renaming insanity
This commit is contained in:
Chris PeBenito
parent
24040829d0
commit
0fd9dc55cf
@ -26,18 +26,18 @@ allow consoletype_t self:unix_dgram_socket create_socket_perms;
|
||||
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow consoletype_t self:unix_dgram_socket sendto;
|
||||
allow consoletype_t self:unix_stream_socket connectto;
|
||||
allow consoletype_t self:shm rw_shm_perms;
|
||||
allow consoletype_t self:sem rw_sem_perms;
|
||||
allow consoletype_t self:msgq rw_msgq_perms;
|
||||
allow consoletype_t self:shm create_shm_perms;
|
||||
allow consoletype_t self:sem create_sem_perms;
|
||||
allow consoletype_t self:msgq create_msgq_perms;
|
||||
allow consoletype_t self:msg { send receive };
|
||||
|
||||
kernel_use_file_descriptors(consoletype_t)
|
||||
kernel_ignore_read_system_state(consoletype_t)
|
||||
kernel_use_fd(consoletype_t)
|
||||
kernel_dontaudit_read_system_state(consoletype_t)
|
||||
|
||||
fs_get_all_fs_attributes(consoletype_t)
|
||||
fs_getattr_all_fs(consoletype_t)
|
||||
|
||||
terminal_use_console(consoletype_t)
|
||||
terminal_use_general_physical_terminal(consoletype_t)
|
||||
term_use_console(consoletype_t)
|
||||
term_use_unallocated_tty(consoletype_t)
|
||||
|
||||
init_use_file_descriptors(consoletype_t)
|
||||
init_script_use_pseudoterminal(consoletype_t)
|
||||
@ -77,12 +77,12 @@ optional_policy(`ypbind.te', `
|
||||
if (allow_ypbind) {
|
||||
can_network(consoletype_t)
|
||||
r_dir_file(consoletype_t,var_yp_t)
|
||||
corenetwork_bind_tcp_on_general_port(consoletype_t)
|
||||
corenetwork_bind_udp_on_general_port(consoletype_t)
|
||||
corenetwork_bind_tcp_on_reserved_port(consoletype_t)
|
||||
corenetwork_bind_udp_on_reserved_port(consoletype_t)
|
||||
corenetwork_ignore_bind_tcp_on_all_reserved_ports(consoletype_t)
|
||||
corenetwork_ignore_bind_udp_on_all_reserved_ports(consoletype_t)
|
||||
corenet_tcp_bind_generic_port(consoletype_t)
|
||||
corenet_udp_bind_generic_port(consoletype_t)
|
||||
corenet_tcp_bind_reserved_port(consoletype_t)
|
||||
corenet_udp_bind_reserved_port(consoletype_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t)
|
||||
dontaudit consoletype_t self:capability net_bind_service;
|
||||
} else {
|
||||
dontaudit consoletype_t var_yp_t:dir search;
|
||||
|
||||
@ -27,7 +27,7 @@ kernel_read_ring_buffer(dmesg_t)
|
||||
kernel_clear_ring_buffer(dmesg_t)
|
||||
kernel_change_ring_buffer_level(dmesg_t)
|
||||
|
||||
terminal_ignore_use_console(dmesg_t)
|
||||
term_dontaudit_use_console(dmesg_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(dmesg_t)
|
||||
|
||||
@ -50,7 +50,7 @@ userdomain_use_admin_terminals(dmesg_t)
|
||||
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(dmesg_t)
|
||||
term_dontaudit_use_unallocated_tty(dmesg_t)
|
||||
terminal_ignore_use_general_pseudoterminal(dmesg_t)
|
||||
files_ignore_read_rootfs_file(dmesg_t)
|
||||
')
|
||||
|
||||
@ -46,18 +46,18 @@ allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(netutils_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(netutils_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(netutils_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(netutils_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(netutils_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(netutils_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(netutils_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(netutils_t)
|
||||
corenetwork_bind_udp_on_all_nodes(netutils_t)
|
||||
corenet_tcp_sendrecv_all_if(netutils_t)
|
||||
corenet_raw_sendrecv_all_if(netutils_t)
|
||||
corenet_udp_sendrecv_all_if(netutils_t)
|
||||
corenet_tcp_sendrecv_all_nodes(netutils_t)
|
||||
corenet_raw_sendrecv_all_nodes(netutils_t)
|
||||
corenet_udp_sendrecv_all_nodes(netutils_t)
|
||||
corenet_tcp_sendrecv_all_ports(netutils_t)
|
||||
corenet_udp_sendrecv_all_ports(netutils_t)
|
||||
corenet_tcp_bind_all_nodes(netutils_t)
|
||||
corenet_udp_bind_all_nodes(netutils_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(netutils_t)
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
init_use_file_descriptors(netutils_t)
|
||||
init_script_use_pseudoterminal(netutils_t)
|
||||
@ -104,18 +104,18 @@ allow ping_t self:tcp_socket create_socket_perms;
|
||||
allow ping_t self:udp_socket create_socket_perms;
|
||||
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(ping_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(ping_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(ping_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(ping_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(ping_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(ping_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(ping_t)
|
||||
corenetwork_bind_udp_on_all_nodes(ping_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(ping_t)
|
||||
corenet_tcp_sendrecv_all_if(ping_t)
|
||||
corenet_udp_sendrecv_all_if(ping_t)
|
||||
corenet_raw_sendrecv_all_if(ping_t)
|
||||
corenet_raw_sendrecv_all_nodes(ping_t)
|
||||
corenet_tcp_sendrecv_all_nodes(ping_t)
|
||||
corenet_udp_sendrecv_all_nodes(ping_t)
|
||||
corenet_tcp_sendrecv_all_ports(ping_t)
|
||||
corenet_udp_sendrecv_all_ports(ping_t)
|
||||
corenet_udp_bind_all_nodes(ping_t)
|
||||
corenet_tcp_bind_all_nodes(ping_t)
|
||||
|
||||
fs_ignore_get_persistent_fs_attributes(ping_t)
|
||||
fs_dontaudit_getattr_xattr_fs(ping_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(ping_t)
|
||||
|
||||
@ -130,8 +130,8 @@ sysnetwork_read_network_config(ping_t)
|
||||
logging_send_system_log_message(ping_t)
|
||||
|
||||
if (user_ping) {
|
||||
terminal_use_all_private_physical_terminals(ping_t)
|
||||
terminal_use_all_private_pseudoterminals(ping_t)
|
||||
term_use_all_user_ttys(ping_t)
|
||||
term_use_all_user_ptys(ping_t)
|
||||
}
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -162,18 +162,18 @@ allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read re
|
||||
kernel_read_system_state(traceroute_t)
|
||||
kernel_read_network_state(traceroute_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(traceroute_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(traceroute_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(traceroute_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(traceroute_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(traceroute_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(traceroute_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(traceroute_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(traceroute_t)
|
||||
corenetwork_bind_udp_on_all_nodes(traceroute_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(traceroute_t)
|
||||
corenet_tcp_sendrecv_all_if(traceroute_t)
|
||||
corenet_udp_sendrecv_all_if(traceroute_t)
|
||||
corenet_raw_sendrecv_all_if(traceroute_t)
|
||||
corenet_raw_sendrecv_all_nodes(traceroute_t)
|
||||
corenet_tcp_sendrecv_all_nodes(traceroute_t)
|
||||
corenet_udp_sendrecv_all_nodes(traceroute_t)
|
||||
corenet_tcp_sendrecv_all_ports(traceroute_t)
|
||||
corenet_udp_sendrecv_all_ports(traceroute_t)
|
||||
corenet_udp_bind_all_nodes(traceroute_t)
|
||||
corenet_tcp_bind_all_nodes(traceroute_t)
|
||||
|
||||
fs_ignore_get_persistent_fs_attributes(traceroute_t)
|
||||
fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(traceroute_t)
|
||||
|
||||
@ -193,8 +193,8 @@ devices_get_pseudorandom_data(traceroute_t)
|
||||
files_read_general_application_resources(traceroute_t)
|
||||
|
||||
if (user_ping) {
|
||||
terminal_use_all_private_physical_terminals(traceroute_t)
|
||||
terminal_use_all_private_pseudoterminals(traceroute_t)
|
||||
term_use_all_user_ttys(traceroute_t)
|
||||
term_use_all_user_ptys(traceroute_t)
|
||||
}
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -66,7 +66,7 @@ allow rpm_t self:unix_dgram_socket sendto;
|
||||
allow rpm_t self:unix_stream_socket connectto;
|
||||
allow rpm_t self:udp_socket { connect };
|
||||
allow rpm_t self:udp_socket create_socket_perms;
|
||||
allow rpm_t self:tcp_socket rw_stream_socket_perms;
|
||||
allow rpm_t self:tcp_socket create_stream_socket_perms;
|
||||
allow rpm_t self:shm create_shm_perms;
|
||||
allow rpm_t self:sem create_sem_perms;
|
||||
allow rpm_t self:msgq create_msgq_perms;
|
||||
@ -86,7 +86,7 @@ allow rpm_t rpm_tmpfs_t:file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Access /var/lib/rpm files
|
||||
allow rpm_t rpm_var_lib_t:file create_file_perms;
|
||||
@ -96,35 +96,35 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
kernel_get_selinuxfs_mount_point(rpm_t)
|
||||
kernel_validate_selinux_context(rpm_t)
|
||||
kernel_compute_selinux_access_vector(rpm_t)
|
||||
kernel_compute_selinux_create_context(rpm_t)
|
||||
kernel_compute_selinux_relabel_context(rpm_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(rpm_t)
|
||||
kernel_validate_context(rpm_t)
|
||||
kernel_compute_access_vector(rpm_t)
|
||||
kernel_compute_create_context(rpm_t)
|
||||
kernel_compute_relabel_context(rpm_t)
|
||||
kernel_compute_reachable_user_contexts(rpm_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(rpm_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(rpm_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(rpm_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(rpm_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(rpm_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(rpm_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(rpm_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(rpm_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(rpm_t)
|
||||
corenetwork_bind_udp_on_all_nodes(rpm_t)
|
||||
corenet_tcp_sendrecv_all_if(rpm_t)
|
||||
corenet_raw_sendrecv_all_if(rpm_t)
|
||||
corenet_udp_sendrecv_all_if(rpm_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rpm_t)
|
||||
corenet_raw_sendrecv_all_nodes(rpm_t)
|
||||
corenet_udp_sendrecv_all_nodes(rpm_t)
|
||||
corenet_tcp_sendrecv_all_ports(rpm_t)
|
||||
corenet_udp_sendrecv_all_ports(rpm_t)
|
||||
corenet_tcp_bind_all_nodes(rpm_t)
|
||||
corenet_udp_bind_all_nodes(rpm_t)
|
||||
|
||||
devices_get_pseudorandom_data(rpm_t)
|
||||
#devices_manage_all_device_types(rpm_t)
|
||||
|
||||
#fs_manage_nfs_dir(rpm_t)
|
||||
#fs_manage_nfs_files(rpm_t)
|
||||
fs_get_all_fs_attributes(rpm_t)
|
||||
fs_getattr_all_fs(rpm_t)
|
||||
|
||||
storage_raw_write_fixed_disk(rpm_t)
|
||||
# for installing kernel packages
|
||||
storage_raw_read_fixed_disk(rpm_t)
|
||||
|
||||
terminal_list_pseudoterminals(rpm_t)
|
||||
term_list_ptys(rpm_t)
|
||||
|
||||
authlogin_ignore_read_shadow_passwords(rpm_t)
|
||||
|
||||
@ -242,15 +242,15 @@ allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctl(rpm_script_t)
|
||||
kernel_get_selinuxfs_mount_point(rpm_script_t)
|
||||
kernel_validate_selinux_context(rpm_script_t)
|
||||
kernel_compute_selinux_access_vector(rpm_script_t)
|
||||
kernel_compute_selinux_create_context(rpm_script_t)
|
||||
kernel_compute_selinux_relabel_context(rpm_script_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
|
||||
kernel_validate_context(rpm_script_t)
|
||||
kernel_compute_access_vector(rpm_script_t)
|
||||
kernel_compute_create_context(rpm_script_t)
|
||||
kernel_compute_relabel_context(rpm_script_t)
|
||||
kernel_compute_reachable_user_contexts(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
|
||||
# ideally we would not need this
|
||||
@ -260,17 +260,17 @@ devices_manage_all_block_devices(rpm_script_t)
|
||||
devices_manage_all_character_devices(rpm_script_t)
|
||||
|
||||
fs_manage_nfs_files(rpm_script_t)
|
||||
fs_get_nfs_fs_attributes(rpm_script_t)
|
||||
fs_getattr_nfs(rpm_script_t)
|
||||
# why is this not using mount?
|
||||
fs_get_persistent_fs_attributes(rpm_script_t)
|
||||
fs_mount_persistent_fs(rpm_script_t)
|
||||
fs_unmount_persistent_fs(rpm_script_t)
|
||||
fs_getattr_xattr_fs(rpm_script_t)
|
||||
fs_mount_xattr_fs(rpm_script_t)
|
||||
fs_unmount_xattr_fs(rpm_script_t)
|
||||
|
||||
storage_raw_read_fixed_disk(rpm_script_t)
|
||||
storage_raw_write_fixed_disk(rpm_script_t)
|
||||
|
||||
terminal_get_general_physical_terminal_attributes(rpm_script_t)
|
||||
terminal_list_pseudoterminals(rpm_script_t)
|
||||
term_getattr_unallocated_ttys(rpm_script_t)
|
||||
term_list_ptys(rpm_script_t)
|
||||
|
||||
authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
|
||||
# ideally we would not need this
|
||||
@ -309,7 +309,7 @@ selinux_restorecon_transition(rpm_script_t)
|
||||
userdomain_use_all_users_file_descriptors(rpm_script_t)
|
||||
|
||||
optional_policy(`bootloader.te', `
|
||||
bootloader_transition(rpm_script_t)
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -348,11 +348,11 @@ allow sshd_t rpm_script_t:fd use;
