renaming insanity

This commit is contained in:
Chris PeBenito 2005-06-10 01:01:13 +00:00
parent 24040829d0
commit 0fd9dc55cf
49 changed files with 786 additions and 748 deletions

View File

@ -26,18 +26,18 @@ allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
allow consoletype_t self:unix_stream_socket connectto;
allow consoletype_t self:shm rw_shm_perms;
allow consoletype_t self:sem rw_sem_perms;
allow consoletype_t self:msgq rw_msgq_perms;
allow consoletype_t self:shm create_shm_perms;
allow consoletype_t self:sem create_sem_perms;
allow consoletype_t self:msgq create_msgq_perms;
allow consoletype_t self:msg { send receive };
kernel_use_file_descriptors(consoletype_t)
kernel_ignore_read_system_state(consoletype_t)
kernel_use_fd(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
fs_get_all_fs_attributes(consoletype_t)
fs_getattr_all_fs(consoletype_t)
terminal_use_console(consoletype_t)
terminal_use_general_physical_terminal(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
init_use_file_descriptors(consoletype_t)
init_script_use_pseudoterminal(consoletype_t)
@ -77,12 +77,12 @@ optional_policy(`ypbind.te', `
if (allow_ypbind) {
can_network(consoletype_t)
r_dir_file(consoletype_t,var_yp_t)
corenetwork_bind_tcp_on_general_port(consoletype_t)
corenetwork_bind_udp_on_general_port(consoletype_t)
corenetwork_bind_tcp_on_reserved_port(consoletype_t)
corenetwork_bind_udp_on_reserved_port(consoletype_t)
corenetwork_ignore_bind_tcp_on_all_reserved_ports(consoletype_t)
corenetwork_ignore_bind_udp_on_all_reserved_ports(consoletype_t)
corenet_tcp_bind_generic_port(consoletype_t)
corenet_udp_bind_generic_port(consoletype_t)
corenet_tcp_bind_reserved_port(consoletype_t)
corenet_udp_bind_reserved_port(consoletype_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(consoletype_t)
corenet_dontaudit_udp_bind_all_reserved_ports(consoletype_t)
dontaudit consoletype_t self:capability net_bind_service;
} else {
dontaudit consoletype_t var_yp_t:dir search;

View File

@ -27,7 +27,7 @@ kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
terminal_ignore_use_console(dmesg_t)
term_dontaudit_use_console(dmesg_t)
domain_use_widely_inheritable_file_descriptors(dmesg_t)
@ -50,7 +50,7 @@ userdomain_use_admin_terminals(dmesg_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(dmesg_t)
term_dontaudit_use_unallocated_tty(dmesg_t)
terminal_ignore_use_general_pseudoterminal(dmesg_t)
files_ignore_read_rootfs_file(dmesg_t)
')

View File

@ -46,18 +46,18 @@ allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
corenetwork_sendrecv_tcp_on_all_interfaces(netutils_t)
corenetwork_sendrecv_raw_on_all_interfaces(netutils_t)
corenetwork_sendrecv_udp_on_all_interfaces(netutils_t)
corenetwork_sendrecv_tcp_on_all_nodes(netutils_t)
corenetwork_sendrecv_raw_on_all_nodes(netutils_t)
corenetwork_sendrecv_udp_on_all_nodes(netutils_t)
corenetwork_sendrecv_tcp_on_all_ports(netutils_t)
corenetwork_sendrecv_udp_on_all_ports(netutils_t)
corenetwork_bind_tcp_on_all_nodes(netutils_t)
corenetwork_bind_udp_on_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)
fs_get_persistent_fs_attributes(netutils_t)
fs_getattr_xattr_fs(netutils_t)
init_use_file_descriptors(netutils_t)
init_script_use_pseudoterminal(netutils_t)
@ -104,18 +104,18 @@ allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
corenetwork_sendrecv_tcp_on_all_interfaces(ping_t)
corenetwork_sendrecv_udp_on_all_interfaces(ping_t)
corenetwork_sendrecv_raw_on_all_interfaces(ping_t)
corenetwork_sendrecv_raw_on_all_nodes(ping_t)
corenetwork_sendrecv_tcp_on_all_nodes(ping_t)
corenetwork_sendrecv_udp_on_all_nodes(ping_t)
corenetwork_sendrecv_tcp_on_all_ports(ping_t)
corenetwork_sendrecv_udp_on_all_ports(ping_t)
corenetwork_bind_udp_on_all_nodes(ping_t)
corenetwork_bind_tcp_on_all_nodes(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)
fs_ignore_get_persistent_fs_attributes(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
domain_use_widely_inheritable_file_descriptors(ping_t)
@ -130,8 +130,8 @@ sysnetwork_read_network_config(ping_t)
logging_send_system_log_message(ping_t)
if (user_ping) {
terminal_use_all_private_physical_terminals(ping_t)
terminal_use_all_private_pseudoterminals(ping_t)
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
}
ifdef(`TODO',`
@ -162,18 +162,18 @@ allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read re
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
corenetwork_sendrecv_tcp_on_all_interfaces(traceroute_t)
corenetwork_sendrecv_udp_on_all_interfaces(traceroute_t)
corenetwork_sendrecv_raw_on_all_interfaces(traceroute_t)
corenetwork_sendrecv_raw_on_all_nodes(traceroute_t)
corenetwork_sendrecv_tcp_on_all_nodes(traceroute_t)
corenetwork_sendrecv_udp_on_all_nodes(traceroute_t)
corenetwork_sendrecv_tcp_on_all_ports(traceroute_t)
corenetwork_sendrecv_udp_on_all_ports(traceroute_t)
corenetwork_bind_udp_on_all_nodes(traceroute_t)
corenetwork_bind_tcp_on_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
fs_ignore_get_persistent_fs_attributes(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_widely_inheritable_file_descriptors(traceroute_t)
@ -193,8 +193,8 @@ devices_get_pseudorandom_data(traceroute_t)
files_read_general_application_resources(traceroute_t)
if (user_ping) {
terminal_use_all_private_physical_terminals(traceroute_t)
terminal_use_all_private_pseudoterminals(traceroute_t)
term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t)
}
ifdef(`TODO',`

View File

@ -66,7 +66,7 @@ allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
allow rpm_t self:udp_socket { connect };
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket rw_stream_socket_perms;
allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
@ -86,7 +86,7 @@ allow rpm_t rpm_tmpfs_t:file create_file_perms;
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms;
@ -96,35 +96,35 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
kernel_get_selinuxfs_mount_point(rpm_t)
kernel_validate_selinux_context(rpm_t)
kernel_compute_selinux_access_vector(rpm_t)
kernel_compute_selinux_create_context(rpm_t)
kernel_compute_selinux_relabel_context(rpm_t)
kernel_compute_selinux_reachable_user_contexts(rpm_t)
kernel_validate_context(rpm_t)
kernel_compute_access_vector(rpm_t)
kernel_compute_create_context(rpm_t)
kernel_compute_relabel_context(rpm_t)
kernel_compute_reachable_user_contexts(rpm_t)
corenetwork_sendrecv_tcp_on_all_interfaces(rpm_t)
corenetwork_sendrecv_raw_on_all_interfaces(rpm_t)
corenetwork_sendrecv_udp_on_all_interfaces(rpm_t)
corenetwork_sendrecv_tcp_on_all_nodes(rpm_t)
corenetwork_sendrecv_raw_on_all_nodes(rpm_t)
corenetwork_sendrecv_udp_on_all_nodes(rpm_t)
corenetwork_sendrecv_tcp_on_all_ports(rpm_t)
corenetwork_sendrecv_udp_on_all_ports(rpm_t)
corenetwork_bind_tcp_on_all_nodes(rpm_t)
corenetwork_bind_udp_on_all_nodes(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
corenet_tcp_sendrecv_all_nodes(rpm_t)
corenet_raw_sendrecv_all_nodes(rpm_t)
corenet_udp_sendrecv_all_nodes(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
devices_get_pseudorandom_data(rpm_t)
#devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t)
#fs_manage_nfs_files(rpm_t)
fs_get_all_fs_attributes(rpm_t)
fs_getattr_all_fs(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
terminal_list_pseudoterminals(rpm_t)
term_list_ptys(rpm_t)
authlogin_ignore_read_shadow_passwords(rpm_t)
@ -242,15 +242,15 @@ allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(rpm_script_t)
kernel_get_selinuxfs_mount_point(rpm_script_t)
kernel_validate_selinux_context(rpm_script_t)
kernel_compute_selinux_access_vector(rpm_script_t)
kernel_compute_selinux_create_context(rpm_script_t)
kernel_compute_selinux_relabel_context(rpm_script_t)
kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
kernel_validate_context(rpm_script_t)
kernel_compute_access_vector(rpm_script_t)
kernel_compute_create_context(rpm_script_t)
kernel_compute_relabel_context(rpm_script_t)
kernel_compute_reachable_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t)
# ideally we would not need this
@ -260,17 +260,17 @@ devices_manage_all_block_devices(rpm_script_t)
devices_manage_all_character_devices(rpm_script_t)
fs_manage_nfs_files(rpm_script_t)
fs_get_nfs_fs_attributes(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
# why is this not using mount?
fs_get_persistent_fs_attributes(rpm_script_t)
fs_mount_persistent_fs(rpm_script_t)
fs_unmount_persistent_fs(rpm_script_t)
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
terminal_get_general_physical_terminal_attributes(rpm_script_t)
terminal_list_pseudoterminals(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
# ideally we would not need this
@ -309,7 +309,7 @@ selinux_restorecon_transition(rpm_script_t)
userdomain_use_all_users_file_descriptors(rpm_script_t)
optional_policy(`bootloader.te', `
bootloader_transition(rpm_script_t)
bootloader_domtrans(rpm_script_t)
')
ifdef(`TODO',`
@ -348,11 +348,11 @@ allow sshd_t rpm_script_t:fd use;
# really do anything useful.
kernel_get_selinuxfs_mount_point(rpmbuild_t)
kernel_validate_selinux_context(rpmbuild_t)
kernel_compute_selinux_access_vector(rpmbuild_t)
kernel_compute_selinux_create_context(rpmbuild_t)
kernel_compute_selinux_relabel_context(rpmbuild_t)
kernel_compute_selinux_reachable_user_contexts(rpmbuild_t)
kernel_validate_context(rpmbuild_t)
kernel_compute_access_vector(rpmbuild_t)
kernel_compute_create_context(rpmbuild_t)
kernel_compute_relabel_context(rpmbuild_t)
kernel_compute_reachable_user_contexts(rpmbuild_t)
selinux_read_source_policy(rpmbuild_t)

View File

@ -78,7 +78,8 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
define(`usermanage_groupadd_transition',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,groupadd_t,groupadd_t)
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
allow $1 groupadd_t:fd use;
allow groupadd_t $1:fd use;
allow groupadd_t $1:fifo_file rw_file_perms;

