend',`
|
define(`terminal_make_service_pseudoterminal_depend',`
|
||||||
attribute server_ptynode;
|
attribute server_ptynode;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -50,22 +55,26 @@ attribute server_ptynode;
|
|||||||
# terminal_make_physical_terminal(domain,type)
|
# terminal_make_physical_terminal(domain,type)
|
||||||
#
|
#
|
||||||
define(`terminal_make_physical_terminal',`
|
define(`terminal_make_physical_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $2 ttynode;
|
|
||||||
type_change $1 tty_device_t:chr_file $2;
|
typeattribute $2 ttynode;
|
||||||
# Debian login is from shadow utils and does not allow resetting the perms.
|
type_change $1 tty_device_t:chr_file $2;
|
||||||
# have to fix this!
|
|
||||||
tunable_policy(`distro_debian',`
|
# Debian login is from shadow utils and does not allow resetting the perms.
|
||||||
type_change $1 ttyfile:chr_file $2;
|
# have to fix this!
|
||||||
')
|
tunable_policy(`distro_debian',`
|
||||||
tunable_policy(`distro_redhat',`
|
type_change $1 ttyfile:chr_file $2;
|
||||||
filesystem_tmpfs_associate($2)
|
')
|
||||||
')
|
|
||||||
|
tunable_policy(`distro_redhat',`
|
||||||
|
filesystem_tmpfs_associate($2)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_make_physical_terminal_depend',`
|
define(`terminal_make_physical_terminal_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
type tty_device_t;
|
|
||||||
|
type tty_device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -73,20 +82,22 @@ type tty_device_t;
|
|||||||
# terminal_create_private_pseudoterminal(domain,ptytype)
|
# terminal_create_private_pseudoterminal(domain,ptytype)
|
||||||
#
|
#
|
||||||
define(`terminal_create_private_pseudoterminal',`
|
define(`terminal_create_private_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ptmx_t:chr_file { getattr read write };
|
devices_list_device_nodes($1)
|
||||||
allow $1 devpts_t:dir { getattr search read };
|
allow $1 ptmx_t:chr_file { getattr read write };
|
||||||
allow $1 devpts_t:filesystem getattr;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
allow $1 devpts_t:filesystem getattr;
|
||||||
type_transition $1 devpts_t:chr_file $2;
|
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
|
||||||
|
type_transition $1 devpts_t:chr_file $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_create_pseudoterminal_depend',`
|
define(`terminal_create_pseudoterminal_depend',`
|
||||||
type ptmx_t, devpts_t;
|
type ptmx_t, devpts_t;
|
||||||
class filesystem getattr;
|
|
||||||
class dir { getattr search read };
|
class filesystem getattr;
|
||||||
class chr_file { getattr read write };
|
class dir r_dir_perms;
|
||||||
|
class chr_file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -94,17 +105,20 @@ class chr_file { getattr read write };
|
|||||||
# terminal_use_all_terminals(domain)
|
# terminal_use_all_terminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_all_terminals',`
|
define(`terminal_use_all_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devpts_t:dir r_dir_perms;
|
devices_list_device_nodes($1)
|
||||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
|
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_all_terminals_depend',`
|
define(`terminal_use_all_terminals_depend',`
|
||||||
attribute ttynode, ptynode;
|
attribute ttynode, ptynode;
|
||||||
type console_device_t, devpts_t, tty_device_t;
|
|
||||||
class dir r_dir_perms;
|
type console_device_t, devpts_t, tty_device_t;
|
||||||
class chr_file rw_file_perms;
|
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -142,14 +156,16 @@ define(`terminal_use_console_depend',`
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`terminal_use_console',`
|
define(`terminal_use_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 console_device_t:chr_file rw_file_perms;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 console_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_console_depend',`
|
define(`terminal_use_console_depend',`
|
||||||
type console_device_t;
|
type console_device_t;
|
||||||
class chr_file rw_file_perms;
|
|
||||||
|
class chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -164,13 +180,15 @@ class chr_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_console',`
|
define(`terminal_ignore_use_console',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 console_device_t:chr_file { read write };
|
|
||||||
|
dontaudit $1 console_device_t:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_console_depend',`
|
define(`terminal_ignore_use_console_depend',`
|
||||||
type console_device_t;
|
type console_device_t;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -178,15 +196,16 @@ class chr_file { read write };
|
|||||||
# terminal_set_console_attributes(domain)
|
# terminal_set_console_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_set_console_attributes',`
|
define(`terminal_set_console_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1,optional)
|
|
||||||
allow $1 console_device_t:chr_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 console_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_set_console_attributes_depend',`
|
define(`terminal_set_console_attributes_depend',`
|
||||||
type console_device_t;
|
type console_device_t;
|
||||||
class chr_file setattr;
|
|
||||||
devices_list_device_nodes_depend
|
class chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -194,15 +213,16 @@ devices_list_device_nodes_depend
|
|||||||
# terminal_list_pseudoterminals(domain)
|
# terminal_list_pseudoterminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_list_pseudoterminals',`
|
define(`terminal_list_pseudoterminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devpts_t:dir { getattr search read };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_list_pseudoterminals_depend',`
|
define(`terminal_list_pseudoterminals_depend',`
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
class dir { getattr search read };
|
|
||||||
devices_list_device_nodes_depend
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -210,13 +230,15 @@ devices_list_device_nodes_depend
|
|||||||
# terminal_ignore_list_pseudoterminals(domain)
|
# terminal_ignore_list_pseudoterminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_list_pseudoterminals',`
|
define(`terminal_ignore_list_pseudoterminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 devpts_t:dir { getattr search read };
|
|
||||||
|
dontaudit $1 devpts_t:dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_list_pseudoterminals_depend',`
|
define(`terminal_ignore_list_pseudoterminals_depend',`
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
class dir { getattr search read };
|
|
||||||
|
class dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -224,14 +246,16 @@ class dir { getattr search read };
|
|||||||
# terminal_use_general_pseudoterminal(domain)
|
# terminal_use_general_pseudoterminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_general_pseudoterminal',`
|
define(`terminal_use_general_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devpts_t:chr_file { read write };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 devpts_t:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_general_pseudoterminal_depend',`
|
define(`terminal_use_general_pseudoterminal_depend',`
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -239,13 +263,15 @@ class chr_file { read write };
|
|||||||
# terminal_ignore_use_general_pseudoterminal(domain)
|
# terminal_ignore_use_general_pseudoterminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_general_pseudoterminal',`
|
define(`terminal_ignore_use_general_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 devpts_t:chr_file { read write };
|
|
||||||
|
dontaudit $1 devpts_t:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_general_pseudoterminal_depend',`
|
define(`terminal_ignore_use_general_pseudoterminal_depend',`
|
||||||
type devpts_t;
|
type devpts_t;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -253,14 +279,16 @@ class chr_file { read write };
|
|||||||
# terminal_use_controlling_terminal(domain)
|
# terminal_use_controlling_terminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_controlling_terminal',`
|
define(`terminal_use_controlling_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devtty_t:chr_file { getattr read write ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 devtty_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_controlling_terminal_depend',`
|
define(`terminal_use_controlling_terminal_depend',`
|
||||||
type devtty_t;
|
type devtty_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -268,13 +296,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# terminal_ignore_use_pseudoterminal_multiplexer(domain)
|
# terminal_ignore_use_pseudoterminal_multiplexer(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_pseudoterminal_multiplexer',`
|
define(`terminal_ignore_use_pseudoterminal_multiplexer',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 ptmx_t:chr_file { getattr read write };
|
|
||||||
|
dontaudit $1 ptmx_t:chr_file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
|
define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
|
||||||
type ptmx_t;
|
type ptmx_t;
|
||||||
class chr_file { getattr read write };
|
|
||||||
|
class chr_file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -282,16 +312,18 @@ class chr_file { getattr read write };
|
|||||||
# terminal_get_all_private_pseudoterminal_attributes(domain)
|
# terminal_get_all_private_pseudoterminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_get_all_private_pseudoterminal_attributes',`
|
define(`terminal_get_all_private_pseudoterminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devpts_t:dir { getattr search read };
|
devices_list_device_nodes($1)
|
||||||
allow $1 ptynode:chr_file getattr;
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
|
allow $1 ptynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_get_all_private_pseudoterminal_attributes_depend',`
|
define(`terminal_get_all_private_pseudoterminal_attributes_depend',`
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
class dir { getattr search read };
|
|
||||||
class chr_file getattr;
|
class dir r_dir_perms;
|
||||||
|
class chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -299,16 +331,18 @@ class chr_file getattr;
|
|||||||
# terminal_use_all_private_pseudoterminals(domain)
|
# terminal_use_all_private_pseudoterminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_all_private_pseudoterminals',`
|
define(`terminal_use_all_private_pseudoterminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 devpts_t:dir { getattr read search };
|
devices_list_device_nodes($1)
|
||||||
allow $1 ptynode:chr_file { getattr read write ioctl };
|
allow $1 devpts_t:dir r_dir_perms;
|
||||||
|
allow $1 ptynode:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_all_private_pseudoterminals_depend',`
|
define(`terminal_use_all_private_pseudoterminals_depend',`
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
class dir { getattr search read };
|
|
||||||
class chr_file { getattr read write ioctl };
|
class dir r_dir_perms;
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -316,13 +350,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# terminal_ignore_use_all_private_pseudoterminals(domain)
|
# terminal_ignore_use_all_private_pseudoterminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_all_private_pseudoterminals',`
|
define(`terminal_ignore_use_all_private_pseudoterminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 ptynode:chr_file { read write };
|
|
||||||
|
dontaudit $1 ptynode:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_all_private_pseudoterminals_depend',`
|
define(`terminal_ignore_use_all_private_pseudoterminals_depend',`
|
||||||
attribute ptynode;
|
attribute ptynode;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -330,14 +366,16 @@ class chr_file { read write };
|
|||||||
# terminal_get_general_physical_terminal_attributes(domain)
|
# terminal_get_general_physical_terminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_get_general_physical_terminal_attributes',`
|
define(`terminal_get_general_physical_terminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tty_device_t:chr_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tty_device_t:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_get_general_physical_terminal_attributes_depend',`
|
define(`terminal_get_general_physical_terminal_attributes_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file getattr;
|
|
||||||
|
class chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -345,14 +383,16 @@ class chr_file getattr;
|
|||||||
# terminal_set_general_physical_terminal_attributes(domain)
|
# terminal_set_general_physical_terminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_set_general_physical_terminal_attributes',`
|
define(`terminal_set_general_physical_terminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tty_device_t:chr_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tty_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_set_general_physical_terminal_attributes_depend',`
|
define(`terminal_set_general_physical_terminal_attributes_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file setattr;
|
|
||||||
|
class chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -360,14 +400,16 @@ class chr_file setattr;
|
|||||||
# terminal_relabel_general_physical_terminal(domain)
|
# terminal_relabel_general_physical_terminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_relabel_general_physical_terminal',`
|
define(`terminal_relabel_general_physical_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_relabel_general_physical_terminal_depend',`
|
define(`terminal_relabel_general_physical_terminal_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file { relabelfrom relabelto };
|
|
||||||
|
class chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -375,16 +417,18 @@ class chr_file { relabelfrom relabelto };
|
|||||||
# terminal_reset_physical_terminal_labels(domain)
|
# terminal_reset_physical_terminal_labels(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_reset_physical_terminal_labels',`
|
define(`terminal_reset_physical_terminal_labels',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file relabelfrom;
|
devices_list_device_nodes($1)
|
||||||
allow $1 tty_device_t:chr_file relabelto;
|
allow $1 ttynode:chr_file relabelfrom;
|
||||||
|
allow $1 tty_device_t:chr_file relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_reset_physical_terminal_labels_depend',`
|
define(`terminal_reset_physical_terminal_labels_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
type tty_device_t;
|
|
||||||
class chr_file { relabelfrom relabelto };
|
type tty_device_t;
|
||||||
|
class chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -400,14 +444,16 @@ class chr_file { relabelfrom relabelto };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`terminal_write_general_physical_terminal',`
|
define(`terminal_write_general_physical_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tty_device_t:chr_file { getattr write };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tty_device_t:chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_write_general_physical_terminal_depend',`
|
define(`terminal_write_general_physical_terminal_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -415,14 +461,16 @@ class chr_file { read write };
|
|||||||
# terminal_use_general_physical_terminal(domain)
|
# terminal_use_general_physical_terminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_general_physical_terminal',`
|
define(`terminal_use_general_physical_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_general_physical_terminal_depend',`
|
define(`terminal_use_general_physical_terminal_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -430,13 +478,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# terminal_ignore_use_general_physical_terminal(domain)
|
# terminal_ignore_use_general_physical_terminal(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_general_physical_terminal',`
|
define(`terminal_ignore_use_general_physical_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 tty_device_t:chr_file { read write };
|
|
||||||
|
dontaudit $1 tty_device_t:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_general_physical_terminal_depend',`
|
define(`terminal_ignore_use_general_physical_terminal_depend',`
|
||||||
type tty_device_t;
|
type tty_device_t;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -444,14 +494,16 @@ class chr_file { read write };
|
|||||||
# terminal_get_all_private_physical_terminal_attributes(domain)
|
# terminal_get_all_private_physical_terminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_get_all_private_physical_terminal_attributes',`
|
define(`terminal_get_all_private_physical_terminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file getattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 ttynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_get_all_private_physical_terminal_attributes_depend',`
|
define(`terminal_get_all_private_physical_terminal_attributes_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file getattr;
|
|
||||||
|
class chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -459,14 +511,16 @@ class chr_file getattr;
|
|||||||
# terminal_set_all_private_physical_terminal_attributes(domain)
|
# terminal_set_all_private_physical_terminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_set_all_private_physical_terminal_attributes',`
|
define(`terminal_set_all_private_physical_terminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file setattr;
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 ttynode:chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_set_all_private_physical_terminal_attributes_depend',`
|
define(`terminal_set_all_private_physical_terminal_attributes_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file setattr;
|
|
||||||
|
class chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -474,13 +528,15 @@ class chr_file setattr;
|
|||||||
# terminal_ignore_get_all_private_physical_terminal_attributes(domain)
|
# terminal_ignore_get_all_private_physical_terminal_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
|
define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 ttynode:chr_file getattr;
|
|
||||||
|
dontaudit $1 ttynode:chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',`
|
define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file getattr;
|
|
||||||
|
class chr_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -488,14 +544,16 @@ class chr_file getattr;
|
|||||||
# terminal_relabel_all_private_physical_terminals(domain)
|
# terminal_relabel_all_private_physical_terminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_relabel_all_private_physical_terminals',`
|
define(`terminal_relabel_all_private_physical_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_relabel_all_private_physical_terminals_depend',`
|
define(`terminal_relabel_all_private_physical_terminals_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file { relabelfrom relabelto };
|
|
||||||
|
class chr_file { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -511,14 +569,16 @@ class chr_file { relabelfrom relabelto };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`terminal_write_all_private_physical_terminals',`
|
define(`terminal_write_all_private_physical_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file { getattr write };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 ttynode:chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_write_all_private_physical_terminals_depend',`
|
define(`terminal_write_all_private_physical_terminals_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file { getattr write };
|
|
||||||
|
class chr_file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -526,14 +586,16 @@ class chr_file { getattr write };
|
|||||||
# terminal_use_all_private_physical_terminals(domain)
|
# terminal_use_all_private_physical_terminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_use_all_private_physical_terminals',`
|
define(`terminal_use_all_private_physical_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
devices_list_device_nodes($1)
|
|
||||||
allow $1 ttynode:chr_file { getattr read write ioctl };
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 ttynode:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_use_all_private_physical_terminals_depend',`
|
define(`terminal_use_all_private_physical_terminals_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -541,13 +603,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# terminal_ignore_use_all_private_physical_terminals(domain)
|
# terminal_ignore_use_all_private_physical_terminals(domain)
|
||||||
#
|
#
|
||||||
define(`terminal_ignore_use_all_private_physical_terminals',`
|
define(`terminal_ignore_use_all_private_physical_terminals',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 ttynode:chr_file { read write };
|
|
||||||
|
dontaudit $1 ttynode:chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`terminal_ignore_use_all_private_physical_terminals_depend',`
|
define(`terminal_ignore_use_all_private_physical_terminals_depend',`
|
||||||
attribute ttynode;
|
attribute ttynode;
|
||||||
class chr_file { read write };
|
|
||||||
|
class chr_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -6,215 +6,210 @@
|
|||||||
|
|
||||||
define(`cron_per_userdomain_template',`
|
define(`cron_per_userdomain_template',`
|
||||||
|
|
||||||
# Type of user crontabs once moved to cron spool.
|
# Type of user crontabs once moved to cron spool.
|
||||||
type $1_cron_spool_t;
|
type $1_cron_spool_t;
|
||||||
files_make_file($1_cron_spool_t)
|
files_make_file($1_cron_spool_t)
|
||||||
|
|
||||||
type $1_crond_t; # user_crond_domain;
|
type $1_crond_t; # user_crond_domain;
|
||||||
domain_make_domain($1_crond_t);
|
domain_make_domain($1_crond_t);
|
||||||
corecommands_make_shell_entrypoint($1_crond_t)
|
corecommands_make_shell_entrypoint($1_crond_t)
|
||||||
role $1_r types $1_crond_t;
|
role $1_r types $1_crond_t;
|
||||||
|
|
||||||
type $1_crontab_t;
|
type $1_crontab_t;
|
||||||
domain_make_domain($1_crontab_t)
|
domain_make_domain($1_crontab_t)
|
||||||
domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
|
domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
|
||||||
role $1_r types $1_crontab_t;
|
role $1_r types $1_crontab_t;
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_crond_t local policy
|
# $1_crond_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow $1_crond_t self:capability dac_override;
|
allow $1_crond_t self:capability dac_override;
|
||||||
allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
|
allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
|
||||||
allow $1_crond_t self:fifo_file { read getattr write append };
|
allow $1_crond_t self:fifo_file { read getattr write append };
|
||||||
allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
allow $1_crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||||
allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
allow $1_crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
|
|
||||||
# The entrypoint interface is not used as this is not
|
# The entrypoint interface is not used as this is not
|
||||||
# a regular entrypoint. Since crontab files are
|
# a regular entrypoint. Since crontab files are
|
||||||
# not directly executed, crond must ensure that
|
# not directly executed, crond must ensure that
|
||||||
# the crontab file has a type that is appropriate
|
# the crontab file has a type that is appropriate
|
||||||
# for the domain of the user cron job. It
|
# for the domain of the user cron job. It
|
||||||
# performs an entrypoint permission check
|
# performs an entrypoint permission check
|
||||||
# for this purpose.
|
# for this purpose.
|
||||||
allow $1_crond_t $1_cron_spool_t:file entrypoint;
|
allow $1_crond_t $1_cron_spool_t:file entrypoint;
|
||||||
|
|
||||||
# Permit a transition from the crond_t domain to this domain.
|
# Permit a transition from the crond_t domain to this domain.
|
||||||
# The transition is requested explicitly by the modified crond
|
# The transition is requested explicitly by the modified crond
|
||||||
# via setexeccon. There is no way to set up an automatic
|
# via setexeccon. There is no way to set up an automatic
|
||||||
# transition, since crontabs are configuration files, not executables.
|
# transition, since crontabs are configuration files, not executables.
|
||||||
allow crond_t $1_crond_t:process transition;
|
allow crond_t $1_crond_t:process transition;
|
||||||
dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
|
dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
|
||||||
allow crond_t $1_crond_t:fd use;
|
allow crond_t $1_crond_t:fd use;
|
||||||
allow $1_crond_t crond_t:fd use;
|
allow $1_crond_t crond_t:fd use;
|
||||||
allow $1_crond_t crond_t:fifo_file rw_file_perms;
|
allow $1_crond_t crond_t:fifo_file rw_file_perms;
|
||||||
allow $1_crond_t crond_t:process sigchld;
|
allow $1_crond_t crond_t:process sigchld;
|
||||||
|
|
||||||
kernel_read_system_state($1_crond_t)
|
kernel_read_system_state($1_crond_t)
|
||||||
kernel_read_kernel_sysctl($1_crond_t)
|
kernel_read_kernel_sysctl($1_crond_t)
|
||||||
|
|
||||||
# ps does not need to access /boot when run from cron
|
# ps does not need to access /boot when run from cron
|
||||||
bootloader_ignore_search_bootloader_data_directory($1_crond_t)
|
bootloader_ignore_search_bootloader_data_directory($1_crond_t)
|
||||||
|
|
||||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
|
corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
|
corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
|
corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
|
||||||
corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
|
corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
|
corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
|
corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
|
||||||
corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
|
corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
|
||||||
corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
|
corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
|
||||||
corenetwork_bind_tcp_on_all_nodes($1_crond_t)
|
corenetwork_bind_tcp_on_all_nodes($1_crond_t)
|
||||||
corenetwork_bind_udp_on_all_nodes($1_crond_t)
|
corenetwork_bind_udp_on_all_nodes($1_crond_t)
|
||||||
|
|
||||||
devices_get_pseudorandom_data($1_crond_t)
|
devices_get_pseudorandom_data($1_crond_t)
|
||||||
|
|
||||||
filesystem_get_all_filesystems_attributes($1_crond_t)
|
filesystem_get_all_filesystems_attributes($1_crond_t)
|
||||||
|
|
||||||
domain_execute_all_entrypoint_programs($1_crond_t)
|
domain_execute_all_entrypoint_programs($1_crond_t)
|
||||||
|
|
||||||
files_read_general_application_resources($1_crond_t)
|
files_read_general_application_resources($1_crond_t)
|
||||||
files_execute_system_config_script($1_crond_t)
|
files_execute_system_config_script($1_crond_t)
|
||||||
# for nscd:
|
# for nscd:
|
||||||
files_ignore_search_runtime_data_directory($1_crond_t)
|
files_ignore_search_runtime_data_directory($1_crond_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs($1_crond_t)
|
corecommands_execute_general_programs($1_crond_t)
|
||||||
corecommands_execute_system_programs($1_crond_t)
|
corecommands_execute_system_programs($1_crond_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_crond_t)
|
libraries_use_dynamic_loader($1_crond_t)
|
||||||
libraries_use_shared_libraries($1_crond_t)
|
libraries_use_shared_libraries($1_crond_t)
|
||||||
libraries_execute_library_scripts($1_crond_t)
|
libraries_execute_library_scripts($1_crond_t)
|
||||||
libraries_execute_dynamic_loader($1_crond_t)
|
libraries_execute_dynamic_loader($1_crond_t)
|
||||||
|
|
||||||
files_read_runtime_system_config($1_crond_t)
|
files_read_runtime_system_config($1_crond_t)
|
||||||
|
|
||||||
logging_search_system_log_directory($1_crond_t)
|
logging_search_system_log_directory($1_crond_t)
|
||||||
|
|
||||||
selinux_read_config($1_crond_t)
|
selinux_read_config($1_crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_crond_t)
|
miscfiles_read_localization($1_crond_t)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
tunable_policy(`fcron_crond', `
|
||||||
allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow crond_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Access user files and dirs.
|
# Access user files and dirs.
|
||||||
allow $1_crond_t home_root_t:dir search;
|
allow $1_crond_t home_root_t:dir search;
|
||||||
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
|
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
|
||||||
|
|
||||||
# Run scripts in user home directory and access shared libs.
|
# Run scripts in user home directory and access shared libs.
|
||||||
can_exec($1_crond_t, $1_home_t)
|
can_exec($1_crond_t, $1_home_t)
|
||||||
|
|
||||||
file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
|
file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
|
||||||
|
|
||||||
ifdef(`mta.te', `
|
ifdef(`mta.te', `
|
||||||
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
|
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
|
||||||
allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
|
allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
|
||||||
|
|
||||||
# $1_mail_t should only be reading from the cron fifo not needing to write
|
# $1_mail_t should only be reading from the cron fifo not needing to write
|
||||||
dontaudit $1_mail_t crond_t:fifo_file write;
|
dontaudit $1_mail_t crond_t:fifo_file write;
|
||||||
allow mta_user_agent $1_crond_t:fd use;
|
allow mta_user_agent $1_crond_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
# This domain is granted permissions common to most domains.
|
# This domain is granted permissions common to most domains.
|
||||||
can_ypbind($1_crond_t)
|
can_ypbind($1_crond_t)
|
||||||
allow $1_crond_t var_spool_t:dir search;
|
allow $1_crond_t var_spool_t:dir search;
|
||||||
allow $1_crond_t var_t:dir r_dir_perms;
|
allow $1_crond_t var_t:dir r_dir_perms;
|
||||||
allow $1_crond_t var_t:file { getattr read ioctl };
|
allow $1_crond_t var_t:file { getattr read ioctl };
|
||||||
|
|
||||||
# quiet other ps operations
|
# quiet other ps operations
|
||||||
dontaudit $1_crond_t domain:dir { getattr search };
|
dontaudit $1_crond_t domain:dir { getattr search };
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_crontab_t local policy
|
# $1_crontab_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# for ^Z
|
# for ^Z
|
||||||
allow $1_t $1_crontab_t:process signal;
|
allow $1_t $1_crontab_t:process signal;
|
||||||
|
|
||||||
# Allow crond to read those crontabs in cron spool.
|
# Allow crond to read those crontabs in cron spool.
|
||||||
allow crond_t $1_cron_spool_t:file { getattr read };
|
allow crond_t $1_cron_spool_t:file { getattr read };
|
||||||
|
|
||||||
# dac_override is to create the file in the directory under /tmp
|
# dac_override is to create the file in the directory under /tmp
|
||||||
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
|
allow $1_crontab_t self:capability { setuid setgid chown dac_override };
|
||||||
allow $1_crontab_t self:process { sigkill sigstop signull signal };
|
allow $1_crontab_t self:process { sigkill sigstop signull signal };
|
||||||
|
|
||||||
# create files in /var/spool/cron
|
# create files in /var/spool/cron
|
||||||
allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1_crontab_t $1_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
|
allow $1_crontab_t cron_spool_t:dir { getattr search read write add_name remove_name };
|
||||||
type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
|
type_transition $1_crontab_t $1_cron_spool_t:file system_crond_tmp_t;
|
||||||
|
|
||||||
# crontab signals crond by updating the mtime on the spooldir
|
# crontab signals crond by updating the mtime on the spooldir
|
||||||
allow $1_crontab_t cron_spool_t:dir setattr;
|
allow $1_crontab_t cron_spool_t:dir setattr;
|
||||||
|
|
||||||
allow $1_crontab_t crond_log_t:file { getattr read append };
|
allow $1_crontab_t crond_log_t:file { getattr read append };
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes($1_crontab_t)
|
filesystem_get_persistent_filesystem_attributes($1_crontab_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_crontab_t)
|
domain_use_widely_inheritable_file_descriptors($1_crontab_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_crontab_t)
|
files_read_general_system_config($1_crontab_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_crontab_t)
|
libraries_use_dynamic_loader($1_crontab_t)
|
||||||
libraries_use_shared_libraries($1_crontab_t)
|
libraries_use_shared_libraries($1_crontab_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_crontab_t)
|
logging_send_system_log_message($1_crontab_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_crontab_t)
|
miscfiles_read_localization($1_crontab_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
tunable_policy(`fcron_crond', `
|
||||||
|
# fcron wants an instant update of a crontab change for the administrator
|
||||||
|
# also crontab does a security check for crontab -u
|
||||||
|
dontaudit $1_crontab_t crond_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
# Transition from the user domain to the derived domain.
|
ifdef(`TODO',`
|
||||||
domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
|
|
||||||
|
|
||||||
can_ps($1_t, $1_crontab_t)
|
# Transition from the user domain to the derived domain.
|
||||||
|
domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
|
||||||
|
|
||||||
dontaudit $1_crontab_t proc_t:dir search;
|
can_ps($1_t, $1_crontab_t)
|
||||||
dontaudit $1_crontab_t selinux_config_t:dir search;
|
|
||||||
# for the checks used by crontab -u
|
|
||||||
dontaudit $1_crontab_t security_t:dir search;
|
|
||||||
|
|
||||||
# Type for temporary files.
|
dontaudit $1_crontab_t proc_t:dir search;
|
||||||
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
|
dontaudit $1_crontab_t selinux_config_t:dir search;
|
||||||
|
# for the checks used by crontab -u
|
||||||
|
dontaudit $1_crontab_t security_t:dir search;
|
||||||
|
|
||||||
# Use the type when creating files in /var/spool/cron.
|
# Type for temporary files.
|
||||||
allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
|
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
# Use the type when creating files in /var/spool/cron.
|
||||||
# fcron wants an instant update of a crontab change for the administrator
|
allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
|
||||||
# also crontab does a security check for crontab -u
|
|
||||||
ifelse(`$1', `sysadm', `
|
|
||||||
allow $1_crontab_t self:process setfscreate;
|
|
||||||
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
|
||||||
', `
|
|
||||||
dontaudit $1_crontab_t crond_t:process signal;
|
|
||||||
')dnl end ifelse
|
|
||||||
')dnl end ifdef fcron
|
|
||||||
|
|
||||||
# Run helper programs as $1_t
|
# Run helper programs as $1_t
|
||||||
allow $1_crontab_t { bin_t sbin_t }:dir search;
|
allow $1_crontab_t { bin_t sbin_t }:dir search;
|
||||||
allow $1_crontab_t bin_t:lnk_file read;
|
allow $1_crontab_t bin_t:lnk_file read;
|
||||||
domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
|
domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
|
||||||
|
|
||||||
# Read user crontabs
|
# Read user crontabs
|
||||||
allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
|
allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
|
||||||
allow $1_crontab_t $1_home_t:file r_file_perms;
|
allow $1_crontab_t $1_home_t:file r_file_perms;
|
||||||
dontaudit $1_crontab_t $1_home_dir_t:dir write;
|
dontaudit $1_crontab_t $1_home_dir_t:dir write;
|
||||||
|
|
||||||
# Access terminals.
|
# Access terminals.
|
||||||
allow $1_crontab_t devpts_t:dir { read search getattr };
|
allow $1_crontab_t devpts_t:dir { read search getattr };
|
||||||
allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
|
allow $1_crontab_t $1_tty_device_t:chr_file { read write getattr ioctl };
|
||||||
allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
|
allow $1_crontab_t $1_devpts_t:chr_file { read write getattr ioctl };
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
dontaudit $1_crontab_t var_run_t:dir search;
|
dontaudit $1_crontab_t var_run_t:dir search;
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -223,19 +218,25 @@ dontaudit $1_crontab_t var_run_t:dir search;
|
|||||||
#
|
#
|
||||||
|
|
||||||
define(`cron_admin_template',`
|
define(`cron_admin_template',`
|
||||||
|
logging_read_system_logs($1_crond_t)
|
||||||
|
|
||||||
logging_read_system_logs($1_crond_t)
|
# Allow our crontab domain to unlink a user cron spool file.
|
||||||
|
#allow $1_crontab_t user_cron_spool_t:file unlink;
|
||||||
|
|
||||||
# Allow our crontab domain to unlink a user cron spool file.
|
# Manipulate other users crontab.
|
||||||
#allow $1_crontab_t user_cron_spool_t:file unlink;
|
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
||||||
|
kernel_validate_selinux_context($1_crontab_t)
|
||||||
|
kernel_compute_selinux_access_vector($1_crontab_t)
|
||||||
|
kernel_compute_selinux_create_context($1_crontab_t)
|
||||||
|
kernel_compute_selinux_relabel_context($1_crontab_t)
|
||||||
|
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
|
||||||
|
|
||||||
# Manipulate other users crontab.
|
tunable_policy(`fcron_crond', `
|
||||||
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
# fcron wants an instant update of a crontab change for the administrator
|
||||||
kernel_validate_selinux_context($1_crontab_t)
|
# also crontab does a security check for crontab -u
|
||||||
kernel_compute_selinux_access_vector($1_crontab_t)
|
allow $1_crontab_t self:process setfscreate;
|
||||||
kernel_compute_selinux_create_context($1_crontab_t)
|
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
||||||
kernel_compute_selinux_relabel_context($1_crontab_t)
|
')
|
||||||
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
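Review bot: `kernel_get_selinuxfs_mount_point($1_crontab_t)` inside the new `tunable_policy(`fcron_crond', ...)` block repeats the unconditional call made a few lines earlier in the same template, so the copy in the tunable can be dropped. That leaves `allow $1_crontab_t self:process setfscreate;` as the only grant the tunable adds, and the two comments above it explain the instant-update behaviour but not why setting the file creation context is needed; presumably it is for labelling the crontab written on another user's behalf, which I would state on the line itself, e.g. `# setfscreate: label the crontab written for another user (crontab -u)`, after confirming against the fcron source. This block was moved here from the per-userdomain template's `ifelse($1, sysadm, ...)` branch, so the `_depend` block (outside this hunk) should still declare `class process setfscreate` if it is the one emitted for this template.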
@ -243,11 +244,13 @@ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
|
|||||||
# cron_modify_log(domain)
|
# cron_modify_log(domain)
|
||||||
#
|
#
|
||||||
define(`cron_modify_log',`
|
define(`cron_modify_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 crond_log_t:file { getattr read write ioctl lock append };
|
|
||||||
|
allow $1 crond_log_t:file { getattr read write ioctl lock append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`cron_modify_log_depend',`
|
define(`cron_modify_log_depend',`
|
||||||
type crond_log_t;
|
type crond_log_t;
|
||||||
class file rw_file_perms;
|
|
||||||
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
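Review bot: The `allow $1 crond_log_t:file { getattr read write ioctl lock append };` line still spells its permissions out while the new `cron_modify_log_depend` declares `class file rw_file_perms;`, so the requires declaration and the grant are written in two different forms and can silently drift apart. Given the commit's purpose, the allow should use the same set: `allow $1 crond_log_t:file rw_file_perms;`. If `rw_file_perms` is ever widened, the interface then gains exactly what the requires block declares, which is the intended coupling.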
|
@ -121,17 +121,17 @@ miscfiles_read_localization(crond_t)
|
|||||||
userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
|
userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
|
||||||
|
|
||||||
tunable_policy(`fcron_crond', `
|
tunable_policy(`fcron_crond', `
|
||||||
allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(crond_t)
|
terminal_ignore_use_general_physical_terminal(crond_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(crond_t)
|
terminal_ignore_use_general_pseudoterminal(crond_t)
|
||||||
files_ignore_read_rootfs_file(crond_t)
|
files_ignore_read_rootfs_file(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(crond_t)
|
udev_read_database(crond_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -293,15 +293,15 @@ miscfiles_manage_man_page_cache(system_crond_t)
|
|||||||
selinux_read_config(system_crond_t)
|
selinux_read_config(system_crond_t)
|
||||||
|
|
||||||
if (cron_can_relabel) {
|
if (cron_can_relabel) {
|
||||||
selinux_setfiles_transition(system_crond_t)
|
selinux_setfiles_transition(system_crond_t)
|
||||||
} else {
|
} else {
|
||||||
kernel_get_selinuxfs_mount_point(system_crond_t)
|
kernel_get_selinuxfs_mount_point(system_crond_t)
|
||||||
kernel_validate_selinux_context(system_crond_t)
|
kernel_validate_selinux_context(system_crond_t)
|
||||||
kernel_compute_selinux_access_vector(system_crond_t)
|
kernel_compute_selinux_access_vector(system_crond_t)
|
||||||
kernel_compute_selinux_create_context(system_crond_t)
|
kernel_compute_selinux_create_context(system_crond_t)
|
||||||
kernel_compute_selinux_relabel_context(system_crond_t)
|
kernel_compute_selinux_relabel_context(system_crond_t)
|
||||||
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
|
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
|
||||||
selinux_read_file_contexts(system_crond_t)
|
selinux_read_file_contexts(system_crond_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -8,133 +8,135 @@
|
|||||||
# mta_per_userdomain_template(userdomain_prefix)
|
# mta_per_userdomain_template(userdomain_prefix)
|
||||||
#
|
#
|
||||||
define(`mta_per_userdomain_template',`
|
define(`mta_per_userdomain_template',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
|
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
|
||||||
domain_make_domain($1_mail_t)
|
domain_make_domain($1_mail_t)
|
||||||
role $1_r types $1_mail_t;
|
role $1_r types $1_mail_t;
|
||||||
|
|
||||||
type $1_mail_tmp_t;
|
type $1_mail_tmp_t;
|
||||||
files_make_temporary_file($1_mail_tmp_t)
|
files_make_temporary_file($1_mail_tmp_t)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
# $1_mail_t local policy
|
# $1_mail_t local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow $1_mail_t self:capability { setuid setgid chown };
|
allow $1_mail_t self:capability { setuid setgid chown };
|
||||||
allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
|
allow $1_mail_t self:process { sigkill sigstop signull signal setrlimit };
|
||||||
|
|
||||||
# tcp networking
|
# tcp networking
|
||||||
allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
allow $1_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
|
||||||
|
|
||||||
# re-exec itself
|
# re-exec itself
|
||||||
allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
|
allow $1_mail_t sendmail_exec_t:file { getattr read execute execute_no_trans };
|
||||||
allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
|
allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
|
||||||
|
|
||||||
# Transition from the user domain to the derived domain.
|
# Transition from the user domain to the derived domain.
|
||||||
allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
|
allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
|
||||||
allow $1_t sendmail_exec_t:lnk_file { getattr read };
|
allow $1_t sendmail_exec_t:lnk_file { getattr read };
|
||||||
allow $1_t $1_mail_t:process transition;
|
allow $1_t $1_mail_t:process transition;
|
||||||
type_transition $1_t sendmail_exec_t:process $1_mail_t;
|
type_transition $1_t sendmail_exec_t:process $1_mail_t;
|
||||||
allow $1_t $1_mail_t:fd use;
|
dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
|
||||||
allow $1_mail_t $1_t:fd use;
|
|
||||||
allow $1_mail_t $1_t:fifo_file rw_file_perms;
|
|
||||||
allow $1_mail_t $1_t:process sigchld;
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctl($1_mail_t)
|
allow $1_t $1_mail_t:fd use;
|
||||||
|
allow $1_mail_t $1_t:fd use;
|
||||||
|
allow $1_mail_t $1_t:fifo_file rw_file_perms;
|
||||||
|
allow $1_mail_t $1_t:process sigchld;
|
||||||
|
|
||||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
|
kernel_read_kernel_sysctl($1_mail_t)
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
|
|
||||||
corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
|
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
|
|
||||||
corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
|
|
||||||
corenetwork_bind_tcp_on_all_nodes($1_mail_t)
|
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_mail_t)
|
corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
|
||||||
|
corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
|
||||||
|
corenetwork_bind_tcp_on_all_nodes($1_mail_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_mail_t)
|
domain_use_widely_inheritable_file_descriptors($1_mail_t)
|
||||||
libraries_use_shared_libraries($1_mail_t)
|
|
||||||
|
|
||||||
corecommands_execute_general_programs($1_mail_t)
|
libraries_use_dynamic_loader($1_mail_t)
|
||||||
|
libraries_use_shared_libraries($1_mail_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_mail_t)
|
corecommands_execute_general_programs($1_mail_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_mail_t)
|
files_read_general_system_config($1_mail_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_mail_t)
|
logging_send_system_log_message($1_mail_t)
|
||||||
|
|
||||||
sysnetwork_read_network_config($1_mail_t)
|
miscfiles_read_localization($1_mail_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
sysnetwork_read_network_config($1_mail_t)
|
||||||
allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
|
|
||||||
corenetwork_bind_udp_on_all_nodes($1_mail_t)
|
|
||||||
corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`procmail.te',`
|
tunable_policy(`use_dns',`
|
||||||
procmail_execute($1_mail_t)
|
allow $1_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
')
|
corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
|
||||||
|
corenetwork_bind_udp_on_all_nodes($1_mail_t)
|
||||||
|
corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`procmail.te',`
|
||||||
|
procmail_execute($1_mail_t)
|
||||||
|
')
|
||||||
|
|
||||||
can_ypbind($1_mail_t)
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow $1_mail_t device_t:dir search;
|
can_ypbind($1_mail_t)
|
||||||
allow $1_mail_t { var_t var_spool_t }:dir search;
|
|
||||||
allow $1_mail_t sbin_t:dir search;
|
|
||||||
|
|
||||||
# It wants to check for nscd
|
allow $1_mail_t device_t:dir search;
|
||||||
dontaudit $1_mail_t var_run_t:dir search;
|
allow $1_mail_t { var_t var_spool_t }:dir search;
|
||||||
|
allow $1_mail_t sbin_t:dir search;
|
||||||
|
|
||||||
# For when the user wants to send mail via port 25 localhost
|
# It wants to check for nscd
|
||||||
can_tcp_connect($1_t, mail_server_domain)
|
dontaudit $1_mail_t var_run_t:dir search;
|
||||||
|
|
||||||
# Read user temporary files.
|
# For when the user wants to send mail via port 25 localhost
|
||||||
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
can_tcp_connect($1_t, mail_server_domain)
|
||||||
dontaudit $1_mail_t $1_tmp_t:file append;
|
|
||||||
ifdef(`postfix.te', `
|
|
||||||
# postfix seems to need write access if the file handle is opened read/write
|
|
||||||
allow $1_mail_t $1_tmp_t:file write;
|
|
||||||
')dnl end if postfix
|
|
||||||
|
|
||||||
allow mta_user_agent $1_tmp_t:file { read getattr };
|
# Read user temporary files.
|
||||||
|
allow $1_mail_t $1_tmp_t:file r_file_perms;
|
||||||
|
dontaudit $1_mail_t $1_tmp_t:file append;
|
||||||
|
ifdef(`postfix.te', `
|
||||||
|
# postfix seems to need write access if the file handle is opened read/write
|
||||||
|
allow $1_mail_t $1_tmp_t:file write;
|
||||||
|
')
|
||||||
|
|
||||||
# Write to the user domain tty.
|
allow mta_user_agent $1_tmp_t:file { read getattr };
|
||||||
allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
|
|
||||||
allow mta_user_agent devpts_t:dir { read search getattr };
|
|
||||||
allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
|
|
||||||
|
|
||||||
allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
|
# Write to the user domain tty.
|
||||||
allow $1_mail_t devpts_t:dir { read search getattr };
|
allow mta_user_agent $1_tty_device_t:chr_file { read write getattr ioctl };
|
||||||
allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
|
allow mta_user_agent devpts_t:dir { read search getattr };
|
||||||
|
allow mta_user_agent $1_devpts_t:chr_file { read write getattr ioctl };
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
allow $1_mail_t $1_tty_device_t:chr_file { read write getattr ioctl };
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
allow $1_mail_t devpts_t:dir { read search getattr };
|
||||||
|
allow $1_mail_t $1_devpts_t:chr_file { read write getattr ioctl };
|
||||||
|
|
||||||
# Create dead.letter in user home directories.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
if (use_samba_home_dirs) {
|
# Create dead.letter in user home directories.
|
||||||
rw_dir_create_file($1_mail_t, cifs_t)
|
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
|
||||||
}
|
|
||||||
|
|
||||||
# if you do not want to allow dead.letter then use the following instead
|
if (use_samba_home_dirs) {
|
||||||
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
rw_dir_create_file($1_mail_t, cifs_t)
|
||||||
#allow $1_mail_t $1_home_t:file r_file_perms;
|
}
|
||||||
|
|
||||||
# for reading .forward - maybe we need a new type for it?
|
# if you do not want to allow dead.letter then use the following instead
|
||||||
# also for delivering mail to maildir
|
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
|
||||||
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
|
#allow $1_mail_t $1_home_t:file r_file_perms;
|
||||||
|
|
||||||
ifdef(`qmail.te', `
|
# for reading .forward - maybe we need a new type for it?
|
||||||
allow $1_mail_t qmail_etc_t:dir search;
|
# also for delivering mail to maildir
|
||||||
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
|
||||||
')dnl end if qmail
|
|
||||||
|
|
||||||
') dnl end TODO
|
ifdef(`qmail.te', `
|
||||||
|
allow $1_mail_t qmail_etc_t:dir search;
|
||||||
|
allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
|
||||||
|
')
|
||||||
|
|
||||||
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_per_userdomain_template_depend',`
|
define(`mta_per_userdomain_template_depend',`
|
||||||
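Review bot: The new line `dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };` introduces process permissions the template did not previously reference, but `mta_per_userdomain_template_depend` begins on the hunk's last line and its body is outside this hunk, so I cannot confirm that `class process` there declares `noatsecure siginh rlimitinh`; it should, or the requires block under-declares what the template uses. Two smaller points in the same hunk: `allow $1_mail_t self:tcp_socket { create connect ioctl read ... shutdown };` and the `udp_socket` line in the `use_dns` tunable are still long literal lists even though the commit's goal is to move to named perm sets, and the `')dnl end if postfix` / `')dnl end if qmail` closers inside the `TODO` block were shortened to bare `')`, which makes the nested ifdef endings harder to match by eye. I would keep the closing comments, `')dnl end ifdef postfix`, since the block is several screens long.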
@ -146,13 +148,14 @@ define(`mta_per_userdomain_template_depend',`
|
|||||||
# mta_make_mailserver_domain(domain,entrypointtype)
|
# mta_make_mailserver_domain(domain,entrypointtype)
|
||||||
#
|
#
|
||||||
define(`mta_make_mailserver_domain',`
|
define(`mta_make_mailserver_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
init_make_daemon_domain($1,$2)
|
|
||||||
typeattribute $1 mailserver_domain;
|
init_make_daemon_domain($1,$2)
|
||||||
|
typeattribute $1 mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_make_mailserver_domain_depend',`
|
define(`mta_make_mailserver_domain_depend',`
|
||||||
attribute mailserver_domain;
|
attribute mailserver_domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -160,12 +163,13 @@ attribute mailserver_domain;
|
|||||||
# mta_make_sendmail_mailserver_domain(domain,entrypointtype)
|
# mta_make_sendmail_mailserver_domain(domain,entrypointtype)
|
||||||
#
|
#
|
||||||
define(`mta_make_sendmail_mailserver_domain',`
|
define(`mta_make_sendmail_mailserver_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
mta_make_mailserver_domain($1,sendmail_exec_t)
|
|
||||||
|
mta_make_mailserver_domain($1,sendmail_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_make_sendmail_mailserver_domain_depend',`
|
define(`mta_make_sendmail_mailserver_domain_depend',`
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -173,25 +177,28 @@ type sendmail_exec_t;
|
|||||||
# mta_send_mail(domain)
|
# mta_send_mail(domain)
|
||||||
#
|
#
|
||||||
define(`mta_send_mail',`
|
define(`mta_send_mail',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sendmail_exec_t:lnk_file { getattr read };
|
|
||||||
allow $1 sendmail_exec_t:file { getattr read execute };
|
allow $1 sendmail_exec_t:lnk_file { getattr read };
|
||||||
allow $1 system_mail_t:process transition;
|
allow $1 sendmail_exec_t:file { getattr read execute };
|
||||||
type_transition $1 sendmail_exec_t:process system_mail_t;
|
allow $1 system_mail_t:process transition;
|
||||||
dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 sendmail_exec_t:process system_mail_t;
|
||||||
allow $1 system_mail_t:fd use;
|
dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
|
||||||
allow system_mail_t $1:fd use;
|
|
||||||
allow system_mail_t $1:fifo_file rw_file_perms;
|
allow $1 system_mail_t:fd use;
|
||||||
allow system_mail_t $1:process sigchld;
|
allow system_mail_t $1:fd use;
|
||||||
|
allow system_mail_t $1:fifo_file rw_file_perms;
|
||||||
|
allow system_mail_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_send_mail_depend',`
|
define(`mta_send_mail_depend',`
|
||||||
type system_mail_t, sendmail_exec_t;
|
type system_mail_t, sendmail_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class lnk_file { getattr read };
|
class file { getattr read execute };
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class lnk_file { getattr read };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file { ioctl read getattr lock write append };
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
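Review bot: `mta_send_mail` is documented only as `# mta_send_mail(domain)`, which does not tell a caller that the transition target is the system-wide `system_mail_t` rather than a per-user mail domain, so every domain that calls this interface ends up running sendmail with the same system privileges. I would add above the define: `# Execute sendmail from the caller and transition to system_mail_t (not a per-user mail domain); the caller and system_mail_t may use each other's fds and pipes.` The switch of `class fifo_file` to `rw_file_perms` matches the `allow system_mail_t $1:fifo_file rw_file_perms;` grant, which is good; `class file { getattr read execute }` and `class lnk_file { getattr read }` remain literal and could be converted the same way if matching sets exist in the perm-set file.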
@ -199,13 +206,15 @@ class fifo_file { ioctl read getattr lock write append };
|
|||||||
# mta_execute(domain)
|
# mta_execute(domain)
|
||||||
#
|
#
|
||||||
define(`mta_execute',`
|
define(`mta_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_execute_depend',`
|
define(`mta_execute_depend',`
|
||||||
type sendmail_exec_t;
|
type sendmail_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
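Review bot: `mta_execute` grants `execute_no_trans` on `sendmail_exec_t`, meaning the caller runs sendmail in its own domain with no transition, but the header comment `# mta_execute(domain)` does not say so, and a reader comparing it with `mta_send_mail` two interfaces above (which grants only `execute` plus the transition) has to infer the difference from the permission lists. I would add: `# Run sendmail in the caller's own domain (execute_no_trans, no transition to system_mail_t); use mta_send_mail when the mail client should run confined.` Since this interface deliberately keeps the mail client inside the caller's domain, callers should be restricted to domains that already hold the network and spool access sendmail needs.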
@ -220,13 +229,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mta_read_mail_aliases',`
|
define(`mta_read_mail_aliases',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 etc_aliases_t:file { getattr read };
|
|
||||||
|
allow $1 etc_aliases_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_read_mail_aliases_depend',`
|
define(`mta_read_mail_aliases_depend',`
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -234,13 +245,15 @@ class file { getattr read };
|
|||||||
# mta_modify_mail_aliases(domain)
|
# mta_modify_mail_aliases(domain)
|
||||||
#
|
#
|
||||||
define(`mta_modify_mail_aliases',`
|
define(`mta_modify_mail_aliases',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
|
|
||||||
|
allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_modify_mail_aliases_depend',`
|
define(`mta_modify_mail_aliases_depend',`
|
||||||
type etc_aliases_t;
|
type etc_aliases_t;
|
||||||
class file { getattr read write append setattr };
|
|
||||||
|
class file { getattr read write append setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
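Review bot: `allow sendmail_t etc_aliases_t:file { getattr read write append setattr };` ignores the interface's `$1` argument and hard-codes `sendmail_t`, so `mta_modify_mail_aliases(domain)` grants nothing to the domain it is called for and silently widens `sendmail_t`'s access every time it is invoked; the line should read `allow $1 etc_aliases_t:file { getattr read write append setattr };`. The mismatch is also visible in `mta_modify_mail_aliases_depend`, which declares only `type etc_aliases_t;` and not `sendmail_t`, so a module using this interface without sendmail loaded would fail to link. This is pre-existing, but the commit re-indents the line without correcting it.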
@ -248,18 +261,20 @@ class file { getattr read write append setattr };
|
|||||||
# mta_get_mail_spool_attributes(domain)
|
# mta_get_mail_spool_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`mta_get_mail_spool_attributes',`
|
define(`mta_get_mail_spool_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_spool_directory($1)
|
|
||||||
allow $1 mail_spool_t:dir r_dir_perms;
|
files_search_system_spool_directory($1)
|
||||||
allow $1 mail_spool_t:lnk_file read;
|
allow $1 mail_spool_t:dir r_dir_perms;
|
||||||
allow $1 mail_spool_t:file getattr;
|
allow $1 mail_spool_t:lnk_file read;
|
||||||
|
allow $1 mail_spool_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_get_mail_spool_attributes_depend',`
|
define(`mta_get_mail_spool_attributes_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class file getattr;
|
class dir r_dir_perms;
|
||||||
class lnk_file read;
|
class file getattr;
|
||||||
|
class lnk_file read;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -267,16 +282,18 @@ class lnk_file read;
|
|||||||
# mta_modify_mail_spool(domain)
|
# mta_modify_mail_spool(domain)
|
||||||
#
|
#
|
||||||
define(`mta_modify_mail_spool',`
|
define(`mta_modify_mail_spool',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_spool_directory($1)
|
|
||||||
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
files_search_system_spool_directory($1)
|
||||||
allow $1 mail_spool_t:file { getattr read write append setattr };
|
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
allow $1 mail_spool_t:file { getattr read write append setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_modify_mail_spool_depend',`
|
define(`mta_modify_mail_spool_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -284,16 +301,18 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# mta_manage_mail_spool(domain)
|
# mta_manage_mail_spool(domain)
|
||||||
#
|
#
|
||||||
define(`mta_manage_mail_spool',`
|
define(`mta_manage_mail_spool',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_spool_directory($1)
|
|
||||||
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
files_search_system_spool_directory($1)
|
||||||
allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_manage_mail_spool_depend',`
|
define(`mta_manage_mail_spool_depend',`
|
||||||
type mail_spool_t;
|
type mail_spool_t;
|
||||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -301,15 +320,17 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# mta_manage_mail_queue(domain)
|
# mta_manage_mail_queue(domain)
|
||||||
#
|
#
|
||||||
define(`mta_manage_mail_queue',`
|
define(`mta_manage_mail_queue',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
|
||||||
allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mta_manage_mail_queue_depend',`
|
define(`mta_manage_mail_queue_depend',`
|
||||||
type mqueue_spool_t;
|
type mqueue_spool_t;
|
||||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename }
|
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename }
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
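Review bot: The `class file { create ioctl read getattr lock write setattr append link unlink rename }` line in `mta_manage_mail_queue_depend` still has no terminating `;` on the new side, even though the hunk re-indents it; the sibling `mta_manage_mail_spool_depend` in the previous hunk ends the same statement with `};`. If this is not a display truncation, the expanded require block will not parse, so the line should read `class file { create ioctl read getattr lock write setattr append link unlink rename };`. The interface also differs from `mta_manage_mail_spool` in not calling `files_search_system_spool_directory($1)`, which a caller may need to reach the queue directory; worth confirming that is intended.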
@ -83,15 +83,15 @@ miscfiles_read_localization(system_mail_t)
|
|||||||
sysnetwork_read_network_config(system_mail_t)
|
sysnetwork_read_network_config(system_mail_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
allow system_mail_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
|
corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
|
||||||
corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
|
corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
|
||||||
corenetwork_bind_udp_on_all_nodes(system_mail_t)
|
corenetwork_bind_udp_on_all_nodes(system_mail_t)
|
||||||
corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
|
corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`procmail.te',`
|
optional_policy(`procmail.te',`
|
||||||
procmail_execute(system_mail_t)
|
procmail_execute(system_mail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -89,17 +89,17 @@ mta_manage_mail_spool(sendmail_t)
|
|||||||
sysnetwork_read_network_config(sendmail_t)
|
sysnetwork_read_network_config(sendmail_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(sendmail_t)
|
terminal_ignore_use_general_physical_terminal(sendmail_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(sendmail_t)
|
terminal_ignore_use_general_pseudoterminal(sendmail_t)
|
||||||
files_ignore_read_rootfs_file(sendmail_t)
|
files_ignore_read_rootfs_file(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(sendmail_t)
|
selinux_newrole_sigchld(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(sendmail_t)
|
udev_read_database(sendmail_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -52,17 +52,17 @@ libraries_use_shared_libraries(auditd_t)
|
|||||||
miscfiles_read_localization(auditd_t)
|
miscfiles_read_localization(auditd_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(auditd_t)
|
terminal_ignore_use_general_physical_terminal(auditd_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
||||||
files_ignore_read_rootfs_file(auditd_t)
|
files_ignore_read_rootfs_file(auditd_t)
|
||||||
')dnl end targeted_policy tunable
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(auditd_t)
|
selinux_newrole_sigchld(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(auditd_t)
|
udev_read_database(auditd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -8,87 +8,91 @@
|
|||||||
# authlogin_per_userdomain_template(userdomain_prefix)
|
# authlogin_per_userdomain_template(userdomain_prefix)
|
||||||
#
|
#
|
||||||
define(`authlogin_per_userdomain_template',`
|
define(`authlogin_per_userdomain_template',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
||||||
domain_make_domain($1_chkpwd_t)
|
domain_make_domain($1_chkpwd_t)
|
||||||
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
|
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
|
||||||
role $1_r types $1_chkpwd_t;
|
role $1_r types $1_chkpwd_t;
|
||||||
role $1_r types system_chkpwd_t;
|
role $1_r types system_chkpwd_t;
|
||||||
|
|
||||||
allow $1_chkpwd_t self:capability setuid;
|
allow $1_chkpwd_t self:capability setuid;
|
||||||
allow $1_chkpwd_t self:process getattr;
|
allow $1_chkpwd_t self:process getattr;
|
||||||
|
|
||||||
files_read_general_system_config_directory($1_chkpwd_t)
|
files_read_general_system_config_directory($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
kernel_read_system_state($1_chkpwd_t)
|
kernel_read_system_state($1_chkpwd_t)
|
||||||
|
|
||||||
filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
|
filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
|
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader($1_chkpwd_t)
|
libraries_use_dynamic_loader($1_chkpwd_t)
|
||||||
libraries_use_shared_libraries($1_chkpwd_t)
|
libraries_use_shared_libraries($1_chkpwd_t)
|
||||||
|
|
||||||
files_read_general_system_config($1_chkpwd_t)
|
files_read_general_system_config($1_chkpwd_t)
|
||||||
# for nscd
|
# for nscd
|
||||||
files_ignore_search_system_state_data_directory($1_chkpwd_t)
|
files_ignore_search_system_state_data_directory($1_chkpwd_t)
|
||||||
|
|
||||||
logging_send_system_log_message($1_chkpwd_t)
|
logging_send_system_log_message($1_chkpwd_t)
|
||||||
|
|
||||||
miscfiles_read_localization($1_chkpwd_t)
|
miscfiles_read_localization($1_chkpwd_t)
|
||||||
|
|
||||||
selinux_read_config($1_chkpwd_t)
|
selinux_read_config($1_chkpwd_t)
|
||||||
|
|
||||||
#can_ypbind($1_chkpwd_t)
|
#can_ypbind($1_chkpwd_t)
|
||||||
#can_kerberos($1_chkpwd_t)
|
#can_kerberos($1_chkpwd_t)
|
||||||
#can_ldap($1_chkpwd_t)
|
#can_ldap($1_chkpwd_t)
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
# Transition from the user domain to this domain.
|
||||||
allow $1_t chkpwd_exec_t:file { getattr read execute };
|
allow $1_t chkpwd_exec_t:file { getattr read execute };
|
||||||
allow $1_t $1_chkpwd_t:process transition;
|
allow $1_t $1_chkpwd_t:process transition;
|
||||||
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
|
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
|
||||||
allow $1_chkpwd_t $1_t:fd use;
|
dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };
|
||||||
allow $1_t $1_chkpwd_t:fd use;
|
|
||||||
allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
|
|
||||||
allow $1_chkpwd_t $1_t:process sigchld;
|
|
||||||
|
|
||||||
# Write to the user domain tty.
|
allow $1_chkpwd_t $1_t:fd use;
|
||||||
#userdomain_use_$1_terminal($1_chkpwd_t)
|
allow $1_t $1_chkpwd_t:fd use;
|
||||||
#userdomain_use_$1_pty($1_chkpwd_t)
|
allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
|
||||||
|
allow $1_chkpwd_t $1_t:process sigchld;
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Write to the user domain tty.
|
||||||
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
#userdomain_use_$1_terminal($1_chkpwd_t)
|
||||||
|
#userdomain_use_$1_pty($1_chkpwd_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
|
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
|
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
|
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
|
|
||||||
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
|
|
||||||
corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
|
|
||||||
sysnetwork_read_network_config($1_chkpwd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
tunable_policy(`use_dns',`
|
||||||
selinux_newrole_use_file_descriptors($1_chkpwd_t)
|
allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
')
|
corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
|
||||||
|
corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
|
||||||
|
corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
|
||||||
|
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
|
||||||
|
corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
|
||||||
|
sysnetwork_read_network_config($1_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`selinux.te',`
|
||||||
|
selinux_newrole_use_file_descriptors($1_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
') dnl end authlogin_per_userdomain_template
|
') dnl end authlogin_per_userdomain_template
|
||||||
|
|
||||||
define(`authlogin_per_userdomain_template_depend',`
|
define(`authlogin_per_userdomain_template_depend',`
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
|
|
||||||
class file { getattr read execute };
|
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
|
||||||
class process { getattr transition sigchld };
|
|
||||||
class capability setuid;
|
class file { getattr read execute };
|
||||||
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
class process { getattr transition sigchld };
|
||||||
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
class capability setuid;
|
||||||
class fd use;
|
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
class fifo_file rw_file_perms;
|
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
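Review bot: The new `dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };` rule in `authlogin_per_userdomain_template` uses process permissions that `authlogin_per_userdomain_template_depend` does not declare — the require block still lists only `class process { getattr transition sigchld };`. Compare `authlogin_login_program_transition_depend` later in this file, which declares `class process { transition noatsecure siginh rlimitinh sigchld };` for the same pattern; the depend line here should be widened to `class process { getattr transition sigchld noatsecure siginh rlimitinh };`. The `use_dns` block in this template also grants `self:udp_socket` permissions to `$1_chkpwd_t`, but the require block declares `unix_stream_socket` and `unix_dgram_socket` rather than `udp_socket`, unlike `authlogin_check_password_transition_depend`; presumably that is a pre-existing omission worth fixing while the block is being touched.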
@ -96,13 +100,13 @@ class fifo_file rw_file_perms;
|
|||||||
# authlogin_make_login_program_entrypoint(domain)
|
# authlogin_make_login_program_entrypoint(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_make_login_program_entrypoint',`
|
define(`authlogin_make_login_program_entrypoint',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
domain_make_entrypoint_file($1,login_exec_t)
|
|
||||||
|
domain_make_entrypoint_file($1,login_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_make_login_program_entrypoint_depend',`
|
define(`authlogin_make_login_program_entrypoint_depend',`
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
domain_make_entrypoint_file_depend
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -120,24 +124,27 @@ domain_make_entrypoint_file_depend
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_login_program_transition',`
|
define(`authlogin_login_program_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search bin_t
|
|
||||||
allow $1 login_exec_t:file { getattr read execute };
|
# FIXME: search bin_t
|
||||||
allow $1 $2:process transition;
|
allow $1 login_exec_t:file { getattr read execute };
|
||||||
type_transition $1 login_exec_t:process $2;
|
allow $1 $2:process transition;
|
||||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
type_transition $1 login_exec_t:process $2;
|
||||||
allow $1 $2:fd use;
|
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||||
allow $2 $1:fd use;
|
|
||||||
allow $2 $1:fifo_file rw_file_perms;
|
allow $1 $2:fd use;
|
||||||
allow $2 $1:process sigchld;
|
allow $2 $1:fd use;
|
||||||
|
allow $2 $1:fifo_file rw_file_perms;
|
||||||
|
allow $2 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_login_program_transition_depend',`
|
define(`authlogin_login_program_transition_depend',`
|
||||||
type login_exec_t;
|
type login_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -145,41 +152,43 @@ class fifo_file rw_file_perms;
|
|||||||
# authlogin_check_password_transition(domain)
|
# authlogin_check_password_transition(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_check_password_transition',`
|
define(`authlogin_check_password_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 chkpwd_exec_t:file { getattr read execute };
|
|
||||||
allow $1 system_chkpwd_t:process transition;
|
|
||||||
type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
|
|
||||||
allow $1 system_chkpwd_t:fd use;
|
|
||||||
allow system_chkpwd_t $1:fd use;
|
|
||||||
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
|
||||||
allow system_chkpwd_t $1:process sigchld;
|
|
||||||
|
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
allow $1 chkpwd_exec_t:file { getattr read execute };
|
||||||
#allow $1_t sbin_t:dir search;
|
allow $1 system_chkpwd_t:process transition;
|
||||||
#can_ypbind($1_t)
|
type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
|
||||||
#can_kerberos($1_t)
|
|
||||||
#can_ldap($1_t)
|
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
allow $1 system_chkpwd_t:fd use;
|
||||||
allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
allow system_chkpwd_t $1:fd use;
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces($1)
|
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces($1)
|
allow system_chkpwd_t $1:process sigchld;
|
||||||
corenetwork_sendrecv_udp_on_all_nodes($1)
|
|
||||||
corenetwork_sendrecv_raw_on_all_nodes($1)
|
|
||||||
corenetwork_bind_udp_on_all_nodes($1)
|
|
||||||
corenetwork_sendrecv_udp_on_dns_port($1)
|
|
||||||
sysnetwork_read_network_config($1)
|
|
||||||
') dnl end use_dns
|
|
||||||
|
|
||||||
') dnl end check_password_transition
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
|
#allow $1_t sbin_t:dir search;
|
||||||
|
#can_ypbind($1_t)
|
||||||
|
#can_kerberos($1_t)
|
||||||
|
#can_ldap($1_t)
|
||||||
|
|
||||||
|
tunable_policy(`use_dns',`
|
||||||
|
allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
|
corenetwork_sendrecv_udp_on_all_interfaces($1)
|
||||||
|
corenetwork_sendrecv_raw_on_all_interfaces($1)
|
||||||
|
corenetwork_sendrecv_udp_on_all_nodes($1)
|
||||||
|
corenetwork_sendrecv_raw_on_all_nodes($1)
|
||||||
|
corenetwork_bind_udp_on_all_nodes($1)
|
||||||
|
corenetwork_sendrecv_udp_on_dns_port($1)
|
||||||
|
sysnetwork_read_network_config($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
define(`authlogin_check_password_transition_depend',`
|
define(`authlogin_check_password_transition_depend',`
|
||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition sigchld };
|
class file { getattr read execute };
|
||||||
class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
class process { transition sigchld };
|
||||||
class fd use;
|
class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -187,13 +196,15 @@ class fifo_file rw_file_perms;
|
|||||||
# authlogin_ignore_get_shadow_passwords_attributes(domain)
|
# authlogin_ignore_get_shadow_passwords_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_get_shadow_passwords_attributes',`
|
define(`authlogin_ignore_get_shadow_passwords_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 shadow_t:file getattr;
|
|
||||||
|
dontaudit $1 shadow_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
|
define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
class file getattr;
|
|
||||||
|
class file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -201,16 +212,19 @@ class file getattr;
|
|||||||
# authlogin_read_shadow_passwords(domain)
|
# authlogin_read_shadow_passwords(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_read_shadow_passwords',`
|
define(`authlogin_read_shadow_passwords',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_general_system_config_directory($1)
|
|
||||||
allow $1 shadow_t:file { getattr read };
|
files_read_general_system_config_directory($1)
|
||||||
typeattribute $1 can_read_shadow_passwords;
|
allow $1 shadow_t:file { getattr read };
|
||||||
|
typeattribute $1 can_read_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_shadow_passwords_depend',`
|
define(`authlogin_read_shadow_passwords_depend',`
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
type shadow_t;
|
|
||||||
class file { getattr read };
|
type shadow_t;
|
||||||
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -218,13 +232,15 @@ class file { getattr read };
|
|||||||
# authlogin_ignore_read_shadow_passwords(domain)
|
# authlogin_ignore_read_shadow_passwords(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_read_shadow_passwords',`
|
define(`authlogin_ignore_read_shadow_passwords',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
|
||||||
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_ignore_read_shadow_passwords_depend',`
|
define(`authlogin_ignore_read_shadow_passwords_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -232,18 +248,18 @@ class file { getattr read };
|
|||||||
# authlogin_modify_shadow_passwords(domain)
|
# authlogin_modify_shadow_passwords(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_shadow_passwords',`
|
define(`authlogin_modify_shadow_passwords',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_general_system_config_directory($1)
|
|
||||||
allow $1 shadow_t:file { getattr read write };
|
files_read_general_system_config_directory($1)
|
||||||
typeattribute $1 can_read_shadow_passwords;
|
allow $1 shadow_t:file rw_file_perms;
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_shadow_passwords_depend',`
|
define(`authlogin_modify_shadow_passwords_depend',`
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
attribute can_write_shadow_passwords;
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
class file { getattr read write };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
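Review bot: Replacing `{ getattr read write }` with `rw_file_perms` on `shadow_t` in `authlogin_modify_shadow_passwords` is presumably a widening, since a read/write permission set macro of that name would normally also cover permissions such as ioctl, lock and append; the commit message describes this as a switch to perm set macros rather than a grant change. Given the sensitivity of the shadow file, a one-line comment above the rule stating that the broader set is intended (e.g. `# rw_file_perms is broader than the previous { getattr read write }; intended`) would keep the next reviewer from treating it as accidental. The same substitution is made in `authlogin_modify_login_failure_records` later in this file, while `authlogin_modify_last_login_log` keeps its literal `{ getattr read write setattr }` set, so the conversion is not uniform across the file.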
@ -251,18 +267,20 @@ class file { getattr read write };
|
|||||||
# authlogin_manage_shadow_passwords(domain)
|
# authlogin_manage_shadow_passwords(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_manage_shadow_passwords',`
|
define(`authlogin_manage_shadow_passwords',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_create_private_config($1,shadow_t,file)
|
|
||||||
allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 shadow_t:file create_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords;
|
files_create_private_config($1,shadow_t,file)
|
||||||
typeattribute $1 can_write_shadow_passwords;
|
|
||||||
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_manage_shadow_passwords_depend',`
|
define(`authlogin_manage_shadow_passwords_depend',`
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
attribute can_write_shadow_passwords;
|
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
||||||
|
class file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -270,16 +288,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# authlogin_relabel_to_shadow_passwords(domain)
|
# authlogin_relabel_to_shadow_passwords(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_relabel_to_shadow_passwords',`
|
define(`authlogin_relabel_to_shadow_passwords',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_general_system_config_directory($1)
|
|
||||||
allow $1 shadow_t:file relabelto;
|
files_search_general_system_config_directory($1)
|
||||||
typeattribute $1 can_relabelto_shadow_passwords;
|
allow $1 shadow_t:file relabelto;
|
||||||
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_relabel_to_shadow_passwords_depend',`
|
define(`authlogin_relabel_to_shadow_passwords_depend',`
|
||||||
attribute can_relabelto_shadow_passwords;
|
attribute can_relabelto_shadow_passwords;
|
||||||
type shadow_t;
|
|
||||||
class file relabelto;
|
type shadow_t;
|
||||||
|
|
||||||
|
class file relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -287,14 +308,16 @@ class file relabelto;
|
|||||||
# authlogin_modify_login_failure_records(domain)
|
# authlogin_modify_login_failure_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_login_failure_records',`
|
define(`authlogin_modify_login_failure_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
logging_search_system_log_directory($1)
|
|
||||||
allow $1 faillog_t:file { read write append };
|
allow $1 faillog_t:file rw_file_perms;
|
||||||
|
logging_search_system_log_directory($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_login_failure_records_depend',`
|
define(`authlogin_modify_login_failure_records_depend',`
|
||||||
type faillog_t;
|
type faillog_t;
|
||||||
class file { read write append };
|
|
||||||
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -302,14 +325,16 @@ class file { read write append };
|
|||||||
# authlogin_modify_last_login_log(domain)
|
# authlogin_modify_last_login_log(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_last_login_log',`
|
define(`authlogin_modify_last_login_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
logging_search_system_log_directory($1)
|
|
||||||
allow $1 lastlog_t:file { getattr read write setattr };
|
logging_search_system_log_directory($1)
|
||||||
|
allow $1 lastlog_t:file { getattr read write setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_last_login_log_depend',`
|
define(`authlogin_modify_last_login_log_depend',`
|
||||||
type lastlog_t;
|
type lastlog_t;
|
||||||
class file { getattr read write setattr };
|
|
||||||
|
class file { getattr read write setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -324,23 +349,26 @@ class file { getattr read write setattr };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_transition',`
|
define(`authlogin_pam_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 pam_exec_t:file { getattr read execute };
|
|
||||||
allow $1 pam_t:process transition;
|
allow $1 pam_exec_t:file { getattr read execute };
|
||||||
type_transition $1 pam_exec_t:process pam_t;
|
allow $1 pam_t:process transition;
|
||||||
dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 pam_exec_t:process pam_t;
|
||||||
allow $1 pam_t:fd use;
|
dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
|
||||||
allow pam_t $1:fd use;
|
|
||||||
allow pam_t $1:fifo_file rw_file_perms;
|
allow $1 pam_t:fd use;
|
||||||
allow pam_t $1:process sigchld;
|
allow pam_t $1:fd use;
|
||||||
|
allow pam_t $1:fifo_file rw_file_perms;
|
||||||
|
allow pam_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_transition_depend',`
|
define(`authlogin_pam_transition_depend',`
|
||||||
type pam_t, pam_exec_t;
|
type pam_t, pam_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
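Review bot: The `class fd` line in `authlogin_pam_transition_depend` carries neither a permission nor a terminating `;` on the new side; the commit re-indents it but leaves it incomplete. Every sibling depend block in this file that supports the same `fd use` rules declares `class fd use;` (for example `authlogin_login_program_transition_depend`), so this line should read `class fd use;` — as written the interface body grants `allow $1 pam_t:fd use;` and `allow pam_t $1:fd use;` without the require block covering the permission.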
@ -361,15 +389,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_transition_add_role_use_terminal',`
|
define(`authlogin_pam_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
authlogin_pam_transition($1)
|
|
||||||
role $2 types pam_t;
|
authlogin_pam_transition($1)
|
||||||
allow pam_t $3:chr_file { getattr read write ioctl };
|
role $2 types pam_t;
|
||||||
|
allow pam_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_transition_add_role_use_terminal_depend',`
|
define(`authlogin_pam_transition_add_role_use_terminal_depend',`
|
||||||
type pam_t;
|
type pam_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -377,13 +407,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# authlogin_pam_execute(domain)
|
# authlogin_pam_execute(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_execute',`
|
define(`authlogin_pam_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_execute_depend',`
|
define(`authlogin_pam_execute_depend',`
|
||||||
type pam_exec_t;
|
type pam_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -391,17 +423,19 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# authlogin_pam_read_runtime_data(domain)
|
# authlogin_pam_read_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_read_runtime_data',`
|
define(`authlogin_pam_read_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
files_search_runtime_data_directory($1)
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 pam_var_run_t:dir { getattr search read };
|
files_search_runtime_data_directory($1)
|
||||||
allow $1 pam_var_run_t:file { getattr read };
|
allow $1 pam_var_run_t:dir { getattr search read };
|
||||||
|
allow $1 pam_var_run_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_read_runtime_data_depend',`
|
define(`authlogin_pam_read_runtime_data_depend',`
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -409,17 +443,19 @@ class file { getattr read };
|
|||||||
# authlogin_pam_remove_runtime_data(domain)
|
# authlogin_pam_remove_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_remove_runtime_data',`
|
define(`authlogin_pam_remove_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
files_search_runtime_data_directory($1)
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
files_search_runtime_data_directory($1)
|
||||||
allow $1 pam_var_run_t:file { getattr unlink };
|
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
||||||
|
allow $1 pam_var_run_t:file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_remove_runtime_data_depend',`
|
define(`authlogin_pam_remove_runtime_data_depend',`
|
||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
class dir { getattr search read write remove_name };
|
|
||||||
class file { getattr unlink };
|
class dir { getattr search read write remove_name };
|
||||||
|
class file { getattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -427,23 +463,26 @@ class file { getattr unlink };
|
|||||||
# authlogin_pam_console_transition(domain)
|
# authlogin_pam_console_transition(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_transition',`
|
define(`authlogin_pam_console_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 pam_console_exec_t:file { getattr read execute };
|
|
||||||
allow $1 pam_console_t:process transition;
|
allow $1 pam_console_exec_t:file { getattr read execute };
|
||||||
type_transition $1 pam_console_exec_t:process pam_console_t;
|
allow $1 pam_console_t:process transition;
|
||||||
dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 pam_console_exec_t:process pam_console_t;
|
||||||
allow $1 pam_console_t:fd use;
|
dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
|
||||||
allow pam_console_t $1:fd use;
|
|
||||||
allow pam_console_t $1:fifo_file rw_file_perms;
|
allow $1 pam_console_t:fd use;
|
||||||
allow pam_console_t $1:process sigchld;
|
allow pam_console_t $1:fd use;
|
||||||
|
allow pam_console_t $1:fifo_file rw_file_perms;
|
||||||
|
allow pam_console_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_transition_depend',`
|
define(`authlogin_pam_console_transition_depend',`
|
||||||
type pam_console_t, pam_console_exec_t;
|
type pam_console_t, pam_console_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -451,15 +490,17 @@ class fifo_file rw_file_perms;
|
|||||||
# authlogin_pam_console_read_runtime_data_dir(domain)
|
# authlogin_pam_console_read_runtime_data_dir(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_read_runtime_data_dir',`
|
define(`authlogin_pam_console_read_runtime_data_dir',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
files_search_runtime_data_directory($1)
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 pam_var_console_t:dir { getattr search read };
|
files_search_runtime_data_directory($1)
|
||||||
|
allow $1 pam_var_console_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_read_runtime_data_dir_depend',`
|
define(`authlogin_pam_console_read_runtime_data_dir_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
class dir { getattr search read };
|
|
||||||
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -467,17 +508,19 @@ class dir { getattr search read };
|
|||||||
# authlogin_pam_console_read_runtime_data(domain)
|
# authlogin_pam_console_read_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_read_runtime_data',`
|
define(`authlogin_pam_console_read_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
files_search_runtime_data_directory($1)
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 pam_var_console_t:dir { getattr search read };
|
files_search_runtime_data_directory($1)
|
||||||
allow $1 pam_var_console_t:file { getattr read };
|
allow $1 pam_var_console_t:dir r_dir_perms;
|
||||||
|
allow $1 pam_var_console_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_read_runtime_data_depend',`
|
define(`authlogin_pam_console_read_runtime_data_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -485,19 +528,21 @@ class file { getattr read };
|
|||||||
# authlogin_pam_console_manage_runtime_data(domain)
|
# authlogin_pam_console_manage_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_pam_console_manage_runtime_data',`
|
define(`authlogin_pam_console_manage_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
files_search_runtime_data_directory($1)
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
|
files_search_runtime_data_directory($1)
|
||||||
allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
|
allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_pam_console_manage_runtime_data_depend',`
|
define(`authlogin_pam_console_manage_runtime_data_depend',`
|
||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
class lnk_file { create read getattr setattr link unlink rename };
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
class lnk_file { create read getattr setattr link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -518,12 +563,13 @@ class lnk_file { create read getattr setattr link unlink rename };
|
|||||||
#
|
#
|
||||||
|
|
||||||
define(`authlogin_relabel_all_files_except_shadow',`
|
define(`authlogin_relabel_all_files_except_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_relabel_all_files($1,$2 -shadow_t)
|
|
||||||
|
files_relabel_all_files($1,$2 -shadow_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_relabel_all_files_except_shadow_depend',`
|
define(`authlogin_relabel_all_files_except_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -544,12 +590,13 @@ type shadow_t;
|
|||||||
#
|
#
|
||||||
|
|
||||||
define(`authlogin_manage_all_files_except_shadow',`
|
define(`authlogin_manage_all_files_except_shadow',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_manage_all_files($1,$2 -shadow_t)
|
|
||||||
|
files_manage_all_files($1,$2 -shadow_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_manage_all_files_except_shadow_depend',`
|
define(`authlogin_manage_all_files_except_shadow_depend',`
|
||||||
type shadow_t;
|
type shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -564,23 +611,26 @@ type shadow_t;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_utempter_transition',`
|
define(`authlogin_utempter_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 utempter_exec_t:file { getattr read execute };
|
|
||||||
allow $1 utempter_t:process transition;
|
allow $1 utempter_exec_t:file { getattr read execute };
|
||||||
type_transition $1 utempter_exec_t:process utempter_t;
|
allow $1 utempter_t:process transition;
|
||||||
dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 utempter_exec_t:process utempter_t;
|
||||||
allow $1 utempter_t:fd use;
|
dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
|
||||||
allow utempter_t $1:fd use;
|
|
||||||
allow utempter_t $1:fifo_file rw_file_perms;
|
allow $1 utempter_t:fd use;
|
||||||
allow utempter_t $1:process sigchld;
|
allow utempter_t $1:fd use;
|
||||||
|
allow utempter_t $1:fifo_file rw_file_perms;
|
||||||
|
allow utempter_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_utempter_transition_depend',`
|
define(`authlogin_utempter_transition_depend',`
|
||||||
type utempter_t, utempter_exec_t;
|
type utempter_t, utempter_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -601,15 +651,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`authlogin_utempter_transition_add_role_use_terminal',`
|
define(`authlogin_utempter_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
authlogin_utempter_transition($1)
|
|
||||||
role $2 types utempter_t;
|
authlogin_utempter_transition($1)
|
||||||
allow utempter_t $3:chr_file { getattr read write ioctl };
|
role $2 types utempter_t;
|
||||||
|
allow utempter_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
|
define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
|
||||||
type utempter_t;
|
type utempter_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -617,14 +669,16 @@ class chr_file { getattr read write ioctl };
|
|||||||
# authlogin_read_login_records(domain)
|
# authlogin_read_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_read_login_records',`
|
define(`authlogin_read_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
logging_search_system_log_directory($1)
|
|
||||||
allow $1 wtmp_t:file { getattr read };
|
logging_search_system_log_directory($1)
|
||||||
|
allow $1 wtmp_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_login_records_depend',`
|
define(`authlogin_read_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -632,13 +686,15 @@ class file { getattr read };
|
|||||||
# authlogin_ignore_write_login_records(domain)
|
# authlogin_ignore_write_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_ignore_write_login_records',`
|
define(`authlogin_ignore_write_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 wtmp_t:file write;
|
|
||||||
|
dontaudit $1 wtmp_t:file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_read_login_records_depend',`
|
define(`authlogin_read_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
class file write;
|
|
||||||
|
class file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -646,14 +702,15 @@ class file write;
|
|||||||
# authlogin_modify_login_records(domain)
|
# authlogin_modify_login_records(domain)
|
||||||
#
|
#
|
||||||
define(`authlogin_modify_login_records',`
|
define(`authlogin_modify_login_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
logging_search_system_log_directory($1)
|
|
||||||
allow $1 wtmp_t:file { getattr read write append setattr lock };
|
allow $1 wtmp_t:file rw_file_perms;
|
||||||
|
logging_search_system_log_directory($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`authlogin_modify_login_records_depend',`
|
define(`authlogin_modify_login_records_depend',`
|
||||||
type wtmp_t;
|
type wtmp_t;
|
||||||
class file { getattr read write append setattr lock };
|
class file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -109,13 +109,13 @@ logging_send_system_log_message(pam_t)
|
|||||||
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
|
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
|
||||||
|
|
||||||
optional_policy(`locallogin.te',`
|
optional_policy(`locallogin.te',`
|
||||||
locallogin_use_file_descriptors(pam_t)
|
locallogin_use_file_descriptors(pam_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
can_ypbind(pam_t)
|
can_ypbind(pam_t)
|
||||||
ifdef(`automount.te', `
|
ifdef(`automount.te', `
|
||||||
allow pam_t autofs_t:dir { search getattr };
|
allow pam_t autofs_t:dir { search getattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
||||||
@ -171,18 +171,18 @@ selinux_read_file_contexts(pam_console_t)
|
|||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
|
||||||
|
|
||||||
tunable_policy(`direct_sysadm_daemon', `
|
tunable_policy(`direct_sysadm_daemon', `
|
||||||
dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
|
dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(pam_console_t)
|
terminal_ignore_use_general_physical_terminal(pam_console_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
||||||
files_ignore_read_rootfs_file(pam_console_t)
|
files_ignore_read_rootfs_file(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te', `
|
optional_policy(`hotplug.te', `
|
||||||
hotplug_use_file_descriptors(pam_console_t)
|
hotplug_use_file_descriptors(pam_console_t)
|
||||||
hotplug_ignore_search_config_directory(pam_console_t)
|
hotplug_ignore_search_config_directory(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
@ -190,14 +190,14 @@ selinux_newrole_sigchld(pam_console_t)
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(pam_console_t)
|
udev_read_database(pam_console_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
optional_policy(`rhgb.te', `
|
optional_policy(`rhgb.te', `
|
||||||
allow pam_console_t rhgb_t:process sigchld;
|
allow pam_console_t rhgb_t:process sigchld;
|
||||||
allow pam_console_t rhgb_t:fd use;
|
allow pam_console_t rhgb_t:fd use;
|
||||||
allow pam_console_t rhgb_t:fifo_file { read write };
|
allow pam_console_t rhgb_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
allow pam_console_t autofs_t:dir { search getattr };
|
allow pam_console_t autofs_t:dir { search getattr };
|
||||||
|
|
||||||
@ -215,11 +215,11 @@ scsi_generic_device_t
|
|||||||
}:chr_file { getattr setattr };
|
}:chr_file { getattr setattr };
|
||||||
|
|
||||||
ifdef(`gpm.te', `
|
ifdef(`gpm.te', `
|
||||||
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te', `
|
||||||
allow pam_console_t xdm_var_run_t:file { getattr read };
|
allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||||
')
|
')
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
@ -254,14 +254,14 @@ miscfiles_read_localization(system_chkpwd_t)
|
|||||||
selinux_read_config(system_chkpwd_t)
|
selinux_read_config(system_chkpwd_t)
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
|
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
|
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
|
||||||
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
|
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
|
||||||
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
|
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
|
||||||
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
|
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
|
||||||
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
|
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
|
||||||
sysnetwork_read_network_config(system_chkpwd_t)
|
sysnetwork_read_network_config(system_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -270,7 +270,7 @@ can_kerberos(system_chkpwd_t)
|
|||||||
can_ldap(system_chkpwd_t)
|
can_ldap(system_chkpwd_t)
|
||||||
|
|
||||||
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
||||||
')
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_transition',`
|
define(`clock_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hwclock_exec_t:file { getattr read execute };
|
|
||||||
allow $1 hwclock_t:process transition;
|
allow $1 hwclock_exec_t:file { getattr read execute };
|
||||||
type_transition $1 hwclock_exec_t:process hwclock_t;
|
allow $1 hwclock_t:process transition;
|
||||||
dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 hwclock_exec_t:process hwclock_t;
|
||||||
allow $1 hwclock_t:fd use;
|
dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
|
||||||
allow hwclock_t $1:fd use;
|
|
||||||
allow hwclock_t $1:fifo_file rw_file_perms;
|
allow $1 hwclock_t:fd use;
|
||||||
allow hwclock_t $1:process sigchld;
|
allow hwclock_t $1:fd use;
|
||||||
|
allow hwclock_t $1:fifo_file rw_file_perms;
|
||||||
|
allow hwclock_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_transition_depend',`
|
define(`clock_transition_depend',`
|
||||||
type hwclock_t, hwclock_exec_t;
|
type hwclock_t, hwclock_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_transition_add_role_use_terminal',`
|
define(`clock_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
clock_transition($1)
|
|
||||||
role $2 types hwclock_t;
|
clock_transition($1)
|
||||||
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
role $2 types hwclock_t;
|
||||||
|
allow hwclock_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_transition_add_role_use_terminal_depend',`
|
define(`clock_transition_add_role_use_terminal_depend',`
|
||||||
type hwclock_t;
|
type hwclock_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -67,13 +72,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# clock_execute(domain)
|
# clock_execute(domain)
|
||||||
#
|
#
|
||||||
define(`clock_execute',`
|
define(`clock_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_execute_depend',`
|
define(`clock_execute_depend',`
|
||||||
type hwclock_exec_t;
|
type hwclock_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -81,14 +88,16 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# clock_modify_drift_records(domain)
|
# clock_modify_drift_records(domain)
|
||||||
#
|
#
|
||||||
define(`clock_modify_drift_records',`
|
define(`clock_modify_drift_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 adjtime_t:file { getattr read write ioctl lock append };
|
|
||||||
files_read_general_system_config_directory($1)
|
allow $1 adjtime_t:file { getattr read write ioctl lock append };
|
||||||
|
files_read_general_system_config_directory($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`clock_modify_drift_records_depend',`
|
define(`clock_modify_drift_records_depend',`
|
||||||
type adjtime_t;
|
type adjtime_t;
|
||||||
class file { getattr read write ioctl lock append };
|
|
||||||
|
class file { getattr read write ioctl lock append };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -58,21 +58,21 @@ logging_send_system_log_message(hwclock_t)
|
|||||||
miscfiles_read_localization(hwclock_t)
|
miscfiles_read_localization(hwclock_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(hwclock_t)
|
terminal_ignore_use_general_physical_terminal(hwclock_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hwclock_t)
|
terminal_ignore_use_general_pseudoterminal(hwclock_t)
|
||||||
files_ignore_read_rootfs_file(hwclock_t)
|
files_ignore_read_rootfs_file(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(hwclock_t)
|
selinux_newrole_sigchld(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(hwclock_t)
|
udev_read_database(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`userdomain.te',`
|
optional_policy(`userdomain.te',`
|
||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -9,12 +9,13 @@
|
|||||||
# corecommands_make_shell_entrypoint(domain)
|
# corecommands_make_shell_entrypoint(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_make_shell_entrypoint',`
|
define(`corecommands_make_shell_entrypoint',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
domain_make_entrypoint_file($1,shell_exec_t)
|
|
||||||
|
domain_make_entrypoint_file($1,shell_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_make_shell_entrypoint_depend',`
|
define(`corecommands_make_shell_entrypoint_depend',`
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -22,13 +23,15 @@ type shell_exec_t;
|
|||||||
# corecommands_search_general_programs_directory(domain)
|
# corecommands_search_general_programs_directory(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_search_general_programs_directory',`
|
define(`corecommands_search_general_programs_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir search;
|
|
||||||
|
allow $1 bin_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_search_general_programs_directory_depend',`
|
define(`corecommands_search_general_programs_directory_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
class dir search;
|
|
||||||
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -36,13 +39,15 @@ class dir search;
|
|||||||
# corecommands_read_general_programs_directory(domain)
|
# corecommands_read_general_programs_directory(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_read_general_programs_directory',`
|
define(`corecommands_read_general_programs_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir { getattr search read };
|
|
||||||
|
allow $1 bin_t:dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_read_general_programs_directory_depend',`
|
define(`corecommands_read_general_programs_directory_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
class dir { getattr search read };
|
|
||||||
|
class dir { getattr search read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -50,17 +55,19 @@ class dir { getattr search read };
|
|||||||
# corecommands_execute_general_programs(domain)
|
# corecommands_execute_general_programs(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_general_programs',`
|
define(`corecommands_execute_general_programs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir { getattr search read };
|
|
||||||
allow $1 bin_t:lnk_file { getattr read };
|
allow $1 bin_t:dir { getattr search read };
|
||||||
allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
|
allow $1 bin_t:lnk_file { getattr read };
|
||||||
|
allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_general_programs_depend',`
|
define(`corecommands_execute_general_programs_depend',`
|
||||||
type bin_t;
|
type bin_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr search read };
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -68,13 +75,15 @@ class file { getattr read ioctl lock execute execute_no_trans };
|
|||||||
# corecommands_search_system_programs_directory(domain)
|
# corecommands_search_system_programs_directory(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_search_system_programs_directory',`
|
define(`corecommands_search_system_programs_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sbin_t:dir search;
|
|
||||||
|
allow $1 sbin_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_search_system_programs_directory_depend',`
|
define(`corecommands_search_system_programs_directory_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
class dir search;
|
|
||||||
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -82,13 +91,15 @@ class dir search;
|
|||||||
# corecommands_read_system_programs_directory(domain)
|
# corecommands_read_system_programs_directory(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_read_system_programs_directory',`
|
define(`corecommands_read_system_programs_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sbin_t:dir r_dir_perms;
|
|
||||||
|
allow $1 sbin_t:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_read_system_programs_directory_depend',`
|
define(`corecommands_read_system_programs_directory_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -96,13 +107,15 @@ class dir r_dir_perms;
|
|||||||
# corecommands_ignore_get_system_programs_attributes(domain)
|
# corecommands_ignore_get_system_programs_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_ignore_get_system_programs_attributes',`
|
define(`corecommands_ignore_get_system_programs_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sbin_t:file getattr;
|
|
||||||
|
allow $1 sbin_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_ignore_get_system_programs_attributes_depend',`
|
define(`corecommands_ignore_get_system_programs_attributes_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
class file getattr;
|
|
||||||
|
class file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -110,17 +123,19 @@ class file getattr;
|
|||||||
# corecommands_execute_system_programs(domain)
|
# corecommands_execute_system_programs(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_system_programs',`
|
define(`corecommands_execute_system_programs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 sbin_t:dir { getattr search read };
|
|
||||||
allow $1 sbin_t:lnk_file { getattr read };
|
allow $1 sbin_t:dir { getattr search read };
|
||||||
allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
|
allow $1 sbin_t:lnk_file { getattr read };
|
||||||
|
allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_system_programs_depend',`
|
define(`corecommands_execute_system_programs_depend',`
|
||||||
type sbin_t;
|
type sbin_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr search read };
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -128,17 +143,19 @@ class file { getattr read ioctl lock execute execute_no_trans };
|
|||||||
# corecommands_execute_shell(domain)
|
# corecommands_execute_shell(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_shell',`
|
define(`corecommands_execute_shell',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
|
||||||
allow $1 bin_t:lnk_file { getattr read };
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
allow $1 bin_t:lnk_file { getattr read };
|
||||||
|
allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_shell_depend',`
|
define(`corecommands_execute_shell_depend',`
|
||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file { getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read lock ioctl execute execute_no_trans };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read lock ioctl execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -146,17 +163,19 @@ class file { getattr read lock ioctl execute execute_no_trans };
|
|||||||
# corecommands_execute_ls(domain)
|
# corecommands_execute_ls(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_execute_ls',`
|
define(`corecommands_execute_ls',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir r_dir_perms;
|
|
||||||
allow $1 bin_t:lnk_file { getattr read };
|
allow $1 bin_t:dir r_dir_perms;
|
||||||
allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
allow $1 bin_t:lnk_file { getattr read };
|
||||||
|
allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_execute_shell_depend',`
|
define(`corecommands_execute_shell_depend',`
|
||||||
type bin_t, ls_exec_t;
|
type bin_t, ls_exec_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file { getattr read };
|
class dir r_dir_perms;
|
||||||
class file { getattr read lock ioctl execute execute_no_trans };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read lock ioctl execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -176,26 +195,29 @@ class file { getattr read lock ioctl execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecommands_shell_explicit_transition',`
|
define(`corecommands_shell_explicit_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 bin_t:dir { getattr search read };
|
|
||||||
allow $1 bin_t:lnk_file { getattr read };
|
allow $1 bin_t:dir { getattr search read };
|
||||||
allow $1 shell_exec_t:file { getattr read execute };
|
allow $1 bin_t:lnk_file { getattr read };
|
||||||
allow $1 $2:process transition;
|
allow $1 shell_exec_t:file { getattr read execute };
|
||||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
allow $1 $2:process transition;
|
||||||
allow $1 $2:fd use;
|
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||||
allow $2 $1:fd use;
|
|
||||||
allow $2 $1:fifo_file rw_file_perms;
|
allow $1 $2:fd use;
|
||||||
allow $2 $1:process sigchld;
|
allow $2 $1:fd use;
|
||||||
|
allow $2 $1:fifo_file rw_file_perms;
|
||||||
|
allow $2 $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_shell_explicit_transition_depend',`
|
define(`corecommands_shell_explicit_transition_depend',`
|
||||||
type bin_t, shell_exec_t;
|
type bin_t, shell_exec_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr search read };
|
||||||
class file { getattr read execute };
|
class lnk_file { getattr read };
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -213,13 +235,14 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`corecommands_shell_transition',`
|
define(`corecommands_shell_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
corecommands_shell_explicit_transition($1,$2)
|
|
||||||
type_transition $1 shell_exec_t:process $2;
|
corecommands_shell_explicit_transition($1,$2)
|
||||||
|
type_transition $1 shell_exec_t:process $2;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_shell_transition_depend',`
|
define(`corecommands_shell_transition_depend',`
|
||||||
type shell_exec_t;
|
type shell_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -227,16 +250,17 @@ type shell_exec_t;
|
|||||||
# corecommands_chroot(domain)
|
# corecommands_chroot(domain)
|
||||||
#
|
#
|
||||||
define(`corecommands_chroot',`
|
define(`corecommands_chroot',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
# could go to a generic chroot priv:
|
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
||||||
allow $1 self:capability sys_chroot;
|
allow $1 self:capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`corecommands_chroot_depend',`
|
define(`corecommands_chroot_depend',`
|
||||||
type chroot_exec_t;
|
type chroot_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
class capability sys_chroot;
|
class file { getattr read execute execute_no_trans };
|
||||||
|
class capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -6,24 +6,25 @@
|
|||||||
# domain_make_base_domain(domain)
|
# domain_make_base_domain(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_base_domain',`
|
define(`domain_make_base_domain',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
# mark as a domain
|
# mark as a domain
|
||||||
typeattribute $1 domain;
|
typeattribute $1 domain;
|
||||||
|
|
||||||
# allow the domain to read its /proc/pid entries
|
# allow the domain to read its /proc/pid entries
|
||||||
allow $1 self:dir { getattr search read };
|
allow $1 self:dir { getattr search read };
|
||||||
allow $1 self:{ file lnk_file } { getattr read write ioctl };
|
allow $1 self:{ file lnk_file } { getattr read write ioctl };
|
||||||
|
|
||||||
# allow $1 to create child processes in this domain
|
# allow $1 to create child processes in this domain
|
||||||
allow $1 self:process { fork sigchld };
|
allow $1 self:process { fork sigchld };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_base_domain_depend',`
|
define(`domain_make_base_domain_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read write ioctl };
|
class dir { getattr search read };
|
||||||
class lnk_file { getattr read };
|
class file { getattr read write ioctl };
|
||||||
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -31,26 +32,25 @@ class lnk_file { getattr read };
|
|||||||
# domain_make_domain(domain)
|
# domain_make_domain(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_domain',`
|
define(`domain_make_domain',`
|
||||||
|
# start with basic domain
|
||||||
|
domain_make_base_domain($1)
|
||||||
|
|
||||||
# start with basic domain
|
# Use trusted objects in /dev
|
||||||
domain_make_base_domain($1)
|
devices_use_dev_null($1)
|
||||||
|
devices_use_dev_zero($1)
|
||||||
|
terminal_use_controlling_terminal($1)
|
||||||
|
|
||||||
# Use trusted objects in /dev
|
# read the root directory
|
||||||
devices_use_dev_null($1)
|
files_read_root_dir($1)
|
||||||
devices_use_dev_zero($1)
|
|
||||||
terminal_use_controlling_terminal($1)
|
|
||||||
|
|
||||||
# read the root directory
|
# send init a sigchld
|
||||||
files_read_root_dir($1)
|
init_sigchld($1)
|
||||||
|
|
||||||
# send init a sigchld
|
# this seems highly questionable:
|
||||||
init_sigchld($1)
|
optional_policy(`rpm.te',`
|
||||||
|
rpm_use_file_descriptors($1)
|
||||||
# this seems highly questionable:
|
rpm_read_pipe($1)
|
||||||
optional_policy(`rpm.te',`
|
')
|
||||||
rpm_use_file_descriptors($1)
|
|
||||||
rpm_read_pipe($1)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -58,15 +58,17 @@ rpm_read_pipe($1)
|
|||||||
# domain_make_entrypoint_file(domain,entrypointfile)
|
# domain_make_entrypoint_file(domain,entrypointfile)
|
||||||
#
|
#
|
||||||
define(`domain_make_entrypoint_file',`
|
define(`domain_make_entrypoint_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 $2:file entrypoint;
|
|
||||||
files_make_file($2)
|
files_make_file($2)
|
||||||
typeattribute $2 entry_type;
|
allow $1 $2:file entrypoint;
|
||||||
|
typeattribute $2 entry_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_entrypoint_file_depend',`
|
define(`domain_make_entrypoint_file_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
class file entrypoint;
|
|
||||||
|
class file entrypoint;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,12 +76,13 @@ class file entrypoint;
|
|||||||
# domain_make_file_descriptors_widely_inheritable(domain)
|
# domain_make_file_descriptors_widely_inheritable(domain)
|
||||||
#
|
#
|
||||||
define(`domain_make_file_descriptors_widely_inheritable',`
|
define(`domain_make_file_descriptors_widely_inheritable',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
typeattribute $1 privfd;
|
|
||||||
|
typeattribute $1 privfd;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_make_file_descriptors_widely_inheritable_depend',`
|
define(`domain_make_file_descriptors_widely_inheritable_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -87,13 +90,15 @@ attribute privfd;
|
|||||||
# domain_use_widely_inheritable_file_descriptors(domain)
|
# domain_use_widely_inheritable_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`domain_use_widely_inheritable_file_descriptors',`
|
define(`domain_use_widely_inheritable_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 privfd:fd use;
|
|
||||||
|
allow $1 privfd:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_use_widely_inheritable_file_descriptors_depend',`
|
define(`domain_use_widely_inheritable_file_descriptors_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -101,13 +106,15 @@ class fd use;
|
|||||||
# domain_ignore_use_widely_inheritable_file_descriptors(domain)
|
# domain_ignore_use_widely_inheritable_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`domain_ignore_use_widely_inheritable_file_descriptors',`
|
define(`domain_ignore_use_widely_inheritable_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 privfd:fd use;
|
|
||||||
|
dontaudit $1 privfd:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
|
define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
|
||||||
attribute privfd;
|
attribute privfd;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -115,13 +122,15 @@ class fd use;
|
|||||||
# domain_set_all_domains_priorities(domain)
|
# domain_set_all_domains_priorities(domain)
|
||||||
#
|
#
|
||||||
define(`domain_set_all_domains_priorities',`
|
define(`domain_set_all_domains_priorities',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process setsched;
|
|
||||||
|
allow $1 domain:process setsched;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_set_all_domains_priorities_depend',`
|
define(`domain_set_all_domains_priorities_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process setsched;
|
|
||||||
|
class process setsched;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -136,13 +145,15 @@ class process setsched;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_signal_all_domains',`
|
define(`domain_signal_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process signal;
|
|
||||||
|
allow $1 domain:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_signal_all_domains_depend',`
|
define(`domain_signal_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process signal;
|
|
||||||
|
class process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -157,13 +168,15 @@ class process signal;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_signull_all_domains',`
|
define(`domain_signull_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process signull;
|
|
||||||
|
allow $1 domain:process signull;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_signull_all_domains_depend',`
|
define(`domain_signull_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process signull;
|
|
||||||
|
class process signull;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -178,13 +191,15 @@ class process signull;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_sigstop_all_domains',`
|
define(`domain_sigstop_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process sigstop;
|
|
||||||
|
allow $1 domain:process sigstop;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_sigstop_all_domains_depend',`
|
define(`domain_sigstop_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process sigstop;
|
|
||||||
|
class process sigstop;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -199,13 +214,15 @@ class process sigstop;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_sigchld_all_domains',`
|
define(`domain_sigchld_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process sigchld;
|
|
||||||
|
allow $1 domain:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_sigchld_all_domains_depend',`
|
define(`domain_sigchld_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process sigchld;
|
|
||||||
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -220,15 +237,17 @@ class process sigchld;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_kill_all_domains',`
|
define(`domain_kill_all_domains',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process sigkill;
|
|
||||||
allow $1 self:capability kill;
|
allow $1 domain:process sigkill;
|
||||||
|
allow $1 self:capability kill;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_kill_all_domains_depend',`
|
define(`domain_kill_all_domains_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process sigkill;
|
|
||||||
class capability kill;
|
class process sigkill;
|
||||||
|
class capability kill;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -243,24 +262,27 @@ class capability kill;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_read_all_domains_process_state',`
|
define(`domain_read_all_domains_process_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:dir { getattr search read };
|
|
||||||
allow $1 domain:lnk_file { getattr read };
|
allow $1 domain:dir { getattr search read };
|
||||||
allow $1 domain:file { getattr read };
|
allow $1 domain:lnk_file { getattr read };
|
||||||
allow $1 domain:process getattr;
|
allow $1 domain:file { getattr read };
|
||||||
# We need to suppress this denial because procps tries to access
|
allow $1 domain:process getattr;
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
# We need to suppress this denial because procps tries to access
|
||||||
# running in a privileged domain.
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||||
dontaudit $1 domain:process ptrace;
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||||
|
# running in a privileged domain.
|
||||||
|
dontaudit $1 domain:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_read_all_domains_process_state_depend',`
|
define(`domain_read_all_domains_process_state_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class dir { getattr search read };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr search read };
|
||||||
class file { getattr read };
|
class lnk_file { getattr read };
|
||||||
class process { getattr ptrace };
|
class file { getattr read };
|
||||||
|
class process { getattr ptrace };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -276,13 +298,15 @@ class process { getattr ptrace };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_read_all_domains_process_dirs',`
|
define(`domain_ignore_read_all_domains_process_dirs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 domain:dir r_dir_perms;
|
|
||||||
|
dontaudit $1 domain:dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class dir r_dir_perms;
|
|
||||||
|
class dir r_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
@ -298,13 +322,15 @@ class dir r_dir_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_get_all_domains_session_id',`
|
define(`domain_get_all_domains_session_id',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 domain:process getsession;
|
|
||||||
|
allow $1 domain:process getsession;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_get_all_domains_session_id_depend',`
|
define(`domain_get_all_domains_session_id_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class process getsession;
|
|
||||||
|
class process getsession;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -320,13 +346,15 @@ class process getsession;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_udp_socket_attributes',`
|
define(`domain_ignore_get_all_domains_udp_socket_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 domain:udp_socket getattr;
|
|
||||||
|
dontaudit $1 domain:udp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
|
define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class udp_socket getattr;
|
|
||||||
|
class udp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -342,13 +370,15 @@ class udp_socket getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
|
define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 domain:tcp_socket getattr;
|
|
||||||
|
dontaudit $1 domain:tcp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
|
define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class tcp_socket getattr;
|
|
||||||
|
class tcp_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -364,13 +394,15 @@ class tcp_socket getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
|
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 domain:unix_dgram_socket getattr;
|
|
||||||
|
dontaudit $1 domain:unix_dgram_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
|
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class unix_dgram_socket getattr;
|
|
||||||
|
class unix_dgram_socket getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -386,13 +418,15 @@ class unix_dgram_socket getattr;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`domain_ignore_get_all_domains_pipe_attributes',`
|
define(`domain_ignore_get_all_domains_pipe_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 domain:fifo_file getattr;
|
|
||||||
|
dontaudit $1 domain:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
|
define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
class fifo_file getattr;
|
|
||||||
|
class fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -400,13 +434,15 @@ class fifo_file getattr;
|
|||||||
# domain_execute_all_entrypoint_programs(domain)
|
# domain_execute_all_entrypoint_programs(domain)
|
||||||
#
|
#
|
||||||
define(`domain_execute_all_entrypoint_programs',`
|
define(`domain_execute_all_entrypoint_programs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
|
|
||||||
|
allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_execute_all_entrypoint_programs_depend',`
|
define(`domain_execute_all_entrypoint_programs_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
class file { getattr read ioctl lock execute execute_no_trans };
|
|
||||||
|
class file { getattr read ioctl lock execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -414,15 +450,17 @@ class file { getattr read ioctl lock execute execute_no_trans };
|
|||||||
# domain_read_all_entrypoint_programs(domain)
|
# domain_read_all_entrypoint_programs(domain)
|
||||||
#
|
#
|
||||||
define(`domain_read_all_entrypoint_programs',`
|
define(`domain_read_all_entrypoint_programs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 entry_type:lnk_file { getattr read };
|
|
||||||
allow $1 entry_type:file r_file_perms;
|
allow $1 entry_type:lnk_file { getattr read };
|
||||||
|
allow $1 entry_type:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`domain_read_all_entrypoint_programs_depend',`
|
define(`domain_read_all_entrypoint_programs_depend',`
|
||||||
attribute entry_type;
|
attribute entry_type;
|
||||||
class file r_file_perms;
|
|
||||||
class lnk_file { getattr read };
|
class file r_file_perms;
|
||||||
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
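Review bot: In `domain_make_base_domain` the rule `allow $1 self:{ file lnk_file } { getattr read write ioctl };` grants write and ioctl on lnk_file, but the matching `domain_make_base_domain_depend` block declares only `class lnk_file { getattr read };`, so the dependency declaration no longer describes the rule it backs. The comment above the rule says the intent is reading the domain's /proc/pid entries, so the least-privilege fix is to split it to match the declaration: `allow $1 self:file { getattr read write ioctl };` and `allow $1 self:lnk_file { getattr read };`. If the wider set on lnk_file really is wanted, the depend block should instead say `class lnk_file { getattr read write ioctl };`. Separately, `domain_read_all_domains_process_state` still spells out `{ getattr search read }` and `{ getattr read }` where `r_dir_perms` and `r_file_perms` are now used elsewhere in this file, which reads as an incomplete pass of the perm-set conversion the commit describes; if the narrower literal sets are deliberate, a short comment saying so would keep a later cleanup from silently widening them.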
|
@ -4,23 +4,26 @@
|
|||||||
# getty_transition(domain)
|
# getty_transition(domain)
|
||||||
#
|
#
|
||||||
define(`getty_transition',`
|
define(`getty_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 getty_exec_t:file { getattr read execute };
|
|
||||||
allow $1 getty_t:process transition;
|
allow $1 getty_exec_t:file { getattr read execute };
|
||||||
type_transition $1 getty_exec_t:process getty_t;
|
allow $1 getty_t:process transition;
|
||||||
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 getty_exec_t:process getty_t;
|
||||||
allow $1 getty_t:fd use;
|
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
|
||||||
allow getty_t $1:fd use;
|
|
||||||
allow getty_t $1:fifo_file rw_file_perms;
|
allow $1 getty_t:fd use;
|
||||||
allow getty_t $1:process sigchld;
|
allow getty_t $1:fd use;
|
||||||
|
allow getty_t $1:fifo_file rw_file_perms;
|
||||||
|
allow getty_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_transition_depend',`
|
define(`getty_transition_depend',`
|
||||||
type getty_t, getty_exec_t;
|
type getty_t, getty_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
|
|||||||
# getty_read_log_file(domain)
|
# getty_read_log_file(domain)
|
||||||
#
|
#
|
||||||
define(`getty_read_log_file',`
|
define(`getty_read_log_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 getty_log_t:file { getattr read };
|
|
||||||
|
allow $1 getty_log_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_log_file_depend',`
|
define(`getty_read_log_file_depend',`
|
||||||
type getty_log_t;
|
type getty_log_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -42,13 +47,15 @@ class file { getattr read };
|
|||||||
# getty_read_config_file(domain)
|
# getty_read_config_file(domain)
|
||||||
#
|
#
|
||||||
define(`getty_read_config_file',`
|
define(`getty_read_config_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 getty_etc_t:file { getattr read };
|
|
||||||
|
allow $1 getty_etc_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_read_config_file_depend',`
|
define(`getty_read_config_file_depend',`
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -56,11 +63,13 @@ class file { getattr read };
|
|||||||
# getty_modify_config_file(domain)
|
# getty_modify_config_file(domain)
|
||||||
#
|
#
|
||||||
define(`getty_modify_config_file',`
|
define(`getty_modify_config_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 getty_etc_t:file { getattr read write };
|
|
||||||
|
allow $1 getty_etc_t:file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`getty_modify_config_file_depend',`
|
define(`getty_modify_config_file_depend',`
|
||||||
type getty_etc_t;
|
type getty_etc_t;
|
||||||
class file { getattr read write };
|
|
||||||
|
class file { getattr read write };
|
||||||
')
|
')
|
||||||
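Review bot: `getty_read_log_file` and `getty_read_config_file` keep the literal `{ getattr read }` on file while the same section already relies on the `rw_file_perms` set in `getty_transition` and `getty_transition_depend`, so the perm-set conversion named in the commit title looks only partly applied here. If the narrower literal set is deliberate (what `r_file_perms` expands to is not visible on this page, and it may include more than read access), a one-line comment such as `# deliberately narrower than r_file_perms: read-only access to the log/config file` above those rules would record that choice. Whichever way it goes, the `_depend` blocks need to be updated in step so the declared requirement matches the rule.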
|
@ -14,23 +14,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_transition',`
|
define(`hostname_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hostname_exec_t:file { getattr read execute };
|
|
||||||
allow $1 hostname_t:process transition;
|
allow $1 hostname_exec_t:file { getattr read execute };
|
||||||
type_transition $1 hostname_exec_t:process hostname_t;
|
allow $1 hostname_t:process transition;
|
||||||
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 hostname_exec_t:process hostname_t;
|
||||||
allow $1 hostname_t:fd use;
|
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
|
||||||
allow hostname_t $1:fd use;
|
|
||||||
allow hostname_t $1:fifo_file rw_file_perms;
|
allow $1 hostname_t:fd use;
|
||||||
allow hostname_t $1:process sigchld;
|
allow hostname_t $1:fd use;
|
||||||
|
allow hostname_t $1:fifo_file rw_file_perms;
|
||||||
|
allow hostname_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_transition_depend',`
|
define(`hostname_transition_depend',`
|
||||||
type hostname_t, hostname_exec_t;
|
type hostname_t, hostname_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_transition_add_role_use_terminal',`
|
define(`hostname_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
hostname_transition($1)
|
|
||||||
role $2 types hostname_t;
|
hostname_transition($1)
|
||||||
allow hostname_t $3:chr_file { getattr read write ioctl };
|
role $2 types hostname_t;
|
||||||
|
allow hostname_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_transition_add_role_use_terminal_depend',`
|
define(`hostname_transition_add_role_use_terminal_depend',`
|
||||||
type hostname_t;
|
type hostname_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# hostname_execute(domain)
|
# hostname_execute(domain)
|
||||||
#
|
#
|
||||||
define(`hostname_execute',`
|
define(`hostname_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hostname_execute_depend',`
|
define(`hostname_execute_depend',`
|
||||||
type hostname_exec_t;
|
type hostname_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
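Review bot: `hostname_execute` (hunk `@ -69,13 +74,15`) grants `execute_no_trans` on hostname_exec_t with no `type_transition`, so the caller keeps running the hostname binary in its own domain and must itself hold whatever permissions that run needs; the header comment `# hostname_execute(domain)` does not say this, and only the permission bits distinguish it from `hostname_transition`. Suggest expanding the header to `# hostname_execute(domain): run hostname in the caller's domain, no transition into hostname_t; the caller needs its own privileges for what hostname does`. `hostname_transition_add_role_use_terminal` takes three arguments (`$1` domain, `$2` role, `$3` terminal type) but its description block sits above the hunk; if it is documented as `(domain)` only, all three should be listed.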
@ -55,36 +55,36 @@ miscfiles_read_localization(hostname_t)
|
|||||||
userdomain_use_all_users_file_descriptors(hostname_t)
|
userdomain_use_all_users_file_descriptors(hostname_t)
|
||||||
|
|
||||||
tunable_policy(`distro_redhat', `
|
tunable_policy(`distro_redhat', `
|
||||||
filesystem_use_tmpfs_character_devices(hostname_t)
|
filesystem_use_tmpfs_character_devices(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(hostname_t)
|
terminal_ignore_use_general_physical_terminal(hostname_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hostname_t)
|
terminal_ignore_use_general_pseudoterminal(hostname_t)
|
||||||
files_ignore_read_rootfs_file(hostname_t)
|
files_ignore_read_rootfs_file(hostname_t)
|
||||||
')dnl end targeted_policy tunable
|
')
|
||||||
|
|
||||||
tunable_policy(`use_dns',`
|
tunable_policy(`use_dns',`
|
||||||
allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
|
corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
|
corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
|
||||||
corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
|
corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
|
||||||
corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
|
corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
|
||||||
corenetwork_bind_udp_on_all_nodes(hostname_t)
|
corenetwork_bind_udp_on_all_nodes(hostname_t)
|
||||||
corenetwork_sendrecv_udp_on_dns_port(hostname_t)
|
corenetwork_sendrecv_udp_on_dns_port(hostname_t)
|
||||||
sysnetwork_read_network_config(hostname_t)
|
sysnetwork_read_network_config(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_ignore_use_file_descriptors(hostname_t)
|
hotplug_ignore_use_file_descriptors(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(hostname_t)
|
selinux_newrole_sigchld(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(hostname_t)
|
udev_read_database(hostname_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
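Review bot: Inside the `use_dns` tunable, `corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)` and `corenetwork_sendrecv_raw_on_all_nodes(hostname_t)` open raw-IP traffic on every interface and node, which is wider than UDP name lookups need; nothing in this hunk gives hostname_t a rawip_socket of its own, so these two calls look either unreachable or intended for something the block does not explain. Suggest dropping the two raw lines, or adding a comment above them stating why raw access is required for DNS here. The `allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };` line is also a candidate for the perm-set macros this commit is moving to, if a matching set such as `create_socket_perms` is defined in this policy.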
@ -9,23 +9,26 @@
|
|||||||
# hotplug_transition(domain)
|
# hotplug_transition(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_transition',`
|
define(`hotplug_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hotplug_exec_t:file { getattr read execute };
|
|
||||||
allow $1 hotplug_t:process transition;
|
allow $1 hotplug_exec_t:file { getattr read execute };
|
||||||
type_transition $1 hotplug_exec_t:process hotplug_t;
|
allow $1 hotplug_t:process transition;
|
||||||
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 hotplug_exec_t:process hotplug_t;
|
||||||
allow $1 hotplug_t:fd use;
|
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
|
||||||
allow hotplug_t $1:fd use;
|
|
||||||
allow hotplug_t $1:fifo_file rw_file_perms;
|
allow $1 hotplug_t:fd use;
|
||||||
allow hotplug_t $1:process sigchld;
|
allow hotplug_t $1:fd use;
|
||||||
|
allow hotplug_t $1:fifo_file rw_file_perms;
|
||||||
|
allow hotplug_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_transition_depend',`
|
define(`hotplug_transition_depend',`
|
||||||
type hotplug_t, hotplug_exec_t;
|
type hotplug_t, hotplug_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -33,13 +36,15 @@ class fifo_file rw_file_perms;
|
|||||||
# hotplug_execute(domain)
|
# hotplug_execute(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_execute',`
|
define(`hotplug_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_execute_depend',`
|
define(`hotplug_execute_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -47,13 +52,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# hotplug_use_file_descriptors(domain)
|
# hotplug_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_use_file_descriptors',`
|
define(`hotplug_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 hotplug_t:fd use;
|
|
||||||
|
allow $1 hotplug_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_use_file_descriptors_depend',`
|
define(`hotplug_use_file_descriptors_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -61,13 +68,15 @@ class fd use;
|
|||||||
# hotplug_ignore_use_file_descriptors(domain)
|
# hotplug_ignore_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_ignore_use_file_descriptors',`
|
define(`hotplug_ignore_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 hotplug_t:fd use;
|
|
||||||
|
dontaudit $1 hotplug_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_ignore_use_file_descriptors_depend',`
|
define(`hotplug_ignore_use_file_descriptors_depend',`
|
||||||
type hotplug_t;
|
type hotplug_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -75,13 +84,15 @@ class fd use;
|
|||||||
# hotplug_ignore_search_config_directory(domain)
|
# hotplug_ignore_search_config_directory(domain)
|
||||||
#
|
#
|
||||||
define(`hotplug_ignore_search_config_directory',`
|
define(`hotplug_ignore_search_config_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 hotplug_etc_t:dir search;
|
|
||||||
|
dontaudit $1 hotplug_etc_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_ignore_search_config_directory_depend',`
|
define(`hotplug_ignore_search_config_directory_depend',`
|
||||||
type hotplug_etc_t;
|
type hotplug_etc_t;
|
||||||
class dir search;
|
|
||||||
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -96,18 +107,20 @@ class dir search;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hotplug_read_config',`
|
define(`hotplug_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_general_system_config_directory($1)
|
|
||||||
allow $1 hotplug_etc_t:file { read getattr lock ioctl };
|
files_search_general_system_config_directory($1)
|
||||||
allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
|
allow $1 hotplug_etc_t:file { read getattr lock ioctl };
|
||||||
allow $1 hotplug_etc_t:lnk_file { getattr read };
|
allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
|
||||||
|
allow $1 hotplug_etc_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`hotplug_read_config_depend',`
|
define(`hotplug_read_config_depend',`
|
||||||
type hotplug_etc_t;
|
type hotplug_etc_t;
|
||||||
class file { read getattr lock ioctl };
|
|
||||||
class dir { read getattr lock search ioctl };
|
class file { read getattr lock ioctl };
|
||||||
class lnk_file { getattr read };
|
class dir { read getattr lock search ioctl };
|
||||||
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
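Review bot: `hotplug_execute_depend` (hunk `@ -33,13 +36,15`) declares `type hotplug_t;` but the interface body only references `hotplug_exec_t`, so the requires block names a type the rule does not use and omits the one it does; change it to `type hotplug_exec_t;`, matching `hostname_execute_depend` elsewhere in this commit. Whether the template tooling rejects the missing declaration or silently proceeds is not visible here, but the mismatch is.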
@ -109,60 +109,60 @@ sysnetwork_read_network_config(hotplug_t)
|
|||||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
|
||||||
|
|
||||||
tunable_policy(`distro_redhat', `
|
tunable_policy(`distro_redhat', `
|
||||||
optional_policy(`netutils.te', `
|
optional_policy(`netutils.te', `
|
||||||
# for arping used for static IP addresses on PCMCIA ethernet
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
netutils_transition(hotplug_t)
|
netutils_transition(hotplug_t)
|
||||||
filesystem_use_tmpfs_character_devices(hotplug_t)
|
filesystem_use_tmpfs_character_devices(hotplug_t)
|
||||||
') dnl endif netutils optional
|
')
|
||||||
files_get_system_lock_file_attributes(hotplug_t)
|
files_get_system_lock_file_attributes(hotplug_t)
|
||||||
')dnl end distro_redhat tunable
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(hotplug_t)
|
terminal_ignore_use_general_physical_terminal(hotplug_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(hotplug_t)
|
terminal_ignore_use_general_pseudoterminal(hotplug_t)
|
||||||
files_ignore_read_rootfs_file(hotplug_t)
|
files_ignore_read_rootfs_file(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_transition(hotplug_t)
|
consoletype_transition(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_execute(hotplug_t)
|
hostname_execute(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`iptables.te',`
|
optional_policy(`iptables.te',`
|
||||||
iptables_transition(hotplug_t)
|
iptables_transition(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mta.te', `
|
optional_policy(`mta.te', `
|
||||||
mta_send_mail(hotplug_t)
|
mta_send_mail(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(hotplug_t)
|
selinux_newrole_sigchld(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_ifconfig_transition(hotplug_t)
|
sysnetwork_ifconfig_transition(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_transition(hotplug_t)
|
udev_transition(hotplug_t)
|
||||||
udev_read_database(hotplug_t)
|
udev_read_database(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`updfstab.te', `
|
optional_policy(`updfstab.te', `
|
||||||
updfstab_transition(hotplug_t)
|
updfstab_transition(hotplug_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow hotplug_t autofs_t:dir { search getattr };
|
allow hotplug_t autofs_t:dir { search getattr };
|
||||||
dontaudit hotplug_t sysadm_home_dir_t:dir search;
|
dontaudit hotplug_t sysadm_home_dir_t:dir search;
|
||||||
optional_policy(`rhgb.te', `
|
optional_policy(`rhgb.te', `
|
||||||
allow hotplug_t rhgb_t:process sigchld;
|
allow hotplug_t rhgb_t:process sigchld;
|
||||||
allow hotplug_t rhgb_t:fd use;
|
allow hotplug_t rhgb_t:fd use;
|
||||||
allow hotplug_t rhgb_t:fifo_file { read write };
|
allow hotplug_t rhgb_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
allow kernel_t hotplug_etc_t:dir search;
|
allow kernel_t hotplug_etc_t:dir search;
|
||||||
@ -180,20 +180,20 @@ dontaudit hotplug_t domain:dir { getattr search };
|
|||||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||||
|
|
||||||
optional_policy(`hald.te', `
|
optional_policy(`hald.te', `
|
||||||
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
||||||
')
|
')
|
||||||
|
|
||||||
# this goes to hald:
|
# this goes to hald:
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
allow hald_t hotplug_etc_t:dir search;
|
allow hald_t hotplug_etc_t:dir search;
|
||||||
allow hald_t hotplug_etc_t:file { getattr read };
|
allow hald_t hotplug_etc_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`fsadm.te', `
|
optional_policy(`fsadm.te', `
|
||||||
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`lpd.te', `
|
optional_policy(`lpd.te', `
|
||||||
allow hotplug_t printer_device_t:chr_file setattr;
|
allow hotplug_t printer_device_t:chr_file setattr;
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
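Review bot: In the `distro_redhat` tunable, `filesystem_use_tmpfs_character_devices(hotplug_t)` sits inside `optional_policy(`netutils.te', ...)`, so tmpfs device access is granted only when the netutils module is present, while the comment above it (`# for arping used for static IP addresses on PCMCIA ethernet`) explains only `netutils_transition`; the same call in hostname.te is placed directly under the distro_redhat tunable. Unless the nesting is deliberate, move the line out of the netutils block to sit beside `files_get_system_lock_file_attributes(hotplug_t)`, or add a comment explaining why it depends on netutils. The re-indentation in this commit makes the nesting easier to see but does not change it.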
@ -126,23 +126,26 @@ define(`init_make_system_domain_depend',`
|
|||||||
# init_transition(domain)
|
# init_transition(domain)
|
||||||
#
|
#
|
||||||
define(`init_transition',`
|
define(`init_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 init_exec_t:file { getattr read execute };
|
|
||||||
allow $1 init_t:process transition;
|
allow $1 init_exec_t:file { getattr read execute };
|
||||||
type_transition $1 init_exec_t:process init_t;
|
allow $1 init_t:process transition;
|
||||||
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 init_exec_t:process init_t;
|
||||||
allow $1 init_t:fd use;
|
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
||||||
allow init_t $1:fd use;
|
|
||||||
allow init_t $1:fifo_file rw_file_perms;
|
allow $1 init_t:fd use;
|
||||||
allow init_t $1:process sigchld;
|
allow init_t $1:fd use;
|
||||||
|
allow init_t $1:fifo_file rw_file_perms;
|
||||||
|
allow init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_transition_depend',`
|
define(`init_transition_depend',`
|
||||||
type init_t, init_exec_t;
|
type init_t, init_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -150,13 +153,15 @@ class fifo_file rw_file_perms;
|
|||||||
# init_get_process_group(domain)
|
# init_get_process_group(domain)
|
||||||
#
|
#
|
||||||
define(`init_get_process_group',`
|
define(`init_get_process_group',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 init_t:process getpgid;
|
|
||||||
|
allow $1 init_t:process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_process_group_depend',`
|
define(`init_get_process_group_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
class process getpgid;
|
|
||||||
|
class process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -164,13 +169,15 @@ class process getpgid;
|
|||||||
# init_get_control_channel_attributes(domain)
|
# init_get_control_channel_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`init_get_control_channel_attributes',`
|
define(`init_get_control_channel_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initctl_t:fifo_file getattr;
|
|
||||||
|
allow $1 initctl_t:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_control_channel_attributes_depend',`
|
define(`init_get_control_channel_attributes_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
class fifo_file getattr;
|
|
||||||
|
class fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -178,13 +185,15 @@ class fifo_file getattr;
|
|||||||
# init_ignore_get_control_channel_attributes(domain)
|
# init_ignore_get_control_channel_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_get_control_channel_attributes',`
|
define(`init_ignore_get_control_channel_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 initctl_t:fifo_file getattr;
|
|
||||||
|
dontaudit $1 initctl_t:fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_get_control_channel_attributes_depend',`
|
define(`init_get_control_channel_attributes_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
class fifo_file getattr;
|
|
||||||
|
class fifo_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -192,14 +201,16 @@ class fifo_file getattr;
|
|||||||
# init_use_control_channel(domain)
|
# init_use_control_channel(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_control_channel',`
|
define(`init_use_control_channel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initctl_t:fifo_file { getattr read write };
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
|
allow $1 initctl_t:fifo_file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_control_channel_depend',`
|
define(`init_use_control_channel_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
class fifo_file { getattr read write };
|
|
||||||
|
class fifo_file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -207,13 +218,15 @@ class fifo_file { getattr read write };
|
|||||||
# init_ignore_use_control_channel(domain)
|
# init_ignore_use_control_channel(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_use_control_channel',`
|
define(`init_ignore_use_control_channel',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 initctl_t:fifo_file { read write };
|
|
||||||
|
dontaudit $1 initctl_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_ignore_use_control_channel_depend',`
|
define(`init_ignore_use_control_channel_depend',`
|
||||||
type initctl_t;
|
type initctl_t;
|
||||||
class fifo_file { read write };
|
|
||||||
|
class fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -221,13 +234,15 @@ class fifo_file { read write };
|
|||||||
# init_sigchld(domain)
|
# init_sigchld(domain)
|
||||||
#
|
#
|
||||||
define(`init_sigchld',`
|
define(`init_sigchld',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 init_t:process sigchld;
|
|
||||||
|
allow $1 init_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_sigchld_depend',`
|
define(`init_sigchld_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
class process sigchld;
|
|
||||||
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -235,13 +250,15 @@ class process sigchld;
|
|||||||
# init_use_file_descriptors(domain)
|
# init_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`init_use_file_descriptors',`
|
define(`init_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 init_t:fd use;
|
|
||||||
|
allow $1 init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_use_file_descriptors_depend',`
|
define(`init_use_file_descriptors_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -249,13 +266,15 @@ class fd use;
|
|||||||
# init_ignore_use_file_descriptors(domain)
|
# init_ignore_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`init_ignore_use_file_descriptors',`
|
define(`init_ignore_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 init_t:fd use;
|
|
||||||
|
dontaudit $1 init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_ignore_use_file_descriptors_depend',`
|
define(`init_ignore_use_file_descriptors_depend',`
|
||||||
type init_t;
|
type init_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -263,23 +282,26 @@ class fd use;
|
|||||||
# init_script_transition(domain)
|
# init_script_transition(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_transition',`
|
define(`init_script_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_exec_t:file { getattr read execute };
|
|
||||||
allow $1 initrc_t:process transition;
|
allow $1 initrc_exec_t:file { getattr read execute };
|
||||||
type_transition $1 initrc_exec_t:process init_t;
|
allow $1 initrc_t:process transition;
|
||||||
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 initrc_exec_t:process init_t;
|
||||||
allow $1 initrc_t:fd use;
|
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
|
||||||
allow initrc_t $1:fd use;
|
|
||||||
allow initrc_t $1:fifo_file rw_file_perms;
|
allow $1 initrc_t:fd use;
|
||||||
allow initrc_t $1:process sigchld;
|
allow initrc_t $1:fd use;
|
||||||
|
allow initrc_t $1:fifo_file rw_file_perms;
|
||||||
|
allow initrc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_transition_depend',`
|
define(`init_script_transition_depend',`
|
||||||
type initrc_t, initrc_exec_t;
|
type initrc_t, initrc_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -287,13 +309,15 @@ class fifo_file rw_file_perms;
|
|||||||
# init_script_execute(domain)
|
# init_script_execute(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_execute',`
|
define(`init_script_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_execute_depend',`
|
define(`init_script_execute_depend',`
|
||||||
type initrc_exec_t;
|
type initrc_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -308,23 +332,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_script_read_process_state',`
|
define(`init_script_read_process_state',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_t:dir { search getattr read };
|
|
||||||
allow $1 initrc_t:{ file lnk_file } { read getattr };
|
allow $1 initrc_t:dir { search getattr read };
|
||||||
allow $1 initrc_t:process getattr;
|
allow $1 initrc_t:{ file lnk_file } { read getattr };
|
||||||
# We need to suppress this denial because procps tries to access
|
allow $1 initrc_t:process getattr;
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
# We need to suppress this denial because procps tries to access
|
||||||
# running in a privileged domain.
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||||
dontaudit $1 initrc_t:process ptrace;
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||||
|
# running in a privileged domain.
|
||||||
|
dontaudit $1 initrc_t:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_read_process_state_depend',`
|
define(`init_script_read_process_state_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
class dir { search getattr read };
|
|
||||||
class file { read getattr };
|
class dir { search getattr read };
|
||||||
class lnk_file { read getattr };
|
class file { read getattr };
|
||||||
class process { getattr ptrace };
|
class lnk_file { read getattr };
|
||||||
|
class process { getattr ptrace };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -332,13 +359,15 @@ class process { getattr ptrace };
|
|||||||
# init_script_use_file_descriptors(domain)
|
# init_script_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_use_file_descriptors',`
|
define(`init_script_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_t:fd use;
|
|
||||||
|
allow $1 initrc_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_use_file_descriptors_depend',`
|
define(`init_script_use_file_descriptors_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -346,13 +375,15 @@ class fd use;
|
|||||||
# init_script_ignore_use_file_descriptors(domain)
|
# init_script_ignore_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_use_file_descriptors',`
|
define(`init_script_ignore_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 initrc_t:fd use;
|
|
||||||
|
dontaudit $1 initrc_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_use_file_descriptors_depend',`
|
define(`init_script_ignore_use_file_descriptors_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -360,13 +391,15 @@ class fd use;
|
|||||||
# init_script_get_process_group(domain)
|
# init_script_get_process_group(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_get_process_group',`
|
define(`init_script_get_process_group',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_t:process getpgid;
|
|
||||||
|
allow $1 initrc_t:process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_get_process_group_depend',`
|
define(`init_script_get_process_group_depend',`
|
||||||
type initrc_t;
|
type initrc_t;
|
||||||
class process getpgid;
|
|
||||||
|
class process getpgid;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -374,14 +407,16 @@ class process getpgid;
|
|||||||
# init_script_use_pseudoterminal(domain)
|
# init_script_use_pseudoterminal(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_use_pseudoterminal',`
|
define(`init_script_use_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
terminal_list_pseudoterminals($1)
|
|
||||||
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
terminal_list_pseudoterminals($1)
|
||||||
|
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_use_pseudoterminal_depend',`
|
define(`init_script_use_pseudoterminal_depend',`
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -389,13 +424,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# init_script_ignore_use_pseudoterminal(domain)
|
# init_script_ignore_use_pseudoterminal(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_use_pseudoterminal',`
|
define(`init_script_ignore_use_pseudoterminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 initrc_devpts_t:chr_file { read write ioctl };
|
|
||||||
|
allow $1 initrc_devpts_t:chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_use_pseudoterminal_depend',`
|
define(`init_script_ignore_use_pseudoterminal_depend',`
|
||||||
type initrc_devpts_t;
|
type initrc_devpts_t;
|
||||||
class chr_file { read write ioctl };
|
|
||||||
|
class chr_file { read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -410,14 +447,16 @@ class chr_file { read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`init_script_modify_temporary_data',`
|
define(`init_script_modify_temporary_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: read tmp_t
|
|
||||||
allow $1 initrc_tmp_t:file { getattr read write };
|
# FIXME: read tmp_t
|
||||||
|
allow $1 initrc_tmp_t:file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_modify_temporary_data_depend',`
|
define(`init_script_modify_temporary_data_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { getattr read write };
|
|
||||||
|
class file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -425,14 +464,16 @@ class file { getattr read write };
|
|||||||
# init_script_read_runtime_data(domain)
|
# init_script_read_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_read_runtime_data',`
|
define(`init_script_read_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_runtime_data_directory($1)
|
|
||||||
allow $1 initrc_var_run_t:file { getattr read lock };
|
files_read_runtime_data_directory($1)
|
||||||
|
allow $1 initrc_var_run_t:file { getattr read lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_read_runtime_data_depend',`
|
define(`init_script_read_runtime_data_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { getattr read lock };
|
|
||||||
|
class file { getattr read lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -440,13 +481,15 @@ class file { getattr read lock };
|
|||||||
# init_script_ignore_write_runtime_data(domain)
|
# init_script_ignore_write_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_write_runtime_data',`
|
define(`init_script_ignore_write_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 initrc_var_run_t:file { write lock };
|
|
||||||
|
dontaudit $1 initrc_var_run_t:file { write lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_write_runtime_data_depend',`
|
define(`init_script_ignore_write_runtime_data_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { write lock };
|
|
||||||
|
class file { write lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -454,14 +497,16 @@ class file { write lock };
|
|||||||
# init_script_modify_runtime_data(domain)
|
# init_script_modify_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_modify_runtime_data',`
|
define(`init_script_modify_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_runtime_data_directory($1)
|
|
||||||
allow $1 initrc_var_run_t:file { getattr read write append lock };
|
files_read_runtime_data_directory($1)
|
||||||
|
allow $1 initrc_var_run_t:file { getattr read write append lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_modify_runtime_data_depend',`
|
define(`init_script_modify_runtime_data_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { getattr read write append lock };
|
|
||||||
|
class file { getattr read write append lock };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -469,13 +514,15 @@ class file { getattr read write append lock };
|
|||||||
# init_script_ignore_modify_runtime_data(domain)
|
# init_script_ignore_modify_runtime_data(domain)
|
||||||
#
|
#
|
||||||
define(`init_script_ignore_modify_runtime_data',`
|
define(`init_script_ignore_modify_runtime_data',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
|
||||||
|
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`init_script_ignore_modify_runtime_data_depend',`
|
define(`init_script_ignore_modify_runtime_data_depend',`
|
||||||
type initrc_var_run_t;
|
type initrc_var_run_t;
|
||||||
class file { getattr read write append };
|
|
||||||
|
class file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_transition',`
|
define(`iptables_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 iptables_exec_t:file { getattr read execute };
|
|
||||||
allow $1 iptables_t:process transition;
|
allow $1 iptables_exec_t:file { getattr read execute };
|
||||||
type_transition $1 iptables_exec_t:process iptables_t;
|
allow $1 iptables_t:process transition;
|
||||||
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 iptables_exec_t:process iptables_t;
|
||||||
allow $1 iptables_t:fd use;
|
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
|
||||||
allow iptables_t $1:fd use;
|
|
||||||
allow iptables_t $1:fifo_file rw_file_perms;
|
allow $1 iptables_t:fd use;
|
||||||
allow iptables_t $1:process sigchld;
|
allow iptables_t $1:fd use;
|
||||||
|
allow iptables_t $1:fifo_file rw_file_perms;
|
||||||
|
allow iptables_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_transition_depend',`
|
define(`iptables_transition_depend',`
|
||||||
type iptables_t, iptables_exec_t;
|
type iptables_t, iptables_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -51,15 +54,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_transition_add_role_use_terminal',`
|
define(`iptables_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
iptables_transition($1)
|
|
||||||
role $2 types iptables_t;
|
iptables_transition($1)
|
||||||
allow iptables_t $3:chr_file { getattr read write ioctl };
|
role $2 types iptables_t;
|
||||||
|
allow iptables_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_transition_add_role_use_terminal_depend',`
|
define(`iptables_transition_add_role_use_terminal_depend',`
|
||||||
type iptables_t;
|
type iptables_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,13 +79,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`iptables_execute',`
|
define(`iptables_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`iptables_execute_depend',`
|
define(`iptables_execute_depend',`
|
||||||
type iptables_t, iptables_exec_t;
|
type iptables_t, iptables_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
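Review bot: `iptables_execute_depend` still requires `type iptables_t, iptables_exec_t;` although the interface body in the `@ -74,13 +79,15 @@` hunk only ever references `iptables_exec_t`; the re-indent carries the extra requirement over, and it makes the interface unusable wherever only the exec type is declared. The line should read `type iptables_exec_t;`. Since `iptables_execute` grants `execute_no_trans`, the caller runs iptables in its own domain rather than transitioning to `iptables_t`, which is a confinement choice worth stating next to the allow rule, e.g. `# runs iptables in the caller domain; use iptables_transition() when the caller should be confined`; the interface's XML documentation sits above the hunk and is not visible here, so it may already say this. The commit title promises perm-set macros, yet the three `{ getattr read execute }` / `{ getattr read execute execute_no_trans }` lists in this file are left spelled out while the logging section below switches to `rw_dir_perms`; applying the same macros here (`rx_file_perms` where it matches exactly) would keep the two files consistent.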
|
@ -117,10 +117,10 @@ allow iptables_t autofs_t:dir { search getattr };
|
|||||||
can_ypbind(iptables_t)
|
can_ypbind(iptables_t)
|
||||||
|
|
||||||
optional_policy(`gnome-pty-helper.te',`
|
optional_policy(`gnome-pty-helper.te',`
|
||||||
allow iptables_t sysadm_gph_t:fd use;
|
allow iptables_t sysadm_gph_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`firstboot.te', `
|
optional_policy(`firstboot.te', `
|
||||||
allow iptables_t firstboot_t:fifo_file write;
|
allow iptables_t firstboot_t:fifo_file write;
|
||||||
')
|
')
|
||||||
') dnl ifdef TODO
|
') dnl ifdef TODO
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_ldconfig_transition',`
|
define(`libraries_ldconfig_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 ldconfig_exec_t:file { getattr read execute };
|
|
||||||
allow $1 ldconfig_t:process transition;
|
allow $1 ldconfig_exec_t:file { getattr read execute };
|
||||||
type_transition $1 ldconfig_exec_t:process ldconfig_t;
|
allow $1 ldconfig_t:process transition;
|
||||||
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 ldconfig_exec_t:process ldconfig_t;
|
||||||
allow $1 ldconfig_t:fd use;
|
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
|
||||||
allow ldconfig_t $1:fd use;
|
|
||||||
allow ldconfig_t $1:fifo_file rw_file_perms;
|
allow $1 ldconfig_t:fd use;
|
||||||
allow ldconfig_t $1:process sigchld;
|
allow ldconfig_t $1:fd use;
|
||||||
|
allow ldconfig_t $1:fifo_file rw_file_perms;
|
||||||
|
allow ldconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_ldconfig_transition_depend',`
|
define(`libraries_ldconfig_transition_depend',`
|
||||||
type ldconfig_t, ldconfig_exec_t;
|
type ldconfig_t, ldconfig_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_ldconfig_transition_add_role_use_terminal',`
|
define(`libraries_ldconfig_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
libraries_ldconfig_transition($1)
|
|
||||||
role $2 types ldconfig_t;
|
libraries_ldconfig_transition($1)
|
||||||
allow ldconfig_t $3:chr_file { getattr read write ioctl };
|
role $2 types ldconfig_t;
|
||||||
|
allow ldconfig_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
|
define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
|
||||||
type ldconfig_t;
|
type ldconfig_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -74,20 +79,22 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_use_dynamic_loader',`
|
define(`libraries_use_dynamic_loader',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_general_system_config_directory($1)
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
files_read_general_system_config_directory($1)
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 ld_so_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:file rx_file_perms;
|
allow $1 ld_so_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_cache_t:file r_file_perms;
|
allow $1 ld_so_t:file rx_file_perms;
|
||||||
|
allow $1 ld_so_cache_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_use_dynamic_loader_depend',`
|
define(`libraries_use_dynamic_loader_depend',`
|
||||||
type lib_t, ld_so_t, ld_so_cache_t;
|
type lib_t, ld_so_t, ld_so_cache_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
class dir r_dir_perms;
|
||||||
class file rx_file_perms;
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -103,15 +110,17 @@ class file rx_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_legacy_use_dynamic_loader',`
|
define(`libraries_legacy_use_dynamic_loader',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
libraries_use_dynamic_loader($1)
|
|
||||||
allow $1 ld_so_t:file execmod;
|
libraries_use_dynamic_loader($1)
|
||||||
allow $1 ld_so_cache_t:file execute;
|
allow $1 ld_so_t:file execmod;
|
||||||
|
allow $1 ld_so_cache_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_legacy_use_dynamic_loader_depend',`
|
define(`libraries_legacy_use_dynamic_loader_depend',`
|
||||||
type ld_so_t, ld_so_cache_t;
|
type ld_so_t, ld_so_cache_t;
|
||||||
class file { execute execmod };
|
|
||||||
|
class file { execute execmod };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -131,18 +140,20 @@ class file { execute execmod };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_execute_dynamic_loader',`
|
define(`libraries_execute_dynamic_loader',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 ld_so_t:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
|
allow $1 ld_so_t:lnk_file r_file_perms;
|
||||||
|
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_execute_dynamic_loader_depend',`
|
define(`libraries_execute_dynamic_loader_depend',`
|
||||||
type lib_t, ld_so_t;
|
type lib_t, ld_so_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
class dir r_dir_perms;
|
||||||
class file { r_file_perms execute execute_no_trans };
|
class lnk_file r_file_perms;
|
||||||
|
class file { r_file_perms execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -158,14 +169,16 @@ class file { r_file_perms execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_modify_dynamic_loader_cache',`
|
define(`libraries_modify_dynamic_loader_cache',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_read_general_system_config_directory($1)
|
|
||||||
allow $1 ld_so_cache_t:file { getattr read write };
|
files_read_general_system_config_directory($1)
|
||||||
|
allow $1 ld_so_cache_t:file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_modify_dynamic_loader_cache_depend',`
|
define(`libraries_modify_dynamic_loader_cache_depend',`
|
||||||
type ld_so_cache_t;
|
type ld_so_cache_t;
|
||||||
class file { getattr read write };
|
|
||||||
|
class file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -181,16 +194,18 @@ class file { getattr read write };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_read_library_resources',`
|
define(`libraries_read_library_resources',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 lib_t:dir { getattr read search };
|
|
||||||
allow $1 lib_t:{ file lnk_file } { getattr read };
|
allow $1 lib_t:dir { getattr read search };
|
||||||
|
allow $1 lib_t:{ file lnk_file } { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_read_library_resources_depend',`
|
define(`libraries_read_library_resources_depend',`
|
||||||
type lib_t;
|
type lib_t;
|
||||||
class dir { getattr read search };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr read search };
|
||||||
class file { getattr read };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -205,17 +220,19 @@ class file { getattr read };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_execute_library_scripts',`
|
define(`libraries_execute_library_scripts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 lib_t:dir { getattr read search };
|
|
||||||
allow $1 lib_t:lnk_file { getattr read };
|
allow $1 lib_t:dir { getattr read search };
|
||||||
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
allow $1 lib_t:lnk_file { getattr read };
|
||||||
|
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_execute_library_scripts_depend',`
|
define(`libraries_execute_library_scripts_depend',`
|
||||||
type lib_t;
|
type lib_t;
|
||||||
class dir { getattr read search };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr read search };
|
||||||
class file { getattr read execute execute_no_trans };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -230,19 +247,21 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_use_shared_libraries',`
|
define(`libraries_use_shared_libraries',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_general_application_resources_dir($1)
|
|
||||||
allow $1 lib_t:dir r_dir_perms;
|
files_search_general_application_resources_dir($1)
|
||||||
allow $1 lib_t:lnk_file r_file_perms;
|
allow $1 lib_t:dir r_dir_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
allow $1 lib_t:lnk_file r_file_perms;
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
|
||||||
|
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_use_shared_libraries_depend',`
|
define(`libraries_use_shared_libraries_depend',`
|
||||||
type lib_t, shlib_t, texrel_shlib_t;
|
type lib_t, shlib_t, texrel_shlib_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class lnk_file r_file_perms;
|
class dir r_dir_perms;
|
||||||
class file rx_dir_perms;
|
class lnk_file r_file_perms;
|
||||||
|
class file rx_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -258,14 +277,16 @@ class file rx_dir_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`libraries_legacy_use_shared_libraries',`
|
define(`libraries_legacy_use_shared_libraries',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
libraries_use_shared_libraries($1)
|
|
||||||
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
libraries_use_shared_libraries($1)
|
||||||
|
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`libraries_legacy_use_shared_libraries_depend',`
|
define(`libraries_legacy_use_shared_libraries_depend',`
|
||||||
type shlib_t, texrel_shlib_t;
|
type shlib_t, texrel_shlib_t;
|
||||||
class file execmod;
|
|
||||||
|
class file execmod;
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
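Review bot: `libraries_use_shared_libraries_depend` in the `@ -230,19 +247,21 @@` hunk declares `class file rx_dir_perms;` while the interface body grants `rx_file_perms` on `{ shlib_t texrel_shlib_t }:file`; `rx_dir_perms` is a directory permission set, so the requires block names directory permissions on the `file` class and does not cover what the body actually uses. The line should be `class file rx_file_perms;`, matching the `libraries_use_dynamic_loader_depend` block earlier in the same file. Separately, `libraries_legacy_use_dynamic_loader` and `libraries_legacy_use_shared_libraries` hand out `execmod`, which lets the domain execute mappings it has modified (text relocations); a one-line comment on each such rule, e.g. `# execmod: only for legacy/text-relocated libraries, weakens W^X for the caller`, would stop these from being copied into new callers as a default.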
|
@ -80,21 +80,21 @@ ifdef(`TODO',`
|
|||||||
allow ldconfig_t tmp_t:dir search;
|
allow ldconfig_t tmp_t:dir search;
|
||||||
|
|
||||||
ifdef(`apache.te', `
|
ifdef(`apache.te', `
|
||||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow ldconfig_t { var_t var_lib_t }:dir search;
|
allow ldconfig_t { var_t var_lib_t }:dir search;
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
ifdef(`unconfined.te',`
|
ifdef(`unconfined.te',`
|
||||||
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
ifdef(`targeted_policy', `
|
||||||
allow ldconfig_t lib_t:file r_file_perms;
|
allow ldconfig_t lib_t:file r_file_perms;
|
||||||
unconfined_domain(ldconfig_t)
|
unconfined_domain(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
@ -4,12 +4,13 @@
|
|||||||
# locallogin_transition(domain)
|
# locallogin_transition(domain)
|
||||||
#
|
#
|
||||||
define(`locallogin_transition',`
|
define(`locallogin_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
authlogin_login_program_transition($1,local_login_t)
|
|
||||||
|
authlogin_login_program_transition($1,local_login_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_transition_depend',`
|
define(`locallogin_transition_depend',`
|
||||||
type local_login_t;
|
type local_login_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -17,11 +18,13 @@ type local_login_t;
|
|||||||
# locallogin_use_file_descriptors(domain)
|
# locallogin_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`locallogin_use_file_descriptors',`
|
define(`locallogin_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 local_login_t:fd use;
|
|
||||||
|
allow $1 local_login_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`locallogin_use_file_descriptors_depend',`
|
define(`locallogin_use_file_descriptors_depend',`
|
||||||
type local_login_t;
|
type local_login_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
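Review bot: `locallogin_transition` delegates entirely to `authlogin_login_program_transition($1,local_login_t)` but its `_depend` block lists only `type local_login_t;`; whether the authlogin template's own requirements are pulled in through its own requires_block_template is not visible in this hunk, so please confirm, otherwise this interface is under-declared compared with the explicit transition interfaces elsewhere in this commit. Both interfaces in this file are documented only by a one-line `# locallogin_transition(domain)` comment, whereas the iptables and libraries interfaces carry `## <interface>` XML blocks (their `## </interface>` closers are visible above); adding the same block to each, with a summary stating that the caller domain transitions to `local_login_t` on executing the login program and a `domain` parameter description, would let them appear in the generated interface documentation.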
|
@ -117,7 +117,7 @@ ifdef(`TODO',`
|
|||||||
|
|
||||||
can_ypbind(local_login_t)
|
can_ypbind(local_login_t)
|
||||||
ifdef(`automount.te', `
|
ifdef(`automount.te', `
|
||||||
allow local_login_t autofs_t:dir { search getattr };
|
allow local_login_t autofs_t:dir { search getattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
allow local_login_t bin_t:dir r_dir_perms;
|
allow local_login_t bin_t:dir r_dir_perms;
|
||||||
@ -125,8 +125,8 @@ allow local_login_t bin_t:notdevfile_class_set r_file_perms;
|
|||||||
allow local_login_t sbin_t:dir r_dir_perms;
|
allow local_login_t sbin_t:dir r_dir_perms;
|
||||||
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
|
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
|
||||||
if (read_default_t) {
|
if (read_default_t) {
|
||||||
allow local_login_t default_t:dir r_dir_perms;
|
allow local_login_t default_t:dir r_dir_perms;
|
||||||
allow local_login_t default_t:notdevfile_class_set r_file_perms;
|
allow local_login_t default_t:notdevfile_class_set r_file_perms;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Read directories and files with the readable_t type.
|
# Read directories and files with the readable_t type.
|
||||||
@ -144,18 +144,18 @@ allow local_login_t mnt_t:dir r_dir_perms;
|
|||||||
|
|
||||||
# FIXME: what is this for?
|
# FIXME: what is this for?
|
||||||
optional_policy(`xdm.te', `
|
optional_policy(`xdm.te', `
|
||||||
allow xdm_t local_login_t:process signull;
|
allow xdm_t local_login_t:process signull;
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`crack.te', `
|
ifdef(`crack.te', `
|
||||||
allow local_login_t crack_db_t:file r_file_perms;
|
allow local_login_t crack_db_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow local_login_t mouse_device_t:chr_file { getattr setattr };
|
allow local_login_t mouse_device_t:chr_file { getattr setattr };
|
||||||
|
|
||||||
tunable_policy(`targeted_policy',`
|
tunable_policy(`targeted_policy',`
|
||||||
unconfined_domain(local_login_t)
|
unconfined_domain(local_login_t)
|
||||||
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# Do not audit denied attempts to access devices.
|
# Do not audit denied attempts to access devices.
|
||||||
@ -173,7 +173,7 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
|
|||||||
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
||||||
|
|
||||||
optional_policy(`gpm.te',`
|
optional_policy(`gpm.te',`
|
||||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
allow local_login_t gpmctl_t:sock_file { getattr setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow setting of attributes on sound devices.
|
# Allow setting of attributes on sound devices.
|
||||||
@ -231,21 +231,21 @@ userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
|
|||||||
|
|
||||||
# suse and debian do not use pam with sulogin...
|
# suse and debian do not use pam with sulogin...
|
||||||
ifdef(`monolithic_policy',`
|
ifdef(`monolithic_policy',`
|
||||||
ifdef(`distro_suse', `define(`sulogin_no_pam')')
|
ifdef(`distro_suse', `define(`sulogin_no_pam')')
|
||||||
ifdef(`distro_debian', `define(`sulogin_no_pam')')
|
ifdef(`distro_debian', `define(`sulogin_no_pam')')
|
||||||
') dnl end monolithic_policy
|
') dnl end monolithic_policy
|
||||||
|
|
||||||
tunable_policy(`sulogin_no_pam', `
|
tunable_policy(`sulogin_no_pam', `
|
||||||
allow sulogin_t self:capability sys_tty_config;
|
allow sulogin_t self:capability sys_tty_config;
|
||||||
init_get_process_group(sulogin_t)
|
init_get_process_group(sulogin_t)
|
||||||
', `
|
', `
|
||||||
allow sulogin_t self:process setexec;
|
allow sulogin_t self:process setexec;
|
||||||
kernel_get_selinuxfs_mount_point(sulogin_t)
|
kernel_get_selinuxfs_mount_point(sulogin_t)
|
||||||
kernel_validate_selinux_context(sulogin_t)
|
kernel_validate_selinux_context(sulogin_t)
|
||||||
kernel_compute_selinux_access_vector(sulogin_t)
|
kernel_compute_selinux_access_vector(sulogin_t)
|
||||||
kernel_compute_selinux_create_context(sulogin_t)
|
kernel_compute_selinux_create_context(sulogin_t)
|
||||||
kernel_compute_selinux_relabel_context(sulogin_t)
|
kernel_compute_selinux_relabel_context(sulogin_t)
|
||||||
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
|
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -254,7 +254,7 @@ allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
|
|||||||
|
|
||||||
can_ypbind(sulogin_t)
|
can_ypbind(sulogin_t)
|
||||||
ifdef(`automount.te', `
|
ifdef(`automount.te', `
|
||||||
allow sulogin_t autofs_t:dir { search getattr };
|
allow sulogin_t autofs_t:dir { search getattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||||
|
@ -6,13 +6,14 @@
|
|||||||
# logging_make_log_file(domain)
|
# logging_make_log_file(domain)
|
||||||
#
|
#
|
||||||
define(`logging_make_log_file',`
|
define(`logging_make_log_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_make_file($1)
|
|
||||||
typeattribute $1 logfile;
|
files_make_file($1)
|
||||||
|
typeattribute $1 logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_make_log_file_depend',`
|
define(`logging_make_log_file_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -20,18 +21,21 @@ attribute logfile;
|
|||||||
# logging_create_private_log(domain,privatetype,[class(es)])
|
# logging_create_private_log(domain,privatetype,[class(es)])
|
||||||
#
|
#
|
||||||
define(`logging_create_private_log',`
|
define(`logging_create_private_log',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 var_log_t:dir { getattr search read write add_name remove_name };
|
|
||||||
ifelse(`$3',`',`
|
allow $1 var_log_t:dir rw_dir_perms;
|
||||||
type_transition $1 var_log_t:file $2;
|
|
||||||
',`
|
ifelse(`$3',`',`
|
||||||
type_transition $1 var_log_t:$3 $2;
|
type_transition $1 var_log_t:file $2;
|
||||||
') dnl end ifelse
|
',`
|
||||||
|
type_transition $1 var_log_t:$3 $2;
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_create_private_log_depend',`
|
define(`logging_create_private_log_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
class dir { getattr search read write add_name remove_name };
|
|
||||||
|
class dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -39,23 +43,27 @@ class dir { getattr search read write add_name remove_name };
|
|||||||
# logging_send_system_log_message(domain)
|
# logging_send_system_log_message(domain)
|
||||||
#
|
#
|
||||||
define(`logging_send_system_log_message',`
|
define(`logging_send_system_log_message',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 devlog_t:lnk_file read;
|
|
||||||
allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
|
allow $1 devlog_t:lnk_file read;
|
||||||
# the type of socket depends on the syslog daemon
|
allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
|
||||||
allow $1 syslogd_t:unix_dgram_socket sendto;
|
|
||||||
allow $1 syslogd_t:unix_stream_socket connectto;
|
# the type of socket depends on the syslog daemon
|
||||||
allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
allow $1 syslogd_t:unix_dgram_socket sendto;
|
||||||
allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
allow $1 syslogd_t:unix_stream_socket connectto;
|
||||||
# cjp: this should most likely be removed:
|
allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
terminal_use_console($1)
|
allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
|
|
||||||
|
# cjp: this should most likely be removed:
|
||||||
|
terminal_use_console($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_send_system_log_message_depend',`
|
define(`logging_send_system_log_message_depend',`
|
||||||
type syslogd_t, devlog_t;
|
type syslogd_t, devlog_t;
|
||||||
class sock_file { ioctl read getattr lock write append };
|
|
||||||
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
|
class sock_file { ioctl read getattr lock write append };
|
||||||
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
|
||||||
|
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -72,14 +80,16 @@ class unix_stream_socket { create read getattr write setattr append bind connect
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`logging_search_system_log_directory',`
|
define(`logging_search_system_log_directory',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir search;
|
files_search_system_state_data_directory($1)
|
||||||
|
allow $1 var_log_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_search_system_log_directory_depend',`
|
define(`logging_search_system_log_directory_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
class dir search;
|
|
||||||
|
class dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -87,13 +97,15 @@ class dir search;
|
|||||||
# logging_ignore_get_all_logs_attributes(domain)
|
# logging_ignore_get_all_logs_attributes(domain)
|
||||||
#
|
#
|
||||||
define(`logging_ignore_get_all_logs_attributes',`
|
define(`logging_ignore_get_all_logs_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 logfile:file getattr;
|
|
||||||
|
dontaudit $1 logfile:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_ignore_get_all_logs_attributes_depend',`
|
define(`logging_ignore_get_all_logs_attributes_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
class file getattr;
|
|
||||||
|
class file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -101,17 +113,20 @@ class file getattr;
|
|||||||
# logging_append_all_logs(domain)
|
# logging_append_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_append_all_logs',`
|
define(`logging_append_all_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir { getattr search read };
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 logfile:file { getattr append };
|
allow $1 var_log_t:dir { getattr search read };
|
||||||
|
allow $1 logfile:file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_append_all_logs_depend',`
|
define(`logging_append_all_logs_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
type var_log_t;
|
|
||||||
class dir { getattr search read };
|
type var_log_t;
|
||||||
class file { getattr append };
|
|
||||||
|
class dir { getattr search read };
|
||||||
|
class file { getattr append };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -119,17 +134,20 @@ class file { getattr append };
|
|||||||
# logging_read_all_logs(domain)
|
# logging_read_all_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_read_all_logs',`
|
define(`logging_read_all_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir { getattr search read };
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 logfile:file { getattr read };
|
allow $1 var_log_t:dir { getattr search read };
|
||||||
|
allow $1 logfile:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_read_all_logs_depend',`
|
define(`logging_read_all_logs_depend',`
|
||||||
attribute logfile;
|
attribute logfile;
|
||||||
type var_log_t;
|
|
||||||
class dir { getattr search read };
|
type var_log_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -137,16 +155,18 @@ class file { getattr read };
|
|||||||
# logging_read_system_logs(domain)
|
# logging_read_system_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_read_system_logs',`
|
define(`logging_read_system_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir { getattr search read };
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 var_log_t:file { getattr read };
|
allow $1 var_log_t:dir { getattr search read };
|
||||||
|
allow $1 var_log_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_read_system_logs_depend',`
|
define(`logging_read_system_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -154,16 +174,18 @@ class file { getattr read };
|
|||||||
# logging_write_system_logs(domain)
|
# logging_write_system_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_write_system_logs',`
|
define(`logging_write_system_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir { getattr search read };
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 var_log_t:file { getattr write };
|
allow $1 var_log_t:dir { getattr search read };
|
||||||
|
allow $1 var_log_t:file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_write_system_logs_depend',`
|
define(`logging_write_system_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr write };
|
class dir { getattr search read };
|
||||||
|
class file { getattr write };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -171,16 +193,18 @@ class file { getattr write };
|
|||||||
# logging_modify_system_logs(domain)
|
# logging_modify_system_logs(domain)
|
||||||
#
|
#
|
||||||
define(`logging_modify_system_logs',`
|
define(`logging_modify_system_logs',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_system_state_data_directory($1)
|
|
||||||
allow $1 var_log_t:dir { getattr search read };
|
files_search_system_state_data_directory($1)
|
||||||
allow $1 var_log_t:file { getattr read write append };
|
allow $1 var_log_t:dir { getattr search read };
|
||||||
|
allow $1 var_log_t:file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`logging_modify_system_logs_depend',`
|
define(`logging_modify_system_logs_depend',`
|
||||||
type var_log_t;
|
type var_log_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read write append };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
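Review bot: `logging_send_system_log_message` still ends with `terminal_use_console($1)`, so every domain that only needs to write to syslog also gets console-device access, which the retained `# cjp: this should most likely be removed:` comment already concedes; the re-indent carries the over-grant forward unchanged. I would drop that call from the interface and let the few callers that genuinely write to the console request it themselves, or at least turn the comment into an explicit `# TODO: remove; this grants console access to every syslog client` so it is not mistaken for intended behaviour. Separately, since this commit is meant to move to perm-set macros, `allow $1 devlog_t:sock_file { ioctl read getattr lock write append };` and the matching `class sock_file` require line look like candidates for `rw_file_perms`, assuming that macro expands to the same set in this policy as the `fifo_file rw_file_perms` rules elsewhere in these interfaces rely on.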
|
@ -157,28 +157,28 @@ allow syslogd_t self:capability net_admin;
|
|||||||
allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
|
allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
|
||||||
|
|
||||||
ifdef(`klogd.te', `', `
|
ifdef(`klogd.te', `', `
|
||||||
# Allow access to /proc/kmsg for syslog-ng
|
# Allow access to /proc/kmsg for syslog-ng
|
||||||
kernel_read_messages(syslogd_t)
|
kernel_read_messages(syslogd_t)
|
||||||
kernel_clear_ring_buffer(syslogd_t)
|
kernel_clear_ring_buffer(syslogd_t)
|
||||||
kernel_change_ring_buffer_level(syslogd_t)
|
kernel_change_ring_buffer_level(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`targeted_policy', `
|
tunable_policy(`targeted_policy', `
|
||||||
terminal_ignore_use_general_physical_terminal(syslogd_t)
|
terminal_ignore_use_general_physical_terminal(syslogd_t)
|
||||||
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
||||||
files_ignore_read_rootfs_file(syslogd_t)
|
files_ignore_read_rootfs_file(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_newrole_sigchld(syslogd_t)
|
selinux_newrole_sigchld(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te', `
|
optional_policy(`udev.te', `
|
||||||
udev_read_database(syslogd_t)
|
udev_read_database(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`cron.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_modify_log(syslogd_t)
|
cron_modify_log(syslogd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -186,17 +186,17 @@ allow syslogd_t proc_t:lnk_file read;
|
|||||||
allow syslogd_t autofs_t:dir { search getattr };
|
allow syslogd_t autofs_t:dir { search getattr };
|
||||||
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
dontaudit syslogd_t sysadm_home_dir_t:dir search;
|
||||||
optional_policy(`rhgb.te', `
|
optional_policy(`rhgb.te', `
|
||||||
allow syslogd_t rhgb_t:process sigchld;
|
allow syslogd_t rhgb_t:process sigchld;
|
||||||
allow syslogd_t rhgb_t:fd use;
|
allow syslogd_t rhgb_t:fd use;
|
||||||
allow syslogd_t rhgb_t:fifo_file { read write };
|
allow syslogd_t rhgb_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
tunable_policy(`direct_sysadm_daemon',`
|
tunable_policy(`direct_sysadm_daemon',`
|
||||||
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`distro_suse', `
|
tunable_policy(`distro_suse', `
|
||||||
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
||||||
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
||||||
')
|
')
|
||||||
|
|
||||||
# can_network is for the UDP socket
|
# can_network is for the UDP socket
|
||||||
@ -206,12 +206,12 @@ can_ypbind(syslogd_t)
|
|||||||
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
||||||
|
|
||||||
ifdef(`crond.te', `
|
ifdef(`crond.te', `
|
||||||
# for daemon re-start
|
# for daemon re-start
|
||||||
allow system_crond_t syslogd_t:lnk_file read;
|
allow system_crond_t syslogd_t:lnk_file read;
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`logrotate.te', `
|
ifdef(`logrotate.te', `
|
||||||
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
allow logrotate_t syslogd_exec_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_transition',`
|
define(`lvm_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 lvm_exec_t:file { getattr read execute };
|
|
||||||
allow $1 lvm_t:process transition;
|
allow $1 lvm_exec_t:file { getattr read execute };
|
||||||
type_transition $1 lvm_exec_t:process lvm_t;
|
allow $1 lvm_t:process transition;
|
||||||
dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 lvm_exec_t:process lvm_t;
|
||||||
allow $1 lvm_t:fd use;
|
dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
|
||||||
allow lvm_t $1:fd use;
|
|
||||||
allow lvm_t $1:fifo_file rw_file_perms;
|
allow $1 lvm_t:fd use;
|
||||||
allow lvm_t $1:process sigchld;
|
allow lvm_t $1:fd use;
|
||||||
|
allow lvm_t $1:fifo_file rw_file_perms;
|
||||||
|
allow lvm_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_transition_depend',`
|
define(`lvm_transition_depend',`
|
||||||
type lvm_t, lvm_exec_t;
|
type lvm_t, lvm_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -50,15 +53,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_transition_add_role_use_terminal',`
|
define(`lvm_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
lvm_transition($1)
|
|
||||||
role $2 types lvm_t;
|
lvm_transition($1)
|
||||||
allow lvm_t $3:chr_file { getattr read write ioctl };
|
role $2 types lvm_t;
|
||||||
|
allow lvm_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_transition_add_role_use_terminal_depend',`
|
define(`lvm_transition_add_role_use_terminal_depend',`
|
||||||
type lvm_t;
|
type lvm_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -73,14 +78,16 @@ class chr_file { getattr read write ioctl };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`lvm_read_config',`
|
define(`lvm_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 lvm_etc_t:dir { getattr search read };
|
|
||||||
allow $1 lvm_etc_t:file { getattr read };
|
allow $1 lvm_etc_t:dir { getattr search read };
|
||||||
|
allow $1 lvm_etc_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`lvm_read_config_depend',`
|
define(`lvm_read_config_depend',`
|
||||||
type lvm_t, lvm_exec_t;
|
type lvm_t, lvm_exec_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
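Review bot: `lvm_read_config_depend` requires `type lvm_t, lvm_exec_t;` and only `class file { getattr read };`, but `lvm_read_config` itself touches neither of those types: both of its rules are on `lvm_etc_t`, and one of them is a `dir` rule. As written the require block does not cover what the interface uses, so a module pulling in `lvm_read_config` without requiring `lvm_etc_t` elsewhere should fail to link. The block should read `type lvm_etc_t;`, `class dir { getattr search read };`, `class file { getattr read };`. Only indentation changes in this hunk, so the mismatch is pre-existing, but it is worth correcting while the block is being touched.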
|
@ -169,17 +169,17 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
|
|||||||
dontaudit lvm_t var_run_t:dir getattr;
|
dontaudit lvm_t var_run_t:dir getattr;
|
||||||
|
|
||||||
optional_policy(`gnome-pty-helper.te', `
|
optional_policy(`gnome-pty-helper.te', `
|
||||||
allow lvm_t sysadm_gph_t:fd use;
|
allow lvm_t sysadm_gph_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`gpm.te', `
|
optional_policy(`gpm.te', `
|
||||||
dontaudit lvm_t gpmctl_t:sock_file getattr;
|
dontaudit lvm_t gpmctl_t:sock_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rhgb.te', `
|
optional_policy(`rhgb.te', `
|
||||||
allow $1_t rhgb_t:process sigchld;
|
allow $1_t rhgb_t:process sigchld;
|
||||||
allow $1_t rhgb_t:fd use;
|
allow $1_t rhgb_t:fd use;
|
||||||
allow $1_t rhgb_t:fifo_file { read write };
|
allow $1_t rhgb_t:fifo_file { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
@ -4,16 +4,18 @@
|
|||||||
# miscfiles_manage_man_page_cache(domain)
|
# miscfiles_manage_man_page_cache(domain)
|
||||||
#
|
#
|
||||||
define(`miscfiles_manage_man_page_cache',`
|
define(`miscfiles_manage_man_page_cache',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search var_t dir
|
|
||||||
allow $1 catman_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
# FIXME: search var_t dir
|
||||||
allow $1 catman_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 catman_t:dir create_dir_perms;
|
||||||
|
allow $1 catman_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_manage_man_page_cache_depend',`
|
define(`miscfiles_manage_man_page_cache_depend',`
|
||||||
type catman_t;
|
type catman_t;
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir create_dir_perms;
|
||||||
|
class file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -21,18 +23,20 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# miscfiles_read_fonts(domain)
|
# miscfiles_read_fonts(domain)
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_fonts',`
|
define(`miscfiles_read_fonts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search usr_t dir
|
|
||||||
# FIXME: search lib_t dir
|
# FIXME: search usr_t dir
|
||||||
# cjp: fonts can be in either of the above dirs
|
# FIXME: search lib_t dir
|
||||||
allow $1 fonts_t:dir { getattr read search };
|
# cjp: fonts can be in either of the above dirs
|
||||||
allow $1 fonts_t:file { getattr read };
|
allow $1 fonts_t:dir { getattr read search };
|
||||||
|
allow $1 fonts_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_fonts_depend',`
|
define(`miscfiles_read_fonts_depend',`
|
||||||
type fonts_t;
|
type fonts_t;
|
||||||
class dir { getattr read search };
|
|
||||||
class file { getattr read };
|
class dir { getattr read search };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -40,23 +44,24 @@ class file { getattr read };
|
|||||||
# miscfiles_read_localization(domain)
|
# miscfiles_read_localization(domain)
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_localization',`
|
define(`miscfiles_read_localization',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: $1 read etc_t:lnk_file here
|
|
||||||
# FIXME: $1 search usr_t:dir here
|
|
||||||
|
|
||||||
# why?
|
# FIXME: $1 read etc_t:lnk_file here
|
||||||
libraries_read_library_resources($1)
|
# FIXME: $1 search usr_t:dir here
|
||||||
|
allow $1 locale_t:dir { getattr read search };
|
||||||
|
allow $1 locale_t:lnk_file { getattr read };
|
||||||
|
allow $1 locale_t:file { getattr read };
|
||||||
|
|
||||||
allow $1 locale_t:dir { getattr read search };
|
# why?
|
||||||
allow $1 locale_t:lnk_file { getattr read };
|
libraries_read_library_resources($1)
|
||||||
allow $1 locale_t:file { getattr read };
|
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_localization_depend',`
|
define(`miscfiles_read_localization_depend',`
|
||||||
type locale_t;
|
type locale_t;
|
||||||
class dir { getattr read search };
|
|
||||||
class lnk_file { getattr read };
|
class dir { getattr read search };
|
||||||
class file { getattr read };
|
class lnk_file { getattr read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -64,14 +69,16 @@ class file { getattr read };
|
|||||||
# miscfiles_legacy_read_localization(domain)
|
# miscfiles_legacy_read_localization(domain)
|
||||||
#
|
#
|
||||||
define(`miscfiles_legacy_read_localization',`
|
define(`miscfiles_legacy_read_localization',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
miscfiles_read_localization($1)
|
|
||||||
allow $1 locale_t:file execute;
|
miscfiles_read_localization($1)
|
||||||
|
allow $1 locale_t:file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_localization_depend',`
|
define(`miscfiles_read_localization_depend',`
|
||||||
type locale_t;
|
type locale_t;
|
||||||
class file execute;
|
|
||||||
|
class file execute;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -79,16 +86,18 @@ class file execute;
|
|||||||
# miscfiles_read_man_pages(domain)
|
# miscfiles_read_man_pages(domain)
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_man_pages',`
|
define(`miscfiles_read_man_pages',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search usr_t dir
|
|
||||||
allow $1 man_t:dir { getattr read search };
|
# FIXME: search usr_t dir
|
||||||
allow $1 man_t:file { getattr read };
|
allow $1 man_t:dir { getattr read search };
|
||||||
allow $1 man_t:lnk_file { getattr read };
|
allow $1 man_t:file { getattr read };
|
||||||
|
allow $1 man_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`miscfiles_read_man_pages_depend',`
|
define(`miscfiles_read_man_pages_depend',`
|
||||||
type man_t;
|
type man_t;
|
||||||
class dir { getattr read search };
|
|
||||||
class file { getattr read };
|
class dir { getattr read search };
|
||||||
class lnk_file { getattr read };
|
class file { getattr read };
|
||||||
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
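Review bot: The depend block that follows `miscfiles_legacy_read_localization` is named `miscfiles_read_localization_depend` rather than `miscfiles_legacy_read_localization_depend`, so the `requires_block_template(`$0'_depend)` in the legacy interface refers to a macro that is never defined, and this second definition overrides the real `miscfiles_read_localization_depend` declared earlier in the file, which would then require only `type locale_t; class file execute;` and lose the `dir`, `lnk_file` and `file { getattr read }` declarations the non-legacy interface relies on. The fix is the one line `define(`miscfiles_legacy_read_localization_depend',`. This is pre-existing and only re-indented here, but the commit touches the block, so it is a good moment to correct it.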
|
@ -13,15 +13,17 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_read_kernel_module_dependencies',`
|
define(`modutils_read_kernel_module_dependencies',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
bootloader_list_kernel_modules($1)
|
|
||||||
allow $1 modules_dep_t:file { getattr read };
|
bootloader_list_kernel_modules($1)
|
||||||
|
allow $1 modules_dep_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_read_kernel_module_dependencies_depend',`
|
define(`modutils_read_kernel_module_dependencies_depend',`
|
||||||
type modules_dep_t;
|
type modules_dep_t;
|
||||||
class file { getattr create read write setattr unlink };
|
|
||||||
class dir { search read write add_name remove_name };
|
class file { getattr create read write setattr unlink };
|
||||||
|
class dir { search read write add_name remove_name };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -37,13 +39,15 @@ class dir { search read write add_name remove_name };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_read_kernel_module_loading_config',`
|
define(`modutils_read_kernel_module_loading_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 modules_conf_t:file { getattr read };
|
|
||||||
|
allow $1 modules_conf_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_read_kernel_module_loading_config_depend',`
|
define(`modutils_read_kernel_module_loading_config_depend',`
|
||||||
type modules_conf_t;
|
type modules_conf_t;
|
||||||
class file { getattr create read write setattr unlink };
|
|
||||||
|
class file { getattr create read write setattr unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -59,23 +63,26 @@ class file { getattr create read write setattr unlink };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_transition',`
|
define(`modutils_insmod_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 insmod_exec_t:file { getattr read execute };
|
|
||||||
allow $1 insmod_t:process transition;
|
allow $1 insmod_exec_t:file { getattr read execute };
|
||||||
type_transition $1 insmod_exec_t:process insmod_t;
|
allow $1 insmod_t:process transition;
|
||||||
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 insmod_exec_t:process insmod_t;
|
||||||
allow $1 insmod_t:fd use;
|
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
|
||||||
allow insmod_t $1:fd use;
|
|
||||||
allow insmod_t $1:fifo_file rw_file_perms;
|
allow $1 insmod_t:fd use;
|
||||||
allow insmod_t $1:process sigchld;
|
allow insmod_t $1:fd use;
|
||||||
|
allow insmod_t $1:fifo_file rw_file_perms;
|
||||||
|
allow insmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_transition_depend',`
|
define(`modutils_insmod_transition_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -99,15 +106,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_transition_add_role_use_terminal',`
|
define(`modutils_insmod_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
modutils_insmod_transition($1)
|
|
||||||
role $2 types insmod_t;
|
modutils_insmod_transition($1)
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
role $2 types insmod_t;
|
||||||
|
allow insmod_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_transition_add_role_use_terminal_depend',`
|
define(`modutils_insmod_transition_add_role_use_terminal_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -115,13 +124,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# modutils_insmod_execute(domain)
|
# modutils_insmod_execute(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_insmod_execute',`
|
define(`modutils_insmod_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_insmod_execute_depend',`
|
define(`modutils_insmod_execute_depend',`
|
||||||
type insmod_t;
|
type insmod_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -136,23 +147,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_transition',`
|
define(`modutils_depmod_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 depmod_exec_t:file { getattr read execute };
|
|
||||||
allow $1 depmod_t:process transition;
|
allow $1 depmod_exec_t:file { getattr read execute };
|
||||||
type_transition $1 depmod_exec_t:process depmod_t;
|
allow $1 depmod_t:process transition;
|
||||||
dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 depmod_exec_t:process depmod_t;
|
||||||
allow $1 depmod_t:fd use;
|
dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
|
||||||
allow depmod_t $1:fd use;
|
|
||||||
allow depmod_t $1:fifo_file rw_file_perms;
|
allow $1 depmod_t:fd use;
|
||||||
allow depmod_t $1:process sigchld;
|
allow depmod_t $1:fd use;
|
||||||
|
allow depmod_t $1:fifo_file rw_file_perms;
|
||||||
|
allow depmod_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_transition_depend',`
|
define(`modutils_depmod_transition_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -173,15 +187,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_transition_add_role_use_terminal',`
|
define(`modutils_depmod_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
modutils_depmod_transition($1)
|
|
||||||
role $2 types insmod_t;
|
modutils_depmod_transition($1)
|
||||||
allow insmod_t $3:chr_file { getattr read write ioctl };
|
role $2 types insmod_t;
|
||||||
|
allow insmod_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_transition_add_role_use_terminal_depend',`
|
define(`modutils_depmod_transition_add_role_use_terminal_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
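Review bot: `role $2 types insmod_t;` and `allow insmod_t $3:chr_file { getattr read write ioctl };` in modutils_depmod_transition_add_role_use_terminal name insmod_t, while the interface transitions the caller into depmod_t and its _depend block declares only `type depmod_t;`. As written the role is never authorized for depmod_t, so the context produced by the transition this interface sets up is invalid for that role, and the terminal access is granted to the wrong domain. The two lines should read `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`. This looks like a carry-over from the insmod interface; the start of this file is outside the view, so worth checking the earlier interfaces for the same pattern.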
@ -189,13 +205,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# modutils_depmod_execute(domain)
|
# modutils_depmod_execute(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_depmod_execute',`
|
define(`modutils_depmod_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_depmod_execute_depend',`
|
define(`modutils_depmod_execute_depend',`
|
||||||
type depmod_t;
|
type depmod_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
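Review bot: modutils_depmod_execute_depend declares `type depmod_t;` but the interface body only references depmod_exec_t, so the dependency block requires a type the interface does not use and leaves the one it does use undeclared; it should be `type depmod_exec_t;`, matching selinux_checkpolicy_execute_depend later on this page. The same mismatch is in modutils_update_modules_execute_depend (hunk @ -263,13), and modutils_update_modules_transition_depend (hunk @ -210,23) declares only update_modules_t although update_modules_exec_t is used in its type_transition, where mount_transition_depend lists both as `type mount_t, mount_exec_t;`.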
@ -210,23 +228,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_transition',`
|
define(`modutils_update_modules_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 update_modules_exec_t:file { getattr read execute };
|
|
||||||
allow $1 update_modules_t:process transition;
|
allow $1 update_modules_exec_t:file { getattr read execute };
|
||||||
type_transition $1 update_modules_exec_t:process update_modules_t;
|
allow $1 update_modules_t:process transition;
|
||||||
dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 update_modules_exec_t:process update_modules_t;
|
||||||
allow $1 update_modules_t:fd use;
|
dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
|
||||||
allow update_modules_t $1:fd use;
|
|
||||||
allow update_modules_t $1:fifo_file rw_file_perms;
|
allow $1 update_modules_t:fd use;
|
||||||
allow update_modules_t $1:process sigchld;
|
allow update_modules_t $1:fd use;
|
||||||
|
allow update_modules_t $1:fifo_file rw_file_perms;
|
||||||
|
allow update_modules_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_transition_depend',`
|
define(`modutils_update_modules_transition_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh signal };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh signal };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
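Review bot: The process class line in modutils_update_modules_transition_depend lists `signal`, but the interface body grants `allow update_modules_t $1:process sigchld;` and never uses signal, so the permission the interface actually needs is not declared in its dependencies. Change it to `class process { transition noatsecure siginh rlimitinh sigchld };`, which is the set every other `_transition_depend` block on this page uses.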
@ -247,15 +268,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_transition_add_role_use_terminal',`
|
define(`modutils_update_modules_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
modutils_update_modules_transition($1)
|
|
||||||
role $2 types update_modules_t;
|
modutils_update_modules_transition($1)
|
||||||
allow update_modules_t $3:chr_file { getattr read write ioctl };
|
role $2 types update_modules_t;
|
||||||
|
allow update_modules_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
|
define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
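Review bot: The commit message says it changes over to perm set macros, yet `allow update_modules_t $3:chr_file { getattr read write ioctl };` keeps the literal terminal permission set, as do the matching lines in the other `_add_role_use_terminal` interfaces on this page (depmod, mount, checkpolicy, load_policy, newrole, restorecon). If the support macros provide a read/write terminal perm set, using it here and in the `class chr_file` line of the _depend block would keep these interfaces in step with the `rw_file_perms` already used for fifo_file; if they do not, leaving the literal set is fine, but the commit message then overstates the change.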
@ -263,13 +286,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# modutils_update_modules_execute(domain)
|
# modutils_update_modules_execute(domain)
|
||||||
#
|
#
|
||||||
define(`modutils_update_modules_execute',`
|
define(`modutils_update_modules_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`modutils_update_modules_execute_depend',`
|
define(`modutils_update_modules_execute_depend',`
|
||||||
type update_modules_t;
|
type update_modules_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -98,7 +98,7 @@ logging_search_system_log_directory(insmod_t)
|
|||||||
miscfiles_read_localization(insmod_t)
|
miscfiles_read_localization(insmod_t)
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_transition(insmod_t)
|
mount_transition(insmod_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -108,7 +108,7 @@ allow insmod_t apm_bios_t:chr_file { read write };
|
|||||||
allow insmod_t sound_device_t:chr_file { read ioctl write };
|
allow insmod_t sound_device_t:chr_file { read ioctl write };
|
||||||
|
|
||||||
ifdef(`xserver.te', `
|
ifdef(`xserver.te', `
|
||||||
allow insmod_t xserver_log_t:file getattr;
|
allow insmod_t xserver_log_t:file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
# why is this needed? insmod cannot mounton any dir
|
# why is this needed? insmod cannot mounton any dir
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_transition',`
|
define(`mount_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 mount_exec_t:file { getattr read execute };
|
|
||||||
allow $1 mount_t:process transition;
|
allow $1 mount_exec_t:file { getattr read execute };
|
||||||
type_transition $1 mount_exec_t:process mount_t;
|
allow $1 mount_t:process transition;
|
||||||
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 mount_exec_t:process mount_t;
|
||||||
allow $1 mount_t:fd use;
|
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
|
||||||
allow mount_t $1:fd use;
|
|
||||||
allow mount_t $1:fifo_file rw_file_perms;
|
allow $1 mount_t:fd use;
|
||||||
allow mount_t $1:process sigchld;
|
allow mount_t $1:fd use;
|
||||||
|
allow mount_t $1:fifo_file rw_file_perms;
|
||||||
|
allow mount_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_transition_depend',`
|
define(`mount_transition_depend',`
|
||||||
type mount_t, mount_exec_t;
|
type mount_t, mount_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -52,15 +55,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_transition_add_role_use_terminal',`
|
define(`mount_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
mount_transition($1)
|
|
||||||
role $2 types mount_t;
|
mount_transition($1)
|
||||||
allow mount_t $3:chr_file { getattr read write ioctl };
|
role $2 types mount_t;
|
||||||
|
allow mount_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_transition_add_role_use_terminal_depend',`
|
define(`mount_transition_add_role_use_terminal_depend',`
|
||||||
type mount_t;
|
type mount_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -68,13 +73,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# mount_use_file_descriptors(domain)
|
# mount_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`mount_use_file_descriptors',`
|
define(`mount_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 mount_t:fd use;
|
|
||||||
|
allow $1 mount_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_use_file_descriptors_depend',`
|
define(`mount_use_file_descriptors_depend',`
|
||||||
type mount_t;
|
type mount_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -82,13 +89,15 @@ class fd use;
|
|||||||
# mount_send_nfs_client_request(domain)
|
# mount_send_nfs_client_request(domain)
|
||||||
#
|
#
|
||||||
define(`mount_send_nfs_client_request',`
|
define(`mount_send_nfs_client_request',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
|
|
||||||
|
allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`mount_send_nfs_client_request_depend',`
|
define(`mount_send_nfs_client_request_depend',`
|
||||||
type mount_t;
|
type mount_t;
|
||||||
class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
|
||||||
|
class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
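Review bot: `allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;` in mount_send_nfs_client_request has no braces around its permission list; the policy language accepts a bare word only for a single permission, so this rule will not compile, while the _depend block directly below writes the same set correctly. It should read `allow $1 mount_t:udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };`. Given the commit's stated purpose, this is also the obvious place for a socket perm set macro if the support macros define one.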
@ -69,37 +69,36 @@ miscfiles_read_localization(mount_t)
|
|||||||
userdomain_use_all_users_file_descriptors(mount_t)
|
userdomain_use_all_users_file_descriptors(mount_t)
|
||||||
|
|
||||||
tunable_policy(`distro_redhat',`
|
tunable_policy(`distro_redhat',`
|
||||||
filesystem_use_tmpfs_character_devices(mount_t)
|
filesystem_use_tmpfs_character_devices(mount_t)
|
||||||
allow mount_t tmpfs_t:dir mounton;
|
allow mount_t tmpfs_t:dir mounton;
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
authlogin_pam_console_read_runtime_data(mount_t)
|
authlogin_pam_console_read_runtime_data(mount_t)
|
||||||
# mount config by default sets fscontext=removable_t
|
# mount config by default sets fscontext=removable_t
|
||||||
filesystem_relabelfrom_dos_filesystem(mount_t)
|
filesystem_relabelfrom_dos_filesystem(mount_t)
|
||||||
') dnl end authlogin
|
')
|
||||||
|
')
|
||||||
') dnl end distro_redhat
|
|
||||||
|
|
||||||
optional_policy(`portmap.te', `
|
optional_policy(`portmap.te', `
|
||||||
# for nfs
|
# for nfs
|
||||||
#can_ypbind(mount_t)
|
#can_ypbind(mount_t)
|
||||||
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
|
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
|
||||||
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
|
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
|
||||||
#allow mount_t rpc_pipefs_t:dir search;
|
#allow mount_t rpc_pipefs_t:dir search;
|
||||||
corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
|
corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
|
||||||
corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
|
corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
|
||||||
corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
|
corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
|
||||||
corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
|
corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
|
||||||
corenetwork_sendrecv_raw_on_all_nodes(mount_t)
|
corenetwork_sendrecv_raw_on_all_nodes(mount_t)
|
||||||
corenetwork_sendrecv_udp_on_all_nodes(mount_t)
|
corenetwork_sendrecv_udp_on_all_nodes(mount_t)
|
||||||
corenetwork_sendrecv_tcp_on_all_ports(mount_t)
|
corenetwork_sendrecv_tcp_on_all_ports(mount_t)
|
||||||
corenetwork_sendrecv_udp_on_all_ports(mount_t)
|
corenetwork_sendrecv_udp_on_all_ports(mount_t)
|
||||||
corenetwork_bind_tcp_on_all_nodes(mount_t)
|
corenetwork_bind_tcp_on_all_nodes(mount_t)
|
||||||
corenetwork_bind_udp_on_all_nodes(mount_t)
|
corenetwork_bind_udp_on_all_nodes(mount_t)
|
||||||
corenetwork_bind_tcp_on_general_port(mount_t)
|
corenetwork_bind_tcp_on_general_port(mount_t)
|
||||||
corenetwork_bind_udp_on_general_port(mount_t)
|
corenetwork_bind_udp_on_general_port(mount_t)
|
||||||
corenetwork_bind_tcp_on_reserved_port(mount_t)
|
corenetwork_bind_tcp_on_reserved_port(mount_t)
|
||||||
corenetwork_bind_udp_on_reserved_port(mount_t)
|
corenetwork_bind_udp_on_reserved_port(mount_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition',`
|
define(`selinux_checkpolicy_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
|
||||||
allow $1 checkpolicy_t:process transition;
|
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
||||||
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
allow $1 checkpolicy_t:process transition;
|
||||||
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
||||||
allow $1 checkpolicy_t:fd use;
|
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
||||||
allow checkpolicy_t $1:fd use;
|
|
||||||
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
allow $1 checkpolicy_t:fd use;
|
||||||
allow checkpolicy_t $1:process sigchld;
|
allow checkpolicy_t $1:fd use;
|
||||||
|
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
||||||
|
allow checkpolicy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_depend',`
|
define(`selinux_checkpolicy_transition_depend',`
|
||||||
type checkpolicy_t, checkpolicy_exec_t;
|
type checkpolicy_t, checkpolicy_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
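Review bot: `class process { transition noatsecure siginh rlimitinh sigchld sigchld };` in selinux_checkpolicy_transition_depend lists sigchld twice; the duplicate carries over from the old side and should be dropped so the line matches the other `_transition_depend` blocks on this page: `class process { transition noatsecure siginh rlimitinh sigchld };`.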
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_checkpolicy_transition($1)
|
|
||||||
role $2 types checkpolicy_t;
|
selinux_checkpolicy_transition($1)
|
||||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
role $2 types checkpolicy_t;
|
||||||
|
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
||||||
type checkpolicy_t;
|
type checkpolicy_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_checkpolicy_execute(domain)
|
# selinux_checkpolicy_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_execute',`
|
define(`selinux_checkpolicy_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_execute_depend',`
|
define(`selinux_checkpolicy_execute_depend',`
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition',`
|
define(`selinux_load_policy_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read execute };
|
|
||||||
allow $1 load_policy_t:process transition;
|
allow $1 load_policy_exec_t:file { getattr read execute };
|
||||||
type_transition $1 load_policy_exec_t:process load_policy_t;
|
allow $1 load_policy_t:process transition;
|
||||||
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 load_policy_exec_t:process load_policy_t;
|
||||||
allow $1 load_policy_t:fd use;
|
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
||||||
allow load_policy_t $1:fd use;
|
|
||||||
allow load_policy_t $1:fifo_file rw_file_perms;
|
allow $1 load_policy_t:fd use;
|
||||||
allow load_policy_t $1:process sigchld;
|
allow load_policy_t $1:fd use;
|
||||||
|
allow load_policy_t $1:fifo_file rw_file_perms;
|
||||||
|
allow load_policy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_depend',`
|
define(`selinux_load_policy_transition_depend',`
|
||||||
type load_policy_t, load_policy_exec_t;
|
type load_policy_t, load_policy_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_load_policy_transition($1)
|
|
||||||
role $2 types load_policy_t;
|
selinux_load_policy_transition($1)
|
||||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
role $2 types load_policy_t;
|
||||||
|
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_load_policy_execute(domain)
|
# selinux_load_policy_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_execute',`
|
define(`selinux_load_policy_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_execute_depend',`
|
define(`selinux_load_policy_execute_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# selinux_read_load_policy_binary(domain)
|
# selinux_read_load_policy_binary(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_load_policy_binary',`
|
define(`selinux_read_load_policy_binary',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read };
|
|
||||||
|
allow $1 load_policy_exec_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_load_policy_binary_depend',`
|
define(`selinux_read_load_policy_binary_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -181,23 +197,26 @@ class file { getattr read };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_newrole_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_exec_t:file { getattr read execute };
|
|
||||||
allow $1 newrole_t:process transition;
|
allow $1 newrole_exec_t:file { getattr read execute };
|
||||||
type_transition $1 newrole_exec_t:process newrole_t;
|
allow $1 newrole_t:process transition;
|
||||||
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 newrole_exec_t:process newrole_t;
|
||||||
allow $1 newrole_t:fd use;
|
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
||||||
allow newrole_t $1:fd use;
|
|
||||||
allow newrole_t $1:fifo_file rw_file_perms;
|
allow $1 newrole_t:fd use;
|
||||||
allow newrole_t $1:process sigchld;
|
allow newrole_t $1:fd use;
|
||||||
|
allow newrole_t $1:fifo_file rw_file_perms;
|
||||||
|
allow newrole_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_depend',`
|
define(`selinux_newrole_transition_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal',`
|
define(`selinux_newrole_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_newrole_transition($1)
|
|
||||||
role $2 types newrole_t;
|
selinux_newrole_transition($1)
|
||||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
role $2 types newrole_t;
|
||||||
|
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_newrole_execute(domain)
|
# selinux_newrole_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_execute',`
|
define(`selinux_newrole_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_execute_depend',`
|
define(`selinux_newrole_execute_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_ignore_signal',`
|
define(`selinux_newrole_ignore_signal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 newrole_t:process signal;
|
|
||||||
|
dontaudit $1 newrole_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_ignore_signal_depend',`
|
define(`selinux_newrole_ignore_signal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process signal;
|
|
||||||
|
class process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -272,13 +297,15 @@ class process signal;
|
|||||||
# selinux_newrole_sigchld(domain)
|
# selinux_newrole_sigchld(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_sigchld',`
|
define(`selinux_newrole_sigchld',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_t:process sigchld;
|
|
||||||
|
allow $1 newrole_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_sigchld_depend',`
|
define(`selinux_newrole_sigchld_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process sigchld;
|
|
||||||
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -286,13 +313,15 @@ class process sigchld;
|
|||||||
# selinux_newrole_use_file_descriptors(domain)
|
# selinux_newrole_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_use_file_descriptors',`
|
define(`selinux_newrole_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_t:fd use;
|
|
||||||
|
allow $1 newrole_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_use_file_descriptors_depend',`
|
define(`selinux_newrole_use_file_descriptors_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -307,23 +336,26 @@ class fd use;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition',`
|
define(`selinux_restorecon_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 restorecon_exec_t:file { getattr read execute };
|
|
||||||
allow $1 restorecon_t:process transition;
|
allow $1 restorecon_exec_t:file { getattr read execute };
|
||||||
type_transition $1 restorecon_exec_t:process restorecon_t;
|
allow $1 restorecon_t:process transition;
|
||||||
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 restorecon_exec_t:process restorecon_t;
|
||||||
allow $1 restorecon_t:fd use;
|
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
||||||
allow restorecon_t $1:fd use;
|
|
||||||
allow restorecon_t $1:fifo_file rw_file_perms;
|
allow $1 restorecon_t:fd use;
|
||||||
allow restorecon_t $1:process sigchld;
|
allow restorecon_t $1:fd use;
|
||||||
|
allow restorecon_t $1:fifo_file rw_file_perms;
|
||||||
|
allow restorecon_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_depend',`
|
define(`selinux_restorecon_transition_depend',`
|
||||||
type restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_restorecon_transition($1)
|
|
||||||
role $2 types restorecon_t;
|
selinux_restorecon_transition($1)
|
||||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
role $2 types restorecon_t;
|
||||||
|
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
||||||
type restorecon_t;
|
type restorecon_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
|
|||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_execute_depend',`
|
define(`selinux_restorecon_execute_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition',`
|
define(`selinux_run_init_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 run_init_exec_t:file { getattr read execute };
|
|
||||||
allow $1 run_init_t:process transition;
|
allow $1 run_init_exec_t:file { getattr read execute };
|
||||||
type_transition $1 run_init_exec_t:process run_init_t;
|
allow $1 run_init_t:process transition;
|
||||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 run_init_exec_t:process run_init_t;
|
||||||
allow $1 run_init_t:fd use;
|
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||||
allow run_init_t $1:fd use;
|
|
||||||
allow run_init_t $1:fifo_file rw_file_perms;
|
allow $1 run_init_t:fd use;
|
||||||
allow run_init_t $1:process sigchld;
|
allow run_init_t $1:fd use;
|
||||||
|
allow run_init_t $1:fifo_file rw_file_perms;
|
||||||
|
allow run_init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_depend',`
|
define(`selinux_run_init_transition_depend',`
|
||||||
type run_init_t, run_init_exec_t;
|
type run_init_t, run_init_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
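Review bot: The new side of `selinux_run_init_transition` carries the same eight-rule transition body (file execute, process transition, type_transition, dontaudit, two fd rules, fifo_file, sigchld) that is repeated verbatim, with only the type names changed, in `selinux_setfiles_transition`, `selinux_checkpolicy_transition`, `selinux_load_policy_transition` and `selinux_newrole_transition` below, and the matching `_depend` blocks are copies too. Since this commit already touches every copy to reindent it, it is the moment to fold them into one file-local template that takes the domain and entry-point type and is expanded from each `selinux_*_transition`, in the same way `requires_block_template` is reused; the copies have already started to diverge in the require blocks. This is a style point about how the code is written, not a change in the granted permissions.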
@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal',`
|
define(`selinux_run_init_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_run_init_transition($1)
|
|
||||||
role $2 types run_init_t;
|
selinux_run_init_transition($1)
|
||||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
role $2 types run_init_t;
|
||||||
|
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_run_init_use_file_descriptors(domain)
|
# selinux_run_init_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_use_file_descriptors',`
|
define(`selinux_run_init_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 run_init_t:fd use;
|
|
||||||
|
allow $1 run_init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -459,23 +501,26 @@ class fd use;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition',`
|
define(`selinux_setfiles_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 setfiles_exec_t:file { getattr read execute };
|
|
||||||
allow $1 setfiles_t:process transition;
|
allow $1 setfiles_exec_t:file { getattr read execute };
|
||||||
type_transition $1 setfiles_exec_t:process setfiles_t;
|
allow $1 setfiles_t:process transition;
|
||||||
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 setfiles_exec_t:process setfiles_t;
|
||||||
allow $1 setfiles_t:fd use;
|
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
||||||
allow setfiles_t $1:fd use;
|
|
||||||
allow setfiles_t $1:fifo_file rw_file_perms;
|
allow $1 setfiles_t:fd use;
|
||||||
allow setfiles_t $1:process sigchld;
|
allow setfiles_t $1:fd use;
|
||||||
|
allow setfiles_t $1:fifo_file rw_file_perms;
|
||||||
|
allow setfiles_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_depend',`
|
define(`selinux_setfiles_transition_depend',`
|
||||||
type setfiles_t, setfiles_exec_t;
|
type setfiles_t, setfiles_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_setfiles_transition($1)
|
|
||||||
role $2 types setfiles_t;
|
selinux_setfiles_transition($1)
|
||||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
role $2 types setfiles_t;
|
||||||
|
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
||||||
type setfiles_t;
|
type setfiles_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_setfiles_execute(domain)
|
# selinux_setfiles_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_execute',`
|
define(`selinux_setfiles_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_execute_depend',`
|
define(`selinux_setfiles_execute_depend',`
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# selinux_read_config(domain)
|
# selinux_read_config(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_config',`
|
define(`selinux_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir { getattr search read };
|
|
||||||
allow $1 selinux_config_t:file { getattr read };
|
allow $1 selinux_config_t:dir { getattr search read };
|
||||||
|
allow $1 selinux_config_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_config_depend',`
|
define(`selinux_read_config_depend',`
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -544,16 +595,18 @@ class file { getattr read };
|
|||||||
# selinux_read_default_contexts(domain)
|
# selinux_read_default_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_default_contexts',`
|
define(`selinux_read_default_contexts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir search;
|
|
||||||
allow $1 default_context_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 default_context_t:file { getattr read };
|
allow $1 default_context_t:dir { getattr search read };
|
||||||
|
allow $1 default_context_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_default_contexts_depend',`
|
define(`selinux_read_default_contexts_depend',`
|
||||||
type selinux_config_t, default_context_t;
|
type selinux_config_t, default_context_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -561,16 +614,18 @@ class file { getattr read };
|
|||||||
# selinux_read_file_contexts(domain)
|
# selinux_read_file_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_file_contexts',`
|
define(`selinux_read_file_contexts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir search;
|
|
||||||
allow $1 file_context_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 file_context_t:file { getattr read };
|
allow $1 file_context_t:dir { getattr search read };
|
||||||
|
allow $1 file_context_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_file_contexts_depend',`
|
define(`selinux_read_file_contexts_depend',`
|
||||||
type selinux_config_t, file_context_t;
|
type selinux_config_t, file_context_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -578,15 +633,17 @@ class file { getattr read };
|
|||||||
# selinux_read_binary_policy(domain)
|
# selinux_read_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_binary_policy',`
|
define(`selinux_read_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:dir { getattr search read };
|
|
||||||
allow $1 policy_config_t:file { getattr read };
|
allow $1 policy_config_t:dir { getattr search read };
|
||||||
|
allow $1 policy_config_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_binary_policy_depend',`
|
define(`selinux_read_binary_policy_depend',`
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -594,17 +651,20 @@ class file { getattr read };
|
|||||||
# selinux_write_binary_policy(domain)
|
# selinux_write_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_write_binary_policy',`
|
define(`selinux_write_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
|
||||||
allow $1 policy_config_t:file { getattr create write unlink };
|
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
||||||
typeattribute $1 can_write_binary_policy;
|
allow $1 policy_config_t:file { getattr create write unlink };
|
||||||
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_write_binary_policy_depend',`
|
define(`selinux_write_binary_policy_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
type policy_config_t;
|
|
||||||
class dir { getattr search read write add_name remove_name };
|
type policy_config_t;
|
||||||
class file { getattr create write unlink };
|
|
||||||
|
class dir { getattr search read write add_name remove_name };
|
||||||
|
class file { getattr create write unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -619,15 +679,18 @@ class file { getattr create write unlink };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_relabelto_binary_policy',`
|
define(`selinux_relabelto_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:file relabelto;
|
|
||||||
typeattribute $1 can_relabelto_binary_policy;
|
allow $1 policy_config_t:file relabelto;
|
||||||
|
typeattribute $1 can_relabelto_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_relabelto_binary_policy_depend',`
|
define(`selinux_relabelto_binary_policy_depend',`
|
||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
type policy_config_t;
|
|
||||||
class file relabelto;
|
type policy_config_t;
|
||||||
|
|
||||||
|
class file relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -635,19 +698,21 @@ class file relabelto;
|
|||||||
# selinux_manage_binary_policy(domain)
|
# selinux_manage_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_binary_policy',`
|
define(`selinux_manage_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_config_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 policy_config_t:dir { getattr search read };
|
||||||
typeattribute $1 can_write_binary_policy;
|
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_binary_policy_depend',`
|
define(`selinux_manage_binary_policy_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
type selinux_config_t, policy_config_t;
|
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
type selinux_config_t, policy_config_t;
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
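Review bot: In `selinux_manage_binary_policy` the new side grants `policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename }` while the directory rule is only `allow $1 policy_config_t:dir { getattr search read };`, so creating, unlinking or renaming a file in that directory would be denied unless the caller obtains `write add_name remove_name` elsewhere — compare `selinux_write_binary_policy` in the hunk above, which pairs the same kind of file perms with `dir { getattr search read write add_name remove_name }`. The `_depend` half of this macro, by contrast, requires the full `class dir { create read getattr ... rmdir }` set that the interface never uses, so the interface and its require block disagree. Either change the dir line to `allow $1 policy_config_t:dir { getattr search read write add_name remove_name };` and cut the require down to that set, or, if full management like `selinux_manage_source_policy` is intended, grant the same dir set there; the `# FIXME: search etc_t:dir` is carried over unresolved either way.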
@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# selinux_read_source_policy(domain)
|
# selinux_read_source_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_source_policy',`
|
define(`selinux_read_source_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_src_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:file { getattr read };
|
allow $1 policy_src_t:dir { getattr search read };
|
||||||
|
allow $1 policy_src_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_source_policy_depend',`
|
define(`selinux_read_source_policy_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -673,17 +740,19 @@ class file { getattr read };
|
|||||||
# selinux_manage_source_policy(domain)
|
# selinux_manage_source_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_source_policy',`
|
define(`selinux_manage_source_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_source_policy_depend',`
|
define(`selinux_manage_source_policy_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
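Review bot: The long dir and file permission sets in `selinux_manage_source_policy` are spelled out literally twice — once in the interface body and again in `selinux_manage_source_policy_depend` — and the same strings recur in the `selinux_manage_binary_policy_depend` hunk above, so any future change has to be made in lock-step across several copies. Given the commit's stated aim of moving to perm-set macros, these are the lines that benefit most: only `rw_file_perms` has been converted so far. If this tree's perm-set support file defines `create_dir_perms` / `create_file_perms` (the strict-policy names for exactly these sets), they would replace every copy; if not, a file-local m4 define with the same expansion achieves the same single point of truth without changing what is granted.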
@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
|
|||||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
userdomain_use_all_users_file_descriptors(restorecon_t)
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_use_file_descriptors(restorecon_t)
|
hotplug_use_file_descriptors(restorecon_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
|
|||||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy',`',`
|
tunable_policy(`targeted_policy',`',`
|
||||||
allow run_init_t self:process setexec;
|
allow run_init_t self:process setexec;
|
||||||
allow run_init_t self:capability setuid;
|
allow run_init_t self:capability setuid;
|
||||||
|
|
||||||
allow run_init_t self:fifo_file { getattr read write };
|
allow run_init_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
# often the administrator runs such programs from a directory that is owned
|
||||||
# by a different user or has restrictive SE permissions, do not want to audit
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
# the failed access to the current directory
|
# the failed access to the current directory
|
||||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
devices_ignore_list_device_nodes(run_init_t)
|
||||||
|
|
||||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(run_init_t)
|
authlogin_check_password_transition(run_init_t)
|
||||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(run_init_t)
|
corecommands_execute_general_programs(run_init_t)
|
||||||
corecommands_execute_shell(run_init_t)
|
corecommands_execute_shell(run_init_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
files_read_general_system_config(run_init_t)
|
||||||
files_ignore_search_all_directories(run_init_t)
|
files_ignore_search_all_directories(run_init_t)
|
||||||
|
|
||||||
init_script_transition(run_init_t)
|
init_script_transition(run_init_t)
|
||||||
# for utmp
|
# for utmp
|
||||||
init_script_modify_runtime_data(run_init_t)
|
init_script_modify_runtime_data(run_init_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(run_init_t)
|
libraries_use_dynamic_loader(run_init_t)
|
||||||
libraries_use_shared_libraries(run_init_t)
|
libraries_use_shared_libraries(run_init_t)
|
||||||
|
|
||||||
selinux_read_config(run_init_t)
|
selinux_read_config(run_init_t)
|
||||||
selinux_read_default_contexts(run_init_t)
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
logging_send_system_log_message(run_init_t)
|
logging_send_system_log_message(run_init_t)
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
tunable_policy(`distro_gentoo', `
|
tunable_policy(`distro_gentoo', `
|
||||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
|
@ -13,23 +13,26 @@
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition',`
|
define(`selinux_checkpolicy_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
|
||||||
allow $1 checkpolicy_t:process transition;
|
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
||||||
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
allow $1 checkpolicy_t:process transition;
|
||||||
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
||||||
allow $1 checkpolicy_t:fd use;
|
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
||||||
allow checkpolicy_t $1:fd use;
|
|
||||||
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
allow $1 checkpolicy_t:fd use;
|
||||||
allow checkpolicy_t $1:process sigchld;
|
allow checkpolicy_t $1:fd use;
|
||||||
|
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
||||||
|
allow checkpolicy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_depend',`
|
define(`selinux_checkpolicy_transition_depend',`
|
||||||
type checkpolicy_t, checkpolicy_exec_t;
|
type checkpolicy_t, checkpolicy_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
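Review bot: `selinux_checkpolicy_transition_depend` is reindented but still lists `sigchld` twice in `class process { transition noatsecure siginh rlimitinh sigchld sigchld };`; the other `*_transition_depend` blocks in this commit (run_init, setfiles, load_policy, newrole) list it once. Drop the duplicate so the line reads `class process { transition noatsecure siginh rlimitinh sigchld };`. It is harmless to the compiled policy at worst, but it is the one place this require block differs from its siblings and will be copied forward the next time one of these interfaces is cloned.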
@ -53,15 +56,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_checkpolicy_transition($1)
|
|
||||||
role $2 types checkpolicy_t;
|
selinux_checkpolicy_transition($1)
|
||||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
role $2 types checkpolicy_t;
|
||||||
|
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
|
||||||
type checkpolicy_t;
|
type checkpolicy_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -69,13 +74,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_checkpolicy_execute(domain)
|
# selinux_checkpolicy_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_checkpolicy_execute',`
|
define(`selinux_checkpolicy_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_checkpolicy_execute_depend',`
|
define(`selinux_checkpolicy_execute_depend',`
|
||||||
type checkpolicy_exec_t;
|
type checkpolicy_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -90,23 +97,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition',`
|
define(`selinux_load_policy_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read execute };
|
|
||||||
allow $1 load_policy_t:process transition;
|
allow $1 load_policy_exec_t:file { getattr read execute };
|
||||||
type_transition $1 load_policy_exec_t:process load_policy_t;
|
allow $1 load_policy_t:process transition;
|
||||||
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 load_policy_exec_t:process load_policy_t;
|
||||||
allow $1 load_policy_t:fd use;
|
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
||||||
allow load_policy_t $1:fd use;
|
|
||||||
allow load_policy_t $1:fifo_file rw_file_perms;
|
allow $1 load_policy_t:fd use;
|
||||||
allow load_policy_t $1:process sigchld;
|
allow load_policy_t $1:fd use;
|
||||||
|
allow load_policy_t $1:fifo_file rw_file_perms;
|
||||||
|
allow load_policy_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_depend',`
|
define(`selinux_load_policy_transition_depend',`
|
||||||
type load_policy_t, load_policy_exec_t;
|
type load_policy_t, load_policy_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -130,15 +140,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
define(`selinux_load_policy_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_load_policy_transition($1)
|
|
||||||
role $2 types load_policy_t;
|
selinux_load_policy_transition($1)
|
||||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
role $2 types load_policy_t;
|
||||||
|
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
|
||||||
type load_policy_t;
|
type load_policy_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -146,13 +158,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_load_policy_execute(domain)
|
# selinux_load_policy_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_load_policy_execute',`
|
define(`selinux_load_policy_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_load_policy_execute_depend',`
|
define(`selinux_load_policy_execute_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -160,13 +174,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# selinux_read_load_policy_binary(domain)
|
# selinux_read_load_policy_binary(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_load_policy_binary',`
|
define(`selinux_read_load_policy_binary',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 load_policy_exec_t:file { getattr read };
|
|
||||||
|
allow $1 load_policy_exec_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_load_policy_binary_depend',`
|
define(`selinux_read_load_policy_binary_depend',`
|
||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -181,23 +197,26 @@ class file { getattr read };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition',`
|
define(`selinux_newrole_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_exec_t:file { getattr read execute };
|
|
||||||
allow $1 newrole_t:process transition;
|
allow $1 newrole_exec_t:file { getattr read execute };
|
||||||
type_transition $1 newrole_exec_t:process newrole_t;
|
allow $1 newrole_t:process transition;
|
||||||
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 newrole_exec_t:process newrole_t;
|
||||||
allow $1 newrole_t:fd use;
|
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
||||||
allow newrole_t $1:fd use;
|
|
||||||
allow newrole_t $1:fifo_file rw_file_perms;
|
allow $1 newrole_t:fd use;
|
||||||
allow newrole_t $1:process sigchld;
|
allow newrole_t $1:fd use;
|
||||||
|
allow newrole_t $1:fifo_file rw_file_perms;
|
||||||
|
allow newrole_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_depend',`
|
define(`selinux_newrole_transition_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -220,15 +239,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal',`
|
define(`selinux_newrole_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_newrole_transition($1)
|
|
||||||
role $2 types newrole_t;
|
selinux_newrole_transition($1)
|
||||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
role $2 types newrole_t;
|
||||||
|
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
define(`selinux_newrole_transition_add_role_use_terminal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -236,13 +257,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_newrole_execute(domain)
|
# selinux_newrole_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_execute',`
|
define(`selinux_newrole_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_execute_depend',`
|
define(`selinux_newrole_execute_depend',`
|
||||||
type newrole_t, newrole_exec_t;
|
type newrole_t, newrole_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -258,13 +281,15 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_ignore_signal',`
|
define(`selinux_newrole_ignore_signal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
dontaudit $1 newrole_t:process signal;
|
|
||||||
|
dontaudit $1 newrole_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_ignore_signal_depend',`
|
define(`selinux_newrole_ignore_signal_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process signal;
|
|
||||||
|
class process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -272,13 +297,15 @@ class process signal;
|
|||||||
# selinux_newrole_sigchld(domain)
|
# selinux_newrole_sigchld(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_sigchld',`
|
define(`selinux_newrole_sigchld',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_t:process sigchld;
|
|
||||||
|
allow $1 newrole_t:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_sigchld_depend',`
|
define(`selinux_newrole_sigchld_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class process sigchld;
|
|
||||||
|
class process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -286,13 +313,15 @@ class process sigchld;
|
|||||||
# selinux_newrole_use_file_descriptors(domain)
|
# selinux_newrole_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_newrole_use_file_descriptors',`
|
define(`selinux_newrole_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 newrole_t:fd use;
|
|
||||||
|
allow $1 newrole_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_newrole_use_file_descriptors_depend',`
|
define(`selinux_newrole_use_file_descriptors_depend',`
|
||||||
type newrole_t;
|
type newrole_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -307,23 +336,26 @@ class fd use;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition',`
|
define(`selinux_restorecon_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 restorecon_exec_t:file { getattr read execute };
|
|
||||||
allow $1 restorecon_t:process transition;
|
allow $1 restorecon_exec_t:file { getattr read execute };
|
||||||
type_transition $1 restorecon_exec_t:process restorecon_t;
|
allow $1 restorecon_t:process transition;
|
||||||
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 restorecon_exec_t:process restorecon_t;
|
||||||
allow $1 restorecon_t:fd use;
|
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
||||||
allow restorecon_t $1:fd use;
|
|
||||||
allow restorecon_t $1:fifo_file rw_file_perms;
|
allow $1 restorecon_t:fd use;
|
||||||
allow restorecon_t $1:process sigchld;
|
allow restorecon_t $1:fd use;
|
||||||
|
allow restorecon_t $1:fifo_file rw_file_perms;
|
||||||
|
allow restorecon_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_depend',`
|
define(`selinux_restorecon_transition_depend',`
|
||||||
type restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
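Review bot: The new `_depend` line `type restorecon_t, restorecon_exec_t;` correctly adds the domain type the body already references, but the transition body still spells out `{ getattr read execute }` on `restorecon_exec_t:file` by hand while the `fifo_file` rule in the same interface uses the `rw_file_perms` perm set, which sits oddly with a commit titled "change over to some perm set macros"; the corresponding read/execute set (`rx_file_perms`, if this policy's perm-set file defines it) would keep the allow rule and the `class file` declaration in `_depend` in step. The same hand-written list appears in `selinux_run_init_transition`, `selinux_setfiles_transition` and `sysnetwork_dhcpc_transition` further down this page. Separately, the execute interfaces are inconsistent about what they require: `selinux_restorecon_execute_depend` and `selinux_newrole_execute_depend` declare the domain type as well as the exec type although their bodies only touch `*_exec_t`, whereas `selinux_load_policy_execute_depend` and `selinux_setfiles_execute_depend` declare only the exec type. The surplus requirement presumably makes the interface unusable wherever the domain type is not in scope, so `type restorecon_exec_t;` is the tighter declaration for the execute variant.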
@ -346,15 +378,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
define(`selinux_restorecon_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_restorecon_transition($1)
|
|
||||||
role $2 types restorecon_t;
|
selinux_restorecon_transition($1)
|
||||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
role $2 types restorecon_t;
|
||||||
|
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
|
||||||
type restorecon_t;
|
type restorecon_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -367,8 +401,9 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
|
|||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_restorecon_execute_depend',`
|
define(`selinux_restorecon_execute_depend',`
|
||||||
type restorecon_t, restorecon_exec_t;
|
type restorecon_t, restorecon_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -383,23 +418,26 @@ class file { getattr read execute execute_no_trans };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition',`
|
define(`selinux_run_init_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 run_init_exec_t:file { getattr read execute };
|
|
||||||
allow $1 run_init_t:process transition;
|
allow $1 run_init_exec_t:file { getattr read execute };
|
||||||
type_transition $1 run_init_exec_t:process run_init_t;
|
allow $1 run_init_t:process transition;
|
||||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 run_init_exec_t:process run_init_t;
|
||||||
allow $1 run_init_t:fd use;
|
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||||
allow run_init_t $1:fd use;
|
|
||||||
allow run_init_t $1:fifo_file rw_file_perms;
|
allow $1 run_init_t:fd use;
|
||||||
allow run_init_t $1:process sigchld;
|
allow run_init_t $1:fd use;
|
||||||
|
allow run_init_t $1:fifo_file rw_file_perms;
|
||||||
|
allow run_init_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_depend',`
|
define(`selinux_run_init_transition_depend',`
|
||||||
type run_init_t, run_init_exec_t;
|
type run_init_t, run_init_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -422,15 +460,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal',`
|
define(`selinux_run_init_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_run_init_transition($1)
|
|
||||||
role $2 types run_init_t;
|
selinux_run_init_transition($1)
|
||||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
role $2 types run_init_t;
|
||||||
|
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
define(`selinux_run_init_transition_add_role_use_terminal_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -438,13 +478,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_run_init_use_file_descriptors(domain)
|
# selinux_run_init_use_file_descriptors(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_run_init_use_file_descriptors',`
|
define(`selinux_run_init_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 run_init_t:fd use;
|
|
||||||
|
allow $1 run_init_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_run_init_use_file_descriptors_depend',`
|
define(`selinux_run_init_use_file_descriptors_depend',`
|
||||||
type run_init_t;
|
type run_init_t;
|
||||||
class fd use;
|
|
||||||
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -459,23 +501,26 @@ class fd use;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition',`
|
define(`selinux_setfiles_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 setfiles_exec_t:file { getattr read execute };
|
|
||||||
allow $1 setfiles_t:process transition;
|
allow $1 setfiles_exec_t:file { getattr read execute };
|
||||||
type_transition $1 setfiles_exec_t:process setfiles_t;
|
allow $1 setfiles_t:process transition;
|
||||||
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 setfiles_exec_t:process setfiles_t;
|
||||||
allow $1 setfiles_t:fd use;
|
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
||||||
allow setfiles_t $1:fd use;
|
|
||||||
allow setfiles_t $1:fifo_file rw_file_perms;
|
allow $1 setfiles_t:fd use;
|
||||||
allow setfiles_t $1:process sigchld;
|
allow setfiles_t $1:fd use;
|
||||||
|
allow setfiles_t $1:fifo_file rw_file_perms;
|
||||||
|
allow setfiles_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_depend',`
|
define(`selinux_setfiles_transition_depend',`
|
||||||
type setfiles_t, setfiles_exec_t;
|
type setfiles_t, setfiles_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -498,15 +543,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
define(`selinux_setfiles_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
selinux_setfiles_transition($1)
|
|
||||||
role $2 types setfiles_t;
|
selinux_setfiles_transition($1)
|
||||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
role $2 types setfiles_t;
|
||||||
|
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
|
||||||
type setfiles_t;
|
type setfiles_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -514,13 +561,15 @@ class chr_file { getattr read write ioctl };
|
|||||||
# selinux_setfiles_execute(domain)
|
# selinux_setfiles_execute(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_setfiles_execute',`
|
define(`selinux_setfiles_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
|
||||||
|
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_setfiles_execute_depend',`
|
define(`selinux_setfiles_execute_depend',`
|
||||||
type setfiles_exec_t;
|
type setfiles_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
|
||||||
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -528,15 +577,17 @@ class file { getattr read execute execute_no_trans };
|
|||||||
# selinux_read_config(domain)
|
# selinux_read_config(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_config',`
|
define(`selinux_read_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir { getattr search read };
|
|
||||||
allow $1 selinux_config_t:file { getattr read };
|
allow $1 selinux_config_t:dir { getattr search read };
|
||||||
|
allow $1 selinux_config_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_config_depend',`
|
define(`selinux_read_config_depend',`
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -544,16 +595,18 @@ class file { getattr read };
|
|||||||
# selinux_read_default_contexts(domain)
|
# selinux_read_default_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_default_contexts',`
|
define(`selinux_read_default_contexts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir search;
|
|
||||||
allow $1 default_context_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 default_context_t:file { getattr read };
|
allow $1 default_context_t:dir { getattr search read };
|
||||||
|
allow $1 default_context_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_default_contexts_depend',`
|
define(`selinux_read_default_contexts_depend',`
|
||||||
type selinux_config_t, default_context_t;
|
type selinux_config_t, default_context_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -561,16 +614,18 @@ class file { getattr read };
|
|||||||
# selinux_read_file_contexts(domain)
|
# selinux_read_file_contexts(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_file_contexts',`
|
define(`selinux_read_file_contexts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 selinux_config_t:dir search;
|
|
||||||
allow $1 file_context_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 file_context_t:file { getattr read };
|
allow $1 file_context_t:dir { getattr search read };
|
||||||
|
allow $1 file_context_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_file_contexts_depend',`
|
define(`selinux_read_file_contexts_depend',`
|
||||||
type selinux_config_t, file_context_t;
|
type selinux_config_t, file_context_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -578,15 +633,17 @@ class file { getattr read };
|
|||||||
# selinux_read_binary_policy(domain)
|
# selinux_read_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_binary_policy',`
|
define(`selinux_read_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:dir { getattr search read };
|
|
||||||
allow $1 policy_config_t:file { getattr read };
|
allow $1 policy_config_t:dir { getattr search read };
|
||||||
|
allow $1 policy_config_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_binary_policy_depend',`
|
define(`selinux_read_binary_policy_depend',`
|
||||||
type policy_config_t;
|
type policy_config_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -594,17 +651,20 @@ class file { getattr read };
|
|||||||
# selinux_write_binary_policy(domain)
|
# selinux_write_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_write_binary_policy',`
|
define(`selinux_write_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
|
||||||
allow $1 policy_config_t:file { getattr create write unlink };
|
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
||||||
typeattribute $1 can_write_binary_policy;
|
allow $1 policy_config_t:file { getattr create write unlink };
|
||||||
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_write_binary_policy_depend',`
|
define(`selinux_write_binary_policy_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
type policy_config_t;
|
|
||||||
class dir { getattr search read write add_name remove_name };
|
type policy_config_t;
|
||||||
class file { getattr create write unlink };
|
|
||||||
|
class dir { getattr search read write add_name remove_name };
|
||||||
|
class file { getattr create write unlink };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -619,15 +679,18 @@ class file { getattr create write unlink };
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`selinux_relabelto_binary_policy',`
|
define(`selinux_relabelto_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 policy_config_t:file relabelto;
|
|
||||||
typeattribute $1 can_relabelto_binary_policy;
|
allow $1 policy_config_t:file relabelto;
|
||||||
|
typeattribute $1 can_relabelto_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_relabelto_binary_policy_depend',`
|
define(`selinux_relabelto_binary_policy_depend',`
|
||||||
attribute can_relabelto_binary_policy;
|
attribute can_relabelto_binary_policy;
|
||||||
type policy_config_t;
|
|
||||||
class file relabelto;
|
type policy_config_t;
|
||||||
|
|
||||||
|
class file relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -635,19 +698,21 @@ class file relabelto;
|
|||||||
# selinux_manage_binary_policy(domain)
|
# selinux_manage_binary_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_binary_policy',`
|
define(`selinux_manage_binary_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_config_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 policy_config_t:dir { getattr search read };
|
||||||
typeattribute $1 can_write_binary_policy;
|
allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
typeattribute $1 can_write_binary_policy;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_binary_policy_depend',`
|
define(`selinux_manage_binary_policy_depend',`
|
||||||
attribute can_write_binary_policy;
|
attribute can_write_binary_policy;
|
||||||
type selinux_config_t, policy_config_t;
|
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
type selinux_config_t, policy_config_t;
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
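Review bot: `selinux_manage_binary_policy` allows `create`, `unlink` and `rename` on `policy_config_t:file` but only `{ getattr search read }` on `policy_config_t:dir`, so creating or removing a policy file in that directory would still be denied at the directory check; the sibling `selinux_write_binary_policy` in the previous hunk grants `{ getattr search read write add_name remove_name }` on the same dir for exactly this reason. The `_depend` block meanwhile declares the full `class dir { create read getattr ... rmdir }` set, so declaration and body disagree in both directions. For the dir rule I would use `allow $1 policy_config_t:dir { getattr search read write add_name remove_name };` (or the matching dir perm set) and trim the `class dir` declaration to the permissions the body actually uses. The `# FIXME: search etc_t:dir` carried over on the new side stays unresolved; the same FIXME also sits in `selinux_read_source_policy` and `selinux_manage_source_policy` below.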
@ -655,17 +720,19 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
|||||||
# selinux_read_source_policy(domain)
|
# selinux_read_source_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_read_source_policy',`
|
define(`selinux_read_source_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_src_t:dir { getattr search read };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:file { getattr read };
|
allow $1 policy_src_t:dir { getattr search read };
|
||||||
|
allow $1 policy_src_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_read_source_policy_depend',`
|
define(`selinux_read_source_policy_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
class dir { getattr search read };
|
|
||||||
class file { getattr read };
|
class dir { getattr search read };
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -673,17 +740,19 @@ class file { getattr read };
|
|||||||
# selinux_manage_source_policy(domain)
|
# selinux_manage_source_policy(domain)
|
||||||
#
|
#
|
||||||
define(`selinux_manage_source_policy',`
|
define(`selinux_manage_source_policy',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
# FIXME: search etc_t:dir
|
|
||||||
allow $1 selinux_config_t:dir search;
|
# FIXME: search etc_t:dir
|
||||||
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`selinux_manage_source_policy_depend',`
|
define(`selinux_manage_source_policy_depend',`
|
||||||
type selinux_config_t, policy_src_t;
|
type selinux_config_t, policy_src_t;
|
||||||
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
||||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
@ -307,7 +307,7 @@ logging_send_system_log_message(restorecon_t)
|
|||||||
userdomain_use_all_users_file_descriptors(restorecon_t)
|
userdomain_use_all_users_file_descriptors(restorecon_t)
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_use_file_descriptors(restorecon_t)
|
hotplug_use_file_descriptors(restorecon_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
# relabeling rules
|
# relabeling rules
|
||||||
@ -350,54 +350,54 @@ kernel_compute_selinux_relabel_context(run_init_t)
|
|||||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||||
|
|
||||||
tunable_policy(`targeted_policy',`',`
|
tunable_policy(`targeted_policy',`',`
|
||||||
allow run_init_t self:process setexec;
|
allow run_init_t self:process setexec;
|
||||||
allow run_init_t self:capability setuid;
|
allow run_init_t self:capability setuid;
|
||||||
|
|
||||||
allow run_init_t self:fifo_file { getattr read write };
|
allow run_init_t self:fifo_file { getattr read write };
|
||||||
|
|
||||||
# often the administrator runs such programs from a directory that is owned
|
# often the administrator runs such programs from a directory that is owned
|
||||||
# by a different user or has restrictive SE permissions, do not want to audit
|
# by a different user or has restrictive SE permissions, do not want to audit
|
||||||
# the failed access to the current directory
|
# the failed access to the current directory
|
||||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
filesystem_get_persistent_filesystem_attributes(run_init_t)
|
||||||
|
|
||||||
devices_ignore_list_device_nodes(run_init_t)
|
devices_ignore_list_device_nodes(run_init_t)
|
||||||
|
|
||||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||||
|
|
||||||
authlogin_check_password_transition(run_init_t)
|
authlogin_check_password_transition(run_init_t)
|
||||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||||
|
|
||||||
corecommands_execute_general_programs(run_init_t)
|
corecommands_execute_general_programs(run_init_t)
|
||||||
corecommands_execute_shell(run_init_t)
|
corecommands_execute_shell(run_init_t)
|
||||||
|
|
||||||
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
domain_use_widely_inheritable_file_descriptors(run_init_t)
|
||||||
|
|
||||||
files_read_general_system_config(run_init_t)
|
files_read_general_system_config(run_init_t)
|
||||||
files_ignore_search_all_directories(run_init_t)
|
files_ignore_search_all_directories(run_init_t)
|
||||||
|
|
||||||
init_script_transition(run_init_t)
|
init_script_transition(run_init_t)
|
||||||
# for utmp
|
# for utmp
|
||||||
init_script_modify_runtime_data(run_init_t)
|
init_script_modify_runtime_data(run_init_t)
|
||||||
|
|
||||||
libraries_use_dynamic_loader(run_init_t)
|
libraries_use_dynamic_loader(run_init_t)
|
||||||
libraries_use_shared_libraries(run_init_t)
|
libraries_use_shared_libraries(run_init_t)
|
||||||
|
|
||||||
selinux_read_config(run_init_t)
|
selinux_read_config(run_init_t)
|
||||||
selinux_read_default_contexts(run_init_t)
|
selinux_read_default_contexts(run_init_t)
|
||||||
|
|
||||||
miscfiles_read_localization(run_init_t)
|
miscfiles_read_localization(run_init_t)
|
||||||
|
|
||||||
logging_send_system_log_message(run_init_t)
|
logging_send_system_log_message(run_init_t)
|
||||||
') dnl end ifdef targeted policy
|
') dnl end ifdef targeted policy
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
tunable_policy(`distro_gentoo', `
|
tunable_policy(`distro_gentoo', `
|
||||||
# Gentoo integrated run_init+open_init_pty-runscript:
|
# Gentoo integrated run_init+open_init_pty-runscript:
|
||||||
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
|
||||||
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
domain_make_entrypoint_file(run_init_t,initrc_exec_t)
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
|
@ -6,23 +6,26 @@
|
|||||||
# sysnetwork_dhcpc_transition(domain)
|
# sysnetwork_dhcpc_transition(domain)
|
||||||
#
|
#
|
||||||
define(`sysnetwork_dhcpc_transition',`
|
define(`sysnetwork_dhcpc_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 dhcpc_exec_t:file { getattr read execute };
|
|
||||||
allow $1 dhcpc_t:process transition;
|
allow $1 dhcpc_exec_t:file { getattr read execute };
|
||||||
type_transition $1 dhcpc_exec_t:process dhcpc_t;
|
allow $1 dhcpc_t:process transition;
|
||||||
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 dhcpc_exec_t:process dhcpc_t;
|
||||||
allow $1 dhcpc_t:fd use;
|
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
|
||||||
allow dhcpc_t $1:fd use;
|
|
||||||
allow dhcpc_t $1:fifo_file rw_file_perms;
|
allow $1 dhcpc_t:fd use;
|
||||||
allow dhcpc_t $1:process sigchld;
|
allow dhcpc_t $1:fd use;
|
||||||
|
allow dhcpc_t $1:fifo_file rw_file_perms;
|
||||||
|
allow dhcpc_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_dhcpc_transition_depend',`
|
define(`sysnetwork_dhcpc_transition_depend',`
|
||||||
type dhcpc_t, dhcpc_exec_t;
|
type dhcpc_t, dhcpc_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -37,23 +40,26 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_ifconfig_transition',`
|
define(`sysnetwork_ifconfig_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 ifconfig_exec_t:file { getattr read execute };
|
|
||||||
allow $1 ifconfig_t:process transition;
|
allow $1 ifconfig_exec_t:file { getattr read execute };
|
||||||
type_transition $1 ifconfig_exec_t:process ifconfig_t;
|
allow $1 ifconfig_t:process transition;
|
||||||
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 ifconfig_exec_t:process ifconfig_t;
|
||||||
allow $1 ifconfig_t:fd use;
|
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
|
||||||
allow ifconfig_t $1:fd use;
|
|
||||||
allow ifconfig_t $1:fifo_file rw_file_perms;
|
allow $1 ifconfig_t:fd use;
|
||||||
allow ifconfig_t $1:process sigchld;
|
allow ifconfig_t $1:fd use;
|
||||||
|
allow ifconfig_t $1:fifo_file rw_file_perms;
|
||||||
|
allow ifconfig_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_ifconfig_transition_depend',`
|
define(`sysnetwork_ifconfig_transition_depend',`
|
||||||
type ifconfig_t, ifconfig_exec_t;
|
type ifconfig_t, ifconfig_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -76,15 +82,17 @@ class fifo_file rw_file_perms;
|
|||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
|
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
sysnetwork_ifconfig_transition($1)
|
|
||||||
role $2 types ifconfig_t;
|
sysnetwork_ifconfig_transition($1)
|
||||||
allow ifconfig_t $3:chr_file { getattr read write ioctl };
|
role $2 types ifconfig_t;
|
||||||
|
allow ifconfig_t $3:chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
|
define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
|
||||||
type ifconfig_t;
|
type ifconfig_t;
|
||||||
class chr_file { getattr read write ioctl };
|
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -92,14 +100,16 @@ class chr_file { getattr read write ioctl };
|
|||||||
# sysnetwork_read_network_config(domain)
|
# sysnetwork_read_network_config(domain)
|
||||||
#
|
#
|
||||||
define(`sysnetwork_read_network_config',`
|
define(`sysnetwork_read_network_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
files_search_general_system_config_directory($1)
|
|
||||||
allow $1 net_conf_t:file { getattr read };
|
files_search_general_system_config_directory($1)
|
||||||
|
allow $1 net_conf_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`sysnetwork_read_network_config_depend',`
|
define(`sysnetwork_read_network_config_depend',`
|
||||||
type net_conf_t;
|
type net_conf_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
## </module>
|
## </module>
|
||||||
|
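Review bot: The new side of `sysnetwork_dhcpc_transition` and `sysnetwork_ifconfig_transition` still spells the exec-file permission set out literally as `allow $1 dhcpc_exec_t:file { getattr read execute };` while the fifo_file rule beside it uses `rw_file_perms`, so as far as these hunks show the transition interfaces are only re-indented and blank-line separated, not switched to a perm-set macro; the same holds for the `udev_transition` hunk further down. If the plan is to switch these to a macro later, note that any macro wider than `{ getattr read execute }` (one that also grants `ioctl` or `lock`, for example) changes what the calling domain may do with the executable, and the matching `class file { getattr read execute };` in the `_depend` block must be changed in lockstep or the requires block will no longer cover the rule. The `_depend` blocks also merge the `allow` and `dontaudit` process permissions into one hand-maintained `class process { transition noatsecure siginh rlimitinh sigchld };` line; a comment such as `# keep in sync with the allow/dontaudit rules in sysnetwork_dhcpc_transition` above each would make that coupling explicit for the next editor.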
@ -4,23 +4,26 @@
|
|||||||
# udev_transition(domain)
|
# udev_transition(domain)
|
||||||
#
|
#
|
||||||
define(`udev_transition',`
|
define(`udev_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 udev_exec_t:file { getattr read execute };
|
|
||||||
allow $1 udev_t:process transition;
|
allow $1 udev_exec_t:file { getattr read execute };
|
||||||
type_transition $1 udev_exec_t:process udev_t;
|
allow $1 udev_t:process transition;
|
||||||
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
|
type_transition $1 udev_exec_t:process udev_t;
|
||||||
allow $1 udev_t:fd use;
|
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
|
||||||
allow udev_t $1:fd use;
|
|
||||||
allow udev_t $1:fifo_file rw_file_perms;
|
allow $1 udev_t:fd use;
|
||||||
allow udev_t $1:process sigchld;
|
allow udev_t $1:fd use;
|
||||||
|
allow udev_t $1:fifo_file rw_file_perms;
|
||||||
|
allow udev_t $1:process sigchld;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_transition_depend',`
|
define(`udev_transition_depend',`
|
||||||
type udev_t, udev_exec_t;
|
type udev_t, udev_exec_t;
|
||||||
class file { getattr read execute };
|
|
||||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
class file { getattr read execute };
|
||||||
class fd use;
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||||
class fifo_file rw_file_perms;
|
class fd use;
|
||||||
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -28,13 +31,15 @@ class fifo_file rw_file_perms;
|
|||||||
# udev_read_database(domain)
|
# udev_read_database(domain)
|
||||||
#
|
#
|
||||||
define(`udev_read_database',`
|
define(`udev_read_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 udev_tdb_t:file { getattr read };
|
|
||||||
|
allow $1 udev_tdb_t:file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_read_database_depend',`
|
define(`udev_read_database_depend',`
|
||||||
type udev_tdb_t;
|
type udev_tdb_t;
|
||||||
class file { getattr read };
|
|
||||||
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -42,11 +47,13 @@ class file { getattr read };
|
|||||||
# udev_modify_database(domain)
|
# udev_modify_database(domain)
|
||||||
#
|
#
|
||||||
define(`udev_modify_database',`
|
define(`udev_modify_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
allow $1 udev_tdb_t:file { getattr read write append };
|
|
||||||
|
allow $1 udev_tdb_t:file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`udev_modify_database_depend',`
|
define(`udev_modify_database_depend',`
|
||||||
type udev_tdb_t;
|
type udev_tdb_t;
|
||||||
class file { getattr read write append };
|
|
||||||
|
class file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
@ -114,28 +114,28 @@ selinux_restorecon_transition(udev_t)
|
|||||||
sysnetwork_ifconfig_transition(udev_t)
|
sysnetwork_ifconfig_transition(udev_t)
|
||||||
|
|
||||||
tunable_policy(`distro_redhat',`
|
tunable_policy(`distro_redhat',`
|
||||||
filesystem_manage_tmpfs_block_devices(udev_t)
|
filesystem_manage_tmpfs_block_devices(udev_t)
|
||||||
filesystem_manage_tmpfs_character_devices(udev_t)
|
filesystem_manage_tmpfs_character_devices(udev_t)
|
||||||
|
|
||||||
# for arping used for static IP addresses on PCMCIA ethernet
|
# for arping used for static IP addresses on PCMCIA ethernet
|
||||||
netutils_transition(udev_t)
|
netutils_transition(udev_t)
|
||||||
') dnl end ifdef distro_redhat
|
') dnl end ifdef distro_redhat
|
||||||
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
authlogin_pam_console_read_runtime_data(udev_t)
|
authlogin_pam_console_read_runtime_data(udev_t)
|
||||||
authlogin_pam_console_transition(udev_t)
|
authlogin_pam_console_transition(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`consoletype.te',`
|
optional_policy(`consoletype.te',`
|
||||||
consoletype_execute(udev_t)
|
consoletype_execute(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hotplug.te',`
|
optional_policy(`hotplug.te',`
|
||||||
hotplug_read_config(udev_t)
|
hotplug_read_config(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_dhcpc_transition(udev_t)
|
sysnetwork_dhcpc_transition(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
@ -85,11 +85,11 @@ user_domain_template(user)
|
|||||||
|
|
||||||
# user role change rules:
|
# user role change rules:
|
||||||
define(`role_change',`
|
define(`role_change',`
|
||||||
allow $1_r $2_r;
|
allow $1_r $2_r;
|
||||||
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||||
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
||||||
# avoid annoying messages on terminal hangup
|
# avoid annoying messages on terminal hangup
|
||||||
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||||
')
|
')
|
||||||
|
|
||||||
# sysadm_r can change to user roles
|
# sysadm_r can change to user roles
|
||||||
@ -100,7 +100,7 @@ role_change(sysadm, staff)
|
|||||||
role_change(staff, sysadm)
|
role_change(staff, sysadm)
|
||||||
|
|
||||||
tunable_policy(`user_canbe_sysadm',`
|
tunable_policy(`user_canbe_sysadm',`
|
||||||
role_change(user,sysadm)
|
role_change(user,sysadm)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -119,58 +119,58 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
|||||||
allow sysadm_t userdomain:fd use;
|
allow sysadm_t userdomain:fd use;
|
||||||
|
|
||||||
optional_policy(`bootloader.te',`
|
optional_policy(`bootloader.te',`
|
||||||
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`clock.te',`
|
optional_policy(`clock.te',`
|
||||||
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`hostname.te',`
|
optional_policy(`hostname.te',`
|
||||||
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`iptables.te',`
|
optional_policy(`iptables.te',`
|
||||||
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`libraries.te',`
|
optional_policy(`libraries.te',`
|
||||||
libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`lvm.te',`
|
optional_policy(`lvm.te',`
|
||||||
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`modutils.te',`
|
optional_policy(`modutils.te',`
|
||||||
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`mount.te',`
|
optional_policy(`mount.te',`
|
||||||
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
optional_policy(`targeted_policy',`',`
|
optional_policy(`targeted_policy',`',`
|
||||||
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`sysnetwork.te',`
|
optional_policy(`sysnetwork.te',`
|
||||||
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`usermanage.te',`
|
optional_policy(`usermanage.te',`
|
||||||
usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|