|
||||
# really do anything useful.
|
||||
|
||||
kernel_get_selinuxfs_mount_point(rpmbuild_t)
|
||||
kernel_validate_selinux_context(rpmbuild_t)
|
||||
kernel_compute_selinux_access_vector(rpmbuild_t)
|
||||
kernel_compute_selinux_create_context(rpmbuild_t)
|
||||
kernel_compute_selinux_relabel_context(rpmbuild_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(rpmbuild_t)
|
||||
kernel_validate_context(rpmbuild_t)
|
||||
kernel_compute_access_vector(rpmbuild_t)
|
||||
kernel_compute_create_context(rpmbuild_t)
|
||||
kernel_compute_relabel_context(rpmbuild_t)
|
||||
kernel_compute_reachable_user_contexts(rpmbuild_t)
|
||||
|
||||
selinux_read_source_policy(rpmbuild_t)
|
||||
|
||||
|
||||
@ -78,7 +78,8 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
|
||||
define(`usermanage_groupadd_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_auto_trans($1,groupadd_t,groupadd_t)
|
||||
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
|
||||
|
||||
allow $1 groupadd_t:fd use;
|
||||
allow groupadd_t $1:fd use;
|
||||
allow groupadd_t $1:fifo_file rw_file_perms;
|
||||
|
||||
@ -67,8 +67,8 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
|
||||
allow chfn_t self:process { setrlimit setfscreate };
|
||||
allow chfn_t self:fd use;
|
||||
allow chfn_t self:fifo_file rw_file_perms;
|
||||
allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
|
||||
allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
|
||||
allow chfn_t self:unix_dgram_socket create_socket_perms;
|
||||
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow chfn_t self:unix_dgram_socket sendto;
|
||||
allow chfn_t self:unix_stream_socket connectto;
|
||||
allow chfn_t self:shm create_shm_perms;
|
||||
@ -78,16 +78,16 @@ allow chfn_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
kernel_get_selinuxfs_mount_point(chfn_t)
|
||||
kernel_validate_selinux_context(chfn_t)
|
||||
kernel_compute_selinux_access_vector(chfn_t)
|
||||
kernel_compute_selinux_create_context(chfn_t)
|
||||
kernel_compute_selinux_relabel_context(chfn_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(chfn_t)
|
||||
kernel_validate_context(chfn_t)
|
||||
kernel_compute_access_vector(chfn_t)
|
||||
kernel_compute_create_context(chfn_t)
|
||||
kernel_compute_relabel_context(chfn_t)
|
||||
kernel_compute_reachable_user_contexts(chfn_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(chfn_t)
|
||||
terminal_use_all_private_pseudoterminals(chfn_t)
|
||||
term_use_all_user_ttys(chfn_t)
|
||||
term_use_all_user_ptys(chfn_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(chfn_t)
|
||||
fs_getattr_xattr_fs(chfn_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(chfn_t)
|
||||
@ -163,7 +163,7 @@ kernel_read_system_state(crack_t)
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(crack_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(crack_t)
|
||||
fs_getattr_xattr_fs(crack_t)
|
||||
|
||||
files_read_general_system_config(crack_t)
|
||||
files_read_runtime_system_config(crack_t)
|
||||
@ -211,16 +211,16 @@ allow groupadd_t self:msg { send receive };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(groupadd_t)
|
||||
kernel_validate_selinux_context(groupadd_t)
|
||||
kernel_compute_selinux_access_vector(groupadd_t)
|
||||
kernel_compute_selinux_create_context(groupadd_t)
|
||||
kernel_compute_selinux_relabel_context(groupadd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(groupadd_t)
|
||||
kernel_validate_context(groupadd_t)
|
||||
kernel_compute_access_vector(groupadd_t)
|
||||
kernel_compute_create_context(groupadd_t)
|
||||
kernel_compute_relabel_context(groupadd_t)
|
||||
kernel_compute_reachable_user_contexts(groupadd_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(groupadd_t)
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(groupadd_t)
|
||||
terminal_use_all_private_pseudoterminals(groupadd_t)
|
||||
term_use_all_user_ttys(groupadd_t)
|
||||
term_use_all_user_ptys(groupadd_t)
|
||||
|
||||
init_use_file_descriptors(groupadd_t)
|
||||
init_script_read_runtime_data(groupadd_t)
|
||||
@ -282,20 +282,20 @@ allow passwd_t self:unix_dgram_socket sendto;
|
||||
allow passwd_t self:unix_stream_socket connectto;
|
||||
allow passwd_t self:shm create_shm_perms;
|
||||
allow passwd_t self:sem create_sem_perms;
|
||||
allow passwd_t self:msgq create_msgq_perm;
|
||||
allow passwd_t self:msgq create_msgq_perms;
|
||||
allow passwd_t self:msg { send receive };
|
||||
|
||||
kernel_get_selinuxfs_mount_point(passwd_t)
|
||||
kernel_validate_selinux_context(passwd_t)
|
||||
kernel_compute_selinux_access_vector(passwd_t)
|
||||
kernel_compute_selinux_create_context(passwd_t)
|
||||
kernel_compute_selinux_relabel_context(passwd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(passwd_t)
|
||||
kernel_validate_context(passwd_t)
|
||||
kernel_compute_access_vector(passwd_t)
|
||||
kernel_compute_create_context(passwd_t)
|
||||
kernel_compute_relabel_context(passwd_t)
|
||||
kernel_compute_reachable_user_contexts(passwd_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(passwd_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(passwd_t)
|
||||
fs_getattr_xattr_fs(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
@ -378,26 +378,26 @@ allow sysadm_passwd_t self:msg { send receive };
|
||||
|
||||
# allow vipw to create temporary files under /var/tmp/vi.recover
|
||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
|
||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms;
|
||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||
files_search_system_state_data_directory(sysadm_passwd_t)
|
||||
|
||||
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
|
||||
kernel_validate_selinux_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_access_vector(sysadm_passwd_t)
|
||||
kernel_compute_selinux_create_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_relabel_context(sysadm_passwd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(sysadm_passwd_t)
|
||||
kernel_validate_context(sysadm_passwd_t)
|
||||
kernel_compute_access_vector(sysadm_passwd_t)
|
||||
kernel_compute_create_context(sysadm_passwd_t)
|
||||
kernel_compute_relabel_context(sysadm_passwd_t)
|
||||
kernel_compute_reachable_user_contexts(sysadm_passwd_t)
|
||||
# for /proc/meminfo
|
||||
kernel_read_system_state(sysadm_passwd_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(sysadm_passwd_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(sysadm_passwd_t)
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(sysadm_passwd_t)
|
||||
terminal_use_all_private_pseudoterminals(sysadm_passwd_t)
|
||||
term_use_all_user_ttys(sysadm_passwd_t)
|
||||
term_use_all_user_ptys(sysadm_passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
@ -475,18 +475,18 @@ allow useradd_t self:msg { send receive };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(useradd_t)
|
||||
kernel_validate_selinux_context(useradd_t)
|
||||
kernel_compute_selinux_access_vector(useradd_t)
|
||||
kernel_compute_selinux_create_context(useradd_t)
|
||||
kernel_compute_selinux_relabel_context(useradd_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(useradd_t)
|
||||
kernel_validate_context(useradd_t)
|
||||
kernel_compute_access_vector(useradd_t)
|
||||
kernel_compute_create_context(useradd_t)
|
||||
kernel_compute_relabel_context(useradd_t)
|
||||
kernel_compute_reachable_user_contexts(useradd_t)
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctl(useradd_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(useradd_t)
|
||||
fs_getattr_xattr_fs(useradd_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(useradd_t)
|
||||
terminal_use_all_private_pseudoterminals(useradd_t)
|
||||
term_use_all_user_ttys(useradd_t)
|
||||
term_use_all_user_ptys(useradd_t)
|
||||
|
||||
init_use_file_descriptors(useradd_t)
|
||||
init_script_modify_runtime_data(useradd_t)
|
||||
|
||||
@ -65,21 +65,21 @@ define(`gpg_per_userdomain_template',`
|
||||
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
||||
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
|
||||
corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
||||
corenet_raw_sendrecv_all_if($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_if($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_gpg_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_gpg_t)
|
||||
corenet_udp_sendrecv_all_ports($1_gpg_t)
|
||||
corenet_tcp_bind_all_nodes($1_gpg_t)
|
||||
corenet_udp_bind_all_nodes($1_gpg_t)
|
||||
|
||||
devices_get_random_data($1_gpg_t)
|
||||
devices_get_pseudorandom_data($1_gpg_t)
|
||||
|
||||
fs_get_persistent_fs_attributes($1_gpg_t)
|
||||
fs_getattr_xattr_fs($1_gpg_t)
|
||||
|
||||
files_read_general_system_config($1_gpg_t)
|
||||
files_read_general_application_resources($1_gpg_t)
|
||||
@ -175,16 +175,16 @@ define(`gpg_per_userdomain_template',`
|
||||
|
||||
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
|
||||
corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
|
||||
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
|
||||
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
|
||||
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
|
||||
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
|
||||
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
||||
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
||||
|
||||
devices_get_pseudorandom_data($1_gpg_helper_t)
|
||||
|
||||
|
||||
@ -51,7 +51,7 @@ define(`bootloader_domtrans_depend',`
|
||||
define(`bootloader_run',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
bootloader_transition($1)
|
||||
bootloader_domtrans($1)
|
||||
|
||||
role $2 types bootloader_t;
|
||||
allow bootloader_t $3:chr_file rw_file_perms;
|
||||
@ -85,7 +85,7 @@ define(`bootloader_search_boot_dir_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_dontaudit_search_boot_dir">
|
||||
## <interface name="bootloader_dontaudit_search_boot">
|
||||
## <description>
|
||||
## Do not audit attempts to search the /boot directory.
|
||||
## </description>
|
||||
@ -94,13 +94,13 @@ define(`bootloader_search_boot_dir_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`bootloader_dontaudit_search_boot_dir',`
|
||||
define(`bootloader_dontaudit_search_boot',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
dontaudit $1 boot_t:dir search;
|
||||
')
|
||||
|
||||
define(`bootloader_dontaudit_search_boot_dir_depend',`
|
||||
define(`bootloader_dontaudit_search_boot_depend',`
|
||||
type boot_t;
|
||||
|
||||
class dir search;
|
||||
@ -195,7 +195,7 @@ define(`bootloader_read_kernel_symbol_table',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
allow $1 system_map_t:file f_file_perms;
|
||||
allow $1 system_map_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`bootloader_read_kernel_symbol_table_depend',`
|
||||
|
||||
@ -88,7 +88,7 @@ allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||
allow bootloader_t modules_object_t:file r_file_perms;
|
||||
allow bootloader_t modules_object_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_get_core_interface_attributes(bootloader_t)
|
||||
kernel_getattr_core(bootloader_t)
|
||||
kernel_read_system_state(bootloader_t)
|
||||
kernel_read_software_raid_state(bootloader_t)
|
||||
kernel_read_kernel_sysctl(bootloader_t)
|
||||
@ -106,9 +106,9 @@ devices_get_pseudorandom_data(bootloader_t)
|
||||
# for reading BIOS data
|
||||
devices_raw_read_memory(bootloader_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(bootloader_t)
|
||||
fs_getattr_xattr_fs(bootloader_t)
|
||||
|
||||
terminal_get_all_private_physical_terminal_attributes(bootloader_t)
|
||||
term_getattr_all_user_ttys(bootloader_t)
|
||||
|
||||
init_get_control_channel_attributes(bootloader_t)
|
||||
init_script_use_pseudoterminal(bootloader_t)
|
||||
|
||||
@ -15,7 +15,7 @@ define(`devices_make_device_node',`
|
||||
fs_associate($1)
|
||||
|
||||
optional_policy(`distro_redhat',`
|
||||
fs_tmpfs_associate($1)
|
||||
fs_associate_tmpfs($1)
|
||||
')
|
||||
')
|
||||
|
||||
@ -103,6 +103,22 @@ define(`devices_add_dev_dir_depend',`
|
||||
class dir { ra_dir_perms create };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# devices_relabel_dev_dirs(domain)
|
||||
#
|
||||
define(`devices_relabel_dev_dirs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
|
||||
')
|
||||
|
||||
define(`devices_relabel_dev_dirs_depend',`
|
||||
type device_t;
|
||||
|
||||
class dir { r_dir_perms relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# devices_ignore_get_generic_pipe_attributes(domain)
|
||||
@ -276,11 +292,11 @@ define(`devices_manage_dev_symbolic_links_depend',`
|
||||
define(`devices_manage_device_nodes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 device_t:dir create_dir_perms;
|
||||
allow $1 device_t:dir { create_dir_perms relabelfrom relabelto };
|
||||
allow $1 device_t:sock_file create_file_perms;
|
||||
allow $1 device_t:lnk_file create_lnk_perms;
|
||||
allow $1 device_t:{ chr_file blk_file } create_file_perms;
|
||||
allow $1 device_node:{ chr_file blk_file } create_file_perms;
|
||||
allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
|
||||
allow $1 device_node:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
|
||||
|
||||
# these next rules are to satisfy assertions broken by the above lines.
|
||||
# the permissions hopefully can be cut back a lot
|
||||
@ -298,11 +314,11 @@ define(`devices_manage_device_nodes_depend',`
|
||||
|
||||
type device_t;
|
||||
|
||||
class dir create_dir_perms;
|
||||
class dir { create_dir_perms relabelfrom relabelto };
|
||||
class sock_file create_file_perms;
|
||||
class lnk_file create_lnk_perms;
|
||||
class chr_file create_file_perms;
|
||||
class blk_file create_file_perms;
|
||||
class chr_file { create_file_perms relabelfrom relabelto };
|
||||
class blk_file { create_file_perms relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -369,7 +385,7 @@ define(`devices_create_dev_entry',`
|
||||
type_transition $1 device_t:$3 $2;
|
||||
|
||||
optional_policy(`distro_redhat',`
|
||||
fs_tmpfs_associate($2)
|
||||
fs_associate_tmpfs($2)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ attribute memory_raw_write;
|
||||
type device_t;
|
||||
files_make_file(device_t)
|
||||
files_make_mountpoint(device_t)
|
||||
fs_tmpfs_associate(device_t)
|
||||
fs_associate_tmpfs(device_t)
|
||||
|
||||
# Only directories and symlinks should be labeled device_t.
|
||||
# If there are other files with this type, it is wrong.
|
||||
@ -26,18 +26,18 @@ fs_tmpfs_associate(device_t)
|
||||
#
|
||||
type agp_device_t, device_node;
|
||||
fs_associate(agp_device_t)
|
||||
fs_tmpfs_associate(agp_device_t)
|
||||
fs_associate_tmpfs(agp_device_t)
|
||||
|
||||
#
|
||||
# Type for /dev/apm_bios
|
||||
#
|
||||
type apm_bios_t, device_node;
|
||||
fs_associate(apm_bios_t)
|
||||
fs_tmpfs_associate(apm_bios_t)
|
||||
fs_associate_tmpfs(apm_bios_t)
|
||||
|
||||
type cardmgr_dev_t, device_node;
|
||||
fs_associate(cardmgr_dev_t)
|
||||
fs_tmpfs_associate(cardmgr_dev_t)
|
||||
fs_associate_tmpfs(cardmgr_dev_t)
|
||||
|
||||
#
|
||||
# clock_device_t is the type of
|
||||
@ -45,36 +45,36 @@ fs_tmpfs_associate(cardmgr_dev_t)
|
||||
#
|
||||
type clock_device_t, device_node;
|
||||
fs_associate(clock_device_t)
|
||||
fs_tmpfs_associate(clock_device_t)
|
||||
fs_associate_tmpfs(clock_device_t)
|
||||
|
||||
#
|
||||
# cpu control devices /dev/cpu/0/*
|
||||
#
|
||||
type cpu_device_t, device_node;
|
||||
fs_associate(cpu_device_t)
|
||||
fs_tmpfs_associate(cpu_device_t)
|
||||
fs_associate_tmpfs(cpu_device_t)
|
||||
|
||||
type dri_device_t, device_node;
|
||||
fs_associate(dri_device_t)
|
||||
fs_tmpfs_associate(dri_device_t)
|
||||
fs_associate_tmpfs(dri_device_t)
|
||||
|
||||
type event_device_t, device_node;
|
||||
fs_associate(event_device_t)
|
||||
fs_tmpfs_associate(event_device_t)
|
||||
fs_associate_tmpfs(event_device_t)
|
||||
|
||||
#
|
||||
# Type for framebuffer /dev/fb/*
|
||||
#
|
||||
type framebuf_device_t, device_node;
|
||||
fs_associate(framebuf_device_t)
|
||||
fs_tmpfs_associate(framebuf_device_t)
|
||||
fs_associate_tmpfs(framebuf_device_t)
|
||||
|
||||
#
|
||||
# Type for /dev/mapper/control
|
||||
#
|
||||
type lvm_control_t, device_node;
|
||||
fs_associate(lvm_control_t)
|
||||
fs_tmpfs_associate(lvm_control_t)
|
||||
fs_associate_tmpfs(lvm_control_t)
|
||||
|
||||
#
|
||||
# memory_device_t is the type of /dev/kmem,
|
||||
@ -82,28 +82,28 @@ fs_tmpfs_associate(lvm_control_t)
|
||||
#
|
||||
type memory_device_t, device_node;
|
||||
fs_associate(memory_device_t)
|
||||
fs_tmpfs_associate(memory_device_t)
|
||||
fs_associate_tmpfs(memory_device_t)
|
||||
|
||||
neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
|
||||
|
||||
type misc_device_t, device_node;
|
||||
fs_associate(misc_device_t)
|
||||
fs_tmpfs_associate(misc_device_t)
|
||||
fs_associate_tmpfs(misc_device_t)
|
||||
|
||||
#
|
||||
# A more general type for mouse devices.
|
||||
#
|
||||
type mouse_device_t, device_node;
|
||||
fs_associate(mouse_device_t)
|
||||
fs_tmpfs_associate(mouse_device_t)
|
||||
fs_associate_tmpfs(mouse_device_t)
|
||||
|
||||
#
|
||||
# Type for /dev/cpu/mtrr and /proc/mtrr
|
||||
#
|
||||
type mtrr_device_t, device_node;
|
||||
fs_associate(mtrr_device_t)
|
||||
fs_tmpfs_associate(mtrr_device_t)
|
||||
fs_associate_tmpfs(mtrr_device_t)
|
||||
genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
|
||||
|
||||
#
|
||||
@ -111,7 +111,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
|
||||
#
|
||||
type null_device_t, device_node;
|
||||
fs_associate(null_device_t)
|
||||
fs_tmpfs_associate(null_device_t)
|
||||
fs_associate_tmpfs(null_device_t)
|
||||
sid devnull context_template(system_u:object_r:null_device_t,s0)
|
||||
|
||||
#
|
||||
@ -119,48 +119,48 @@ sid devnull context_template(system_u:object_r:null_device_t,s0)
|
||||
#
|
||||
type power_device_t, device_node;
|
||||
fs_associate(power_device_t)
|
||||
fs_tmpfs_associate(power_device_t)
|
||||
fs_associate_tmpfs(power_device_t)
|
||||
|
||||
type printer_device_t, device_node;
|
||||
fs_associate(printer_device_t)
|
||||
fs_tmpfs_associate(printer_device_t)
|
||||
fs_associate_tmpfs(printer_device_t)
|
||||
|
||||
#
|
||||
# random_device_t is the type of /dev/random
|
||||
#
|
||||
type random_device_t, device_node;
|
||||
fs_associate(random_device_t)
|
||||
fs_tmpfs_associate(random_device_t)
|
||||
fs_associate_tmpfs(random_device_t)
|
||||
|
||||
type scanner_device_t, device_node;
|
||||
fs_associate(scanner_device_t)
|
||||
fs_tmpfs_associate(scanner_device_t)
|
||||
fs_associate_tmpfs(scanner_device_t)
|
||||
|
||||
#
|
||||
# Type for sound devices and mixers
|
||||
#
|
||||
type sound_device_t, device_node;
|
||||
fs_associate(sound_device_t)
|
||||
fs_tmpfs_associate(sound_device_t)
|
||||
fs_associate_tmpfs(sound_device_t)
|
||||
|
||||
#
|
||||
# urandom_device_t is the type of /dev/urandom
|
||||
#
|
||||
type urandom_device_t, device_node;
|
||||
fs_associate(urandom_device_t)
|
||||
fs_tmpfs_associate(urandom_device_t)
|
||||
fs_associate_tmpfs(urandom_device_t)
|
||||
|
||||
type v4l_device_t, device_node;
|
||||
fs_associate(v4l_device_t)
|
||||
fs_tmpfs_associate(v4l_device_t)
|
||||
fs_associate_tmpfs(v4l_device_t)
|
||||
|
||||
type xserver_misc_device_t, device_node;
|
||||
fs_associate(xserver_misc_device_t)
|
||||
fs_tmpfs_associate(xserver_misc_device_t)
|
||||
fs_associate_tmpfs(xserver_misc_device_t)