View File

@ -67,8 +67,8 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
allow chfn_t self:unix_dgram_socket create_rw_socket_perms;
allow chfn_t self:unix_stream_socket rwcreate_stream_socket_perms;
allow chfn_t self:unix_dgram_socket create_socket_perms;
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
allow chfn_t self:unix_dgram_socket sendto;
allow chfn_t self:unix_stream_socket connectto;
allow chfn_t self:shm create_shm_perms;
@ -78,16 +78,16 @@ allow chfn_t self:msg { send receive };
kernel_read_system_state(chfn_t)
kernel_get_selinuxfs_mount_point(chfn_t)
kernel_validate_selinux_context(chfn_t)
kernel_compute_selinux_access_vector(chfn_t)
kernel_compute_selinux_create_context(chfn_t)
kernel_compute_selinux_relabel_context(chfn_t)
kernel_compute_selinux_reachable_user_contexts(chfn_t)
kernel_validate_context(chfn_t)
kernel_compute_access_vector(chfn_t)
kernel_compute_create_context(chfn_t)
kernel_compute_relabel_context(chfn_t)
kernel_compute_reachable_user_contexts(chfn_t)
terminal_use_all_private_physical_terminals(chfn_t)
terminal_use_all_private_pseudoterminals(chfn_t)
term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t)
fs_get_persistent_fs_attributes(chfn_t)
fs_getattr_xattr_fs(chfn_t)
# for SSP
devices_get_pseudorandom_data(chfn_t)
@ -163,7 +163,7 @@ kernel_read_system_state(crack_t)
# for SSP
devices_get_pseudorandom_data(crack_t)
fs_get_persistent_fs_attributes(crack_t)
fs_getattr_xattr_fs(crack_t)
files_read_general_system_config(crack_t)
files_read_runtime_system_config(crack_t)
@ -211,16 +211,16 @@ allow groupadd_t self:msg { send receive };
# Allow access to context for shadow file
kernel_get_selinuxfs_mount_point(groupadd_t)
kernel_validate_selinux_context(groupadd_t)
kernel_compute_selinux_access_vector(groupadd_t)
kernel_compute_selinux_create_context(groupadd_t)
kernel_compute_selinux_relabel_context(groupadd_t)
kernel_compute_selinux_reachable_user_contexts(groupadd_t)
kernel_validate_context(groupadd_t)
kernel_compute_access_vector(groupadd_t)
kernel_compute_create_context(groupadd_t)
kernel_compute_relabel_context(groupadd_t)
kernel_compute_reachable_user_contexts(groupadd_t)
fs_get_persistent_fs_attributes(groupadd_t)
fs_getattr_xattr_fs(groupadd_t)
terminal_use_all_private_physical_terminals(groupadd_t)
terminal_use_all_private_pseudoterminals(groupadd_t)
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
init_use_file_descriptors(groupadd_t)
init_script_read_runtime_data(groupadd_t)
@ -282,20 +282,20 @@ allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perm;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
kernel_get_selinuxfs_mount_point(passwd_t)
kernel_validate_selinux_context(passwd_t)
kernel_compute_selinux_access_vector(passwd_t)
kernel_compute_selinux_create_context(passwd_t)
kernel_compute_selinux_relabel_context(passwd_t)
kernel_compute_selinux_reachable_user_contexts(passwd_t)
kernel_validate_context(passwd_t)
kernel_compute_access_vector(passwd_t)
kernel_compute_create_context(passwd_t)
kernel_compute_relabel_context(passwd_t)
kernel_compute_reachable_user_contexts(passwd_t)
# for SSP
devices_get_pseudorandom_data(passwd_t)
fs_get_persistent_fs_attributes(passwd_t)
fs_getattr_xattr_fs(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@ -378,26 +378,26 @@ allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file creat_file_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_system_state_data_directory(sysadm_passwd_t)
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
kernel_validate_selinux_context(sysadm_passwd_t)
kernel_compute_selinux_access_vector(sysadm_passwd_t)
kernel_compute_selinux_create_context(sysadm_passwd_t)
kernel_compute_selinux_relabel_context(sysadm_passwd_t)
kernel_compute_selinux_reachable_user_contexts(sysadm_passwd_t)
kernel_validate_context(sysadm_passwd_t)
kernel_compute_access_vector(sysadm_passwd_t)
kernel_compute_create_context(sysadm_passwd_t)
kernel_compute_relabel_context(sysadm_passwd_t)
kernel_compute_reachable_user_contexts(sysadm_passwd_t)
# for /proc/meminfo
kernel_read_system_state(sysadm_passwd_t)
# for SSP
devices_get_pseudorandom_data(sysadm_passwd_t)
fs_get_persistent_fs_attributes(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
terminal_use_all_private_physical_terminals(sysadm_passwd_t)
terminal_use_all_private_pseudoterminals(sysadm_passwd_t)
term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@ -475,18 +475,18 @@ allow useradd_t self:msg { send receive };
# Allow access to context for shadow file
kernel_get_selinuxfs_mount_point(useradd_t)
kernel_validate_selinux_context(useradd_t)
kernel_compute_selinux_access_vector(useradd_t)
kernel_compute_selinux_create_context(useradd_t)
kernel_compute_selinux_relabel_context(useradd_t)
kernel_compute_selinux_reachable_user_contexts(useradd_t)
kernel_validate_context(useradd_t)
kernel_compute_access_vector(useradd_t)
kernel_compute_create_context(useradd_t)
kernel_compute_relabel_context(useradd_t)
kernel_compute_reachable_user_contexts(useradd_t)
# for getting the number of groups
kernel_read_kernel_sysctl(useradd_t)
fs_get_persistent_fs_attributes(useradd_t)
fs_getattr_xattr_fs(useradd_t)
terminal_use_all_private_physical_terminals(useradd_t)
terminal_use_all_private_pseudoterminals(useradd_t)
term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
init_use_file_descriptors(useradd_t)
init_script_modify_runtime_data(useradd_t)

View File

@ -65,21 +65,21 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t)
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t)
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t)
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t)
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t)
corenetwork_sendrecv_udp_on_all_ports($1_gpg_t)
corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
corenetwork_bind_udp_on_all_nodes($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
corenet_raw_sendrecv_all_nodes($1_gpg_t)
corenet_udp_sendrecv_all_nodes($1_gpg_t)
corenet_tcp_sendrecv_all_ports($1_gpg_t)
corenet_udp_sendrecv_all_ports($1_gpg_t)
corenet_tcp_bind_all_nodes($1_gpg_t)
corenet_udp_bind_all_nodes($1_gpg_t)
devices_get_random_data($1_gpg_t)
devices_get_pseudorandom_data($1_gpg_t)
fs_get_persistent_fs_attributes($1_gpg_t)
fs_getattr_xattr_fs($1_gpg_t)
files_read_general_system_config($1_gpg_t)
files_read_general_application_resources($1_gpg_t)
@ -175,16 +175,16 @@ define(`gpg_per_userdomain_template',`
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t)
corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t)
corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t)
corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t)
corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t)
corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t)
corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t)
corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
devices_get_pseudorandom_data($1_gpg_helper_t)

View File

@ -51,7 +51,7 @@ define(`bootloader_domtrans_depend',`
define(`bootloader_run',`
requires_block_template(`$0'_depend)
bootloader_transition($1)
bootloader_domtrans($1)
role $2 types bootloader_t;
allow bootloader_t $3:chr_file rw_file_perms;
@ -85,7 +85,7 @@ define(`bootloader_search_boot_dir_depend',`
')
########################################
## <interface name="bootloader_dontaudit_search_boot_dir">
## <interface name="bootloader_dontaudit_search_boot">
## <description>
## Do not audit attempts to search the /boot directory.
## </description>
@ -94,13 +94,13 @@ define(`bootloader_search_boot_dir_depend',`
## </parameter>
## </interface>
#
define(`bootloader_dontaudit_search_boot_dir',`
define(`bootloader_dontaudit_search_boot',`
requires_block_template(`$0'_depend)
dontaudit $1 boot_t:dir search;
')
define(`bootloader_dontaudit_search_boot_dir_depend',`
define(`bootloader_dontaudit_search_boot_depend',`
type boot_t;
class dir search;
@ -195,7 +195,7 @@ define(`bootloader_read_kernel_symbol_table',`
requires_block_template(`$0'_depend)
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file f_file_perms;
allow $1 system_map_t:file r_file_perms;
')
define(`bootloader_read_kernel_symbol_table_depend',`

View File

@ -88,7 +88,7 @@ allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
allow bootloader_t modules_object_t:lnk_file r_file_perms;
kernel_get_core_interface_attributes(bootloader_t)
kernel_getattr_core(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctl(bootloader_t)
@ -106,9 +106,9 @@ devices_get_pseudorandom_data(bootloader_t)
# for reading BIOS data
devices_raw_read_memory(bootloader_t)
fs_get_persistent_fs_attributes(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
terminal_get_all_private_physical_terminal_attributes(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
init_get_control_channel_attributes(bootloader_t)
init_script_use_pseudoterminal(bootloader_t)

View File

@ -15,7 +15,7 @@ define(`devices_make_device_node',`
fs_associate($1)
optional_policy(`distro_redhat',`
fs_tmpfs_associate($1)
fs_associate_tmpfs($1)
')
')
@ -103,6 +103,22 @@ define(`devices_add_dev_dir_depend',`
class dir { ra_dir_perms create };
')
########################################
#
# devices_relabel_dev_dirs(domain)
#
define(`devices_relabel_dev_dirs',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
')
define(`devices_relabel_dev_dirs_depend',`
type device_t;
class dir { r_dir_perms relabelfrom relabelto };
')
########################################
#
# devices_ignore_get_generic_pipe_attributes(domain)
@ -276,11 +292,11 @@ define(`devices_manage_dev_symbolic_links_depend',`
define(`devices_manage_device_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir create_dir_perms;
allow $1 device_t:dir { create_dir_perms relabelfrom relabelto };
allow $1 device_t:sock_file create_file_perms;
allow $1 device_t:lnk_file create_lnk_perms;
allow $1 device_t:{ chr_file blk_file } create_file_perms;
allow $1 device_node:{ chr_file blk_file } create_file_perms;
allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
allow $1 device_node:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
@ -298,11 +314,11 @@ define(`devices_manage_device_nodes_depend',`
type device_t;
class dir create_dir_perms;
class dir { create_dir_perms relabelfrom relabelto };
class sock_file create_file_perms;
class lnk_file create_lnk_perms;
class chr_file create_file_perms;
class blk_file create_file_perms;
class chr_file { create_file_perms relabelfrom relabelto };
class blk_file { create_file_perms relabelfrom relabelto };
')
########################################
@ -369,7 +385,7 @@ define(`devices_create_dev_entry',`
type_transition $1 device_t:$3 $2;
optional_policy(`distro_redhat',`
fs_tmpfs_associate($2)
fs_associate_tmpfs($2)
')
')

View File

@ -11,7 +11,7 @@ attribute memory_raw_write;
type device_t;
files_make_file(device_t)
files_make_mountpoint(device_t)
fs_tmpfs_associate(device_t)
fs_associate_tmpfs(device_t)
# Only directories and symlinks should be labeled device_t.
# If there are other files with this type, it is wrong.
@ -26,18 +26,18 @@ fs_tmpfs_associate(device_t)
#
type agp_device_t, device_node;
fs_associate(agp_device_t)
fs_tmpfs_associate(agp_device_t)
fs_associate_tmpfs(agp_device_t)
#
# Type for /dev/apm_bios
#
type apm_bios_t, device_node;
fs_associate(apm_bios_t)
fs_tmpfs_associate(apm_bios_t)
fs_associate_tmpfs(apm_bios_t)
type cardmgr_dev_t, device_node;
fs_associate(cardmgr_dev_t)
fs_tmpfs_associate(cardmgr_dev_t)
fs_associate_tmpfs(cardmgr_dev_t)
#
# clock_device_t is the type of
@ -45,36 +45,36 @@ fs_tmpfs_associate(cardmgr_dev_t)
#
type clock_device_t, device_node;
fs_associate(clock_device_t)
fs_tmpfs_associate(clock_device_t)
fs_associate_tmpfs(clock_device_t)
#
# cpu control devices /dev/cpu/0/*
#
type cpu_device_t, device_node;
fs_associate(cpu_device_t)
fs_tmpfs_associate(cpu_device_t)
fs_associate_tmpfs(cpu_device_t)
type dri_device_t, device_node;
fs_associate(dri_device_t)
fs_tmpfs_associate(dri_device_t)
fs_associate_tmpfs(dri_device_t)
type event_device_t, device_node;
fs_associate(event_device_t)
fs_tmpfs_associate(event_device_t)
fs_associate_tmpfs(event_device_t)
#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t, device_node;
fs_associate(framebuf_device_t)
fs_tmpfs_associate(framebuf_device_t)
fs_associate_tmpfs(framebuf_device_t)
#
# Type for /dev/mapper/control
#
type lvm_control_t, device_node;
fs_associate(lvm_control_t)
fs_tmpfs_associate(lvm_control_t)
fs_associate_tmpfs(lvm_control_t)
#
# memory_device_t is the type of /dev/kmem,
@ -82,28 +82,28 @@ fs_tmpfs_associate(lvm_control_t)
#
type memory_device_t, device_node;
fs_associate(memory_device_t)
fs_tmpfs_associate(memory_device_t)
fs_associate_tmpfs(memory_device_t)
neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
type misc_device_t, device_node;
fs_associate(misc_device_t)
fs_tmpfs_associate(misc_device_t)
fs_associate_tmpfs(misc_device_t)
#
# A more general type for mouse devices.
#
type mouse_device_t, device_node;
fs_associate(mouse_device_t)
fs_tmpfs_associate(mouse_device_t)
fs_associate_tmpfs(mouse_device_t)
#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t, device_node;
fs_associate(mtrr_device_t)
fs_tmpfs_associate(mtrr_device_t)
fs_associate_tmpfs(mtrr_device_t)
genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
#
@ -111,7 +111,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
#
type null_device_t, device_node;
fs_associate(null_device_t)
fs_tmpfs_associate(null_device_t)
fs_associate_tmpfs(null_device_t)
sid devnull context_template(system_u:object_r:null_device_t,s0)
#
@ -119,48 +119,48 @@ sid devnull context_template(system_u:object_r:null_device_t,s0)
#
type power_device_t, device_node;
fs_associate(power_device_t)
fs_tmpfs_associate(power_device_t)
fs_associate_tmpfs(power_device_t)
type printer_device_t, device_node;
fs_associate(printer_device_t)
fs_tmpfs_associate(printer_device_t)
fs_associate_tmpfs(printer_device_t)
#
# random_device_t is the type of /dev/random
#
type random_device_t, device_node;
fs_associate(random_device_t)
fs_tmpfs_associate(random_device_t)
fs_associate_tmpfs(random_device_t)
type scanner_device_t, device_node;
fs_associate(scanner_device_t)
fs_tmpfs_associate(scanner_device_t)
fs_associate_tmpfs(scanner_device_t)
#
# Type for sound devices and mixers
#
type sound_device_t, device_node;
fs_associate(sound_device_t)
fs_tmpfs_associate(sound_device_t)
fs_associate_tmpfs(sound_device_t)
#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t, device_node;
fs_associate(urandom_device_t)
fs_tmpfs_associate(urandom_device_t)
fs_associate_tmpfs(urandom_device_t)
type v4l_device_t, device_node;
fs_associate(v4l_device_t)
fs_tmpfs_associate(v4l_device_t)
fs_associate_tmpfs(v4l_device_t)
type xserver_misc_device_t, device_node;
fs_associate(xserver_misc_device_t)
fs_tmpfs_associate(xserver_misc_device_t)
fs_associate_tmpfs(xserver_misc_device_t)
#
# zero_device_t is the type of /dev/zero.
#
type zero_device_t, device_node;
fs_associate(zero_device_t)
fs_tmpfs_associate(zero_device_t)
fs_associate_tmpfs(zero_device_t)

View File

@ -21,6 +21,30 @@ define(`fs_make_fs_depend',`
attribute fs_type;
')
########################################
## <interface name="fs_make_noxattr_fs">
## <description>
## Transform specified type into a filesystem
## type which does not have extended attribute
## support.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`fs_make_noxattr_fs',`
requires_block_template(`$0'_depend)
fs_make_fs($1)
typeattribute $1 noxattrfs;
')
define(`fs_make_noxattr_fs_depend',`
attribute noxattrfs;
')
########################################
## <interface name="fs_associate">
## <description>
@ -183,13 +207,13 @@ define(`fs_getattr_xattr_fs_depend',`
## </parameter>
## </interface>
#
define(`fs_ignore_getattr_xattr_fs',`
define(`fs_dontaudit_getattr_xattr_fs',`
requires_block_template(`$0'_depend)
dontaudit $1 fs_t:filesystem getattr;
')
define(`fs_ignore_getattr_xattr_fs_depend',`
define(`fs_dontaudit_getattr_xattr_fs_depend',`
type fs_t;
class filesystem getattr;
@ -1521,7 +1545,7 @@ define(`fs_create_tmpfs_data',`
')
')
define(`fs_create_private_tmpfs_data_depend',`
define(`fs_create_tmpfs_data_depend',`
type tmpfs_t;
class filesystem associate;
@ -1788,7 +1812,7 @@ define(`fs_get_all_fs_quotas_depend',`
')
########################################
## <interface name="fs_set_all_fs_quotas">
## <interface name="fs_set_all_quotas">
## <description>
## Set the quotas of all filesystems.
## </description>

View File

@ -29,7 +29,7 @@ define(`kernel_userland_entry',`
allow $1 kernel_t:process sigchld;
')
define(`kernel_make_userland_entrypoint_depend',`
define(`kernel_userland_entry_depend',`
type kernel_t;
class process { transition noatsecure siginh rlimitinh sigchld };
@ -491,7 +491,7 @@ define(`kernel_compute_reachable_user_contexts',`
allow $1 security_t:security compute_user;
')
define(`kernel_compute_selinux_reachable_user_contexts_depend',`
define(`kernel_compute_reachable_user_contexts_depend',`
type security_t;
class dir { read search getattr };
@ -1096,7 +1096,7 @@ define(`kernel_read_unix_sysctl_depend',`
## </parameter>
## </interface>
#
define(`kernel_modify_unix_sysctl',`
define(`kernel_rw_unix_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
@ -1105,7 +1105,7 @@ define(`kernel_modify_unix_sysctl',`
allow $1 sysctl_net_unix_t:file rw_file_perms;
')
define(`kernel_modify_net_sysctl_depend',`
define(`kernel_rw_net_sysctl_depend',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
class dir r_dir_perms;
@ -1393,9 +1393,9 @@ define(`kernel_read_rpc_sysctl_depend',`
########################################
#
# kernel_modify_rpc_sysctl(domain)
# kernel_rw_rpc_sysctl(domain)
#
define(`kernel_modify_rpc_sysctl',`
define(`kernel_rw_rpc_sysctl',`
requires_block_template(`$0'_depend)
allow $1 proc_t:dir search;
@ -1404,7 +1404,7 @@ define(`kernel_modify_rpc_sysctl',`
allow $1 sysctl_rpc_t:file rw_file_perms;
')
define(`kernel_modify_rpc_sysctl_depend',`
define(`kernel_rw_rpc_sysctl_depend',`
type proc_t, proc_net_t, sysctl_rpc_t;
class dir r_dir_perms;
@ -1423,8 +1423,8 @@ define(`kernel_modify_rpc_sysctl_depend',`
#
define(`kernel_read_all_sysctl',`
kernel_read_device_sysctl($1)
kernel_read_virtual_memory_sysctl($1)
kernel_read_network_sysctl($1)
kernel_read_vm_sysctl($1)
kernel_read_net_sysctl($1)
kernel_read_unix_sysctl($1)
kernel_read_hotplug_sysctl($1)
kernel_read_modprobe_sysctl($1)
@ -1435,7 +1435,7 @@ define(`kernel_read_all_sysctl',`
')
########################################
## <interface name="kernel_modify_all_sysctl">
## <interface name="kernel_rw_all_sysctl">
## <description>
## Read and write all sysctls.
## </description>
@ -1446,8 +1446,8 @@ define(`kernel_read_all_sysctl',`
#
define(`kernel_rw_all_sysctl',`
kernel_rw_device_sysctl($1)
kernel_rw_virtual_memory_sysctl($1)
kernel_rw_network_sysctl($1)
kernel_rw_vm_sysctl($1)
kernel_rw_net_sysctl($1)
kernel_rw_unix_sysctl($1)
kernel_rw_hotplug_sysctl($1)
kernel_rw_modprobe_sysctl($1)
@ -1505,7 +1505,7 @@ define(`kernel_read_hardware_state_depend',`
')
########################################
## <interface name="kernel_rw_hardware_state">
## <interface name="kernel_rw_hardware_config_option">
## <description>
## Allow caller to modify hardware state information.
## </description>

View File

@ -67,15 +67,6 @@ files_make_mountpoint(sysfs_t)
fs_make_fs(sysfs_t)
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
#
# usbfs_t is the type for /proc/bus/usb
#
type usbfs_t alias usbdevfs_t;
files_make_mountpoint(usbfs_t)
fs_make_fs(usbfs_t)
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
#
# Procfs types
#
@ -153,6 +144,15 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
type sysctl_dev_t;
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
#
# usbfs_t is the type for /proc/bus/usb
#
type usbfs_t alias usbdevfs_t;
files_make_mountpoint(usbfs_t)
fs_make_noxattr_fs(usbfs_t)
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
########################################
#
# kernel local policy
@ -197,10 +197,10 @@ auditallow kernel_t security_t:security load_policy;
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
# Kernel-generated traffic e.g., TCP resets:
corenet_raw_sendrecv_all_ifaces(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
terminal_use_console(kernel_t)
term_use_console(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem

View File

@ -41,7 +41,7 @@ define(`term_pty_depend',`
define(`term_user_pty',`
requires_block_template(`$0'_depend)
termi_pty($1)
term_pty($1)
typeattribute $1 server_ptynode;
')
@ -50,11 +50,11 @@ define(`term_user_pty_depend',`
')
########################################
## <interface name="term_pty">
## <interface name="term_tty">
## <description>
## Transform specified type into a tty type.
## </description>
## <parameter name="pty_type">
## <parameter name="tty_type">
## An object type that will applied to a tty.
## </parameter>
## </interface>
@ -115,7 +115,7 @@ define(`term_create_pty_depend',`
')
########################################
## <interface name="term_use_all_terminals">
## <interface name="term_use_all_terms">
## <description>
## Read and write the console, all
## ttys and all ptys.
@ -125,7 +125,7 @@ define(`term_create_pty_depend',`
## </parameter>
## </interface>
#
define(`term_use_all_terminals',`
define(`term_use_all_terms',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
@ -133,7 +133,7 @@ define(`term_use_all_terminals',`
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
define(`term_use_all_terminals_depend',`
define(`term_use_all_terms_depend',`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
@ -378,17 +378,17 @@ define(`term_dontaudit_use_ptmx_depend',`
')
########################################
## <interface name="term_getattr_all_ptys">
## <interface name="term_getattr_all_user_ptys">
## <description>
## Get the attributes of all pty
## device nodes.
## Get the attributes of all user
## pty device nodes.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`term_getattr_all_ptys',`
define(`term_getattr_all_user_ptys',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
@ -462,14 +462,14 @@ define(`term_dontaudit_use_all_user_ptys_depend',`
## </parameter>
## </interface>
#
define(`term_gettattr_unallocated_ttys',`
define(`term_getattr_unallocated_ttys',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 tty_device_t:chr_file getattr;
')
define(`term_gettattr_unallocated_ttys_depend',`
define(`term_getattr_unallocated_ttys_depend',`
type tty_device_t;
class chr_file getattr;
@ -486,14 +486,14 @@ define(`term_gettattr_unallocated_ttys_depend',`
## </parameter>
## </interface>
#
define(`term_settattr_unallocated_ttys',`
define(`term_setattr_unallocated_ttys',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 tty_device_t:chr_file setattr;
')
define(`term_settattr_unallocated_ttys_depend',`
define(`term_setattr_unallocated_ttys_depend',`
type tty_device_t;
class chr_file setattr;
@ -510,14 +510,14 @@ define(`term_settattr_unallocated_ttys_depend',`
## </parameter>
## </interface>
#
define(`term_relabel_unallocated_tty',`
define(`term_relabel_unallocated_ttys',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
')
define(`term_relabel_unallocated_tty_depend',`
define(`term_relabel_unallocated_ttys_depend',`
type tty_device_t;
class chr_file { relabelfrom relabelto };
@ -550,7 +550,7 @@ define(`term_reset_tty_labels_depend',`
')
########################################
## <interface name="term_write_unallocated_tty">
## <interface name="term_write_unallocated_ttys">
## <description>
## Write to unallocated ttys.
## </description>
@ -559,14 +559,14 @@ define(`term_reset_tty_labels_depend',`
## </parameter>
## </interface>
#
define(`term_write_general_tty',`
define(`term_write_unallocated_ttys',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
')
define(`term_write_general_tty_depend',`
define(`term_write_unallocated_ttys_depend',`
type tty_device_t;
class chr_file { getattr write };

View File

@ -26,10 +26,10 @@ define(`cron_per_userdomain_template',`
#
allow $1_crond_t self:capability dac_override;
allow $1_crond_t self:process signal_perms;
allow $1_crond_t self:process { signal_perms setsched };
allow $1_crond_t self:fifo_file rw_file_perms;
allow $1_crond_t self:unix_stream_socket create_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_stream_socket_perms;
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
@ -55,22 +55,22 @@ define(`cron_per_userdomain_template',`
kernel_read_kernel_sysctl($1_crond_t)
# ps does not need to access /boot when run from cron
bootloader_ignore_search_bootloader_data_directory($1_crond_t)
bootloader_dontaudit_search_boot($1_crond_t)
corenetwork_sendrecv_tcp_on_all_interfaces($1_crond_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_crond_t)
corenetwork_sendrecv_udp_on_all_interfaces($1_crond_t)
corenetwork_sendrecv_tcp_on_all_nodes($1_crond_t)
corenetwork_sendrecv_raw_on_all_nodes($1_crond_t)
corenetwork_sendrecv_udp_on_all_nodes($1_crond_t)
corenetwork_sendrecv_tcp_on_all_ports($1_crond_t)
corenetwork_sendrecv_udp_on_all_ports($1_crond_t)
corenetwork_bind_tcp_on_all_nodes($1_crond_t)
corenetwork_bind_udp_on_all_nodes($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_raw_sendrecv_all_if($1_crond_t)
corenet_udp_sendrecv_all_if($1_crond_t)
corenet_tcp_sendrecv_all_nodes($1_crond_t)
corenet_raw_sendrecv_all_nodes($1_crond_t)
corenet_udp_sendrecv_all_nodes($1_crond_t)
corenet_tcp_sendrecv_all_ports($1_crond_t)
corenet_udp_sendrecv_all_ports($1_crond_t)
corenet_tcp_bind_all_nodes($1_crond_t)
corenet_udp_bind_all_nodes($1_crond_t)
devices_get_pseudorandom_data($1_crond_t)
fs_get_all_fs_attributes($1_crond_t)
fs_getattr_all_fs($1_crond_t)
domain_execute_all_entrypoint_programs($1_crond_t)
@ -153,7 +153,7 @@ define(`cron_per_userdomain_template',`
allow $1_crontab_t crond_log_t:file ra_file_perms;
fs_get_persistent_fs_attributes($1_crontab_t)
fs_getattr_xattr_fs($1_crontab_t)
domain_use_widely_inheritable_file_descriptors($1_crontab_t)
@ -225,11 +225,11 @@ define(`cron_admin_template',`
# Manipulate other users crontab.
kernel_get_selinuxfs_mount_point($1_crontab_t)
kernel_validate_selinux_context($1_crontab_t)
kernel_compute_selinux_access_vector($1_crontab_t)
kernel_compute_selinux_create_context($1_crontab_t)
kernel_compute_selinux_relabel_context($1_crontab_t)
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
kernel_validate_context($1_crontab_t)
kernel_compute_access_vector($1_crontab_t)
kernel_compute_create_context($1_crontab_t)
kernel_compute_relabel_context($1_crontab_t)
kernel_compute_reachable_user_contexts($1_crontab_t)
tunable_policy(`fcron_crond', `
# fcron wants an instant update of a crontab change for the administrator