|
||||
|
||||
#
|
||||
# zero_device_t is the type of /dev/zero.
|
||||
#
|
||||
type zero_device_t, device_node;
|
||||
fs_associate(zero_device_t)
|
||||
fs_tmpfs_associate(zero_device_t)
|
||||
fs_associate_tmpfs(zero_device_t)
|
||||
|
||||
@ -21,6 +21,30 @@ define(`fs_make_fs_depend',`
|
||||
attribute fs_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_make_noxattr_fs">
|
||||
## <description>
|
||||
## Transform specified type into a filesystem
|
||||
## type which does not have extended attribute
|
||||
## support.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_make_noxattr_fs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
fs_make_fs($1)
|
||||
|
||||
typeattribute $1 noxattrfs;
|
||||
')
|
||||
|
||||
define(`fs_make_noxattr_fs_depend',`
|
||||
attribute noxattrfs;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_associate">
|
||||
## <description>
|
||||
@ -183,13 +207,13 @@ define(`fs_getattr_xattr_fs_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`fs_ignore_getattr_xattr_fs',`
|
||||
define(`fs_dontaudit_getattr_xattr_fs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
dontaudit $1 fs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
define(`fs_ignore_getattr_xattr_fs_depend',`
|
||||
define(`fs_dontaudit_getattr_xattr_fs_depend',`
|
||||
type fs_t;
|
||||
|
||||
class filesystem getattr;
|
||||
@ -1521,7 +1545,7 @@ define(`fs_create_tmpfs_data',`
|
||||
')
|
||||
')
|
||||
|
||||
define(`fs_create_private_tmpfs_data_depend',`
|
||||
define(`fs_create_tmpfs_data_depend',`
|
||||
type tmpfs_t;
|
||||
|
||||
class filesystem associate;
|
||||
@ -1788,7 +1812,7 @@ define(`fs_get_all_fs_quotas_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="fs_set_all_fs_quotas">
|
||||
## <interface name="fs_set_all_quotas">
|
||||
## <description>
|
||||
## Set the quotas of all filesystems.
|
||||
## </description>
|
||||
|
||||
@ -29,7 +29,7 @@ define(`kernel_userland_entry',`
|
||||
allow $1 kernel_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`kernel_make_userland_entrypoint_depend',`
|
||||
define(`kernel_userland_entry_depend',`
|
||||
type kernel_t;
|
||||
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
@ -491,7 +491,7 @@ define(`kernel_compute_reachable_user_contexts',`
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
define(`kernel_compute_selinux_reachable_user_contexts_depend',`
|
||||
define(`kernel_compute_reachable_user_contexts_depend',`
|
||||
type security_t;
|
||||
|
||||
class dir { read search getattr };
|
||||
@ -1096,7 +1096,7 @@ define(`kernel_read_unix_sysctl_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`kernel_modify_unix_sysctl',`
|
||||
define(`kernel_rw_unix_sysctl',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -1105,7 +1105,7 @@ define(`kernel_modify_unix_sysctl',`
|
||||
allow $1 sysctl_net_unix_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_modify_net_sysctl_depend',`
|
||||
define(`kernel_rw_net_sysctl_depend',`
|
||||
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -1393,9 +1393,9 @@ define(`kernel_read_rpc_sysctl_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_rpc_sysctl(domain)
|
||||
# kernel_rw_rpc_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_rpc_sysctl',`
|
||||
define(`kernel_rw_rpc_sysctl',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
@ -1404,7 +1404,7 @@ define(`kernel_modify_rpc_sysctl',`
|
||||
allow $1 sysctl_rpc_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_modify_rpc_sysctl_depend',`
|
||||
define(`kernel_rw_rpc_sysctl_depend',`
|
||||
type proc_t, proc_net_t, sysctl_rpc_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -1423,8 +1423,8 @@ define(`kernel_modify_rpc_sysctl_depend',`
|
||||
#
|
||||
define(`kernel_read_all_sysctl',`
|
||||
kernel_read_device_sysctl($1)
|
||||
kernel_read_virtual_memory_sysctl($1)
|
||||
kernel_read_network_sysctl($1)
|
||||
kernel_read_vm_sysctl($1)
|
||||
kernel_read_net_sysctl($1)
|
||||
kernel_read_unix_sysctl($1)
|
||||
kernel_read_hotplug_sysctl($1)
|
||||
kernel_read_modprobe_sysctl($1)
|
||||
@ -1435,7 +1435,7 @@ define(`kernel_read_all_sysctl',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_modify_all_sysctl">
|
||||
## <interface name="kernel_rw_all_sysctl">
|
||||
## <description>
|
||||
## Read and write all sysctls.
|
||||
## </description>
|
||||
@ -1446,8 +1446,8 @@ define(`kernel_read_all_sysctl',`
|
||||
#
|
||||
define(`kernel_rw_all_sysctl',`
|
||||
kernel_rw_device_sysctl($1)
|
||||
kernel_rw_virtual_memory_sysctl($1)
|
||||
kernel_rw_network_sysctl($1)
|
||||
kernel_rw_vm_sysctl($1)
|
||||
kernel_rw_net_sysctl($1)
|
||||
kernel_rw_unix_sysctl($1)
|
||||
kernel_rw_hotplug_sysctl($1)
|
||||
kernel_rw_modprobe_sysctl($1)
|
||||
@ -1505,7 +1505,7 @@ define(`kernel_read_hardware_state_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="kernel_rw_hardware_state">
|
||||
## <interface name="kernel_rw_hardware_config_option">
|
||||
## <description>
|
||||
## Allow caller to modify hardware state information.
|
||||
## </description>
|
||||
|
||||
@ -67,15 +67,6 @@ files_make_mountpoint(sysfs_t)
|
||||
fs_make_fs(sysfs_t)
|
||||
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
|
||||
|
||||
#
|
||||
# usbfs_t is the type for /proc/bus/usb
|
||||
#
|
||||
type usbfs_t alias usbdevfs_t;
|
||||
files_make_mountpoint(usbfs_t)
|
||||
fs_make_fs(usbfs_t)
|
||||
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
|
||||
#
|
||||
# Procfs types
|
||||
#
|
||||
@ -153,6 +144,15 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
|
||||
type sysctl_dev_t;
|
||||
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
|
||||
|
||||
#
|
||||
# usbfs_t is the type for /proc/bus/usb
|
||||
#
|
||||
type usbfs_t alias usbdevfs_t;
|
||||
files_make_mountpoint(usbfs_t)
|
||||
fs_make_noxattr_fs(usbfs_t)
|
||||
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel local policy
|
||||
@ -197,10 +197,10 @@ auditallow kernel_t security_t:security load_policy;
|
||||
corenet_raw_sendrecv_all_if(kernel_t)
|
||||
corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
# Kernel-generated traffic e.g., TCP resets:
|
||||
corenet_raw_sendrecv_all_ifaces(kernel_t)
|
||||
corenet_raw_sendrecv_all_nodes(kernel_t)
|
||||
corenet_tcp_sendrecv_all_if(kernel_t)
|
||||
corenet_tcp_sendrecv_all_nodes(kernel_t)
|
||||
|
||||
terminal_use_console(kernel_t)
|
||||
term_use_console(kernel_t)
|
||||
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
|
||||
@ -41,7 +41,7 @@ define(`term_pty_depend',`
|
||||
define(`term_user_pty',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
termi_pty($1)
|
||||
term_pty($1)
|
||||
typeattribute $1 server_ptynode;
|
||||
')
|
||||
|
||||
@ -50,11 +50,11 @@ define(`term_user_pty_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_pty">
|
||||
## <interface name="term_tty">
|
||||
## <description>
|
||||
## Transform specified type into a tty type.
|
||||
## </description>
|
||||
## <parameter name="pty_type">
|
||||
## <parameter name="tty_type">
|
||||
## An object type that will applied to a tty.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
@ -115,7 +115,7 @@ define(`term_create_pty_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_all_terminals">
|
||||
## <interface name="term_use_all_terms">
|
||||
## <description>
|
||||
## Read and write the console, all
|
||||
## ttys and all ptys.
|
||||
@ -125,7 +125,7 @@ define(`term_create_pty_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_use_all_terminals',`
|
||||
define(`term_use_all_terms',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
@ -133,7 +133,7 @@ define(`term_use_all_terminals',`
|
||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`term_use_all_terminals_depend',`
|
||||
define(`term_use_all_terms_depend',`
|
||||
attribute ttynode, ptynode;
|
||||
|
||||
type console_device_t, devpts_t, tty_device_t;
|
||||
@ -378,17 +378,17 @@ define(`term_dontaudit_use_ptmx_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_getattr_all_ptys">
|
||||
## <interface name="term_getattr_all_user_ptys">
|
||||
## <description>
|
||||
## Get the attributes of all pty
|
||||
## device nodes.
|
||||
## Get the attributes of all user
|
||||
## pty device nodes.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_getattr_all_ptys',`
|
||||
define(`term_getattr_all_user_ptys',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
@ -462,14 +462,14 @@ define(`term_dontaudit_use_all_user_ptys_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_gettattr_unallocated_ttys',`
|
||||
define(`term_getattr_unallocated_ttys',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`term_gettattr_unallocated_ttys_depend',`
|
||||
define(`term_getattr_unallocated_ttys_depend',`
|
||||
type tty_device_t;
|
||||
|
||||
class chr_file getattr;
|
||||
@ -486,14 +486,14 @@ define(`term_gettattr_unallocated_ttys_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_settattr_unallocated_ttys',`
|
||||
define(`term_setattr_unallocated_ttys',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
define(`term_settattr_unallocated_ttys_depend',`
|
||||
define(`term_setattr_unallocated_ttys_depend',`
|
||||
type tty_device_t;
|
||||
|
||||
class chr_file setattr;
|
||||
@ -510,14 +510,14 @@ define(`term_settattr_unallocated_ttys_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_relabel_unallocated_tty',`
|
||||
define(`term_relabel_unallocated_ttys',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
define(`term_relabel_unallocated_tty_depend',`
|
||||
define(`term_relabel_unallocated_ttys_depend',`
|
||||
type tty_device_t;
|
||||
|
||||
class chr_file { relabelfrom relabelto };
|
||||
@ -550,7 +550,7 @@ define(`term_reset_tty_labels_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_write_unallocated_tty">
|
||||
## <interface name="term_write_unallocated_ttys">
|
||||
## <description>
|
||||
## Write to unallocated ttys.
|
||||
## </description>
|
||||
@ -559,14 +559,14 @@ define(`term_reset_tty_labels_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`term_write_general_tty',`
|
||||
define(`term_write_unallocated_ttys',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { getattr write };
|
||||
')
|
||||
|
||||
define(`term_write_general_tty_depend',`
|
||||
define(`term_write_unallocated_ttys_depend',`
|
||||
type tty_device_t;
|
||||
|
||||
class chr_file { getattr write };
|
||||
|
||||
@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',`
|
||||
#
|
||||
|
||||
allow $1_crond_t self:capability dac_override;
|
||||
allow $1_crond_t self:process signal_perms;
|
||||
allow $1_crond_t self:process { signal_perms setsched };
|
||||
allow $1_crond_t self:fifo_file rw_file_perms;
|
||||
allow $1_crond_t self:unix_stream_socket create_socket_perms;
|
||||
allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms;
|
||||
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
# The entrypoint interface is not used as this is not
|
||||
# a regular entrypoint. Since crontab files are
|
||||
@ -55,22 +55,22 @@ define(`cron_per_userdomain_template',`
|
||||
kernel_read_kernel_sysctl($1_crond_t)
|
||||
|
||||
# ps does not need to access /boot when run from cron
|
||||
bootloader_ignore_search_bootloader_data_directory($1_crond_t)
|
||||
bootloader_dontaudit_search_boot($1_crond_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
|
||||
corenetwork_bind_tcp_on_all_nodes($1_crond_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_if($1_crond_t)
|
||||
corenet_raw_sendrecv_all_if($1_crond_t)
|
||||
corenet_udp_sendrecv_all_if($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_crond_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_crond_t)
|
||||
corenet_udp_sendrecv_all_ports($1_crond_t)
|
||||
corenet_tcp_bind_all_nodes($1_crond_t)
|
||||
corenet_udp_bind_all_nodes($1_crond_t)
|
||||
|
||||
devices_get_pseudorandom_data($1_crond_t)
|
||||
|
||||
fs_get_all_fs_attributes($1_crond_t)
|
||||
fs_getattr_all_fs($1_crond_t)
|
||||
|
||||
domain_execute_all_entrypoint_programs($1_crond_t)
|
||||
|
||||
@ -153,7 +153,7 @@ define(`cron_per_userdomain_template',`
|
||||
|
||||
allow $1_crontab_t crond_log_t:file ra_file_perms;
|
||||
|
||||
fs_get_persistent_fs_attributes($1_crontab_t)
|
||||
fs_getattr_xattr_fs($1_crontab_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors($1_crontab_t)
|
||||
|
||||
@ -225,11 +225,11 @@ define(`cron_admin_template',`
|
||||
|
||||
# Manipulate other users crontab.
|
||||
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
||||
kernel_validate_selinux_context($1_crontab_t)
|
||||
kernel_compute_selinux_access_vector($1_crontab_t)
|
||||
kernel_compute_selinux_create_context($1_crontab_t)
|
||||
kernel_compute_selinux_relabel_context($1_crontab_t)
|
||||
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
|
||||
kernel_validate_context($1_crontab_t)
|
||||
kernel_compute_access_vector($1_crontab_t)
|
||||
kernel_compute_create_context($1_crontab_t)
|
||||
kernel_compute_relabel_context($1_crontab_t)
|
||||
kernel_compute_reachable_user_contexts($1_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
|
||||
@ -81,17 +81,17 @@ allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
kernel_read_kernel_sysctl(crond_t)
|
||||
kernel_read_hardware_state(crond_t)
|
||||
kernel_get_selinuxfs_mount_point(crond_t)
|
||||
kernel_validate_selinux_context(crond_t)
|
||||
kernel_compute_selinux_access_vector(crond_t)
|
||||
kernel_compute_selinux_create_context(crond_t)
|
||||
kernel_compute_selinux_relabel_context(crond_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(crond_t)
|
||||
kernel_validate_context(crond_t)
|
||||
kernel_compute_access_vector(crond_t)
|
||||
kernel_compute_create_context(crond_t)
|
||||
kernel_compute_relabel_context(crond_t)
|
||||
kernel_compute_reachable_user_contexts(crond_t)
|
||||
|
||||
devices_get_pseudorandom_data(crond_t)
|
||||
|
||||
fs_get_all_fs_attributes(crond_t)
|
||||
fs_getattr_all_fs(crond_t)
|
||||
|
||||
terminal_ignore_use_console(crond_t)
|
||||
term_dontaudit_use_console(crond_t)