View File

@ -81,17 +81,17 @@ allow crond_t system_cron_spool_t:file r_file_perms;
kernel_read_kernel_sysctl(crond_t)
kernel_read_hardware_state(crond_t)
kernel_get_selinuxfs_mount_point(crond_t)
kernel_validate_selinux_context(crond_t)
kernel_compute_selinux_access_vector(crond_t)
kernel_compute_selinux_create_context(crond_t)
kernel_compute_selinux_relabel_context(crond_t)
kernel_compute_selinux_reachable_user_contexts(crond_t)
kernel_validate_context(crond_t)
kernel_compute_access_vector(crond_t)
kernel_compute_create_context(crond_t)
kernel_compute_relabel_context(crond_t)
kernel_compute_reachable_user_contexts(crond_t)
devices_get_pseudorandom_data(crond_t)
fs_get_all_fs_attributes(crond_t)
fs_getattr_all_fs(crond_t)
terminal_ignore_use_console(crond_t)
term_dontaudit_use_console(crond_t)
# need auth_chkpwd to check for locked accounts.
authlogin_check_password_transition(crond_t)
@ -125,7 +125,7 @@ tunable_policy(`fcron_crond', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(crond_t)
term_dontaudit_use_unallocated_tty(crond_t)
terminal_ignore_use_general_pseudoterminal(crond_t)
files_ignore_read_rootfs_file(crond_t)
')
@ -184,7 +184,7 @@ allow system_crond_t rpm_log_t:file create_file_perms;
#
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process signal_perms;
allow system_crond_t self:process { signal_perms setsched };
allow system_crond_t self:fifo_file rw_file_perms;
allow system_crond_t self:passwd rootok;
@ -215,7 +215,7 @@ allow system_crond_t system_crond_lock_t:file create_file_perms;
files_create_private_lock_file(system_crond_t,system_crond_lock_t)
# write temporary files
allow system_crond_t system_crond_tmp_t:file createfile_perms;
allow system_crond_t system_crond_tmp_t:file create_file_perms;
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
# write temporary files in crond tmp dir:
@ -235,25 +235,25 @@ kernel_read_system_state(system_crond_t)
kernel_read_software_raid_state(system_crond_t)
# ps does not need to access /boot when run from cron
bootloader_ignore_search_bootloader_data_directory(system_crond_t)
bootloader_dontaudit_search_boot(system_crond_t)
corenetwork_sendrecv_tcp_on_all_interfaces(system_crond_t)
corenetwork_sendrecv_raw_on_all_interfaces(system_crond_t)
corenetwork_sendrecv_udp_on_all_interfaces(system_crond_t)
corenetwork_sendrecv_tcp_on_all_nodes(system_crond_t)
corenetwork_sendrecv_raw_on_all_nodes(system_crond_t)
corenetwork_sendrecv_udp_on_all_nodes(system_crond_t)
corenetwork_sendrecv_tcp_on_all_ports(system_crond_t)
corenetwork_sendrecv_udp_on_all_ports(system_crond_t)
corenetwork_bind_tcp_on_all_nodes(system_crond_t)
corenetwork_bind_udp_on_all_nodes(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_raw_sendrecv_all_if(system_crond_t)
corenet_udp_sendrecv_all_if(system_crond_t)
corenet_tcp_sendrecv_all_nodes(system_crond_t)
corenet_raw_sendrecv_all_nodes(system_crond_t)
corenet_udp_sendrecv_all_nodes(system_crond_t)
corenet_tcp_sendrecv_all_ports(system_crond_t)
corenet_udp_sendrecv_all_ports(system_crond_t)
corenet_tcp_bind_all_nodes(system_crond_t)
corenet_udp_bind_all_nodes(system_crond_t)
devices_get_all_block_device_attributes(system_crond_t)
devices_get_all_character_device_attributes(system_crond_t)
devices_get_pseudorandom_data(system_crond_t)
fs_get_all_fs_attributes(system_crond_t)
fs_get_all_file_attributes(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
init_use_file_descriptors(system_crond_t)
init_script_use_file_descriptors(system_crond_t)
@ -296,11 +296,11 @@ if (cron_can_relabel) {
selinux_setfiles_transition(system_crond_t)
} else {
kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_selinux_context(system_crond_t)
kernel_compute_selinux_access_vector(system_crond_t)
kernel_compute_selinux_create_context(system_crond_t)
kernel_compute_selinux_relabel_context(system_crond_t)
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
kernel_validate_context(system_crond_t)
kernel_compute_access_vector(system_crond_t)
kernel_compute_create_context(system_crond_t)
kernel_compute_relabel_context(system_crond_t)
kernel_compute_reachable_user_contexts(system_crond_t)
selinux_read_file_contexts(system_crond_t)
}

View File

@ -33,8 +33,8 @@ define(`mta_per_userdomain_template',`
allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
# Transition from the user domain to the derived domain.
can_exec($1_t, sendmail_exec_t)
domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
allow $1_t sendmail_exec_t:lnk_file { getattr read };
allow $1_t $1_mail_t:fd use;
allow $1_mail_t $1_t:fd use;
@ -43,12 +43,12 @@ define(`mta_per_userdomain_template',`
kernel_read_kernel_sysctl($1_mail_t)
corenetwork_sendrecv_tcp_on_all_interfaces($1_mail_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_mail_t)
corenetwork_sendrecv_tcp_on_all_nodes($1_mail_t)
corenetwork_sendrecv_raw_on_all_nodes($1_mail_t)
corenetwork_sendrecv_tcp_on_all_ports($1_mail_t)
corenetwork_bind_tcp_on_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_raw_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
corenet_raw_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t)
domain_use_widely_inheritable_file_descriptors($1_mail_t)
@ -67,10 +67,10 @@ define(`mta_per_userdomain_template',`
tunable_policy(`use_dns',`
allow $1_mail_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces($1_mail_t)
corenetwork_sendrecv_udp_on_all_nodes($1_mail_t)
corenetwork_bind_udp_on_all_nodes($1_mail_t)
corenetwork_sendrecv_udp_on_dns_port($1_mail_t)
corenet_udp_sendrecv_all_if($1_mail_t)
corenet_udp_sendrecv_all_nodes($1_mail_t)
corenet_udp_bind_all_nodes($1_mail_t)
corenet_udp_sendrecv_dns_port($1_mail_t)
')
optional_policy(`procmail.te',`

View File

@ -41,7 +41,7 @@ init_make_system_domain(system_mail_t,sendmail_exec_t)
#
allow system_mail_t self:capability { setuid setgid chown };
allow system_mail_t self:process { signal_perms setrlinit };
allow system_mail_t self:process { signal_perms setrlimit };
allow system_mail_t self:tcp_socket create_socket_perms;
@ -53,16 +53,16 @@ kernel_read_kernel_sysctl(system_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
corenetwork_sendrecv_tcp_on_all_interfaces(system_mail_t)
corenetwork_sendrecv_raw_on_all_interfaces(system_mail_t)
corenetwork_sendrecv_tcp_on_all_nodes(system_mail_t)
corenetwork_sendrecv_raw_on_all_nodes(system_mail_t)
corenetwork_bind_tcp_on_all_nodes(system_mail_t)
corenetwork_sendrecv_tcp_on_all_ports(system_mail_t)
corenet_tcp_sendrecv_all_if(system_mail_t)
corenet_raw_sendrecv_all_if(system_mail_t)
corenet_tcp_sendrecv_all_nodes(system_mail_t)
corenet_raw_sendrecv_all_nodes(system_mail_t)
corenet_tcp_bind_all_nodes(system_mail_t)
corenet_tcp_sendrecv_all_ports(system_mail_t)
devices_get_pseudorandom_data(system_mail_t)
fs_get_persistent_fs_attributes(system_mail_t)
fs_getattr_xattr_fs(system_mail_t)
init_script_use_pseudoterminal(system_mail_t)
@ -84,10 +84,10 @@ sysnetwork_read_network_config(system_mail_t)
tunable_policy(`use_dns',`
allow system_mail_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces(system_mail_t)
corenetwork_sendrecv_udp_on_all_nodes(system_mail_t)
corenetwork_bind_udp_on_all_nodes(system_mail_t)
corenetwork_sendrecv_udp_on_dns_port(system_mail_t)
corenet_udp_sendrecv_all_if(system_mail_t)
corenet_udp_sendrecv_all_nodes(system_mail_t)
corenet_udp_bind_all_nodes(system_mail_t)
corenet_udp_sendrecv_dns_port(system_mail_t)
')
optional_policy(`procmail.te',`

View File

@ -44,16 +44,16 @@ files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctl(remote_login_t)
kernel_get_selinuxfs_mount_point(remote_login_t)
kernel_validate_selinux_context(remote_login_t)
kernel_compute_selinux_access_vector(remote_login_t)
kernel_compute_selinux_create_context(remote_login_t)
kernel_compute_selinux_relabel_context(remote_login_t)
kernel_compute_selinux_reachable_user_contexts(remote_login_t)
kernel_validate_context(remote_login_t)
kernel_compute_access_vector(remote_login_t)
kernel_compute_create_context(remote_login_t)
kernel_compute_relabel_context(remote_login_t)
kernel_compute_reachable_user_contexts(remote_login_t)
# for SSP/ProPolice
devices_get_pseudorandom_data(remote_login_t)
fs_get_persistent_fs_attributes(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
init_script_modify_runtime_data(remote_login_t)

View File

@ -42,23 +42,23 @@ files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t)
kernel_read_kernel_sysctl(sendmail_t)
kernel_read_hardware_state(sendmail_t)
corenetwork_sendrecv_tcp_on_all_interfaces(sendmail_t)
corenetwork_sendrecv_raw_on_all_interfaces(sendmail_t)
corenetwork_sendrecv_udp_on_all_interfaces(sendmail_t)
corenetwork_sendrecv_tcp_on_all_nodes(sendmail_t)
corenetwork_sendrecv_raw_on_all_nodes(sendmail_t)
corenetwork_sendrecv_udp_on_all_nodes(sendmail_t)
corenetwork_sendrecv_tcp_on_all_ports(sendmail_t)
corenetwork_sendrecv_udp_on_all_ports(sendmail_t)
corenetwork_bind_tcp_on_all_nodes(sendmail_t)
corenetwork_bind_udp_on_all_nodes(sendmail_t)
corenetwork_bind_tcp_on_smtp_port(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_raw_sendrecv_all_if(sendmail_t)
corenet_udp_sendrecv_all_if(sendmail_t)
corenet_tcp_sendrecv_all_nodes(sendmail_t)
corenet_raw_sendrecv_all_nodes(sendmail_t)
corenet_udp_sendrecv_all_nodes(sendmail_t)
corenet_tcp_sendrecv_all_ports(sendmail_t)
corenet_udp_sendrecv_all_ports(sendmail_t)
corenet_tcp_bind_all_nodes(sendmail_t)
corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
devices_get_pseudorandom_data(sendmail_t)
fs_get_all_fs_attributes(sendmail_t)
fs_getattr_all_fs(sendmail_t)
terminal_ignore_use_console(sendmail_t)
term_dontaudit_use_console(sendmail_t)
init_use_file_descriptors(sendmail_t)
init_script_use_pseudoterminal(sendmail_t)
@ -89,7 +89,7 @@ mta_manage_mail_spool(sendmail_t)
sysnetwork_read_network_config(sendmail_t)
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(sendmail_t)
term_dontaudit_use_unallocated_tty(sendmail_t)
terminal_ignore_use_general_pseudoterminal(sendmail_t)
files_ignore_read_rootfs_file(sendmail_t)
')

View File

@ -40,7 +40,7 @@ define(`authlogin_per_userdomain_template',`
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
fs_ignore_get_persistent_fs_attributes($1_chkpwd_t)
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
@ -62,7 +62,7 @@ define(`authlogin_per_userdomain_template',`
#can_ldap($1_chkpwd_t)
# Transition from the user domain to this domain.
domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t)
domain_auto_trans($1_t,chkpwd_exec_t,$1_chkpwd_t)
allow $1_chkpwd_t $1_t:fd use;
allow $1_t $1_chkpwd_t:fd use;
@ -78,12 +78,12 @@ define(`authlogin_per_userdomain_template',`
tunable_policy(`use_dns',`
allow $1_chkpwd_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
corenetwork_sendrecv_raw_on_all_nodes($1_chkpwd_t)
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
corenetwork_sendrecv_udp_on_dns_port($1_chkpwd_t)
corenet_udp_sendrecv_all_if($1_chkpwd_t)
corenet_raw_sendrecv_all_if($1_chkpwd_t)
corenet_udp_sendrecv_all_nodes($1_chkpwd_t)
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
corenet_udp_bind_all_nodes($1_chkpwd_t)
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
sysnetwork_read_network_config($1_chkpwd_t)
')
@ -207,12 +207,12 @@ define(`authlogin_check_password_transition',`
tunable_policy(`use_dns',`
allow $1 self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces($1)
corenetwork_sendrecv_raw_on_all_interfaces($1)
corenetwork_sendrecv_udp_on_all_nodes($1)
corenetwork_sendrecv_raw_on_all_nodes($1)
corenetwork_bind_udp_on_all_nodes($1)
corenetwork_sendrecv_udp_on_dns_port($1)
corenet_udp_sendrecv_all_if($1)
corenet_raw_sendrecv_all_if($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_udp_sendrecv_dns_port($1)
sysnetwork_read_network_config($1)
')
')
@ -505,7 +505,7 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
define(`authlogin_pam_execute',`
requires_block_template(`$0'_depend)
can_exec($1,pam_exec_file_t)
can_exec($1,pam_exec_t)
')
define(`authlogin_pam_execute_depend',`
@ -652,7 +652,7 @@ define(`authlogin_pam_console_manage_runtime_data',`
files_search_system_state_data_directory($1)
files_search_runtime_data_directory($1)
allow $1 pam_var_console_t:dir rw_dir_perms;
B allow $1 pam_var_console_t:file create_file_perms;
allow $1 pam_var_console_t:file create_file_perms;
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
')