|
||||
|
||||
# need auth_chkpwd to check for locked accounts.
|
||||
authlogin_check_password_transition(crond_t)
|
||||
@ -125,7 +125,7 @@ tunable_policy(`fcron_crond', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(crond_t)
|
||||
term_dontaudit_use_unallocated_tty(crond_t)
|
||||
terminal_ignore_use_general_pseudoterminal(crond_t)
|
||||
files_ignore_read_rootfs_file(crond_t)
|
||||
')
|
||||
@ -184,7 +184,7 @@ allow system_crond_t rpm_log_t:file create_file_perms;
|
||||
#
|
||||
|
||||
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
||||
allow system_crond_t self:process signal_perms;
|
||||
allow system_crond_t self:process { signal_perms setsched };
|
||||
allow system_crond_t self:fifo_file rw_file_perms;
|
||||
allow system_crond_t self:passwd rootok;
|
||||
|
||||
@ -215,7 +215,7 @@ allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||
files_create_private_lock_file(system_crond_t,system_crond_lock_t)
|
||||
|
||||
# write temporary files
|
||||
allow system_crond_t system_crond_tmp_t:file createfile_perms;
|
||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
|
||||
|
||||
# write temporary files in crond tmp dir:
|
||||
@ -235,25 +235,25 @@ kernel_read_system_state(system_crond_t)
|
||||
kernel_read_software_raid_state(system_crond_t)
|
||||
|
||||
# ps does not need to access /boot when run from cron
|
||||
bootloader_ignore_search_bootloader_data_directory(system_crond_t)
|
||||
bootloader_dontaudit_search_boot(system_crond_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(system_crond_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(system_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(system_crond_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(system_crond_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(system_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(system_crond_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(system_crond_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(system_crond_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(system_crond_t)
|
||||
corenetwork_bind_udp_on_all_nodes(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_if(system_crond_t)
|
||||
corenet_raw_sendrecv_all_if(system_crond_t)
|
||||
corenet_udp_sendrecv_all_if(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_raw_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_crond_t)
|
||||
corenet_tcp_sendrecv_all_ports(system_crond_t)
|
||||
corenet_udp_sendrecv_all_ports(system_crond_t)
|
||||
corenet_tcp_bind_all_nodes(system_crond_t)
|
||||
corenet_udp_bind_all_nodes(system_crond_t)
|
||||
|
||||
devices_get_all_block_device_attributes(system_crond_t)
|
||||
devices_get_all_character_device_attributes(system_crond_t)
|
||||
devices_get_pseudorandom_data(system_crond_t)
|
||||
|
||||
fs_get_all_fs_attributes(system_crond_t)
|
||||
fs_get_all_file_attributes(system_crond_t)
|
||||
fs_getattr_all_fs(system_crond_t)
|
||||
fs_getattr_all_files(system_crond_t)
|
||||
|
||||
init_use_file_descriptors(system_crond_t)
|
||||
init_script_use_file_descriptors(system_crond_t)
|
||||
@ -296,11 +296,11 @@ if (cron_can_relabel) {
|
||||
selinux_setfiles_transition(system_crond_t)
|
||||
} else {
|
||||
kernel_get_selinuxfs_mount_point(system_crond_t)
|
||||
kernel_validate_selinux_context(system_crond_t)
|
||||
kernel_compute_selinux_access_vector(system_crond_t)
|
||||
kernel_compute_selinux_create_context(system_crond_t)
|
||||
kernel_compute_selinux_relabel_context(system_crond_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
|
||||
kernel_validate_context(system_crond_t)
|
||||
kernel_compute_access_vector(system_crond_t)
|
||||
kernel_compute_create_context(system_crond_t)
|
||||
kernel_compute_relabel_context(system_crond_t)
|
||||
kernel_compute_reachable_user_contexts(system_crond_t)
|
||||
selinux_read_file_contexts(system_crond_t)
|
||||
}
|
||||
|
||||
|
||||
@ -33,8 +33,8 @@ define(`mta_per_userdomain_template',`
|
||||
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
can_exec($1_t, sendmail_exec_t)
|
||||
domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
|
||||
allow $1_t sendmail_exec_t:lnk_file { getattr read };
|
||||
|
||||
allow $1_t $1_mail_t:fd use;
|
||||
allow $1_mail_t $1_t:fd use;
|
||||
@ -43,12 +43,12 @@ define(`mta_per_userdomain_template',`
|
||||
|
||||
kernel_read_kernel_sysctl($1_mail_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
|
||||
corenetwork_bind_tcp_on_all_nodes($1_mail_t)
|
||||
corenet_tcp_sendrecv_all_if($1_mail_t)
|
||||
corenet_raw_sendrecv_all_if($1_mail_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_mail_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_mail_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
||||
corenet_tcp_bind_all_nodes($1_mail_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors($1_mail_t)
|
||||
|
||||
@ -67,10 +67,10 @@ define(`mta_per_userdomain_template',`
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1_mail_t self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_mail_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
|
||||
corenet_udp_sendrecv_all_if($1_mail_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_mail_t)
|
||||
corenet_udp_bind_all_nodes($1_mail_t)
|
||||
corenet_udp_sendrecv_dns_port($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
|
||||
@ -41,7 +41,7 @@ init_make_system_domain(system_mail_t,sendmail_exec_t)
|
||||
#
|
||||
|
||||
allow system_mail_t self:capability { setuid setgid chown };
|
||||
allow system_mail_t self:process { signal_perms setrlinit };
|
||||
allow system_mail_t self:process { signal_perms setrlimit };
|
||||
|
||||
allow system_mail_t self:tcp_socket create_socket_perms;
|
||||
|
||||
@ -53,16 +53,16 @@ kernel_read_kernel_sysctl(system_mail_t)
|
||||
kernel_read_system_state(system_mail_t)
|
||||
kernel_read_network_state(system_mail_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(system_mail_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(system_mail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(system_mail_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(system_mail_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(system_mail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(system_mail_t)
|
||||
corenet_tcp_sendrecv_all_if(system_mail_t)
|
||||
corenet_raw_sendrecv_all_if(system_mail_t)
|
||||
corenet_tcp_sendrecv_all_nodes(system_mail_t)
|
||||
corenet_raw_sendrecv_all_nodes(system_mail_t)
|
||||
corenet_tcp_bind_all_nodes(system_mail_t)
|
||||
corenet_tcp_sendrecv_all_ports(system_mail_t)
|
||||
|
||||
devices_get_pseudorandom_data(system_mail_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(system_mail_t)
|
||||
fs_getattr_xattr_fs(system_mail_t)
|
||||
|
||||
init_script_use_pseudoterminal(system_mail_t)
|
||||
|
||||
@ -84,10 +84,10 @@ sysnetwork_read_network_config(system_mail_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_mail_t self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
|
||||
corenetwork_bind_udp_on_all_nodes(system_mail_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
|
||||
corenet_udp_sendrecv_all_if(system_mail_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_mail_t)
|
||||
corenet_udp_bind_all_nodes(system_mail_t)
|
||||
corenet_udp_sendrecv_dns_port(system_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`procmail.te',`
|
||||
|
||||
@ -44,16 +44,16 @@ files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
|
||||
kernel_read_system_state(remote_login_t)
|
||||
kernel_read_kernel_sysctl(remote_login_t)
|
||||
kernel_get_selinuxfs_mount_point(remote_login_t)
|
||||
kernel_validate_selinux_context(remote_login_t)
|
||||
kernel_compute_selinux_access_vector(remote_login_t)
|
||||
kernel_compute_selinux_create_context(remote_login_t)
|
||||
kernel_compute_selinux_relabel_context(remote_login_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(remote_login_t)
|
||||
kernel_validate_context(remote_login_t)
|
||||
kernel_compute_access_vector(remote_login_t)
|
||||
kernel_compute_create_context(remote_login_t)
|
||||
kernel_compute_relabel_context(remote_login_t)
|
||||
kernel_compute_reachable_user_contexts(remote_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
devices_get_pseudorandom_data(remote_login_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(remote_login_t)
|
||||
fs_getattr_xattr_fs(remote_login_t)
|
||||
|
||||
init_script_modify_runtime_data(remote_login_t)
|
||||
|
||||
|
||||
@ -42,23 +42,23 @@ files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t)
|
||||
kernel_read_kernel_sysctl(sendmail_t)
|
||||
kernel_read_hardware_state(sendmail_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(sendmail_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(sendmail_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(sendmail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(sendmail_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(sendmail_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(sendmail_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(sendmail_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(sendmail_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(sendmail_t)
|
||||
corenetwork_bind_udp_on_all_nodes(sendmail_t)
|
||||
corenetwork_bind_tcp_on_smtp_port(sendmail_t)
|
||||
corenet_tcp_sendrecv_all_if(sendmail_t)
|
||||
corenet_raw_sendrecv_all_if(sendmail_t)
|
||||
corenet_udp_sendrecv_all_if(sendmail_t)
|
||||
corenet_tcp_sendrecv_all_nodes(sendmail_t)
|
||||
corenet_raw_sendrecv_all_nodes(sendmail_t)
|
||||
corenet_udp_sendrecv_all_nodes(sendmail_t)
|
||||
corenet_tcp_sendrecv_all_ports(sendmail_t)
|
||||
corenet_udp_sendrecv_all_ports(sendmail_t)
|
||||
corenet_tcp_bind_all_nodes(sendmail_t)
|
||||
corenet_udp_bind_all_nodes(sendmail_t)
|
||||
corenet_tcp_bind_smtp_port(sendmail_t)
|
||||
|
||||
devices_get_pseudorandom_data(sendmail_t)
|
||||
|
||||
fs_get_all_fs_attributes(sendmail_t)
|
||||
fs_getattr_all_fs(sendmail_t)
|
||||
|
||||
terminal_ignore_use_console(sendmail_t)
|
||||
term_dontaudit_use_console(sendmail_t)
|
||||
|
||||
init_use_file_descriptors(sendmail_t)
|
||||
init_script_use_pseudoterminal(sendmail_t)
|
||||
@ -89,7 +89,7 @@ mta_manage_mail_spool(sendmail_t)
|
||||
sysnetwork_read_network_config(sendmail_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(sendmail_t)
|
||||
term_dontaudit_use_unallocated_tty(sendmail_t)
|
||||
terminal_ignore_use_general_pseudoterminal(sendmail_t)
|
||||
files_ignore_read_rootfs_file(sendmail_t)
|
||||
')
|
||||
|
||||
@ -40,7 +40,7 @@ define(`authlogin_per_userdomain_template',`
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state($1_chkpwd_t)
|
||||
|
||||
fs_ignore_get_persistent_fs_attributes($1_chkpwd_t)
|
||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
|
||||
|
||||
@ -62,7 +62,7 @@ define(`authlogin_per_userdomain_template',`
|
||||
#can_ldap($1_chkpwd_t)
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t)
|
||||
domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t)
|
||||
|
||||
allow $1_chkpwd_t $1_t:fd use;
|
||||
allow $1_t $1_chkpwd_t:fd use;
|
||||
@ -78,12 +78,12 @@ define(`authlogin_per_userdomain_template',`
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1_chkpwd_t self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
|
||||
corenet_udp_sendrecv_all_if($1_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_if($1_chkpwd_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
||||
corenet_udp_bind_all_nodes($1_chkpwd_t)
|
||||
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
|
||||
sysnetwork_read_network_config($1_chkpwd_t)
|
||||
')
|
||||
|
||||
@ -207,12 +207,12 @@ define(`authlogin_check_password_transition',`
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow $1 self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1)
|
||||
corenetwork_bind_udp_on_all_nodes($1)
|
||||
corenetwork_sendrecv_udp_on_dns_port($1)
|
||||
corenet_udp_sendrecv_all_if($1)
|
||||
corenet_raw_sendrecv_all_if($1)
|
||||
corenet_udp_sendrecv_all_nodes($1)
|
||||
corenet_raw_sendrecv_all_nodes($1)
|
||||
corenet_udp_bind_all_nodes($1)
|
||||
corenet_udp_sendrecv_dns_port($1)
|
||||
sysnetwork_read_network_config($1)
|
||||
')
|
||||
')
|
||||
@ -505,7 +505,7 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
|
||||
define(`authlogin_pam_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
can_exec($1,pam_exec_file_t)
|
||||
can_exec($1,pam_exec_t)
|
||||
')
|
||||
|
||||
define(`authlogin_pam_execute_depend',`
|
||||
@ -652,7 +652,7 @@ define(`authlogin_pam_console_manage_runtime_data',`
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_console_t:dir rw_dir_perms;
|
||||
B allow $1 pam_var_console_t:file create_file_perms;
|
||||
allow $1 pam_var_console_t:file create_file_perms;
|
||||
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
|
||||
@ -93,8 +93,8 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(pam_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(pam_t)
|
||||
terminal_use_all_private_pseudoterminals(pam_t)
|
||||
term_use_all_user_ttys(pam_t)
|
||||
term_use_all_user_ptys(pam_t)
|
||||
|
||||
init_script_ignore_modify_runtime_data(pam_t)
|
||||
|
||||
@ -139,17 +139,17 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
||||
kernel_read_kernel_sysctl(pam_console_t)
|
||||
kernel_read_system_state(pam_console_t)
|
||||
kernel_read_hardware_state(pam_console_t)
|
||||
kernel_use_file_descriptors(pam_console_t)
|
||||
kernel_use_fd(pam_console_t)
|
||||
|
||||
# Allow to set attributes on /dev entries
|
||||
storage_get_fixed_disk_attributes(pam_console_t)
|
||||
storage_set_fixed_disk_attributes(pam_console_t)
|
||||
storage_get_removable_device_attributes(pam_console_t)
|
||||
storage_getattr_fixed_disk(pam_console_t)
|
||||
storage_setattr_fixed_disk(pam_console_t)
|
||||
storage_getattr_removable_device(pam_console_t)
|
||||
storage_set_removable_device_attributes(pam_console_t)
|
||||
|
||||
terminal_use_console(pam_console_t)
|
||||
terminal_get_general_physical_terminal_attributes(pam_console_t)
|
||||
terminal_set_general_physical_terminal_attributes(pam_console_t)
|
||||
term_use_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
term_setattr_unallocated_ttys(pam_console_t)
|
||||
|
||||
init_use_file_descriptors(pam_console_t)
|
||||
init_use_file_descriptors(pam_console_t)
|
||||
@ -175,7 +175,7 @@ ifdef(`direct_sysadm_daemon', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(pam_console_t)
|
||||
term_dontaudit_use_unallocated_tty(pam_console_t)
|
||||
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
||||
files_ignore_read_rootfs_file(pam_console_t)
|
||||
')
|
||||
@ -236,9 +236,9 @@ allow system_chkpwd_t shadow_t:file { getattr read };
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state(system_chkpwd_t)
|
||||
|
||||
fs_ignore_get_persistent_fs_attributes(system_chkpwd_t)
|
||||
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
|
||||
|
||||
terminal_use_general_physical_terminal(system_chkpwd_t)
|
||||
term_use_unallocated_tty(system_chkpwd_t)
|
||||
|
||||
files_read_general_system_config(system_chkpwd_t)
|
||||
# for nscd
|
||||
@ -255,12 +255,12 @@ selinux_read_config(system_chkpwd_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
|
||||
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
|
||||
corenet_udp_sendrecv_all_if(system_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
||||
corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
|
||||
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
||||
corenet_udp_bind_all_nodes(system_chkpwd_t)
|
||||
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
|
||||
sysnetwork_read_network_config(system_chkpwd_t)
|
||||
')
|
||||
|
||||
@ -278,15 +278,15 @@ dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
||||
#
|
||||
|
||||
allow utempter_t self:capability setgid;
|
||||
allow utempter_t self:unix_stream_socket rw_stream_socket_perms;
|
||||
allow utempter_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow utempter_t wtmp_t:file rw_file_perms;
|
||||
|
||||
terminal_get_all_private_physical_terminal_attributes(utempter_t)
|
||||
terminal_get_all_private_pseudoterminal_attributes(utempter_t)
|
||||
terminal_ignore_use_all_private_physical_terminals(utempter_t)
|
||||
terminal_ignore_use_all_private_pseudoterminals(utempter_t)
|
||||
terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
|
||||
term_getattr_all_user_ttys(utempter_t)
|
||||
term_getattr_all_user_ptys(utempter_t)
|
||||
term_dontaudit_use_all_user_ttys(utempter_t)
|
||||
term_dontaudit_use_all_user_ptys(utempter_t)
|
||||
term_dontaudit_use_ptmx(utempter_t)
|
||||
|
||||
init_script_modify_runtime_data(utempter_t)
|
||||
|
||||
|
||||
@ -34,12 +34,12 @@ kernel_read_hardware_state(hwclock_t)
|
||||
|
||||
devices_modify_realtime_clock(hwclock_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(hwclock_t)
|
||||
fs_getattr_xattr_fs(hwclock_t)
|
||||
|
||||
terminal_ignore_use_console(hwclock_t)
|
||||
terminal_use_general_physical_terminal(hwclock_t)
|
||||
terminal_use_all_private_physical_terminals(hwclock_t)
|
||||
terminal_use_all_private_pseudoterminals(hwclock_t)
|
||||
term_dontaudit_use_console(hwclock_t)
|
||||
term_use_unallocated_tty(hwclock_t)
|
||||
term_use_all_user_ttys(hwclock_t)
|
||||
term_use_all_user_ptys(hwclock_t)
|
||||
|
||||
init_use_file_descriptors(hwclock_t)
|
||||
init_script_use_pseudoterminal(hwclock_t)
|
||||
@ -58,7 +58,7 @@ logging_send_system_log_message(hwclock_t)
|
||||
miscfiles_read_localization(hwclock_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(hwclock_t)
|
||||
term_dontaudit_use_unallocated_tty(hwclock_t)
|
||||
terminal_ignore_use_general_pseudoterminal(hwclock_t)
|
||||
files_ignore_read_rootfs_file(hwclock_t)
|
||||
')
|
||||
|
||||
@ -200,9 +200,8 @@ define(`corecommands_shell_explicit_transition',`
|
||||
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file r_file_perms;
|
||||
allow $1 shell_exec_t:file rx_file_perms
|
||||
allow $1 $2:process transition;
|
||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||
|
||||
domain_trans($1,shell_exec_t,$2)
|
||||
|
||||
allow $1 $2:fd use;
|
||||
allow $2 $1:fd use;
|
||||
|
||||
@ -38,7 +38,7 @@ define(`domain_make_domain',`
|
||||
# Use trusted objects in /dev
|
||||
devices_use_dev_null($1)
|
||||
devices_use_dev_zero($1)
|
||||
terminal_use_controlling_terminal($1)
|
||||
term_use_controlling_term($1)
|
||||
|
||||
# read the root directory
|
||||
files_read_root_dir($1)
|
||||
|
||||
@ -9,7 +9,7 @@ define(`files_make_file',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
fs_associate($1)
|
||||
fs_noxattr_associate($1)
|
||||
fs_associate_noxattr($1)
|
||||
typeattribute $1 file_type;
|
||||
')
|
||||
|
||||
@ -92,7 +92,7 @@ define(`files_make_tmpfs_file',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
files_make_file($1)
|
||||
fs_tmpfs_associate($1)
|
||||
fs_associate_tmpfs($1)
|
||||
typeattribute $1 tmpfsfile;
|
||||
')
|
||||
|
||||
@ -938,7 +938,7 @@ define(`files_manage_pseudorandom_saved_seed',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lib_t:dir rw_file_perms;
|
||||
allow $1 var_lib_t:dir rw_dir_perms;
|
||||
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
@ -992,7 +992,7 @@ define(`files_manage_system_lock_files_depend',`
|
||||
define(`files_remove_all_lock_files',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 lockfile:dir rw_file_perms;
|
||||
allow $1 lockfile:dir rw_dir_perms;
|
||||
allow $1 lockfile:file { getattr unlink };
|
||||
')
|
||||
|
||||
@ -1271,15 +1271,15 @@ define(`files_manage_system_spools',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_spool_t:dir rw_file_perms;
|
||||
allow $1 var_spool_t:file { getattr create read write append unlink setattr };
|
||||
allow $1 var_spool_t:dir rw_dir_perms;
|
||||
allow $1 var_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
define(`files_manage_system_spools_depend',`
|
||||
type var_t, var_spool_t;
|
||||
|
||||
class dir rw_file_perms;
|
||||
class file { getattr create read write append unlink setattr };
|
||||
class dir rw_dir_perms;
|
||||
class file create_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
||||
@ -13,14 +13,14 @@ attribute tmpfsfile;
|
||||
# other than the generic /.* specification.
|
||||
type default_t, file_type, mountpoint;
|
||||
fs_associate(default_t)
|
||||
fs_noxattr_associate(default_t)
|
||||
fs_associate_noxattr(default_t)
|
||||
|
||||
#
|
||||
# etc_t is the type of the system etc directories.
|
||||
#
|
||||
type etc_t, file_type;
|
||||
fs_associate(etc_t)
|
||||
fs_noxattr_associate(etc_t)
|
||||
fs_associate_noxattr(etc_t)
|
||||
|
||||
#
|
||||
# etc_runtime_t is the type of various
|
||||
@ -29,7 +29,7 @@ fs_noxattr_associate(etc_t)
|
||||
#
|
||||
type etc_runtime_t, file_type;
|
||||
fs_associate(etc_runtime_t)
|
||||
fs_noxattr_associate(etc_runtime_t)
|
||||
fs_associate_noxattr(etc_runtime_t)
|
||||
|
||||
#
|
||||
# file_t is the default type of a file that has not yet been
|
||||
@ -38,8 +38,8 @@ fs_noxattr_associate(etc_runtime_t)
|
||||
#
|
||||
type file_t, file_type, mountpoint;
|
||||
fs_associate(file_t)
|
||||
fs_noxattr_associate(file_t)
|
||||
kernel_make_root_fs_mountpoint(file_t)
|
||||
fs_associate_noxattr(file_t)
|
||||
kernel_rootfs_mountpoint(file_t)
|
||||
sid file context_template(system_u:object_r:file_t,s0)
|
||||
|
||||
#
|
||||
@ -48,41 +48,41 @@ sid file context_template(system_u:object_r:file_t,s0)
|
||||
#
|
||||
type home_root_t, file_type, mountpoint;
|
||||
fs_associate(home_root_t)
|
||||
fs_noxattr_associate(home_root_t)
|
||||
fs_associate_noxattr(home_root_t)
|
||||
|
||||
#
|
||||
# lost_found_t is the type for the lost+found directories.
|
||||
#
|
||||
type lost_found_t, file_type;
|
||||
fs_associate(lost_found_t)
|
||||
fs_noxattr_associate(lost_found_t)
|
||||
fs_associate_noxattr(lost_found_t)
|
||||
|
||||
#
|
||||
# mnt_t is the type for mount points such as /mnt/cdrom
|
||||
#
|
||||
type mnt_t, file_type, mountpoint;
|
||||
fs_associate(mnt_t)
|
||||
fs_noxattr_associate(mnt_t)
|
||||
fs_associate_noxattr(mnt_t)
|
||||
|
||||
type no_access_t, file_type;
|
||||
fs_associate(no_access_t)
|
||||
fs_noxattr_associate(no_access_t)
|
||||
fs_associate_noxattr(no_access_t)
|
||||
|
||||
type poly_t, file_type;
|
||||
fs_associate(poly_t)
|
||||
fs_noxattr_associate(poly_t)
|
||||
fs_associate_noxattr(poly_t)
|
||||
|
||||
type readable_t, file_type;
|
||||
fs_associate(readable_t)
|
||||
fs_noxattr_associate(readable_t)
|
||||
fs_associate_noxattr(readable_t)
|
||||
|
||||
#
|
||||
# root_t is the type for rootfs and the root directory.
|
||||
#
|
||||
type root_t, file_type, mountpoint;
|
||||
fs_associate(root_t)
|
||||
fs_noxattr_associate(root_t)
|
||||
kernel_make_root_fs_mountpoint(root_t)
|
||||
fs_associate_noxattr(root_t)
|
||||
kernel_rootfs_mountpoint(root_t)
|
||||
genfscon rootfs / context_template(system_u:object_r:root_t,s0)
|
||||
|
||||
#
|
||||
@ -90,42 +90,42 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0)
|
||||
#
|
||||
type src_t, file_type;
|
||||
fs_associate(src_t)
|
||||
fs_noxattr_associate(src_t)
|
||||
fs_associate_noxattr(src_t)
|
||||
|
||||
#
|
||||
# tmp_t is the type of the temporary directories
|
||||
#
|
||||
type tmp_t, file_type, tmpfile, mountpoint;
|
||||
fs_associate(tmp_t)
|
||||
fs_noxattr_associate(tmp_t)
|
||||
fs_associate_noxattr(tmp_t)
|
||||
|
||||
#
|
||||
# usr_t is the type for /usr.
|
||||
#
|
||||
type usr_t, file_type, mountpoint;
|
||||
fs_associate(usr_t)
|
||||
fs_noxattr_associate(usr_t)
|
||||
fs_associate_noxattr(usr_t)
|
||||
|
||||
#
|
||||
# var_t is the type of /var
|
||||
#
|
||||
type var_t, file_type, mountpoint;
|
||||
fs_associate(var_t)
|
||||
fs_noxattr_associate(var_t)
|
||||
fs_associate_noxattr(var_t)
|
||||
|
||||
#
|
||||
# var_lib_t is the type of /var/lib
|
||||
#
|
||||
type var_lib_t, file_type;
|
||||
fs_associate(var_lib_t)
|
||||
fs_noxattr_associate(var_lib_t)
|
||||
fs_associate_noxattr(var_lib_t)
|
||||
|
||||
#
|
||||
# var_lock_t is tye type of /var/lock
|
||||
#
|
||||
type var_lock_t, file_type, lockfile;
|
||||
fs_associate(var_lock_t)
|
||||
fs_noxattr_associate(var_lock_t)
|
||||
fs_associate_noxattr(var_lock_t)
|
||||
|
||||
#
|
||||
# var_run_t is the type of /var/run, usually
|
||||
@ -133,11 +133,11 @@ fs_noxattr_associate(var_lock_t)
|
||||
#
|
||||
type var_run_t, file_type, pidfile;
|
||||
fs_associate(var_run_t)
|
||||
fs_noxattr_associate(var_run_t)
|
||||
fs_associate_noxattr(var_run_t)
|
||||
|
||||
#
|
||||
# var_spool_t is the type of /var/spool
|
||||
#
|
||||
type var_spool_t, file_type;
|
||||
fs_associate(var_spool_t)
|
||||
fs_noxattr_associate(var_spool_t)
|
||||
fs_associate_noxattr(var_spool_t)
|
||||
|
||||
@ -45,14 +45,14 @@ allow getty_t getty_log_t:file { getattr append setattr };
|
||||
kernel_read_hardware_state(getty_t)
|
||||
|
||||
# for error condition handling
|
||||
fs_get_persistent_fs_attributes(getty_t)
|
||||
fs_getattr_xattr_fs(getty_t)
|
||||
|
||||
# Chown, chmod, read and write ttys.
|
||||
terminal_use_all_private_physical_terminals(getty_t)
|
||||
terminal_use_general_physical_terminal(getty_t)
|
||||
terminal_set_all_private_physical_terminal_attributes(getty_t)
|
||||
terminal_set_general_physical_terminal_attributes(getty_t)
|
||||
terminal_set_console_attributes(getty_t)
|
||||
term_use_all_user_ttys(getty_t)
|
||||
term_use_unallocated_tty(getty_t)
|
||||
term_setattr_all_user_ttys(getty_t)
|
||||
term_setattr_unallocated_ttys(getty_t)
|
||||
term_setattr_console(getty_t)
|
||||
|
||||
authlogin_modify_login_records(getty_t)
|
||||
|
||||
|
||||
@ -27,15 +27,15 @@ sysnetwork_read_network_config(hostname_t)
|
||||
|
||||
kernel_read_kernel_sysctl(hostname_t)
|
||||
kernel_read_hardware_state(hostname_t)
|
||||
kernel_ignore_use_file_descriptors(hostname_t)
|
||||
kernel_dontaudit_use_fd(hostname_t)
|
||||
|
||||
files_read_general_system_config(hostname_t)
|
||||
files_ignore_search_system_state_data_directory(hostname_t)
|
||||
fs_get_persistent_fs_attributes(hostname_t)
|
||||
fs_getattr_xattr_fs(hostname_t)
|
||||
|
||||
terminal_ignore_use_console(hostname_t)
|
||||
terminal_use_all_private_physical_terminals(hostname_t)
|
||||
terminal_use_all_private_pseudoterminals(hostname_t)
|
||||
term_dontaudit_use_console(hostname_t)
|
||||
term_use_all_user_ttys(hostname_t)
|
||||
term_use_all_user_ptys(hostname_t)
|
||||
|
||||
init_use_file_descriptors(hostname_t)
|
||||
init_script_use_pseudoterminal(hostname_t)
|
||||
@ -59,19 +59,19 @@ ifdef(`distro_redhat', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(hostname_t)
|
||||
term_dontaudit_use_unallocated_tty(hostname_t)
|
||||
terminal_ignore_use_general_pseudoterminal(hostname_t)
|
||||
files_ignore_read_rootfs_file(hostname_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow hostname_t self:udp_socket create_socket_perms;
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
|
||||
corenetwork_bind_udp_on_all_nodes(hostname_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port(hostname_t)
|
||||
corenet_udp_sendrecv_all_if(hostname_t)
|
||||
corenet_raw_sendrecv_all_if(hostname_t)
|
||||
corenet_udp_sendrecv_all_nodes(hostname_t)
|
||||
corenet_raw_sendrecv_all_nodes(hostname_t)
|
||||
corenet_udp_bind_all_nodes(hostname_t)
|
||||
corenet_udp_sendrecv_dns_port(hostname_t)
|
||||
sysnetwork_read_network_config(hostname_t)
|
||||
')
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ policy_module(hotplug, 1.0)
|
||||
|
||||
type hotplug_t;
|
||||
type hotplug_exec_t;
|
||||
kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t)
|
||||
kernel_userland_entry(hotplug_t,hotplug_exec_t)
|
||||
init_make_system_domain(hotplug_t,hotplug_exec_t)
|
||||
|
||||
type hotplug_etc_t; #, usercanread;
|
||||
@ -29,7 +29,7 @@ dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
||||
|
||||
allow hotplug_t self:process { getsession getattr };
|
||||
|
||||
allow hotplug_t self:fifo_file r_file_perms;
|
||||
allow hotplug_t self:fifo_file rw_file_perms;
|
||||
allow hotplug_t self:udp_socket create_socket_perms;
|
||||
allow hotplug_t self:tcp_socket connected_stream_socket_perms;
|
||||
|
||||
@ -46,27 +46,27 @@ files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
|
||||
kernel_read_system_state(hotplug_t)
|
||||
kernel_read_kernel_sysctl(hotplug_t)
|
||||
kernel_read_hardware_state(hotplug_t)
|
||||
kernel_read_network_sysctl(hotplug_t)
|
||||
kernel_read_net_sysctl(hotplug_t)
|
||||
kernel_read_usb_hardware_state(hotplug_t)
|
||||
|
||||
bootloader_read_kernel_modules(hotplug_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(hotplug_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(hotplug_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(hotplug_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(hotplug_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(hotplug_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(hotplug_t)
|
||||
corenet_tcp_sendrecv_all_if(hotplug_t)
|
||||
corenet_raw_sendrecv_all_if(hotplug_t)
|
||||
corenet_tcp_sendrecv_all_nodes(hotplug_t)
|
||||
corenet_raw_sendrecv_all_nodes(hotplug_t)
|
||||
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
||||
corenet_tcp_bind_all_nodes(hotplug_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(hotplug_t)
|
||||
|
||||
fs_get_all_fs_attributes(hotplug_t)
|
||||
fs_getattr_all_fs(hotplug_t)
|
||||
|
||||
storage_set_fixed_disk_attributes(hotplug_t)
|
||||
storage_setattr_fixed_disk(hotplug_t)
|
||||
storage_set_removable_device_attributes(hotplug_t)
|
||||
|
||||
terminal_ignore_use_console(hotplug_t)
|
||||
term_dontaudit_use_console(hotplug_t)
|
||||
|
||||
corecommands_execute_general_programs(hotplug_t)
|
||||
corecommands_execute_shell(hotplug_t)
|
||||
@ -118,7 +118,7 @@ ifdef(`distro_redhat', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(hotplug_t)
|
||||
term_dontaudit_use_unallocated_tty(hotplug_t)
|
||||
terminal_ignore_use_general_pseudoterminal(hotplug_t)
|
||||
files_ignore_read_rootfs_file(hotplug_t)
|
||||
')
|
||||
|
||||
@ -26,7 +26,7 @@ define(`init_make_init_domain',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors($1)
|
||||
kernel_dontaudit_use_fd($1)
|
||||
files_ignore_read_rootfs_file($1)
|
||||
')
|
||||
')
|
||||
@ -65,7 +65,7 @@ define(`init_make_daemon_domain',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors($1)
|
||||
kernel_dontaudit_use_fd($1)
|
||||
files_ignore_read_rootfs_file($1)
|
||||
')
|
||||
')
|
||||
@ -106,7 +106,7 @@ define(`init_make_system_domain',`
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors($1)
|
||||
kernel_dontaudit_use_fd($1)
|
||||
files_ignore_read_rootfs_file($1)
|
||||
')
|
||||
')
|
||||
@ -409,7 +409,7 @@ define(`init_script_get_process_group_depend',`
|
||||
define(`init_script_use_pseudoterminal',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
terminal_list_pseudoterminals($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ role system_r types init_t;
|
||||
# init_exec_t is the type of the init program.
|
||||
#
|
||||
type init_exec_t;
|
||||
kernel_make_userland_entrypoint(init_t,init_exec_t)
|
||||
kernel_userland_entry(init_t,init_exec_t)
|
||||
domain_make_entrypoint_file(init_t,init_exec_t)
|
||||
|
||||
#
|
||||
@ -43,8 +43,8 @@ domain_make_entrypoint_file(initrc_t,initrc_exec_t)
|
||||
|
||||
type initrc_devpts_t;
|
||||
fs_associate(initrc_devpts_t)
|
||||
fs_noxattr_associate(initrc_devpts_t)
|
||||
terminal_make_pseudoterminal(initrc_devpts_t)
|
||||
fs_associate_noxattr(initrc_devpts_t)
|
||||
term_pty(initrc_devpts_t)
|
||||
|
||||
type initrc_var_run_t;
|
||||
files_make_daemon_runtime_file(initrc_var_run_t)
|
||||
@ -79,21 +79,21 @@ allow init_t init_var_run_t:file { create getattr read append write setattr unli
|
||||
files_create_daemon_runtime_data(init_t,init_var_run_t)
|
||||
|
||||
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
|
||||
fs_tmpfs_associate(initctl_t)
|
||||
fs_associate_tmpfs(initctl_t)
|
||||
devices_create_dev_entry(init_t,initctl_t,fifo_file)