View File

@ -93,8 +93,8 @@ files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
terminal_use_all_private_physical_terminals(pam_t)
terminal_use_all_private_pseudoterminals(pam_t)
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
init_script_ignore_modify_runtime_data(pam_t)
@ -139,17 +139,17 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
kernel_read_kernel_sysctl(pam_console_t)
kernel_read_system_state(pam_console_t)
kernel_read_hardware_state(pam_console_t)
kernel_use_file_descriptors(pam_console_t)
kernel_use_fd(pam_console_t)
# Allow to set attributes on /dev entries
storage_get_fixed_disk_attributes(pam_console_t)
storage_set_fixed_disk_attributes(pam_console_t)
storage_get_removable_device_attributes(pam_console_t)
storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t)
storage_set_removable_device_attributes(pam_console_t)
terminal_use_console(pam_console_t)
terminal_get_general_physical_terminal_attributes(pam_console_t)
terminal_set_general_physical_terminal_attributes(pam_console_t)
term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
init_use_file_descriptors(pam_console_t)
init_use_file_descriptors(pam_console_t)
@ -175,7 +175,7 @@ ifdef(`direct_sysadm_daemon', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(pam_console_t)
term_dontaudit_use_unallocated_tty(pam_console_t)
terminal_ignore_use_general_pseudoterminal(pam_console_t)
files_ignore_read_rootfs_file(pam_console_t)
')
@ -236,9 +236,9 @@ allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
fs_ignore_get_persistent_fs_attributes(system_chkpwd_t)
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
terminal_use_general_physical_terminal(system_chkpwd_t)
term_use_unallocated_tty(system_chkpwd_t)
files_read_general_system_config(system_chkpwd_t)
# for nscd
@ -255,12 +255,12 @@ selinux_read_config(system_chkpwd_t)
tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
corenet_udp_sendrecv_all_if(system_chkpwd_t)
corenet_raw_sendrecv_all_if(system_chkpwd_t)
corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
corenet_udp_bind_all_nodes(system_chkpwd_t)
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
sysnetwork_read_network_config(system_chkpwd_t)
')
@ -278,15 +278,15 @@ dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
#
allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket rw_stream_socket_perms;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;
allow utempter_t wtmp_t:file rw_file_perms;
terminal_get_all_private_physical_terminal_attributes(utempter_t)
terminal_get_all_private_pseudoterminal_attributes(utempter_t)
terminal_ignore_use_all_private_physical_terminals(utempter_t)
terminal_ignore_use_all_private_pseudoterminals(utempter_t)
terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
term_getattr_all_user_ttys(utempter_t)
term_getattr_all_user_ptys(utempter_t)
term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
init_script_modify_runtime_data(utempter_t)

View File

@ -34,12 +34,12 @@ kernel_read_hardware_state(hwclock_t)
devices_modify_realtime_clock(hwclock_t)
fs_get_persistent_fs_attributes(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
terminal_ignore_use_console(hwclock_t)
terminal_use_general_physical_terminal(hwclock_t)
terminal_use_all_private_physical_terminals(hwclock_t)
terminal_use_all_private_pseudoterminals(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_tty(hwclock_t)
term_use_all_user_ttys(hwclock_t)
term_use_all_user_ptys(hwclock_t)
init_use_file_descriptors(hwclock_t)
init_script_use_pseudoterminal(hwclock_t)
@ -58,7 +58,7 @@ logging_send_system_log_message(hwclock_t)
miscfiles_read_localization(hwclock_t)
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hwclock_t)
term_dontaudit_use_unallocated_tty(hwclock_t)
terminal_ignore_use_general_pseudoterminal(hwclock_t)
files_ignore_read_rootfs_file(hwclock_t)
')

View File

@ -200,9 +200,8 @@ define(`corecommands_shell_explicit_transition',`
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file r_file_perms;
allow $1 shell_exec_t:file rx_file_perms
allow $1 $2:process transition;
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
domain_trans($1,shell_exec_t,$2)
allow $1 $2:fd use;
allow $2 $1:fd use;

View File

@ -38,7 +38,7 @@ define(`domain_make_domain',`
# Use trusted objects in /dev
devices_use_dev_null($1)
devices_use_dev_zero($1)
terminal_use_controlling_terminal($1)
term_use_controlling_term($1)
# read the root directory
files_read_root_dir($1)

View File

@ -9,7 +9,7 @@ define(`files_make_file',`
requires_block_template(`$0'_depend)
fs_associate($1)
fs_noxattr_associate($1)
fs_associate_noxattr($1)
typeattribute $1 file_type;
')
@ -92,7 +92,7 @@ define(`files_make_tmpfs_file',`
requires_block_template(`$0'_depend)
files_make_file($1)
fs_tmpfs_associate($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile;
')
@ -938,7 +938,7 @@ define(`files_manage_pseudorandom_saved_seed',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_lib_t:dir rw_file_perms;
allow $1 var_lib_t:dir rw_dir_perms;
allow $1 var_lib_t:file { getattr create read write setattr unlink };
')
@ -992,7 +992,7 @@ define(`files_manage_system_lock_files_depend',`
define(`files_remove_all_lock_files',`
requires_block_template(`$0'_depend)
allow $1 lockfile:dir rw_file_perms;
allow $1 lockfile:dir rw_dir_perms;
allow $1 lockfile:file { getattr unlink };
')
@ -1271,15 +1271,15 @@ define(`files_manage_system_spools',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_spool_t:dir rw_file_perms;
allow $1 var_spool_t:file { getattr create read write append unlink setattr };
allow $1 var_spool_t:dir rw_dir_perms;
allow $1 var_spool_t:file create_file_perms;
')
define(`files_manage_system_spools_depend',`
type var_t, var_spool_t;
class dir rw_file_perms;
class file { getattr create read write append unlink setattr };
class dir rw_dir_perms;
class file create_file_perms;
')
## </module>

View File

@ -13,14 +13,14 @@ attribute tmpfsfile;
# other than the generic /.* specification.
type default_t, file_type, mountpoint;
fs_associate(default_t)
fs_noxattr_associate(default_t)
fs_associate_noxattr(default_t)
#
# etc_t is the type of the system etc directories.
#
type etc_t, file_type;
fs_associate(etc_t)
fs_noxattr_associate(etc_t)
fs_associate_noxattr(etc_t)
#
# etc_runtime_t is the type of various
@ -29,7 +29,7 @@ fs_noxattr_associate(etc_t)
#
type etc_runtime_t, file_type;
fs_associate(etc_runtime_t)
fs_noxattr_associate(etc_runtime_t)
fs_associate_noxattr(etc_runtime_t)
#
# file_t is the default type of a file that has not yet been
@ -38,8 +38,8 @@ fs_noxattr_associate(etc_runtime_t)
#
type file_t, file_type, mountpoint;
fs_associate(file_t)
fs_noxattr_associate(file_t)
kernel_make_root_fs_mountpoint(file_t)
fs_associate_noxattr(file_t)
kernel_rootfs_mountpoint(file_t)
sid file context_template(system_u:object_r:file_t,s0)
#
@ -48,41 +48,41 @@ sid file context_template(system_u:object_r:file_t,s0)
#
type home_root_t, file_type, mountpoint;
fs_associate(home_root_t)
fs_noxattr_associate(home_root_t)
fs_associate_noxattr(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t, file_type;
fs_associate(lost_found_t)
fs_noxattr_associate(lost_found_t)
fs_associate_noxattr(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t, file_type, mountpoint;
fs_associate(mnt_t)
fs_noxattr_associate(mnt_t)
fs_associate_noxattr(mnt_t)
type no_access_t, file_type;
fs_associate(no_access_t)
fs_noxattr_associate(no_access_t)
fs_associate_noxattr(no_access_t)
type poly_t, file_type;
fs_associate(poly_t)
fs_noxattr_associate(poly_t)
fs_associate_noxattr(poly_t)
type readable_t, file_type;
fs_associate(readable_t)
fs_noxattr_associate(readable_t)
fs_associate_noxattr(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
type root_t, file_type, mountpoint;
fs_associate(root_t)
fs_noxattr_associate(root_t)
kernel_make_root_fs_mountpoint(root_t)
fs_associate_noxattr(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / context_template(system_u:object_r:root_t,s0)
#
@ -90,42 +90,42 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0)
#
type src_t, file_type;
fs_associate(src_t)
fs_noxattr_associate(src_t)
fs_associate_noxattr(src_t)
#
# tmp_t is the type of the temporary directories
#
type tmp_t, file_type, tmpfile, mountpoint;
fs_associate(tmp_t)
fs_noxattr_associate(tmp_t)
fs_associate_noxattr(tmp_t)
#
# usr_t is the type for /usr.
#
type usr_t, file_type, mountpoint;
fs_associate(usr_t)
fs_noxattr_associate(usr_t)
fs_associate_noxattr(usr_t)
#
# var_t is the type of /var
#
type var_t, file_type, mountpoint;
fs_associate(var_t)
fs_noxattr_associate(var_t)
fs_associate_noxattr(var_t)
#
# var_lib_t is the type of /var/lib
#
type var_lib_t, file_type;
fs_associate(var_lib_t)
fs_noxattr_associate(var_lib_t)
fs_associate_noxattr(var_lib_t)
#
# var_lock_t is tye type of /var/lock
#
type var_lock_t, file_type, lockfile;
fs_associate(var_lock_t)
fs_noxattr_associate(var_lock_t)
fs_associate_noxattr(var_lock_t)
#
# var_run_t is the type of /var/run, usually
@ -133,11 +133,11 @@ fs_noxattr_associate(var_lock_t)
#
type var_run_t, file_type, pidfile;
fs_associate(var_run_t)
fs_noxattr_associate(var_run_t)
fs_associate_noxattr(var_run_t)
#
# var_spool_t is the type of /var/spool
#
type var_spool_t, file_type;
fs_associate(var_spool_t)
fs_noxattr_associate(var_spool_t)
fs_associate_noxattr(var_spool_t)

View File

@ -45,14 +45,14 @@ allow getty_t getty_log_t:file { getattr append setattr };
kernel_read_hardware_state(getty_t)
# for error condition handling
fs_get_persistent_fs_attributes(getty_t)
fs_getattr_xattr_fs(getty_t)
# Chown, chmod, read and write ttys.
terminal_use_all_private_physical_terminals(getty_t)
terminal_use_general_physical_terminal(getty_t)
terminal_set_all_private_physical_terminal_attributes(getty_t)
terminal_set_general_physical_terminal_attributes(getty_t)
terminal_set_console_attributes(getty_t)
term_use_all_user_ttys(getty_t)
term_use_unallocated_tty(getty_t)
term_setattr_all_user_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
authlogin_modify_login_records(getty_t)

View File

@ -27,15 +27,15 @@ sysnetwork_read_network_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t)
kernel_read_hardware_state(hostname_t)
kernel_ignore_use_file_descriptors(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
files_read_general_system_config(hostname_t)
files_ignore_search_system_state_data_directory(hostname_t)
fs_get_persistent_fs_attributes(hostname_t)
fs_getattr_xattr_fs(hostname_t)
terminal_ignore_use_console(hostname_t)
terminal_use_all_private_physical_terminals(hostname_t)
terminal_use_all_private_pseudoterminals(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
term_use_all_user_ptys(hostname_t)
init_use_file_descriptors(hostname_t)
init_script_use_pseudoterminal(hostname_t)
@ -59,19 +59,19 @@ ifdef(`distro_redhat', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hostname_t)
term_dontaudit_use_unallocated_tty(hostname_t)
terminal_ignore_use_general_pseudoterminal(hostname_t)
files_ignore_read_rootfs_file(hostname_t)
')
tunable_policy(`use_dns',`
allow hostname_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
corenetwork_sendrecv_raw_on_all_nodes(hostname_t)
corenetwork_bind_udp_on_all_nodes(hostname_t)
corenetwork_sendrecv_udp_on_dns_port(hostname_t)
corenet_udp_sendrecv_all_if(hostname_t)
corenet_raw_sendrecv_all_if(hostname_t)
corenet_udp_sendrecv_all_nodes(hostname_t)
corenet_raw_sendrecv_all_nodes(hostname_t)
corenet_udp_bind_all_nodes(hostname_t)
corenet_udp_sendrecv_dns_port(hostname_t)
sysnetwork_read_network_config(hostname_t)
')

View File

@ -8,7 +8,7 @@ policy_module(hotplug, 1.0)
type hotplug_t;
type hotplug_exec_t;
kernel_make_userland_entrypoint(hotplug_t,hotplug_exec_t)
kernel_userland_entry(hotplug_t,hotplug_exec_t)
init_make_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread;
@ -29,7 +29,7 @@ dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { getsession getattr };
allow hotplug_t self:fifo_file r_file_perms;
allow hotplug_t self:fifo_file rw_file_perms;
allow hotplug_t self:udp_socket create_socket_perms;
allow hotplug_t self:tcp_socket connected_stream_socket_perms;
@ -46,27 +46,27 @@ files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
kernel_read_hardware_state(hotplug_t)
kernel_read_network_sysctl(hotplug_t)
kernel_read_net_sysctl(hotplug_t)
kernel_read_usb_hardware_state(hotplug_t)
bootloader_read_kernel_modules(hotplug_t)
corenetwork_sendrecv_tcp_on_all_interfaces(hotplug_t)
corenetwork_sendrecv_raw_on_all_interfaces(hotplug_t)
corenetwork_sendrecv_tcp_on_all_nodes(hotplug_t)
corenetwork_sendrecv_raw_on_all_nodes(hotplug_t)
corenetwork_sendrecv_tcp_on_all_ports(hotplug_t)
corenetwork_bind_tcp_on_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_raw_sendrecv_all_if(hotplug_t)
corenet_tcp_sendrecv_all_nodes(hotplug_t)
corenet_raw_sendrecv_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_tcp_bind_all_nodes(hotplug_t)
# for SSP
devices_get_pseudorandom_data(hotplug_t)
fs_get_all_fs_attributes(hotplug_t)
fs_getattr_all_fs(hotplug_t)
storage_set_fixed_disk_attributes(hotplug_t)
storage_setattr_fixed_disk(hotplug_t)
storage_set_removable_device_attributes(hotplug_t)
terminal_ignore_use_console(hotplug_t)
term_dontaudit_use_console(hotplug_t)
corecommands_execute_general_programs(hotplug_t)
corecommands_execute_shell(hotplug_t)
@ -118,7 +118,7 @@ ifdef(`distro_redhat', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(hotplug_t)
term_dontaudit_use_unallocated_tty(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t)
files_ignore_read_rootfs_file(hotplug_t)
')

View File

@ -26,7 +26,7 @@ define(`init_make_init_domain',`
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors($1)
kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1)
')
')
@ -65,7 +65,7 @@ define(`init_make_daemon_domain',`
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors($1)
kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1)
')
')
@ -106,7 +106,7 @@ define(`init_make_system_domain',`
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors($1)
kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1)
')
')
@ -409,7 +409,7 @@ define(`init_script_get_process_group_depend',`
define(`init_script_use_pseudoterminal',`
requires_block_template(`$0'_depend)
terminal_list_pseudoterminals($1)
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
')

View File

@ -17,7 +17,7 @@ role system_r types init_t;
# init_exec_t is the type of the init program.
#
type init_exec_t;
kernel_make_userland_entrypoint(init_t,init_exec_t)
kernel_userland_entry(init_t,init_exec_t)
domain_make_entrypoint_file(init_t,init_exec_t)
#
@ -43,8 +43,8 @@ domain_make_entrypoint_file(initrc_t,initrc_exec_t)
type initrc_devpts_t;
fs_associate(initrc_devpts_t)
fs_noxattr_associate(initrc_devpts_t)
terminal_make_pseudoterminal(initrc_devpts_t)
fs_associate_noxattr(initrc_devpts_t)
term_pty(initrc_devpts_t)
type initrc_var_run_t;
files_make_daemon_runtime_file(initrc_var_run_t)
@ -79,21 +79,21 @@ allow init_t init_var_run_t:file { create getattr read append write setattr unli
files_create_daemon_runtime_data(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_tmpfs_associate(initctl_t)
fs_associate_tmpfs(initctl_t)
devices_create_dev_entry(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
# Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
kernel_set_selinux_boolean(init_t)
kernel_set_boolean(init_t)
kernel_read_system_state(init_t)
kernel_read_hardware_state(init_t)
kernel_share_state(init_t)
terminal_use_all_terminals(init_t)
term_use_all_terms(init_t)
corecommands_chroot(init_t)
corecommands_execute_general_programs(init_t)
@ -129,7 +129,7 @@ miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(init_t)
fs_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')
optional_policy(`authlogin.te',`
@ -181,26 +181,26 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_hardware_state(initrc_t)
kernel_modify_hardware_config_option(initrc_t)
kernel_rw_hardware_config_option(initrc_t)
kernel_read_all_sysctl(initrc_t)
kernel_modify_all_sysctl(initrc_t)
kernel_rw_all_sysctl(initrc_t)
kernel_get_selinux_enforcement_mode(initrc_t)
kernel_list_usb_hardware(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_ignore_get_message_interface_attributes(initrc_t)
kernel_dontaudit_getattr_message_if(initrc_t)
bootloader_read_kernel_symbol_table(initrc_t)
corenetwork_sendrecv_tcp_on_all_interfaces(initrc_t)
corenetwork_sendrecv_raw_on_all_interfaces(initrc_t)
corenetwork_sendrecv_udp_on_all_interfaces(initrc_t)
corenetwork_sendrecv_tcp_on_all_nodes(initrc_t)
corenetwork_sendrecv_raw_on_all_nodes(initrc_t)
corenetwork_sendrecv_udp_on_all_nodes(initrc_t)
corenetwork_sendrecv_tcp_on_all_ports(initrc_t)
corenetwork_sendrecv_udp_on_all_ports(initrc_t)
corenetwork_bind_tcp_on_all_nodes(initrc_t)
corenetwork_bind_udp_on_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_raw_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
corenet_raw_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)
devices_get_random_data(initrc_t)
devices_get_pseudorandom_data(initrc_t)
@ -221,14 +221,14 @@ fs_register_binary_executable_type(initrc_t)
fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_get_all_fs_attributes(initrc_t)
fs_getattr_all_fs(initrc_t)
storage_get_fixed_disk_attributes(initrc_t)
storage_set_fixed_disk_attributes(initrc_t)
storage_getattr_fixed_disk(initrc_t)
storage_setattr_fixed_disk(initrc_t)
storage_set_removable_device_attributes(initrc_t)
terminal_use_all_terminals(initrc_t)
terminal_reset_physical_terminal_labels(initrc_t)
term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
authlogin_modify_login_records(initrc_t)
authlogin_modify_last_login_log(initrc_t)
@ -296,7 +296,7 @@ userdomain_read_all_users_data(initrc_t)
userdomain_use_admin_terminals(initrc_t)
ifdef(`distro_debian', `
fs_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
')
ifdef(`distro_redhat',`
@ -305,10 +305,10 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
kernel_ignore_use_file_descriptors(initrc_t)
kernel_dontaudit_use_fd(initrc_t)
files_ignore_read_rootfs_file(initrc_t)
kernel_set_selinux_enforcement_mode(initrc_t)
kernel_set_enforcement_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
@ -354,7 +354,7 @@ optional_policy(`rhgb.te',`
optional_policy(`rpm.te',`
# bash tries to access a block device in the initrd
kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
# for a bug in rm
files_ignore_write_all_daemon_runtime_data(initrc_t)

View File

@ -42,11 +42,11 @@ kernel_read_network_state(iptables_t)
kernel_read_hardware_state(iptables_t)
kernel_read_kernel_sysctl(iptables_t)
kernel_read_modprobe_sysctl(iptables_t)
kernel_use_file_descriptors(iptables_t)
kernel_use_fd(iptables_t)
fs_get_persistent_fs_attributes(iptables_t)
fs_getattr_xattr_fs(iptables_t)
terminal_ignore_use_console(iptables_t)
term_dontaudit_use_console(iptables_t)
domain_use_widely_inheritable_file_descriptors(iptables_t)
@ -73,12 +73,12 @@ userdomain_use_all_users_file_descriptors(iptables_t)
tunable_policy(`use_dns',`
allow iptables_t self:udp_socket create_socket_perms;
corenetwork_sendrecv_udp_on_all_interfaces(iptables_t)
corenetwork_sendrecv_raw_on_all_interfaces(iptables_t)
corenetwork_sendrecv_udp_on_all_nodes(iptables_t)
corenetwork_sendrecv_raw_on_all_nodes(iptables_t)
corenetwork_bind_udp_on_all_nodes(iptables_t)
corenetwork_sendrecv_udp_on_dns_port(iptables_t)
corenet_udp_sendrecv_all_if(iptables_t)
corenet_raw_sendrecv_all_if(iptables_t)
corenet_udp_sendrecv_all_nodes(iptables_t)
corenet_raw_sendrecv_all_nodes(iptables_t)
corenet_udp_bind_all_nodes(iptables_t)
corenet_udp_sendrecv_dns_port(iptables_t)
sysnetwork_read_network_config(iptables_t)
')
@ -97,7 +97,7 @@ optional_policy(`udev.te', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(iptables_t)
term_dontaudit_use_unallocated_tty(iptables_t)
terminal_ignore_use_general_pseudoterminal(iptables_t)
files_ignore_read_rootfs_file(iptables_t)

View File

@ -14,10 +14,7 @@
define(`libraries_ldconfig_transition',`
requires_block_template(`$0'_depend)
allow $1 ldconfig_exec_t:file rx_file_perms;
allow $1 ldconfig_t:process transition;
type_transition $1 ldconfig_exec_t:process ldconfig_t;
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
allow $1 ldconfig_t:fd use;
allow ldconfig_t $1:fd use;
@ -215,7 +212,7 @@ define(`libraries_execute_library_scripts',`
requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms
allow $1 lib_t:lnk_file r_file_perms;
allow $1 lib_t:file { getattr read execute execute_no_trans };
')

View File

@ -60,7 +60,7 @@ allow ldconfig_t { shlib_t texrel_shlib_t }:file rx_file_perms;
kernel_read_system_state(ldconfig_t)
fs_get_persistent_fs_attributes(ldconfig_t)
fs_getattr_xattr_fs(ldconfig_t)
domain_use_widely_inheritable_file_descriptors(ldconfig_t)

View File

@ -54,21 +54,21 @@ files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t)
kernel_get_selinuxfs_mount_point(local_login_t)
kernel_validate_selinux_context(local_login_t)
kernel_compute_selinux_access_vector(local_login_t)
kernel_compute_selinux_create_context(local_login_t)
kernel_compute_selinux_relabel_context(local_login_t)
kernel_compute_selinux_reachable_user_contexts(local_login_t)
kernel_validate_context(local_login_t)
kernel_compute_access_vector(local_login_t)
kernel_compute_create_context(local_login_t)
kernel_compute_relabel_context(local_login_t)
kernel_compute_reachable_user_contexts(local_login_t)
# for SSP/ProPolice
devices_get_pseudorandom_data(local_login_t)
terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t)
terminal_relabel_general_physical_terminal(local_login_t)
terminal_relabel_all_private_physical_terminals(local_login_t)
terminal_set_all_private_physical_terminal_attributes(local_login_t)
terminal_set_general_physical_terminal_attributes(local_login_t)
term_use_all_user_ttys(local_login_t)
term_use_unallocated_tty(local_login_t)
term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_user_ttys(local_login_t)
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
@ -109,7 +109,7 @@ mta_get_mail_spool_attributes(local_login_t)
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_ignore_use_file_descriptors(local_login_t)
kernel_dontaudit_use_fd(local_login_t)
files_ignore_read_rootfs_file(local_login_t)
')
@ -205,7 +205,7 @@ allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm create_shm_perms;
allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq createmsgq_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
@ -241,11 +241,11 @@ ifdef(`sulogin_no_pam', `
', `
allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t)
kernel_validate_selinux_context(sulogin_t)
kernel_compute_selinux_access_vector(sulogin_t)
kernel_compute_selinux_create_context(sulogin_t)
kernel_compute_selinux_relabel_context(sulogin_t)
kernel_compute_selinux_reachable_user_contexts(sulogin_t)
kernel_validate_context(sulogin_t)
kernel_compute_access_vector(sulogin_t)
kernel_compute_create_context(sulogin_t)
kernel_compute_relabel_context(sulogin_t)
kernel_compute_reachable_user_contexts(sulogin_t)
')
ifdef(`TODO',`

View File

@ -55,7 +55,7 @@ define(`logging_send_system_log_message',`
allow $1 self:unix_stream_socket create_socket_perms;
# cjp: this should most likely be removed:
terminal_use_console($1)
term_use_console($1)
')
define(`logging_send_system_log_message_depend',`

View File

@ -61,9 +61,9 @@ files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_read_hardware_state(auditd_t)
fs_get_all_fs_attributes(auditd_t)
fs_getattr_all_fs(auditd_t)
terminal_ignore_use_console(auditd_t)
term_dontaudit_use_console(auditd_t)
init_use_file_descriptors(auditd_t)
init_script_use_pseudoterminal(auditd_t)
@ -80,7 +80,7 @@ libraries_use_shared_libraries(auditd_t)
miscfiles_read_localization(auditd_t)
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(auditd_t)
term_dontaudit_use_unallocated_tty(auditd_t)
terminal_ignore_use_general_pseudoterminal(auditd_t)
files_ignore_read_rootfs_file(auditd_t)
')
@ -132,7 +132,7 @@ bootloader_read_kernel_symbol_table(klogd_t)
devices_raw_read_memory(klogd_t)
fs_get_all_fs_attributes(klogd_t)
fs_getattr_all_fs(klogd_t)
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
files_read_runtime_system_config(klogd_t)
@ -191,24 +191,24 @@ kernel_read_kernel_sysctl(syslogd_t)
devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
terminal_ignore_use_console(syslogd_t)
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal
terminal_write_general_physical_terminal(syslogd_t)
term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users
init_script_read_runtime_data(syslogd_t)
init_script_ignore_write_runtime_data(syslogd_t)
terminal_write_all_private_physical_terminals(syslogd_t)
term_write_all_user_ttys(syslogd_t)
corenetwork_sendrecv_raw_on_all_interfaces(syslogd_t)
corenetwork_sendrecv_udp_on_all_interfaces(syslogd_t)
corenetwork_sendrecv_raw_on_all_nodes(syslogd_t)
corenetwork_sendrecv_udp_on_all_nodes(syslogd_t)
corenetwork_sendrecv_udp_on_all_ports(syslogd_t)
corenetwork_bind_udp_on_all_nodes(syslogd_t)
corenetwork_bind_udp_on_syslogd_port(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
corenet_raw_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
fs_get_all_fs_attributes(syslogd_t)
fs_getattr_all_fs(syslogd_t)
init_use_file_descriptors(syslogd_t)
init_script_use_pseudoterminal(syslogd_t)
@ -244,7 +244,7 @@ ifdef(`klogd.te', `', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(syslogd_t)
term_dontaudit_use_unallocated_tty(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t)
files_ignore_read_rootfs_file(syslogd_t)
')