|
||||
|
||||
# Modify utmp.
|
||||
allow init_t initrc_var_run_t:file rw_file_perms;
|
||||
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
|
||||
# Run init scripts.
|
||||
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
|
||||
|
||||
kernel_set_selinux_boolean(init_t)
|
||||
kernel_set_boolean(init_t)
|
||||
kernel_read_system_state(init_t)
|
||||
kernel_read_hardware_state(init_t)
|
||||
kernel_share_state(init_t)
|
||||
|
||||
terminal_use_all_terminals(init_t)
|
||||
term_use_all_terms(init_t)
|
||||
|
||||
corecommands_chroot(init_t)
|
||||
corecommands_execute_general_programs(init_t)
|
||||
@ -129,7 +129,7 @@ miscfiles_read_localization(init_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_use_tmpfs_character_devices(init_t)
|
||||
fs_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
|
||||
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
@ -181,26 +181,26 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_hardware_state(initrc_t)
|
||||
kernel_modify_hardware_config_option(initrc_t)
|
||||
kernel_rw_hardware_config_option(initrc_t)
|
||||
kernel_read_all_sysctl(initrc_t)
|
||||
kernel_modify_all_sysctl(initrc_t)
|
||||
kernel_rw_all_sysctl(initrc_t)
|
||||
kernel_get_selinux_enforcement_mode(initrc_t)
|
||||
kernel_list_usb_hardware(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
kernel_ignore_get_message_interface_attributes(initrc_t)
|
||||
kernel_dontaudit_getattr_message_if(initrc_t)
|
||||
|
||||
bootloader_read_kernel_symbol_table(initrc_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(initrc_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(initrc_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(initrc_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(initrc_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(initrc_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(initrc_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(initrc_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(initrc_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(initrc_t)
|
||||
corenetwork_bind_udp_on_all_nodes(initrc_t)
|
||||
corenet_tcp_sendrecv_all_if(initrc_t)
|
||||
corenet_raw_sendrecv_all_if(initrc_t)
|
||||
corenet_udp_sendrecv_all_if(initrc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
||||
corenet_raw_sendrecv_all_nodes(initrc_t)
|
||||
corenet_udp_sendrecv_all_nodes(initrc_t)
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_bind_all_nodes(initrc_t)
|
||||
corenet_udp_bind_all_nodes(initrc_t)
|
||||
|
||||
devices_get_random_data(initrc_t)
|
||||
devices_get_pseudorandom_data(initrc_t)
|
||||
@ -221,14 +221,14 @@ fs_register_binary_executable_type(initrc_t)
|
||||
fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_get_all_fs_attributes(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
||||
storage_get_fixed_disk_attributes(initrc_t)
|
||||
storage_set_fixed_disk_attributes(initrc_t)
|
||||
storage_getattr_fixed_disk(initrc_t)
|
||||
storage_setattr_fixed_disk(initrc_t)
|
||||
storage_set_removable_device_attributes(initrc_t)
|
||||
|
||||
terminal_use_all_terminals(initrc_t)
|
||||
terminal_reset_physical_terminal_labels(initrc_t)
|
||||
term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
authlogin_modify_login_records(initrc_t)
|
||||
authlogin_modify_last_login_log(initrc_t)
|
||||
@ -296,7 +296,7 @@ userdomain_read_all_users_data(initrc_t)
|
||||
userdomain_use_admin_terminals(initrc_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
fs_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
|
||||
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -305,10 +305,10 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
kernel_ignore_use_file_descriptors(initrc_t)
|
||||
kernel_dontaudit_use_fd(initrc_t)
|
||||
files_ignore_read_rootfs_file(initrc_t)
|
||||
|
||||
kernel_set_selinux_enforcement_mode(initrc_t)
|
||||
kernel_set_enforcement_mode(initrc_t)
|
||||
|
||||
# Create and read /boot/kernel.h and /boot/System.map.
|
||||
# Redhat systems typically create this file at boot time.
|
||||
@ -354,7 +354,7 @@ optional_policy(`rhgb.te',`
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
# bash tries to access a block device in the initrd
|
||||
kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
|
||||
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
|
||||
|
||||
# for a bug in rm
|
||||
files_ignore_write_all_daemon_runtime_data(initrc_t)
|
||||
|
||||
@ -42,11 +42,11 @@ kernel_read_network_state(iptables_t)
|
||||
kernel_read_hardware_state(iptables_t)
|
||||
kernel_read_kernel_sysctl(iptables_t)
|
||||
kernel_read_modprobe_sysctl(iptables_t)
|
||||
kernel_use_file_descriptors(iptables_t)
|
||||
kernel_use_fd(iptables_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(iptables_t)
|
||||
fs_getattr_xattr_fs(iptables_t)
|
||||
|
||||
terminal_ignore_use_console(iptables_t)
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(iptables_t)
|
||||
|
||||
@ -73,12 +73,12 @@ userdomain_use_all_users_file_descriptors(iptables_t)
|
||||
tunable_policy(`use_dns',`
|
||||
allow iptables_t self:udp_socket create_socket_perms;
|
||||
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(iptables_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(iptables_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(iptables_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(iptables_t)
|
||||
corenetwork_bind_udp_on_all_nodes(iptables_t)
|
||||
corenetwork_sendrecv_udp_on_dns_port(iptables_t)
|
||||
corenet_udp_sendrecv_all_if(iptables_t)
|
||||
corenet_raw_sendrecv_all_if(iptables_t)
|
||||
corenet_udp_sendrecv_all_nodes(iptables_t)
|
||||
corenet_raw_sendrecv_all_nodes(iptables_t)
|
||||
corenet_udp_bind_all_nodes(iptables_t)
|
||||
corenet_udp_sendrecv_dns_port(iptables_t)
|
||||
|
||||
sysnetwork_read_network_config(iptables_t)
|
||||
')
|
||||
@ -97,7 +97,7 @@ optional_policy(`udev.te', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(iptables_t)
|
||||
term_dontaudit_use_unallocated_tty(iptables_t)
|
||||
terminal_ignore_use_general_pseudoterminal(iptables_t)
|
||||
|
||||
files_ignore_read_rootfs_file(iptables_t)
|
||||
|
||||
@ -14,10 +14,7 @@
|
||||
define(`libraries_ldconfig_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 ldconfig_exec_t:file rx_file_perms;
|
||||
allow $1 ldconfig_t:process transition;
|
||||
type_transition $1 ldconfig_exec_t:process ldconfig_t;
|
||||
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
|
||||
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
|
||||
|
||||
allow $1 ldconfig_t:fd use;
|
||||
allow ldconfig_t $1:fd use;
|
||||
@ -215,7 +212,7 @@ define(`libraries_execute_library_scripts',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
allow $1 lib_t:dir r_dir_perms;
|
||||
allow $1 lib_t:lnk_file r_file_perms
|
||||
allow $1 lib_t:lnk_file r_file_perms;
|
||||
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
||||
@ -60,7 +60,7 @@ allow ldconfig_t { shlib_t texrel_shlib_t }:file rx_file_perms;
|
||||
|
||||
kernel_read_system_state(ldconfig_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(ldconfig_t)
|
||||
fs_getattr_xattr_fs(ldconfig_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(ldconfig_t)
|
||||
|
||||
|
||||
@ -54,21 +54,21 @@ files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
kernel_get_selinuxfs_mount_point(local_login_t)
|
||||
kernel_validate_selinux_context(local_login_t)
|
||||
kernel_compute_selinux_access_vector(local_login_t)
|
||||
kernel_compute_selinux_create_context(local_login_t)
|
||||
kernel_compute_selinux_relabel_context(local_login_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(local_login_t)
|
||||
kernel_validate_context(local_login_t)
|
||||
kernel_compute_access_vector(local_login_t)
|
||||
kernel_compute_create_context(local_login_t)
|
||||
kernel_compute_relabel_context(local_login_t)
|
||||
kernel_compute_reachable_user_contexts(local_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
devices_get_pseudorandom_data(local_login_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(local_login_t)
|
||||
terminal_use_general_physical_terminal(local_login_t)
|
||||
terminal_relabel_general_physical_terminal(local_login_t)
|
||||
terminal_relabel_all_private_physical_terminals(local_login_t)
|
||||
terminal_set_all_private_physical_terminal_attributes(local_login_t)
|
||||
terminal_set_general_physical_terminal_attributes(local_login_t)
|
||||
term_use_all_user_ttys(local_login_t)
|
||||
term_use_unallocated_tty(local_login_t)
|
||||
term_relabel_unallocated_ttys(local_login_t)
|
||||
term_relabel_all_user_ttys(local_login_t)
|
||||
term_setattr_all_user_ttys(local_login_t)
|
||||
term_setattr_unallocated_ttys(local_login_t)
|
||||
|
||||
authlogin_check_password_transition(local_login_t)
|
||||
authlogin_ignore_read_shadow_passwords(local_login_t)
|
||||
@ -109,7 +109,7 @@ mta_get_mail_spool_attributes(local_login_t)
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors(local_login_t)
|
||||
kernel_dontaudit_use_fd(local_login_t)
|
||||
files_ignore_read_rootfs_file(local_login_t)
|
||||
')
|
||||
|
||||
@ -205,7 +205,7 @@ allow sulogin_t self:unix_dgram_socket sendto;
|
||||
allow sulogin_t self:unix_stream_socket connectto;
|
||||
allow sulogin_t self:shm create_shm_perms;
|
||||
allow sulogin_t self:sem create_sem_perms;
|
||||
allow sulogin_t self:msgq createmsgq_perms;
|
||||
allow sulogin_t self:msgq create_msgq_perms;
|
||||
allow sulogin_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(sulogin_t)
|
||||
@ -241,11 +241,11 @@ ifdef(`sulogin_no_pam', `
|
||||
', `
|
||||
allow sulogin_t self:process setexec;
|
||||
kernel_get_selinuxfs_mount_point(sulogin_t)
|
||||
kernel_validate_selinux_context(sulogin_t)
|
||||
kernel_compute_selinux_access_vector(sulogin_t)
|
||||
kernel_compute_selinux_create_context(sulogin_t)
|
||||
kernel_compute_selinux_relabel_context(sulogin_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
|
||||
kernel_validate_context(sulogin_t)
|
||||
kernel_compute_access_vector(sulogin_t)
|
||||
kernel_compute_create_context(sulogin_t)
|
||||
kernel_compute_relabel_context(sulogin_t)
|
||||
kernel_compute_reachable_user_contexts(sulogin_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -55,7 +55,7 @@ define(`logging_send_system_log_message',`
|
||||
allow $1 self:unix_stream_socket create_socket_perms;
|
||||
|
||||
# cjp: this should most likely be removed:
|
||||
terminal_use_console($1)
|
||||
term_use_console($1)
|
||||
')
|
||||
|
||||
define(`logging_send_system_log_message_depend',`
|
||||
|
||||
@ -61,9 +61,9 @@ files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
|
||||
kernel_read_kernel_sysctl(auditd_t)
|
||||
kernel_read_hardware_state(auditd_t)
|
||||
|
||||
fs_get_all_fs_attributes(auditd_t)
|
||||
fs_getattr_all_fs(auditd_t)
|
||||
|
||||
terminal_ignore_use_console(auditd_t)
|
||||
term_dontaudit_use_console(auditd_t)
|
||||
|
||||
init_use_file_descriptors(auditd_t)
|
||||
init_script_use_pseudoterminal(auditd_t)
|
||||
@ -80,7 +80,7 @@ libraries_use_shared_libraries(auditd_t)
|
||||
miscfiles_read_localization(auditd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(auditd_t)
|
||||
term_dontaudit_use_unallocated_tty(auditd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(auditd_t)
|
||||
files_ignore_read_rootfs_file(auditd_t)
|
||||
')
|
||||
@ -132,7 +132,7 @@ bootloader_read_kernel_symbol_table(klogd_t)
|
||||
|
||||
devices_raw_read_memory(klogd_t)
|
||||
|
||||
fs_get_all_fs_attributes(klogd_t)
|
||||
fs_getattr_all_fs(klogd_t)
|
||||
|
||||
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
|
||||
files_read_runtime_system_config(klogd_t)
|
||||
@ -191,24 +191,24 @@ kernel_read_kernel_sysctl(syslogd_t)
|
||||
|
||||
devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
|
||||
|
||||
terminal_ignore_use_console(syslogd_t)
|
||||
term_dontaudit_use_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
terminal_write_general_physical_terminal(syslogd_t)
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
|
||||
# for sending messages to logged in users
|
||||
init_script_read_runtime_data(syslogd_t)
|
||||
init_script_ignore_write_runtime_data(syslogd_t)
|
||||
terminal_write_all_private_physical_terminals(syslogd_t)
|
||||
term_write_all_user_ttys(syslogd_t)
|
||||
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(syslogd_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(syslogd_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(syslogd_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(syslogd_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(syslogd_t)
|
||||
corenetwork_bind_udp_on_all_nodes(syslogd_t)
|
||||
corenetwork_bind_udp_on_syslogd_port(syslogd_t)
|
||||
corenet_raw_sendrecv_all_if(syslogd_t)
|
||||
corenet_udp_sendrecv_all_if(syslogd_t)
|
||||
corenet_raw_sendrecv_all_nodes(syslogd_t)
|
||||
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
||||
corenet_udp_sendrecv_all_ports(syslogd_t)
|
||||
corenet_udp_bind_all_nodes(syslogd_t)
|
||||
corenet_udp_bind_syslogd_port(syslogd_t)
|
||||
|
||||
fs_get_all_fs_attributes(syslogd_t)
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
|
||||
init_use_file_descriptors(syslogd_t)
|
||||
init_script_use_pseudoterminal(syslogd_t)
|
||||
@ -244,7 +244,7 @@ ifdef(`klogd.te', `', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(syslogd_t)
|
||||
term_dontaudit_use_unallocated_tty(syslogd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
||||
files_ignore_read_rootfs_file(syslogd_t)
|
||||
')
|
||||
|
||||
@ -55,7 +55,7 @@ allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
|
||||
can_exec(lvm_t, lvm_exec_t)
|
||||
|
||||
# Creating lock files
|
||||
allow lvm_t lvm_lock_t:dir ra_dir_perms;
|
||||
allow lvm_t lvm_lock_t:dir rw_dir_perms;
|
||||
allow lvm_t lvm_lock_t:file create_file_perms;
|
||||
files_create_private_lock_file(lvm_t,lvm_lock_t)
|
||||
|
||||
@ -70,11 +70,11 @@ files_create_private_config(lvm_t,lvm_metadata_t,file)
|
||||
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_get_selinuxfs_mount_point(lvm_t)
|
||||
kernel_validate_selinux_context(lvm_t)
|
||||
kernel_compute_selinux_access_vector(lvm_t)
|
||||
kernel_compute_selinux_create_context(lvm_t)
|
||||
kernel_compute_selinux_relabel_context(lvm_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(lvm_t)
|
||||
kernel_validate_context(lvm_t)
|
||||
kernel_compute_access_vector(lvm_t)
|
||||
kernel_compute_create_context(lvm_t)
|
||||
kernel_compute_relabel_context(lvm_t)
|
||||
kernel_compute_reachable_user_contexts(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
kernel_read_hardware_state(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
@ -82,13 +82,14 @@ kernel_read_hardware_state(sysfs_t)
|
||||
# Read system variables in /proc/sys
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
# it has no reason to need this
|
||||
kernel_ignore_get_core_interface_attributes(lvm_t)
|
||||
kernel_dontaudit_getattr_core(lvm_t)
|
||||
|
||||
devices_add_generic_character_device(lvm_t)
|
||||
devices_get_random_data(lvm_t)
|
||||
devices_get_pseudorandom_data(lvm_t)
|
||||
devices_use_lvm_control_channel(lvm_t)
|
||||
devices_manage_dev_symbolic_links(lvm_t)
|
||||
devices_relabel_dev_dirs(lvm_t)
|
||||
devices_manage_generic_block_device(lvm_t)
|
||||
|
||||
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
|
||||
@ -97,9 +98,9 @@ devices_ignore_get_all_block_device_attributes(lvm_t)
|
||||
devices_ignore_get_generic_character_device_attributes(lvm_t)
|
||||
devices_ignore_get_generic_block_device_attributes(lvm_t)
|
||||
devices_ignore_get_generic_pipe_attributes(lvm_t)
|
||||
terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t)
|
||||
term_dontaudit_getattr_all_user_ttys(lvm_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(lvm_t)
|
||||
fs_getattr_xattr_fs(lvm_t)
|
||||
|
||||
# LVM creates block devices in /dev/mapper or /dev/<vg>
|
||||
# depending on its version
|
||||