View File

@ -55,7 +55,7 @@ allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
allow lvm_t lvm_lock_t:dir ra_dir_perms;
allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
files_create_private_lock_file(lvm_t,lvm_lock_t)
@ -70,11 +70,11 @@ files_create_private_config(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t)
kernel_get_selinuxfs_mount_point(lvm_t)
kernel_validate_selinux_context(lvm_t)
kernel_compute_selinux_access_vector(lvm_t)
kernel_compute_selinux_create_context(lvm_t)
kernel_compute_selinux_relabel_context(lvm_t)
kernel_compute_selinux_reachable_user_contexts(lvm_t)
kernel_validate_context(lvm_t)
kernel_compute_access_vector(lvm_t)
kernel_compute_create_context(lvm_t)
kernel_compute_relabel_context(lvm_t)
kernel_compute_reachable_user_contexts(lvm_t)
kernel_read_kernel_sysctl(lvm_t)
kernel_read_hardware_state(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
@ -82,13 +82,14 @@ kernel_read_hardware_state(sysfs_t)
# Read system variables in /proc/sys
kernel_read_kernel_sysctl(lvm_t)
# it has no reason to need this
kernel_ignore_get_core_interface_attributes(lvm_t)
kernel_dontaudit_getattr_core(lvm_t)
devices_add_generic_character_device(lvm_t)
devices_get_random_data(lvm_t)
devices_get_pseudorandom_data(lvm_t)
devices_use_lvm_control_channel(lvm_t)
devices_manage_dev_symbolic_links(lvm_t)
devices_relabel_dev_dirs(lvm_t)
devices_manage_generic_block_device(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
@ -97,9 +98,9 @@ devices_ignore_get_all_block_device_attributes(lvm_t)
devices_ignore_get_generic_character_device_attributes(lvm_t)
devices_ignore_get_generic_block_device_attributes(lvm_t)
devices_ignore_get_generic_pipe_attributes(lvm_t)
terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
fs_get_persistent_fs_attributes(lvm_t)
fs_getattr_xattr_fs(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/<vg>
# depending on its version
@ -141,14 +142,14 @@ ifdef(`distro_redhat',`
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(lvm_t)
term_dontaudit_use_unallocated_tty(lvm_t)
terminal_ignore_use_general_pseudoterminal(lvm_t)
files_ignore_read_rootfs_file(lvm_t)
')
optional_policy(`bootloader.te',`
bootloader_modify_temporary_data(lvm_t)
bootloader_rw_tmp_file(lvm_t)
')
optional_policy(`udev.te', `

View File

@ -16,7 +16,7 @@ files_make_file(modules_dep_t)
type insmod_t;
type insmod_exec_t;
kernel_make_userland_entrypoint(insmod_t,insmod_exec_t)
kernel_userland_entry(insmod_t,insmod_exec_t)
init_make_system_domain(insmod_t,insmod_exec_t)
role system_r types insmod_t;
@ -51,11 +51,11 @@ can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_search_hardware_state_dir(insmod_t)
kernel_search_usb_hardware_state_dir(insmod_t)
kernel_search_sysfs(insmod_t)
kernel_search_usbfs(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctl(insmod_t)
kernel_modify_kernel_sysctl(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctl(insmod_t)
bootloader_read_kernel_modules(insmod_t)
@ -66,7 +66,7 @@ devices_write_mtrr(insmod_t)
devices_get_pseudorandom_data(insmod_t)
devices_direct_agp_access(insmod_t)
fs_get_persistent_fs_attributes(insmod_t)
fs_getattr_xattr_fs(insmod_t)
corecommands_execute_general_programs(insmod_t)
corecommands_execute_system_programs(insmod_t)
@ -131,9 +131,9 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t)
fs_get_persistent_fs_attributes(depmod_t)
fs_getattr_xattr_fs(depmod_t)
terminal_use_console(depmod_t)
term_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
@ -191,9 +191,9 @@ kernel_read_system_state(update_modules_t)
devices_get_pseudorandom_data(update_modules_t)
fs_get_persistent_fs_attributes(update_modules_t)
fs_getattr_xattr_fs(update_modules_t)
terminal_use_console(update_modules_t)
term_use_console(update_modules_t)
init_use_file_descriptors(depmod_t)
init_script_use_file_descriptors(depmod_t)

View File

@ -16,12 +16,13 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
kernel_ignore_use_file_descriptors(mount_t)
kernel_dontaudit_use_fd(mount_t)
corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
devices_get_all_block_device_attributes(mount_t)
devices_list_device_nodes(mount_t)
@ -31,13 +32,13 @@ storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
fs_get_persistent_fs_attributes(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_persistent_fs(mount_t)
fs_relabelfrom_xattr_fs(mount_t)
terminal_use_console(mount_t)
term_use_console(mount_t)
# required for mount.smbfs
corecommands_execute_system_programs(mount_t)
@ -46,7 +47,6 @@ corecommands_execute_general_programs(mount_t)
domain_use_widely_inheritable_file_descriptors(mount_t)
files_search_all_directories(mount_t)
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
files_read_general_system_config(mount_t)
files_manage_runtime_system_config(mount_t)
files_mount_on_all_mountpoints(mount_t)
@ -85,20 +85,20 @@ optional_policy(`portmap.te', `
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
#allow mount_t rpc_pipefs_t:dir search;
corenetwork_sendrecv_tcp_on_all_interfaces(mount_t)
corenetwork_sendrecv_raw_on_all_interfaces(mount_t)
corenetwork_sendrecv_udp_on_all_interfaces(mount_t)
corenetwork_sendrecv_tcp_on_all_nodes(mount_t)
corenetwork_sendrecv_raw_on_all_nodes(mount_t)
corenetwork_sendrecv_udp_on_all_nodes(mount_t)
corenetwork_sendrecv_tcp_on_all_ports(mount_t)
corenetwork_sendrecv_udp_on_all_ports(mount_t)
corenetwork_bind_tcp_on_all_nodes(mount_t)
corenetwork_bind_udp_on_all_nodes(mount_t)
corenetwork_bind_tcp_on_general_port(mount_t)
corenetwork_bind_udp_on_general_port(mount_t)
corenetwork_bind_tcp_on_reserved_port(mount_t)
corenetwork_bind_udp_on_reserved_port(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
corenet_tcp_sendrecv_all_nodes(mount_t)
corenet_raw_sendrecv_all_nodes(mount_t)
corenet_udp_sendrecv_all_nodes(mount_t)
corenet_tcp_sendrecv_all_ports(mount_t)
corenet_udp_sendrecv_all_ports(mount_t)
corenet_tcp_bind_all_nodes(mount_t)
corenet_udp_bind_all_nodes(mount_t)
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
corenet_udp_bind_reserved_port(mount_t)
')
ifdef(`TODO',`

View File

@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms;
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
fs_getattr_xattr_fs(checkpolicy_t)
terminal_use_console(checkpolicy_t)
term_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
kernel_set_selinux_boolean(load_policy_t)
kernel_load_policy(load_policy_t)
kernel_set_boolean(load_policy_t)
fs_get_persistent_fs_attributes(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
terminal_use_console(load_policy_t)
terminal_list_pseudoterminals(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
init_script_use_file_descriptors(load_policy_t)
init_script_use_pseudoterminal(load_policy_t)
@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
kernel_get_selinuxfs_mount_point(newrole_t)
kernel_validate_selinux_context(newrole_t)
kernel_compute_selinux_access_vector(newrole_t)
kernel_compute_selinux_create_context(newrole_t)
kernel_compute_selinux_relabel_context(newrole_t)
kernel_compute_selinux_reachable_user_contexts(newrole_t)
kernel_validate_context(newrole_t)
kernel_compute_access_vector(newrole_t)
kernel_compute_create_context(newrole_t)
kernel_compute_relabel_context(newrole_t)
kernel_compute_reachable_user_contexts(newrole_t)
devices_get_pseudorandom_data(newrole_t)
fs_get_persistent_fs_attributes(newrole_t)
fs_getattr_xattr_fs(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t)
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
authlogin_check_password_transition(newrole_t)
@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_use_fd(restorecon_t)
kernel_read_system_state(restorecon_t)
kernel_get_selinuxfs_mount_point(restorecon_t)
kernel_validate_selinux_context(restorecon_t)
kernel_compute_selinux_access_vector(restorecon_t)
kernel_compute_selinux_create_context(restorecon_t)
kernel_compute_selinux_relabel_context(restorecon_t)
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
kernel_validate_context(restorecon_t)
kernel_compute_access_vector(restorecon_t)
kernel_compute_create_context(restorecon_t)
kernel_compute_relabel_context(restorecon_t)
kernel_compute_reachable_user_contexts(restorecon_t)
fs_get_persistent_fs_attributes(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
terminal_use_general_physical_terminal(restorecon_t)
term_use_unallocated_tty(restorecon_t)
init_use_file_descriptors(restorecon_t)
init_script_use_pseudoterminal(restorecon_t)
@ -311,7 +311,7 @@ optional_policy(`hotplug.te',`
')
# relabeling rules
kernel_relabel_unlabeled_object(restorecon_t)
kernel_relabel_unlabeled(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write };
#
kernel_get_selinuxfs_mount_point(run_init_t)
kernel_validate_selinux_context(run_init_t)
kernel_compute_selinux_access_vector(run_init_t)
kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
kernel_validate_context(run_init_t)
kernel_compute_access_vector(run_init_t)
kernel_compute_create_context(run_init_t)
kernel_compute_relabel_context(run_init_t)
kernel_compute_reachable_user_contexts(run_init_t)
ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',`
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
fs_get_persistent_fs_attributes(run_init_t)
fs_getattr_xattr_fs(run_init_t)
devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
term_dontaudit_list_ptys(run_init_t)
authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)
kernel_validate_selinux_context(setfiles_t)
kernel_compute_selinux_access_vector(setfiles_t)
kernel_compute_selinux_create_context(setfiles_t)
kernel_compute_selinux_relabel_context(setfiles_t)
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
kernel_validate_context(setfiles_t)
kernel_compute_access_vector(setfiles_t)
kernel_compute_create_context(setfiles_t)
kernel_compute_relabel_context(setfiles_t)
kernel_compute_reachable_user_contexts(setfiles_t)
fs_get_persistent_fs_attributes(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
terminal_use_all_private_physical_terminals(setfiles_t)
terminal_use_all_private_pseudoterminals(setfiles_t)
terminal_use_general_physical_terminal(setfiles_t)
term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)
init_use_file_descriptors(setfiles_t)
init_script_use_file_descriptors(setfiles_t)
@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t)
userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled_object(setfiles_t)
kernel_relabel_unlabeled(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t)

View File

@ -111,9 +111,9 @@ allow checkpolicy_t policy_src_t:file r_file_perms;
allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
fs_getattr_xattr_fs(checkpolicy_t)
terminal_use_console(checkpolicy_t)
term_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
@ -150,13 +150,13 @@ allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
kernel_set_selinux_boolean(load_policy_t)
kernel_load_policy(load_policy_t)
kernel_set_boolean(load_policy_t)
fs_get_persistent_fs_attributes(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
terminal_use_console(load_policy_t)
terminal_list_pseudoterminals(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
init_script_use_file_descriptors(load_policy_t)
init_script_use_pseudoterminal(load_policy_t)
@ -197,18 +197,18 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
kernel_get_selinuxfs_mount_point(newrole_t)
kernel_validate_selinux_context(newrole_t)
kernel_compute_selinux_access_vector(newrole_t)
kernel_compute_selinux_create_context(newrole_t)
kernel_compute_selinux_relabel_context(newrole_t)
kernel_compute_selinux_reachable_user_contexts(newrole_t)
kernel_validate_context(newrole_t)
kernel_compute_access_vector(newrole_t)
kernel_compute_create_context(newrole_t)
kernel_compute_relabel_context(newrole_t)
kernel_compute_reachable_user_contexts(newrole_t)
devices_get_pseudorandom_data(newrole_t)
fs_get_persistent_fs_attributes(newrole_t)
fs_getattr_xattr_fs(newrole_t)
terminal_use_all_private_physical_terminals(newrole_t)
terminal_use_all_private_pseudoterminals(newrole_t)
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
authlogin_check_password_transition(newrole_t)
@ -278,18 +278,18 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_use_fd(restorecon_t)
kernel_read_system_state(restorecon_t)
kernel_get_selinuxfs_mount_point(restorecon_t)
kernel_validate_selinux_context(restorecon_t)
kernel_compute_selinux_access_vector(restorecon_t)
kernel_compute_selinux_create_context(restorecon_t)
kernel_compute_selinux_relabel_context(restorecon_t)
kernel_compute_selinux_reachable_user_contexts(restorecon_t)
kernel_validate_context(restorecon_t)
kernel_compute_access_vector(restorecon_t)
kernel_compute_create_context(restorecon_t)
kernel_compute_relabel_context(restorecon_t)
kernel_compute_reachable_user_contexts(restorecon_t)
fs_get_persistent_fs_attributes(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
terminal_use_general_physical_terminal(restorecon_t)
term_use_unallocated_tty(restorecon_t)
init_use_file_descriptors(restorecon_t)
init_script_use_pseudoterminal(restorecon_t)
@ -311,7 +311,7 @@ optional_policy(`hotplug.te',`
')
# relabeling rules
kernel_relabel_unlabeled_object(restorecon_t)
kernel_relabel_unlabeled(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
@ -343,11 +343,11 @@ allow restorecon_t kernel_t:fifo_file { read write };
#
kernel_get_selinuxfs_mount_point(run_init_t)
kernel_validate_selinux_context(run_init_t)
kernel_compute_selinux_access_vector(run_init_t)
kernel_compute_selinux_create_context(run_init_t)
kernel_compute_selinux_relabel_context(run_init_t)
kernel_compute_selinux_reachable_user_contexts(run_init_t)
kernel_validate_context(run_init_t)
kernel_compute_access_vector(run_init_t)
kernel_compute_create_context(run_init_t)
kernel_compute_relabel_context(run_init_t)
kernel_compute_reachable_user_contexts(run_init_t)
ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
@ -360,11 +360,11 @@ ifdef(`targeted_policy',`',`
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
fs_get_persistent_fs_attributes(run_init_t)
fs_getattr_xattr_fs(run_init_t)
devices_ignore_list_device_nodes(run_init_t)
terminal_ignore_list_pseudoterminals(run_init_t)
term_dontaudit_list_ptys(run_init_t)
authlogin_check_password_transition(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t)
@ -414,17 +414,17 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)
kernel_validate_selinux_context(setfiles_t)
kernel_compute_selinux_access_vector(setfiles_t)
kernel_compute_selinux_create_context(setfiles_t)
kernel_compute_selinux_relabel_context(setfiles_t)
kernel_compute_selinux_reachable_user_contexts(setfiles_t)
kernel_validate_context(setfiles_t)
kernel_compute_access_vector(setfiles_t)
kernel_compute_create_context(setfiles_t)
kernel_compute_relabel_context(setfiles_t)
kernel_compute_reachable_user_contexts(setfiles_t)
fs_get_persistent_fs_attributes(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
terminal_use_all_private_physical_terminals(setfiles_t)
terminal_use_all_private_pseudoterminals(setfiles_t)
terminal_use_general_physical_terminal(setfiles_t)
term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)
init_use_file_descriptors(setfiles_t)
init_script_use_file_descriptors(setfiles_t)
@ -447,7 +447,7 @@ userdomain_use_all_users_file_descriptors(setfiles_t)
userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled_object(setfiles_t)
kernel_relabel_unlabeled(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t)