@ -141,14 +142,14 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(lvm_t)
|
||||
term_dontaudit_use_unallocated_tty(lvm_t)
|
||||
terminal_ignore_use_general_pseudoterminal(lvm_t)
|
||||
|
||||
files_ignore_read_rootfs_file(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_modify_temporary_data(lvm_t)
|
||||
bootloader_rw_tmp_file(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -16,7 +16,7 @@ files_make_file(modules_dep_t)
|
||||
|
||||
type insmod_t;
|
||||
type insmod_exec_t;
|
||||
kernel_make_userland_entrypoint(insmod_t,insmod_exec_t)
|
||||
kernel_userland_entry(insmod_t,insmod_exec_t)
|
||||
init_make_system_domain(insmod_t,insmod_exec_t)
|
||||
role system_r types insmod_t;
|
||||
|
||||
@ -51,11 +51,11 @@ can_exec(insmod_t, insmod_exec_t)
|
||||
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_search_hardware_state_dir(insmod_t)
|
||||
kernel_search_usb_hardware_state_dir(insmod_t)
|
||||
kernel_search_sysfs(insmod_t)
|
||||
kernel_search_usbfs(insmod_t)
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctl(insmod_t)
|
||||
kernel_modify_kernel_sysctl(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
kernel_read_hotplug_sysctl(insmod_t)
|
||||
|
||||
bootloader_read_kernel_modules(insmod_t)
|
||||
@ -66,7 +66,7 @@ devices_write_mtrr(insmod_t)
|
||||
devices_get_pseudorandom_data(insmod_t)
|
||||
devices_direct_agp_access(insmod_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(insmod_t)
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
|
||||
corecommands_execute_general_programs(insmod_t)
|
||||
corecommands_execute_system_programs(insmod_t)
|
||||
@ -131,9 +131,9 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
|
||||
|
||||
kernel_read_system_state(depmod_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(depmod_t)
|
||||
fs_getattr_xattr_fs(depmod_t)
|
||||
|
||||
terminal_use_console(depmod_t)
|
||||
term_use_console(depmod_t)
|
||||
|
||||
bootloader_read_kernel_symbol_table(depmod_t)
|
||||
bootloader_read_kernel_modules(depmod_t)
|
||||
@ -191,9 +191,9 @@ kernel_read_system_state(update_modules_t)
|
||||
|
||||
devices_get_pseudorandom_data(update_modules_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(update_modules_t)
|
||||
fs_getattr_xattr_fs(update_modules_t)
|
||||
|
||||
terminal_use_console(update_modules_t)
|
||||
term_use_console(update_modules_t)
|
||||
|
||||
init_use_file_descriptors(depmod_t)
|
||||
init_script_use_file_descriptors(depmod_t)
|
||||
|
||||
@ -16,12 +16,13 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
|
||||
|
||||
allow mount_t mount_tmp_t:file create_file_perms;
|
||||
allow mount_t mount_tmp_t:dir create_dir_perms;
|
||||
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_ignore_use_file_descriptors(mount_t)
|
||||
kernel_dontaudit_use_fd(mount_t)
|
||||
|
||||
corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
|
||||
corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||
|
||||
devices_get_all_block_device_attributes(mount_t)
|
||||
devices_list_device_nodes(mount_t)
|
||||
@ -31,13 +32,13 @@ storage_raw_write_fixed_disk(mount_t)
|
||||
storage_raw_read_removable_device(mount_t)
|
||||
storage_raw_write_removable_device(mount_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(mount_t)
|
||||
fs_getattr_xattr_fs(mount_t)
|
||||
fs_mount_all_fs(mount_t)
|
||||
fs_unmount_all_fs(mount_t)
|
||||
fs_remount_all_fs(mount_t)
|
||||
fs_relabelfrom_persistent_fs(mount_t)
|
||||
fs_relabelfrom_xattr_fs(mount_t)
|
||||
|
||||
terminal_use_console(mount_t)
|
||||
term_use_console(mount_t)
|
||||
|
||||
# required for mount.smbfs
|
||||
corecommands_execute_system_programs(mount_t)
|
||||
@ -46,7 +47,6 @@ corecommands_execute_general_programs(mount_t)
|
||||
domain_use_widely_inheritable_file_descriptors(mount_t)
|
||||
|
||||
files_search_all_directories(mount_t)
|
||||
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
|
||||
files_read_general_system_config(mount_t)
|
||||
files_manage_runtime_system_config(mount_t)
|
||||
files_mount_on_all_mountpoints(mount_t)
|
||||
@ -85,20 +85,20 @@ optional_policy(`portmap.te', `
|
||||
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
|
||||
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
|
||||
#allow mount_t rpc_pipefs_t:dir search;
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(mount_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(mount_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(mount_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(mount_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(mount_t)
|
||||
corenetwork_bind_udp_on_all_nodes(mount_t)
|
||||
corenetwork_bind_tcp_on_general_port(mount_t)
|
||||
corenetwork_bind_udp_on_general_port(mount_t)
|
||||
corenetwork_bind_tcp_on_reserved_port(mount_t)
|
||||
corenetwork_bind_udp_on_reserved_port(mount_t)
|
||||
corenet_tcp_sendrecv_all_if(mount_t)
|
||||
corenet_raw_sendrecv_all_if(mount_t)
|
||||
corenet_udp_sendrecv_all_if(mount_t)
|
||||
corenet_tcp_sendrecv_all_nodes(mount_t)
|
||||
corenet_raw_sendrecv_all_nodes(mount_t)
|
||||
corenet_udp_sendrecv_all_nodes(mount_t)
|
||||
corenet_tcp_sendrecv_all_ports(mount_t)
|
||||
corenet_udp_sendrecv_all_ports(mount_t)
|
||||
corenet_tcp_bind_all_nodes(mount_t)
|
||||
corenet_udp_bind_all_nodes(mount_t)
|
||||
corenet_tcp_bind_generic_port(mount_t)
|
||||
corenet_udp_bind_generic_port(mount_t)
|
||||
corenet_tcp_bind_reserved_port(mount_t)
|
||||
corenet_udp_bind_reserved_port(mount_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms;
|
||||
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
|
||||
allow checkpolicy_t selinux_config_t:dir search;
|
||||
|
||||
fs_get_persistent_fs_attributes(checkpolicy_t)
|
||||
fs_getattr_xattr_fs(checkpolicy_t)
|
||||
|
||||
terminal_use_console(checkpolicy_t)
|
||||
term_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms;
|
||||
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_get_selinuxfs_mount_point(load_policy_t)
|
||||
kernel_load_selinux_policy(load_policy_t)
|
||||
kernel_set_selinux_boolean(load_policy_t)
|
||||
kernel_load_policy(load_policy_t)
|
||||
kernel_set_boolean(load_policy_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(load_policy_t)
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
terminal_use_console(load_policy_t)
|
||||
terminal_list_pseudoterminals(load_policy_t)
|
||||
term_use_console(load_policy_t)
|
||||
term_list_ptys(load_policy_t)
|
||||
|
||||
init_script_use_file_descriptors(load_policy_t)
|
||||
init_script_use_pseudoterminal(load_policy_t)
|
||||
@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_selinux_context(newrole_t)
|
||||
kernel_compute_selinux_access_vector(newrole_t)
|
||||
kernel_compute_selinux_create_context(newrole_t)
|
||||
kernel_compute_selinux_relabel_context(newrole_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(newrole_t)
|
||||
kernel_validate_context(newrole_t)
|
||||
kernel_compute_access_vector(newrole_t)
|
||||
kernel_compute_create_context(newrole_t)
|
||||
kernel_compute_relabel_context(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
|
||||
devices_get_pseudorandom_data(newrole_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(newrole_t)
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(newrole_t)
|
||||
terminal_use_all_private_pseudoterminals(newrole_t)
|
||||
term_use_all_user_ttys(newrole_t)
|
||||
term_use_all_user_ptys(newrole_t)
|
||||
|
||||
authlogin_check_password_transition(newrole_t)
|
||||
|
||||
@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_use_file_descriptors(restorecon_t)
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_selinux_context(restorecon_t)
|
||||
kernel_compute_selinux_access_vector(restorecon_t)
|
||||
kernel_compute_selinux_create_context(restorecon_t)
|
||||
kernel_compute_selinux_relabel_context(restorecon_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
|
||||
kernel_validate_context(restorecon_t)
|
||||
kernel_compute_access_vector(restorecon_t)
|
||||
kernel_compute_create_context(restorecon_t)
|
||||
kernel_compute_relabel_context(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(restorecon_t)
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
terminal_use_general_physical_terminal(restorecon_t)
|
||||
term_use_unallocated_tty(restorecon_t)
|
||||
|
||||
init_use_file_descriptors(restorecon_t)
|
||||
init_script_use_pseudoterminal(restorecon_t)
|
||||
@ -311,7 +311,7 @@ optional_policy(`hotplug.te',`
|
||||
')
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(restorecon_t)
|
||||
kernel_relabel_unlabeled(restorecon_t)
|
||||
devices_manage_all_devices_labels(restorecon_t)
|
||||
files_relabel_all_files(restorecon_t)
|
||||
files_read_all_directories(restorecon_t)
|
||||
@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write };
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
kernel_validate_context(run_init_t)
|
||||
kernel_compute_access_vector(run_init_t)
|
||||
kernel_compute_create_context(run_init_t)
|
||||
kernel_compute_relabel_context(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
allow run_init_t self:process setexec;
|
||||
@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',`
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
|
||||
fs_get_persistent_fs_attributes(run_init_t)
|
||||
fs_getattr_xattr_fs(run_init_t)
|
||||
|
||||
devices_ignore_list_device_nodes(run_init_t)
|
||||
|
||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||
term_dontaudit_list_ptys(run_init_t)
|
||||
|
||||
authlogin_check_password_transition(run_init_t)
|
||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||
@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_selinux_context(setfiles_t)
|
||||
kernel_compute_selinux_access_vector(setfiles_t)
|
||||
kernel_compute_selinux_create_context(setfiles_t)
|
||||
kernel_compute_selinux_relabel_context(setfiles_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
|
||||
kernel_validate_context(setfiles_t)
|
||||
kernel_compute_access_vector(setfiles_t)
|
||||
kernel_compute_create_context(setfiles_t)
|
||||
kernel_compute_relabel_context(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(setfiles_t)
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(setfiles_t)
|
||||
terminal_use_all_private_pseudoterminals(setfiles_t)
|
||||
terminal_use_general_physical_terminal(setfiles_t)
|
||||
term_use_all_user_ttys(setfiles_t)
|
||||
term_use_all_user_ptys(setfiles_t)
|
||||
term_use_unallocated_tty(setfiles_t)
|
||||
|
||||
init_use_file_descriptors(setfiles_t)
|
||||
init_script_use_file_descriptors(setfiles_t)
|
||||
@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t)
|
||||
userdomain_read_all_users_data(setfiles_t)
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(setfiles_t)
|
||||
kernel_relabel_unlabeled(setfiles_t)
|
||||
devices_manage_all_devices_labels(setfiles_t)
|
||||
files_read_all_directories(setfiles_t)
|
||||
files_relabel_all_files(setfiles_t)
|
||||
|
||||
@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms;
|
||||
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
|
||||
allow checkpolicy_t selinux_config_t:dir search;
|
||||
|
||||
fs_get_persistent_fs_attributes(checkpolicy_t)
|
||||
fs_getattr_xattr_fs(checkpolicy_t)
|
||||
|
||||
terminal_use_console(checkpolicy_t)
|
||||
term_use_console(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms;
|
||||
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_get_selinuxfs_mount_point(load_policy_t)
|
||||
kernel_load_selinux_policy(load_policy_t)
|
||||
kernel_set_selinux_boolean(load_policy_t)
|
||||
kernel_load_policy(load_policy_t)
|
||||
kernel_set_boolean(load_policy_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(load_policy_t)
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
terminal_use_console(load_policy_t)
|
||||
terminal_list_pseudoterminals(load_policy_t)
|
||||
term_use_console(load_policy_t)
|
||||
term_list_ptys(load_policy_t)
|
||||
|
||||
init_script_use_file_descriptors(load_policy_t)
|
||||
init_script_use_pseudoterminal(load_policy_t)
|
||||
@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_selinux_context(newrole_t)
|
||||
kernel_compute_selinux_access_vector(newrole_t)
|
||||
kernel_compute_selinux_create_context(newrole_t)
|
||||
kernel_compute_selinux_relabel_context(newrole_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(newrole_t)
|
||||
kernel_validate_context(newrole_t)
|
||||
kernel_compute_access_vector(newrole_t)
|
||||
kernel_compute_create_context(newrole_t)
|
||||
kernel_compute_relabel_context(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
|
||||
devices_get_pseudorandom_data(newrole_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(newrole_t)
|
||||
fs_getattr_xattr_fs(newrole_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(newrole_t)
|
||||
terminal_use_all_private_pseudoterminals(newrole_t)
|
||||
term_use_all_user_ttys(newrole_t)
|
||||
term_use_all_user_ptys(newrole_t)
|
||||
|
||||
authlogin_check_password_transition(newrole_t)
|
||||
|
||||
@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_use_file_descriptors(restorecon_t)
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_selinux_context(restorecon_t)
|
||||
kernel_compute_selinux_access_vector(restorecon_t)
|
||||
kernel_compute_selinux_create_context(restorecon_t)
|
||||
kernel_compute_selinux_relabel_context(restorecon_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
|
||||
kernel_validate_context(restorecon_t)
|
||||
kernel_compute_access_vector(restorecon_t)
|
||||
kernel_compute_create_context(restorecon_t)
|
||||
kernel_compute_relabel_context(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(restorecon_t)
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
terminal_use_general_physical_terminal(restorecon_t)
|
||||
term_use_unallocated_tty(restorecon_t)
|
||||
|
||||
init_use_file_descriptors(restorecon_t)
|
||||
init_script_use_pseudoterminal(restorecon_t)
|
||||
@ -311,7 +311,7 @@ optional_policy(`hotplug.te',`
|
||||
')
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(restorecon_t)
|
||||
kernel_relabel_unlabeled(restorecon_t)
|
||||
devices_manage_all_devices_labels(restorecon_t)
|
||||
files_relabel_all_files(restorecon_t)
|
||||
files_read_all_directories(restorecon_t)
|
||||
@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write };
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_access_vector(run_init_t)
|
||||
kernel_compute_selinux_create_context(run_init_t)
|
||||
kernel_compute_selinux_relabel_context(run_init_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(run_init_t)
|
||||
kernel_validate_context(run_init_t)
|
||||
kernel_compute_access_vector(run_init_t)
|
||||
kernel_compute_create_context(run_init_t)
|
||||
kernel_compute_relabel_context(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
allow run_init_t self:process setexec;
|
||||
@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',`
|
||||
# the failed access to the current directory
|
||||
dontaudit run_init_t self:capability { dac_override dac_read_search };
|
||||
|
||||
fs_get_persistent_fs_attributes(run_init_t)
|
||||
fs_getattr_xattr_fs(run_init_t)
|
||||
|
||||
devices_ignore_list_device_nodes(run_init_t)
|
||||
|
||||
terminal_ignore_list_pseudoterminals(run_init_t)
|
||||
term_dontaudit_list_ptys(run_init_t)
|
||||
|
||||
authlogin_check_password_transition(run_init_t)
|
||||
authlogin_ignore_read_shadow_passwords(run_init_t)
|
||||
@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_selinux_context(setfiles_t)
|
||||
kernel_compute_selinux_access_vector(setfiles_t)
|
||||
kernel_compute_selinux_create_context(setfiles_t)
|
||||
kernel_compute_selinux_relabel_context(setfiles_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
|
||||
kernel_validate_context(setfiles_t)
|
||||
kernel_compute_access_vector(setfiles_t)
|
||||
kernel_compute_create_context(setfiles_t)
|
||||
kernel_compute_relabel_context(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(setfiles_t)
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
terminal_use_all_private_physical_terminals(setfiles_t)
|
||||
terminal_use_all_private_pseudoterminals(setfiles_t)
|
||||
terminal_use_general_physical_terminal(setfiles_t)
|
||||
term_use_all_user_ttys(setfiles_t)
|
||||
term_use_all_user_ptys(setfiles_t)
|
||||
term_use_unallocated_tty(setfiles_t)
|
||||
|
||||
init_use_file_descriptors(setfiles_t)
|
||||
init_script_use_file_descriptors(setfiles_t)
|
||||
@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t)
|
||||
userdomain_read_all_users_data(setfiles_t)
|
||||
|
||||
# relabeling rules
|
||||
kernel_relabel_unlabeled_object(setfiles_t)
|
||||
kernel_relabel_unlabeled(setfiles_t)
|
||||
devices_manage_all_devices_labels(setfiles_t)
|
||||
files_read_all_directories(setfiles_t)
|
||||
files_relabel_all_files(setfiles_t)
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
define(`sysnetwork_dhcpc_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_auto_trans($1, dhcp_exec_t, dhcp_t)
|
||||
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
|
||||
|
||||
allow $1 dhcpc_t:fd use;
|
||||
allow dhcpc_t $1:fd use;
|
||||
|
||||
@ -77,7 +77,7 @@ files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
|
||||
can_exec(dhcpc_t, dhcpc_exec_t)
|
||||
|
||||
# transition to ifconfig
|
||||
domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
|
||||
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
|
||||
allow dhcpc_t ifconfig_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
|
||||
@ -87,29 +87,29 @@ kernel_read_system_state(dhcpc_t)
|
||||
kernel_read_network_state(dhcpc_t)
|
||||
kernel_read_kernel_sysctl(dhcpc_t)
|
||||
kernel_read_hardware_state(dhcpc_t)
|
||||
kernel_use_file_descriptors(dhcpc_t)
|
||||
kernel_use_fd(dhcpc_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces(dhcpc_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces(dhcpc_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces(dhcpc_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes(dhcpc_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes(dhcpc_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes(dhcpc_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports(dhcpc_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports(dhcpc_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(dhcpc_t)
|
||||
corenetwork_bind_udp_on_all_nodes(dhcpc_t)
|
||||
corenetwork_bind_udp_on_dhcpc_port(dhcpc_t)
|
||||
corenet_tcp_sendrecv_all_if(dhcpc_t)
|
||||
corenet_raw_sendrecv_all_if(dhcpc_t)
|
||||
corenet_udp_sendrecv_all_if(dhcpc_t)
|
||||
corenet_tcp_sendrecv_all_nodes(dhcpc_t)
|
||||
corenet_raw_sendrecv_all_nodes(dhcpc_t)
|
||||
corenet_udp_sendrecv_all_nodes(dhcpc_t)
|
||||
corenet_tcp_sendrecv_all_ports(dhcpc_t)
|
||||
corenet_udp_sendrecv_all_ports(dhcpc_t)
|
||||
corenet_tcp_bind_all_nodes(dhcpc_t)
|
||||
corenet_udp_bind_all_nodes(dhcpc_t)
|
||||
corenet_udp_bind_dhcpc_port(dhcpc_t)
|
||||
|
||||
# for SSP
|
||||
devices_get_pseudorandom_data(dhcpc_t)
|
||||
|
||||
fs_get_all_fs_attributes(dhcpc_t)
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
|
||||
terminal_ignore_use_console(dhcpc_t)
|
||||
terminal_ignore_use_all_private_physical_terminals(dhcpc_t)
|
||||
terminal_ignore_use_all_private_pseudoterminals(dhcpc_t)
|
||||
terminal_ignore_use_general_physical_terminal(dhcpc_t)
|
||||
term_dontaudit_use_console(dhcpc_t)
|
||||
term_dontaudit_use_all_user_ttys(dhcpc_t)
|
||||
term_dontaudit_use_all_user_ptys(dhcpc_t)
|
||||
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
||||
|
||||
corecommands_execute_general_programs(dhcpc_t)
|
||||
corecommands_execute_system_programs(dhcpc_t)
|
||||
@ -138,7 +138,7 @@ ifdef(`distro_redhat', `
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(dhcpc_t)
|
||||
term_dontaudit_use_unallocated_tty(dhcpc_t)
|
||||
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
|
||||
|
||||
files_ignore_read_rootfs_file(dhcpc_t)
|
||||
@ -259,16 +259,16 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
files_read_general_system_config(ifconfig_t);
|
||||
|
||||
kernel_use_file_descriptors(ifconfig_t)
|
||||
kernel_use_fd(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
kernel_ignore_search_sysctl_dir(ifconfig_t)
|
||||
kernel_ignore_search_network_sysctl_dir(ifconfig_t)
|
||||
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
|
||||
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
|
||||
|
||||
fs_get_persistent_fs_attributes(ifconfig_t)
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
|
||||
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
|
||||
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(ifconfig_t)
|
||||
|
||||
|
||||
@ -9,7 +9,7 @@ policy_module(udev,1.0)
|
||||
type udev_t; # nscd_client_domain
|
||||
type udev_exec_t;
|
||||
type udev_helper_exec_t;
|
||||
kernel_make_userland_entrypoint(udev_t,udev_exec_t)
|
||||
kernel_userland_entry(udev_t,udev_exec_t)
|
||||
kernel_make_object_identity_change_constraint_exception(udev_t)
|
||||
domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
|
||||
domain_make_file_descriptors_widely_inheritable(udev_t)
|
||||
@ -60,27 +60,27 @@ allow udev_t udev_etc_t:file r_file_perms;
|
||||
allow udev_t udev_tbl_t:file create_file_perms;
|
||||
devices_create_dev_entry(udev_t,udev_tbl_t,file)
|
||||
|
||||
allow udev_t udev_var_run_t : dir rw_file_perms;
|
||||
allow udev_t udev_var_run_t : file create_file_perms;
|
||||
allow udev_t udev_var_run_t:dir rw_dir_perms;
|
||||
allow udev_t udev_var_run_t:file create_file_perms;
|
||||
|
||||
kernel_read_system_state(udev_t)
|
||||
kernel_get_core_interface_attributes(udev_t)
|
||||
kernel_use_file_descriptors(udev_t)
|
||||
kernel_getattr_core(udev_t)
|
||||
kernel_use_fd(udev_t)
|
||||
kernel_read_device_sysctl(udev_t)
|
||||
kernel_read_hotplug_sysctl(udev_t)
|
||||
kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
kernel_read_hardware_state(udev_t)
|
||||
kernel_get_selinuxfs_mount_point(udev_t)
|
||||
kernel_validate_selinux_context(udev_t)
|
||||
kernel_compute_selinux_access_vector(udev_t)
|
||||
kernel_compute_selinux_create_context(udev_t)
|
||||
kernel_compute_selinux_relabel_context(udev_t)
|
||||
kernel_compute_selinux_reachable_user_contexts(udev_t)
|
||||
kernel_validate_context(udev_t)
|
||||
kernel_compute_access_vector(udev_t)
|
||||
kernel_compute_create_context(udev_t)
|
||||
kernel_compute_relabel_context(udev_t)
|
||||
kernel_compute_reachable_user_contexts(udev_t)
|
||||
|
||||
devices_manage_device_nodes(udev_t)
|
||||
|
||||
fs_get_all_fs_attributes(udev_t)
|
||||
fs_getattr_all_fs(udev_t)
|
||||
|
||||
corecommands_execute_general_programs(udev_t)
|
||||
corecommands_execute_system_programs(udev_t)
|
||||
|
||||
@ -19,7 +19,7 @@ define(`base_user_domain',`
|
||||
|
||||
# user pseudoterminal
|
||||
type $1_devpts_t;
|
||||
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
|
||||
term_user_pty($1_t,$1_devpts_t)
|
||||
|
||||
# type for contents of home directory
|
||||
type $1_home_t, $1_file_type, home_type;
|
||||
@ -36,7 +36,7 @@ define(`base_user_domain',`
|
||||
files_make_tmpfs_file($1_tmpfs_t)
|
||||
|
||||
type $1_tty_device_t;
|
||||
terminal_make_physical_terminal($1_t,$1_tty_device_t)
|
||||
term_tty($1_t,$1_tty_device_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -50,7 +50,7 @@ define(`base_user_domain',`
|
||||
allow $1_t self:fd use;
|
||||
allow $1_t self:fifo_file rw_file_perms;
|
||||
allow $1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_t self:unix_stream_socket rw_stream_socket_perms;
|
||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_t self:unix_dgram_socket sendto;
|
||||
allow $1_t self:unix_stream_socket connectto;
|
||||
allow $1_t self:shm create_shm_perms;
|
||||
@ -88,7 +88,7 @@ define(`base_user_domain',`
|
||||
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_tmpfs_t:sock_file create_file_perms;
|
||||
allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
|
||||
fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
|
||||
|
||||
@ -108,20 +108,20 @@ define(`base_user_domain',`
|
||||
# Find CDROM devices:
|
||||
kernel_read_device_sysctl($1_t)
|
||||
# GNOME checks for usb and other devices:
|
||||
kernel_modify_usb_hardware_config_option($1_t)
|
||||
kernel_rw_usb_hardware_config_option($1_t)
|
||||
|
||||
corenetwork_sendrecv_tcp_on_all_interfaces($1_t)
|
||||
corenetwork_sendrecv_raw_on_all_interfaces($1_t)
|
||||
corenetwork_sendrecv_udp_on_all_interfaces($1_t)
|
||||
corenetwork_sendrecv_tcp_on_all_nodes($1_t)
|
||||
corenetwork_sendrecv_raw_on_all_nodes($1_t)
|
||||
corenetwork_sendrecv_udp_on_all_nodes($1_t)
|
||||
corenetwork_sendrecv_tcp_on_all_ports($1_t)
|
||||
corenetwork_sendrecv_udp_on_all_ports($1_t)
|
||||
corenetwork_bind_tcp_on_all_nodes($1_t)
|
||||
corenetwork_bind_udp_on_all_nodes($1_t)
|
||||
corenet_tcp_sendrecv_all_if($1_t)
|
||||
corenet_raw_sendrecv_all_if($1_t)
|
||||
corenet_udp_sendrecv_all_if($1_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_t)
|
||||
corenet_udp_sendrecv_all_ports($1_t)
|
||||
corenet_tcp_bind_all_nodes($1_t)
|
||||
corenet_udp_bind_all_nodes($1_t)
|
||||
# allow port_t name binding for UDP because it is not very usable otherwise
|
||||
corenetwork_bind_udp_on_general_port($1_t)
|
||||
corenet_udp_bind_generic_port($1_t)
|
||||
|
||||
devices_get_input_event($1_t)
|
||||
devices_read_misc($1_t)
|
||||
@ -137,10 +137,10 @@ define(`base_user_domain',`
|
||||
devices_ignore_use_direct_rendering_interface($1_t)
|
||||
|
||||
fs_get_all_fs_quotas($1_t)
|
||||
fs_get_all_fs_attributes($1_t)
|
||||
fs_getattr_all_fs($1_t)
|
||||
|
||||
# for eject
|
||||
storage_get_fixed_disk_attributes($1_t)
|
||||
storage_getattr_fixed_disk($1_t)
|
||||
|
||||
authlogin_read_login_records($1_t)
|
||||
authlogin_ignore_write_login_records($1_t)
|
||||
@ -180,21 +180,21 @@ define(`base_user_domain',`
|
||||
}
|
||||
|
||||
if (use_nfs_home_dirs) {
|
||||
fs_manage_nfs_directories($1_t)
|
||||
fs_manage_nfs_dirs($1_t)
|
||||
fs_manage_nfs_files($1_t)
|
||||
fs_manage_nfs_symbolic_links($1_t)
|
||||
fs_manage_nfs_symlinks($1_t)
|
||||
fs_manage_nfs_named_sockets($1_t)
|
||||
fs_manage_nfs_named_pipes($1_t)
|
||||
fs_execute_nfs_files($1_t)
|
||||
}
|
||||
|
||||
if (use_samba_home_dirs) {
|
||||
fs_manage_windows_network_directories($1_t)
|
||||
fs_manage_windows_network_files($1_t)
|
||||
fs_manage_windows_network_symbolic_links($1_t)
|
||||
fs_manage_windows_network_named_sockets($1_t)
|
||||
fs_manage_windows_network_named_pipes($1_t)
|
||||
fs_execute_windows_network_files($1_t)
|
||||
fs_manage_cifs_dirs($1_t)
|
||||
fs_manage_cifs_files($1_t)
|
||||
fs_manage_cifs_symlinks($1_t)
|
||||
fs_manage_cifs_named_sockets($1_t)
|
||||
fs_manage_cifs_named_pipes($1_t)
|
||||
fs_execute_cifs_files($1_t)
|
||||
}
|
||||
|
||||
if (user_direct_mouse) {
|
||||
@ -202,7 +202,7 @@ define(`base_user_domain',`
|
||||
}
|
||||
|
||||
if (user_ttyfile_stat) {
|
||||
terminal_get_all_private_physical_terminal_attributes($1_t)
|
||||
term_getattr_all_user_ttys($1_t)
|
||||
}
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
@ -427,7 +427,7 @@ define(`user_domain_template', `
|
||||
#
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
|
||||
# Rules used to associate a homedir as a mountpoint
|
||||
allow $1_home_t self:filesystem associate;
|
||||
@ -457,7 +457,7 @@ define(`user_domain_template', `
|
||||
bootloader_read_kernel_symbol_table($1_t)
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||
|
||||
files_read_general_system_config($1_t)
|
||||
files_list_home_directories($1_t)
|
||||
@ -481,14 +481,14 @@ define(`user_domain_template', `
|
||||
if (user_dmesg) {
|
||||
kernel_read_ring_buffer($1_t)
|
||||
} else {
|
||||
kernel_ignore_read_ring_buffer($1_t)
|
||||
kernel_dontaudit_read_ring_buffer($1_t)
|
||||
}
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection from
|
||||
# the same domain and outside users) disabling this forces FTP passive mode
|
||||
# and may change other protocols
|
||||
if (user_tcp_server) {
|
||||
corenetwork_bind_tcp_on_general_port($1_t)
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
}
|
||||
|
||||
# for running depmod as part of the kernel packaging process
|
||||
@ -643,7 +643,7 @@ define(`admin_domain_template',`
|
||||
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
||||
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
|
||||
allow $1_t $1_tmp_t:dir create_dir_perms;
|
||||
allow $1_t $1_tmp_t:file create_file_perms;
|
||||
@ -655,47 +655,47 @@ define(`admin_domain_template',`
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_get_core_interface_attributes($1_t)
|
||||
kernel_get_message_interface_attributes($1_t)
|
||||
kernel_getattr_core($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
kernel_change_ring_buffer_level($1_t)
|
||||
kernel_clear_ring_buffer($1_t)
|
||||
kernel_read_ring_buffer($1_t)
|
||||
kernel_get_sysvipc_info($1_t)
|
||||
kernel_modify_all_sysctl($1_t)
|
||||
kernel_set_selinux_enforcement_mode($1_t)
|
||||
kernel_set_selinux_boolean($1_t)
|
||||
kernel_set_selinux_security_parameters($1_t)
|
||||
kernel_rw_all_sysctl($1_t)
|
||||
kernel_set_enforcement_mode($1_t)
|
||||
kernel_set_boolean($1_t)
|
||||
kernel_set_security_parameters($1_t)
|
||||
# Get security policy decisions:
|
||||
kernel_get_selinuxfs_mount_point($1_t)
|
||||
kernel_validate_selinux_context($1_t)
|
||||
kernel_compute_selinux_access_vector($1_t)
|
||||
kernel_compute_selinux_create_context($1_t)
|
||||
kernel_compute_selinux_relabel_context($1_t)
|
||||
kernel_compute_selinux_reachable_user_contexts($1_t)
|
||||
kernel_validate_context($1_t)
|
||||
kernel_compute_access_vector($1_t)
|
||||
kernel_compute_create_context($1_t)
|
||||
kernel_compute_relabel_context($1_t)
|
||||
kernel_compute_reachable_user_contexts($1_t)
|
||||
# signal unlabeled processes:
|
||||
kernel_kill_unlabeled_process($1_t)
|
||||
kernel_signal_unlabeled_process($1_t)
|
||||
kernel_sigstop_unlabeled_process($1_t)
|
||||
kernel_signull_unlabeled_process($1_t)
|
||||
kernel_sigchld_unlabeled_process($1_t)
|
||||
kernel_kill_unlabeled($1_t)
|
||||
kernel_signal_unlabeled($1_t)
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
|
||||
corenetwork_bind_tcp_on_general_port($1_t)
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
|
||||
devices_get_generic_block_device_attributes($1_t)
|
||||
devices_get_generic_character_device_attributes($1_t)
|
||||
devices_get_all_block_device_attributes($1_t)
|
||||
devices_get_all_character_device_attributes($1_t)
|
||||
|
||||
fs_get_all_fs_attributes($1_t)
|
||||
fs_set_all_fs_quotas($1_t)
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_set_all_quotas($1_t)
|
||||
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
|
||||
terminal_use_console($1_t)
|
||||
terminal_use_general_physical_terminal($1_t)
|
||||
terminal_use_all_private_pseudoterminals($1_t)
|
||||
terminal_use_all_private_physical_terminals($1_t)
|
||||
term_use_console($1_t)
|
||||
term_use_unallocated_tty($1_t)
|
||||
term_use_all_user_ptys($1_t)
|
||||
term_use_all_user_ttys($1_t)
|
||||
|
||||
# Manage almost all files
|
||||
authlogin_manage_all_files_except_shadow($1_t)
|
||||
@ -862,7 +862,7 @@ define(`userdomain_use_admin_terminals',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
terminal_list_pseudoterminals($1)
|
||||
term_list_ptys($1)
|
||||
allow $1 admin_terminal:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@ -932,7 +932,7 @@ define(`userdomain_read_all_users_data',`
|
||||
|
||||
files_list_home_directories($1)
|
||||
allow $1 home_type:dir r_dir_perms;
|
||||
allow $1 home_type:file r_file_perm;
|
||||
allow $1 home_type:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`userdomain_read_all_users_data_depend',`
|
||||
|
||||
@ -122,7 +122,7 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||
allow sysadm_t userdomain:fd use;
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`clock.te',`
|
||||
|
||||
Loading…
Reference in New Issue
Block a user