View File

@ -14,7 +14,7 @@
define(`sysnetwork_dhcpc_transition',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, dhcp_exec_t, dhcp_t)
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
allow $1 dhcpc_t:fd use;
allow dhcpc_t $1:fd use;

View File

@ -77,7 +77,7 @@ files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t)
# transition to ifconfig
domain_auto_trans(dhcp_t, ifconfig_exec_t, ifconfig_t)
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
allow dhcpc_t ifconfig_t:fd use;
allow ifconfig_t dhcpc_t:fd use;
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
@ -87,29 +87,29 @@ kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctl(dhcpc_t)
kernel_read_hardware_state(dhcpc_t)
kernel_use_file_descriptors(dhcpc_t)
kernel_use_fd(dhcpc_t)
corenetwork_sendrecv_tcp_on_all_interfaces(dhcpc_t)
corenetwork_sendrecv_raw_on_all_interfaces(dhcpc_t)
corenetwork_sendrecv_udp_on_all_interfaces(dhcpc_t)
corenetwork_sendrecv_tcp_on_all_nodes(dhcpc_t)
corenetwork_sendrecv_raw_on_all_nodes(dhcpc_t)
corenetwork_sendrecv_udp_on_all_nodes(dhcpc_t)
corenetwork_sendrecv_tcp_on_all_ports(dhcpc_t)
corenetwork_sendrecv_udp_on_all_ports(dhcpc_t)
corenetwork_bind_tcp_on_all_nodes(dhcpc_t)
corenetwork_bind_udp_on_all_nodes(dhcpc_t)
corenetwork_bind_udp_on_dhcpc_port(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
corenet_udp_sendrecv_all_if(dhcpc_t)
corenet_tcp_sendrecv_all_nodes(dhcpc_t)
corenet_raw_sendrecv_all_nodes(dhcpc_t)
corenet_udp_sendrecv_all_nodes(dhcpc_t)
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
# for SSP
devices_get_pseudorandom_data(dhcpc_t)
fs_get_all_fs_attributes(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
terminal_ignore_use_console(dhcpc_t)
terminal_ignore_use_all_private_physical_terminals(dhcpc_t)
terminal_ignore_use_all_private_pseudoterminals(dhcpc_t)
terminal_ignore_use_general_physical_terminal(dhcpc_t)
term_dontaudit_use_console(dhcpc_t)
term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_tty(dhcpc_t)
corecommands_execute_general_programs(dhcpc_t)
corecommands_execute_system_programs(dhcpc_t)
@ -138,7 +138,7 @@ ifdef(`distro_redhat', `
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(dhcpc_t)
term_dontaudit_use_unallocated_tty(dhcpc_t)
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
files_ignore_read_rootfs_file(dhcpc_t)
@ -259,16 +259,16 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_general_system_config(ifconfig_t);
kernel_use_file_descriptors(ifconfig_t)
kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_ignore_search_sysctl_dir(ifconfig_t)
kernel_ignore_search_network_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
fs_get_persistent_fs_attributes(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
terminal_ignore_use_all_private_physical_terminals(ifconfig_t)
terminal_ignore_use_all_private_pseudoterminals(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
domain_use_widely_inheritable_file_descriptors(ifconfig_t)

View File

@ -9,7 +9,7 @@ policy_module(udev,1.0)
type udev_t; # nscd_client_domain
type udev_exec_t;
type udev_helper_exec_t;
kernel_make_userland_entrypoint(udev_t,udev_exec_t)
kernel_userland_entry(udev_t,udev_exec_t)
kernel_make_object_identity_change_constraint_exception(udev_t)
domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
domain_make_file_descriptors_widely_inheritable(udev_t)
@ -60,27 +60,27 @@ allow udev_t udev_etc_t:file r_file_perms;
allow udev_t udev_tbl_t:file create_file_perms;
devices_create_dev_entry(udev_t,udev_tbl_t,file)
allow udev_t udev_var_run_t : dir rw_file_perms;
allow udev_t udev_var_run_t : file create_file_perms;
allow udev_t udev_var_run_t:dir rw_dir_perms;
allow udev_t udev_var_run_t:file create_file_perms;
kernel_read_system_state(udev_t)
kernel_get_core_interface_attributes(udev_t)
kernel_use_file_descriptors(udev_t)
kernel_getattr_core(udev_t)
kernel_use_fd(udev_t)
kernel_read_device_sysctl(udev_t)
kernel_read_hotplug_sysctl(udev_t)
kernel_read_modprobe_sysctl(udev_t)
kernel_read_kernel_sysctl(udev_t)
kernel_read_hardware_state(udev_t)
kernel_get_selinuxfs_mount_point(udev_t)
kernel_validate_selinux_context(udev_t)
kernel_compute_selinux_access_vector(udev_t)
kernel_compute_selinux_create_context(udev_t)
kernel_compute_selinux_relabel_context(udev_t)
kernel_compute_selinux_reachable_user_contexts(udev_t)
kernel_validate_context(udev_t)
kernel_compute_access_vector(udev_t)
kernel_compute_create_context(udev_t)
kernel_compute_relabel_context(udev_t)
kernel_compute_reachable_user_contexts(udev_t)
devices_manage_device_nodes(udev_t)
fs_get_all_fs_attributes(udev_t)
fs_getattr_all_fs(udev_t)
corecommands_execute_general_programs(udev_t)
corecommands_execute_system_programs(udev_t)

View File

@ -19,7 +19,7 @@ define(`base_user_domain',`
# user pseudoterminal
type $1_devpts_t;
terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
term_user_pty($1_t,$1_devpts_t)
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
@ -36,7 +36,7 @@ define(`base_user_domain',`
files_make_tmpfs_file($1_tmpfs_t)
type $1_tty_device_t;
terminal_make_physical_terminal($1_t,$1_tty_device_t)
term_tty($1_t,$1_tty_device_t)
##############################
#
@ -50,7 +50,7 @@ define(`base_user_domain',`
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket rw_stream_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm create_shm_perms;
@ -88,7 +88,7 @@ define(`base_user_domain',`
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
allow $1_t $1_tmpfs_t:sock_file create_file_perms;
allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
@ -108,20 +108,20 @@ define(`base_user_domain',`
# Find CDROM devices:
kernel_read_device_sysctl($1_t)
# GNOME checks for usb and other devices:
kernel_modify_usb_hardware_config_option($1_t)
kernel_rw_usb_hardware_config_option($1_t)
corenetwork_sendrecv_tcp_on_all_interfaces($1_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_t)
corenetwork_sendrecv_udp_on_all_interfaces($1_t)
corenetwork_sendrecv_tcp_on_all_nodes($1_t)
corenetwork_sendrecv_raw_on_all_nodes($1_t)
corenetwork_sendrecv_udp_on_all_nodes($1_t)
corenetwork_sendrecv_tcp_on_all_ports($1_t)
corenetwork_sendrecv_udp_on_all_ports($1_t)
corenetwork_bind_tcp_on_all_nodes($1_t)
corenetwork_bind_udp_on_all_nodes($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
# allow port_t name binding for UDP because it is not very usable otherwise
corenetwork_bind_udp_on_general_port($1_t)
corenet_udp_bind_generic_port($1_t)
devices_get_input_event($1_t)
devices_read_misc($1_t)
@ -137,10 +137,10 @@ define(`base_user_domain',`
devices_ignore_use_direct_rendering_interface($1_t)
fs_get_all_fs_quotas($1_t)
fs_get_all_fs_attributes($1_t)
fs_getattr_all_fs($1_t)
# for eject
storage_get_fixed_disk_attributes($1_t)
storage_getattr_fixed_disk($1_t)
authlogin_read_login_records($1_t)
authlogin_ignore_write_login_records($1_t)
@ -180,21 +180,21 @@ define(`base_user_domain',`
}
if (use_nfs_home_dirs) {
fs_manage_nfs_directories($1_t)
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
fs_manage_nfs_symbolic_links($1_t)
fs_manage_nfs_symlinks($1_t)
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
fs_execute_nfs_files($1_t)
}
if (use_samba_home_dirs) {
fs_manage_windows_network_directories($1_t)
fs_manage_windows_network_files($1_t)
fs_manage_windows_network_symbolic_links($1_t)
fs_manage_windows_network_named_sockets($1_t)
fs_manage_windows_network_named_pipes($1_t)
fs_execute_windows_network_files($1_t)
fs_manage_cifs_dirs($1_t)
fs_manage_cifs_files($1_t)
fs_manage_cifs_symlinks($1_t)
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
fs_execute_cifs_files($1_t)
}
if (user_direct_mouse) {
@ -202,7 +202,7 @@ define(`base_user_domain',`
}
if (user_ttyfile_stat) {
terminal_get_all_private_physical_terminal_attributes($1_t)
term_getattr_all_user_ttys($1_t)
}
optional_policy(`usermanage.te',`
@ -427,7 +427,7 @@ define(`user_domain_template', `
#
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
term_create_pty($1_t,$1_devpts_t)
# Rules used to associate a homedir as a mountpoint
allow $1_home_t self:filesystem associate;
@ -457,7 +457,7 @@ define(`user_domain_template', `
bootloader_read_kernel_symbol_table($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenetwork_ignore_bind_tcp_on_all_reserved_ports($1_t)
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
files_read_general_system_config($1_t)
files_list_home_directories($1_t)
@ -481,14 +481,14 @@ define(`user_domain_template', `
if (user_dmesg) {
kernel_read_ring_buffer($1_t)
} else {
kernel_ignore_read_ring_buffer($1_t)
kernel_dontaudit_read_ring_buffer($1_t)
}
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
if (user_tcp_server) {
corenetwork_bind_tcp_on_general_port($1_t)
corenet_tcp_bind_generic_port($1_t)
}
# for running depmod as part of the kernel packaging process
@ -643,7 +643,7 @@ define(`admin_domain_template',`
allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:file create_file_perms;
@ -655,47 +655,47 @@ define(`admin_domain_template',`
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_get_core_interface_attributes($1_t)
kernel_get_message_interface_attributes($1_t)
kernel_getattr_core($1_t)
kernel_getattr_message_if($1_t)
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_modify_all_sysctl($1_t)
kernel_set_selinux_enforcement_mode($1_t)
kernel_set_selinux_boolean($1_t)
kernel_set_selinux_security_parameters($1_t)
kernel_rw_all_sysctl($1_t)
kernel_set_enforcement_mode($1_t)
kernel_set_boolean($1_t)
kernel_set_security_parameters($1_t)
# Get security policy decisions:
kernel_get_selinuxfs_mount_point($1_t)
kernel_validate_selinux_context($1_t)
kernel_compute_selinux_access_vector($1_t)
kernel_compute_selinux_create_context($1_t)
kernel_compute_selinux_relabel_context($1_t)
kernel_compute_selinux_reachable_user_contexts($1_t)
kernel_validate_context($1_t)
kernel_compute_access_vector($1_t)
kernel_compute_create_context($1_t)
kernel_compute_relabel_context($1_t)
kernel_compute_reachable_user_contexts($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled_process($1_t)
kernel_signal_unlabeled_process($1_t)
kernel_sigstop_unlabeled_process($1_t)
kernel_signull_unlabeled_process($1_t)
kernel_sigchld_unlabeled_process($1_t)
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
corenetwork_bind_tcp_on_general_port($1_t)
corenet_tcp_bind_generic_port($1_t)
devices_get_generic_block_device_attributes($1_t)
devices_get_generic_character_device_attributes($1_t)
devices_get_all_block_device_attributes($1_t)
devices_get_all_character_device_attributes($1_t)
fs_get_all_fs_attributes($1_t)
fs_set_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
terminal_use_console($1_t)
terminal_use_general_physical_terminal($1_t)
terminal_use_all_private_pseudoterminals($1_t)
terminal_use_all_private_physical_terminals($1_t)
term_use_console($1_t)
term_use_unallocated_tty($1_t)
term_use_all_user_ptys($1_t)
term_use_all_user_ttys($1_t)
# Manage almost all files
authlogin_manage_all_files_except_shadow($1_t)
@ -862,7 +862,7 @@ define(`userdomain_use_admin_terminals',`
requires_block_template(`$0'_depend)
devices_list_device_nodes($1)
terminal_list_pseudoterminals($1)
term_list_ptys($1)
allow $1 admin_terminal:chr_file { getattr read write ioctl };
')
@ -932,7 +932,7 @@ define(`userdomain_read_all_users_data',`
files_list_home_directories($1)
allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perm;
allow $1 home_type:file r_file_perms;
')
define(`userdomain_read_all_users_data_depend',`

View File

@ -122,7 +122,7 @@ file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
allow sysadm_t userdomain:fd use;
optional_policy(`bootloader.te',`
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`clock.te',`