another round of renaming
parent
2283dc74e2
commit
103fe2807f
@ -68,7 +68,7 @@ logging_send_syslog_msg(acct_t)
|
||||
|
||||
miscfiles_read_localization(acct_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(acct_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(acct_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(acct_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
@ -80,7 +80,7 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`cron',`
|
||||
optional_policy(`authlogin',`
|
||||
# for monthly cron job
|
||||
auth_filetrans_login_records(acct_t)
|
||||
auth_log_filetrans_login_records(acct_t)
|
||||
auth_manage_login_records(acct_t)
|
||||
')
|
||||
|
||||
|
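Review bot: The `# for monthly cron job` comment no longer explains the guard it sits under, because the block that wraps `auth_log_filetrans_login_records(acct_t)` and `auth_manage_login_records(acct_t)` is now conditioned on `authlogin` instead of `cron`, so these login-record rules take effect for acct_t whenever the authlogin module is loaded, not only when cron is. Gating on authlogin is the right dependency for `auth_*` interfaces, but if the intent was to grant manage access to login records only for the cron-driven monthly run, the cron guard would have to be kept as an outer block rather than replaced; this is presumably a deliberate widening and worth a sentence. I would reword the comment to `# login record access used by the monthly cron job; the interfaces come from the authlogin module`. Whether this block is nested inside the `ifdef(`targeted_policy',` shown in the hunk header is not visible here.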
@ -116,11 +116,11 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
|
||||
|
||||
allow amanda_t amanda_log_t:file create_file_perms;
|
||||
allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
|
||||
logging_filetrans_log(amanda_t,amanda_log_t,{ file dir })
|
||||
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
|
||||
|
||||
allow amanda_t amanda_tmp_t:dir create_dir_perms;
|
||||
allow amanda_t amanda_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(amanda_t, amanda_tmp_t, { file dir })
|
||||
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(amanda_t)
|
||||
kernel_read_kernel_sysctls(amanda_t)
|
||||
@ -206,14 +206,14 @@ allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
|
||||
allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
|
||||
userdom_filetrans_sysadm_home_dir(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:file create_file_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
|
||||
allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_system_state(amanda_recover_t)
|
||||
kernel_read_kernel_sysctls(amanda_recover_t)
|
||||
@ -252,7 +252,7 @@ miscfiles_read_localization(amanda_recover_t)
|
||||
|
||||
sysnet_read_config(amanda_recover_t)
|
||||
|
||||
userdom_search_sysadm_home_subdirs(amanda_recover_t)
|
||||
userdom_search_sysadm_home_content_dirs(amanda_recover_t)
|
||||
|
||||
optional_policy(`mount',`
|
||||
mount_send_nfs_client_request(amanda_recover_t)
|
||||
|
@ -105,7 +105,7 @@ optional_policy(`rpm',`
|
||||
')
|
||||
|
||||
optional_policy(`userdomain',`
|
||||
userdom_use_unpriv_users_fd(consoletype_t)
|
||||
userdom_use_unpriv_users_fds(consoletype_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -40,7 +40,7 @@ allow firstboot_t firstboot_etc_t:file { getattr read };
|
||||
|
||||
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
|
||||
allow firstboot_t firstboot_rw_t:file create_file_perms;
|
||||
files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
|
||||
files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
|
||||
|
||||
# The big hammer
|
||||
unconfined_domain(firstboot_t)
|
||||
@ -99,13 +99,13 @@ modutils_read_module_config(firstboot_t)
|
||||
modutils_read_module_deps(firstboot_t)
|
||||
|
||||
# Add/remove user home directories
|
||||
userdom_manage_generic_user_home_dirs(firstboot_t)
|
||||
userdom_manage_generic_user_home_files(firstboot_t)
|
||||
userdom_manage_generic_user_home_symlinks(firstboot_t)
|
||||
userdom_manage_generic_user_home_pipes(firstboot_t)
|
||||
userdom_manage_generic_user_home_sockets(firstboot_t)
|
||||
userdom_filetrans_generic_user_home_dir(firstboot_t)
|
||||
userdom_filetrans_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
|
||||
userdom_manage_generic_user_home_content_dirs(firstboot_t)
|
||||
userdom_manage_generic_user_home_content_files(firstboot_t)
|
||||
userdom_manage_generic_user_home_content_symlinks(firstboot_t)
|
||||
userdom_manage_generic_user_home_content_pipes(firstboot_t)
|
||||
userdom_manage_generic_user_home_content_sockets(firstboot_t)
|
||||
userdom_home_filetrans_generic_user_home_dir(firstboot_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domtrans(firstboot_t)
|
||||
|
@ -31,11 +31,11 @@ allow kudzu_t self:udp_socket { create ioctl };
|
||||
|
||||
allow kudzu_t kudzu_tmp_t:dir create_file_perms;
|
||||
allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
|
||||
files_filetrans_tmp(kudzu_t, kudzu_tmp_t, { file dir chr_file })
|
||||
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
|
||||
|
||||
allow kudzu_t kudzu_var_run_t:file create_file_perms;
|
||||
allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
|
||||
files_filetrans_pid(kudzu_t,kudzu_var_run_t)
|
||||
files_pid_filetrans(kudzu_t,kudzu_var_run_t)
|
||||
|
||||
kernel_change_ring_buffer_level(kudzu_t)
|
||||
kernel_list_proc(kudzu_t)
|
||||
@ -119,7 +119,7 @@ modutils_domtrans_insmod(kudzu_t)
|
||||
|
||||
sysnet_read_config(kudzu_t)
|
||||
|
||||
userdom_search_sysadm_home_dir(kudzu_t)
|
||||
userdom_search_sysadm_home_dirs(kudzu_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -51,18 +51,18 @@ allow logrotate_t self:msgq create_msgq_perms;
|
||||
allow logrotate_t self:msg { send receive };
|
||||
|
||||
allow logrotate_t logrotate_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(logrotate_t,logrotate_lock_t)
|
||||
files_lock_filetrans(logrotate_t,logrotate_lock_t)
|
||||
|
||||
can_exec(logrotate_t, logrotate_tmp_t)
|
||||
|
||||
allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
|
||||
allow logrotate_t logrotate_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(logrotate_t, logrotate_tmp_t, { file dir })
|
||||
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
|
||||
|
||||
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||||
allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
|
||||
allow logrotate_t logrotate_var_lib_t:file create_file_perms;
|
||||
files_filetrans_var_lib(logrotate_t, logrotate_var_lib_t)
|
||||
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t)
|
||||
|
||||
kernel_read_system_state(logrotate_t)
|
||||
kernel_read_kernel_sysctls(logrotate_t)
|
||||
@ -118,7 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
|
||||
|
||||
sysnet_read_config(logrotate_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(logrotate_t)
|
||||
userdom_use_unpriv_users_fds(logrotate_t)
|
||||
|
||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
||||
cron_search_spool(logrotate_t)
|
||||
|
@ -32,7 +32,7 @@ allow logwatch_t logwatch_cache_t:file create_file_perms;
|
||||
|
||||
allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
|
||||
allow logwatch_t logwatch_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(logwatch_t, logwatch_tmp_t, { file dir })
|
||||
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
|
||||
|
||||
kernel_read_fs_sysctls(logwatch_t)
|
||||
kernel_read_kernel_sysctls(logwatch_t)
|
||||
@ -71,7 +71,7 @@ miscfiles_read_localization(logwatch_t)
|
||||
|
||||
selinux_dontaudit_getattr_dir(logwatch_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
|
||||
userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
|
||||
|
||||
mta_send_mail(logwatch_t)
|
||||
|
@ -46,7 +46,7 @@ allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow mrtg_t mrtg_log_t:file create_file_perms;
|
||||
allow mrtg_t mrtg_log_t:dir rw_dir_perms;
|
||||
logging_filetrans_log(mrtg_t,mrtg_log_t,{ file dir })
|
||||
logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
|
||||
|
||||
allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
|
||||
allow mrtg_t mrtg_var_lib_t:file create_file_perms;
|
||||
|
@ -39,7 +39,7 @@ allow netutils_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow netutils_t netutils_tmp_t:dir create_dir_perms;
|
||||
allow netutils_t netutils_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(netutils_t, netutils_tmp_t, { file dir })
|
||||
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
|
||||
|
||||
kernel_search_proc(netutils_t)
|
||||
|
||||
|
@ -129,14 +129,14 @@ template(`portage_compile_domain_template',`
|
||||
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_tmp_t:fifo_file manage_file_perms;
|
||||
allow $1_t $1_tmp_t:sock_file manage_file_perms;
|
||||
files_filetrans_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_filetrans_tmpfs($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# write merge logs
|
||||
allow $1_t portage_log_t:dir setattr;
|
||||
|
@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_fetch_t portage_t:process sigchld;
|
||||
|
||||
allow portage_t portage_log_t:file create_file_perms;
|
||||
logging_filetrans_log(portage_t,portage_log_t)
|
||||
logging_log_filetrans(portage_t,portage_log_t)
|
||||
|
||||
# transition to sandbox for compiling
|
||||
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
|
||||
@ -126,7 +126,7 @@ allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
|
||||
|
||||
allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
|
||||
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir })
|
||||
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
|
||||
|
||||
# portage makes home dir the portage tmp dir, so
|
||||
# wget looks for .wgetrc there
|
||||
@ -166,7 +166,7 @@ miscfiles_read_localization(portage_fetch_t)
|
||||
sysnet_read_config(portage_fetch_t)
|
||||
sysnet_dns_name_resolve(portage_fetch_t)
|
||||
|
||||
userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
|
||||
userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
|
@ -27,13 +27,13 @@ allow prelink_t self:process { execheap execmem execstack };
|
||||
allow prelink_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow prelink_t prelink_cache_t:file manage_file_perms;
|
||||
files_filetrans_etc(prelink_t, prelink_cache_t, file)
|
||||
files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
|
||||
files_etc_filetrans(prelink_t, prelink_cache_t, file)
|
||||
files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
|
||||
|
||||
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
|
||||
allow prelink_t prelink_log_t:file { create ra_file_perms };
|
||||
allow prelink_t prelink_log_t:lnk_file read;
|
||||
logging_filetrans_log(prelink_t, prelink_log_t)
|
||||
logging_log_filetrans(prelink_t, prelink_log_t)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
|
@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
|
||||
|
||||
allow readahead_t readahead_var_run_t:file create_file_perms;
|
||||
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(readahead_t,readahead_var_run_t)
|
||||
files_pid_filetrans(readahead_t,readahead_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(readahead_t)
|
||||
kernel_read_system_state(readahead_t)
|
||||
@ -68,7 +68,7 @@ logging_send_syslog_msg(readahead_t)
|
||||
miscfiles_read_localization(readahead_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(readahead_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(readahead_t)
|
||||
|
@ -73,19 +73,19 @@ allow rpm_t self:file rw_file_perms;;
|
||||
|
||||
allow rpm_t rpm_tmp_t:dir create_dir_perms;
|
||||
allow rpm_t rpm_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(rpm_t, rpm_tmp_t, { file dir })
|
||||
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
|
||||
|
||||
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
|
||||
allow rpm_t rpm_tmpfs_t:file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_filetrans_tmpfs(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Access /var/lib/rpm files
|
||||
allow rpm_t rpm_var_lib_t:file create_file_perms;
|
||||
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(rpm_t,rpm_var_lib_t,dir)
|
||||
files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctls(rpm_t)
|
||||
@ -171,7 +171,7 @@ seutil_manage_bin_policy(rpm_t)
|
||||
|
||||
sysnet_read_config(rpm_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(rpm_t)
|
||||
userdom_use_unpriv_users_fds(rpm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
unconfined_domain(rpm_t)
|
||||
@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
|
||||
# conflicts since rpm_t is an alias of
|
||||
# unconfined in the targeted policy
|
||||
allow rpm_t rpm_log_t:file create_file_perms;
|
||||
logging_filetrans_log(rpm_t,rpm_log_t)
|
||||
logging_log_filetrans(rpm_t,rpm_log_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
@ -240,14 +240,14 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
|
||||
allow rpm_script_t rpm_script_tmp_t:dir mounton;
|
||||
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
|
||||
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
|
||||
|
||||
allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
|
||||
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_filetrans_tmpfs(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow rpm_t rpm_script_t:fd use;
|
||||
allow rpm_script_t rpm_t:fd use;
|
||||
|
@ -180,7 +180,7 @@ template(`su_per_userdomain_template',`
|
||||
miscfiles_read_localization($1_su_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_su_t)
|
||||
userdom_search_user_home($1,$1_su_t)
|
||||
userdom_search_user_home_dirs($1,$1_su_t)
|
||||
|
||||
ifdef(`enable_polyinstantiation',`
|
||||
fs_mount_xattr_fs($1_su_t)
|
||||
@ -196,8 +196,8 @@ template(`su_per_userdomain_template',`
|
||||
allow $1_su_t self:process sigstop;
|
||||
|
||||
corecmd_exec_bin($1_su_t)
|
||||
userdom_manage_all_users_home_files($1_su_t)
|
||||
userdom_manage_all_users_home_symlinks($1_su_t)
|
||||
userdom_manage_all_users_home_content_files($1_su_t)
|
||||
userdom_manage_all_users_home_content_symlinks($1_su_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
@ -120,14 +120,14 @@ template(`sudo_per_userdomain_template',`
|
||||
|
||||
miscfiles_read_localization($1_sudo_t)
|
||||
|
||||
userdom_manage_user_home_files($1,$1_sudo_t)
|
||||
userdom_manage_user_home_symlinks($1,$1_sudo_t)
|
||||
userdom_manage_user_home_content_files($1,$1_sudo_t)
|
||||
userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
|
||||
userdom_manage_user_tmp_files($1,$1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
|
||||
userdom_use_user_terminals($1,$1_sudo_t)
|
||||
userdom_use_unpriv_users_fd($1_sudo_t)
|
||||
userdom_use_unpriv_users_fds($1_sudo_t)
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_all_users_home($1_sudo_t)
|
||||
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind($1_sudo_t)
|
||||
|
@ -82,7 +82,7 @@ seutil_read_default_contexts(updfstab_t)
|
||||
seutil_read_file_contexts(updfstab_t)
|
||||
|
||||
userdom_use_sysadm_ttys(updfstab_t)
|
||||
userdom_dontaudit_search_all_users_home(updfstab_t)
|
||||
userdom_dontaudit_search_all_users_home_content(updfstab_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -127,10 +127,10 @@ logging_send_syslog_msg(chfn_t)
|
||||
# uses unix_chkpwd for checking passwords
|
||||
seutil_dontaudit_search_config(chfn_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(chfn_t)
|
||||
userdom_use_unpriv_users_fds(chfn_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(chfn_t)
|
||||
userdom_dontaudit_search_all_users_home_content(chfn_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(chfn_t)
|
||||
@ -155,7 +155,7 @@ files_search_var(crack_t)
|
||||
|
||||
allow crack_t crack_tmp_t:dir create_dir_perms;
|
||||
allow crack_t crack_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(crack_t, crack_tmp_t, { file dir })
|
||||
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(crack_t)
|
||||
|
||||
@ -176,7 +176,7 @@ libs_use_shared_libs(crack_t)
|
||||
|
||||
logging_send_syslog_msg(crack_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(crack_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(crack_t)
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_system_entry(crack_t,crack_exec_t)
|
||||
@ -244,9 +244,9 @@ auth_use_nsswitch(groupadd_t)
|
||||
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(groupadd_t)
|
||||
userdom_use_unpriv_users_fds(groupadd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(groupadd_t)
|
||||
@ -333,13 +333,13 @@ miscfiles_read_localization(passwd_t)
|
||||
|
||||
seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(passwd_t)
|
||||
userdom_use_unpriv_users_fds(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
userdom_read_all_users_state(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(passwd_t)
|
||||
userdom_dontaudit_search_all_users_home_content(passwd_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(passwd_t)
|
||||
@ -372,7 +372,7 @@ allow sysadm_passwd_t self:msg { send receive };
|
||||
# allow vipw to create temporary files under /var/tmp/vi.recover
|
||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
|
||||
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||
files_search_var(sysadm_passwd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(sysadm_passwd_t)
|
||||
@ -427,10 +427,10 @@ logging_send_syslog_msg(sysadm_passwd_t)
|
||||
|
||||
seutil_dontaudit_search_config(sysadm_passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(sysadm_passwd_t)
|
||||
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
|
||||
userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(sysadm_passwd_t)
|
||||
@ -501,13 +501,13 @@ miscfiles_read_localization(useradd_t)
|
||||
seutil_read_config(useradd_t)
|
||||
seutil_read_file_contexts(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(useradd_t)
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_sysadm_home_dir(useradd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
|
||||
# Add/remove user home directories
|
||||
userdom_filetrans_generic_user_home_dir(useradd_t)
|
||||
userdom_manage_generic_user_home_dirs(useradd_t)
|
||||
userdom_filetrans_generic_user_home(useradd_t,notdevfile_class_set)
|
||||
userdom_home_filetrans_generic_user_home_dir(useradd_t)
|
||||
userdom_manage_generic_user_home_content_dirs(useradd_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
|
||||
|
||||
mta_manage_spool(useradd_t)
|
||||
|
||||
|
@ -38,11 +38,11 @@ allow vpnc_t self:socket create_socket_perms;
|
||||
|
||||
allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
|
||||
allow vpnc_t vpnc_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(vpnc_t, vpnc_tmp_t, { file dir })
|
||||
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
|
||||
|
||||
allow vpnc_t vpnc_var_run_t:file create_file_perms;
|
||||
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(vpnc_t,vpnc_var_run_t)
|
||||
files_pid_filetrans(vpnc_t,vpnc_var_run_t)
|
||||
|
||||
kernel_read_system_state(vpnc_t)
|
||||
kernel_read_network_state(vpnc_t)
|
||||
@ -98,11 +98,11 @@ miscfiles_read_localization(vpnc_t)
|
||||
seutil_dontaudit_search_config(vpnc_t)
|
||||
|
||||
sysnet_exec_ifconfig(vpnc_t)
|
||||
sysnet_filetrans_config(vpnc_t)
|
||||
sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
userdom_use_all_users_fds(vpnc_t)
|
||||
userdom_dontaudit_search_all_users_home(vpnc_t)
|
||||
userdom_dontaudit_search_all_users_home_content(vpnc_t)
|
||||
|
||||
optional_policy(`dbus',`
|
||||
dbus_system_bus_client_template(vpnc,vpnc_t)
|
||||
|
@ -105,7 +105,7 @@ template(`cdrecord_per_userdomain_template', `
|
||||
userdom_use_user_terminals($1,$1_cdrecord_t)
|
||||
userdom_use_user_terminals($1,$2)
|
||||
|
||||
userdom_read_user_home_files($1,$1_cdrecord_t)
|
||||
userdom_read_user_home_content_files($1,$1_cdrecord_t)
|
||||
|
||||
# Handle nfs home dirs
|
||||
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
|
||||
@ -138,9 +138,9 @@ template(`cdrecord_per_userdomain_template', `
|
||||
userdom_list_user_tmp($1,$1_cdrecord_t)
|
||||
userdom_read_user_tmp_files($1,$1_cdrecord_t)
|
||||
userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
|
||||
userdom_search_user_home($1,$1_cdrecord_t)
|
||||
userdom_read_user_home_files($1,$1_cdrecord_t)
|
||||
userdom_read_user_home_symlinks($1,$1_cdrecord_t)
|
||||
userdom_search_user_home_dirs($1,$1_cdrecord_t)
|
||||
userdom_read_user_home_content_files($1,$1_cdrecord_t)
|
||||
userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
',`
|
||||
@ -155,8 +155,8 @@ template(`cdrecord_per_userdomain_template', `
|
||||
fs_donaudit_read_removable_files($1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_home_files($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle default_t content
|
||||
@ -173,7 +173,7 @@ template(`cdrecord_per_userdomain_template', `
|
||||
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
|
||||
files_list_tmp($1_cdrecord_t)
|
||||
files_list_home($1_cdrecord_t)
|
||||
userdom_search_user_home($1,$1_cdrecord_t)
|
||||
userdom_search_user_home_dirs($1,$1_cdrecord_t)
|
||||
|
||||
userdom_list_user_untrusted_content($1,$1_cdrecord_t)
|
||||
userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
|
||||
@ -184,7 +184,7 @@ template(`cdrecord_per_userdomain_template', `
|
||||
',`
|
||||
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
|
||||
|
@ -59,7 +59,7 @@ template(`gpg_per_userdomain_template',`
|
||||
files_tmp_file($1_gpg_agent_tmp_t)
|
||||
|
||||
type $1_gpg_secret_t;
|
||||
userdom_user_home_file($1,$1_gpg_secret_t)
|
||||
userdom_user_home_content($1,$1_gpg_secret_t)
|
||||
|
||||
type $1_gpg_helper_t;
|
||||
domain_type($1_gpg_helper_t)
|
||||
@ -243,7 +243,7 @@ template(`gpg_per_userdomain_template',`
|
||||
allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
|
||||
allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
|
||||
allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
||||
files_filetrans_tmp($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
||||
|
||||
corecmd_search_bin($1_gpg_agent_t)
|
||||
|
||||
|
@ -48,14 +48,14 @@ template(`irc_per_userdomain_template',`
|
||||
role $3 types $1_irc_t;
|
||||
|
||||
type $1_irc_exec_t;
|
||||
userdom_user_home_file($1,$1_irc_exec_t)
|
||||
userdom_user_home_content($1,$1_irc_exec_t)
|
||||
domain_entry_file($1_irc_t,$1_irc_exec_t)
|
||||
|
||||
type $1_irc_home_t;
|
||||
userdom_user_home_file($1,$1_irc_home_t)
|
||||
userdom_user_home_content($1,$1_irc_home_t)
|
||||
|
||||
type $1_irc_tmp_t;
|
||||
userdom_user_home_file($1,$1_irc_tmp_t)
|
||||
userdom_user_home_content($1,$1_irc_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -71,7 +71,7 @@ template(`irc_per_userdomain_template',`
|
||||
allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
|
||||
allow $1_irc_t $1_irc_home_t:file create_file_perms;
|
||||
allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
|
||||
userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
|
||||
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
|
||||
|
||||
# access files under /tmp
|
||||
allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
|
||||
@ -79,7 +79,7 @@ template(`irc_per_userdomain_template',`
|
||||
allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
|
||||
allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($2,irc_exec_t,$1_irc_t)
|
||||
|
@ -68,14 +68,14 @@ template(`java_per_userdomain_template',`
|
||||
|
||||
allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
|
||||
allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
|
||||
files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
|
||||
|
||||
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# cjp: rw_dir_perms here doesnt make sense
|
||||
allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
|
||||
@ -140,14 +140,14 @@ template(`java_per_userdomain_template',`
|
||||
sysnet_read_config($1_javaplugin_t)
|
||||
|
||||
userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t)
|
||||
userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t)
|
||||
userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_subdirs($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_files($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_symlinks($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_pipes($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_sockets($1,$1_javaplugin_t)
|
||||
userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
|
||||
userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t)
|
||||
userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_content_dirs($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_content_files($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_content_pipes($1,$1_javaplugin_t)
|
||||
userdom_manage_user_home_content_sockets($1,$1_javaplugin_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
# libdeploy.so legacy
|
||||
tunable_policy(`allow_execmem',`
|
||||
|
@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',`
|
||||
allow $1_lockdev_t $2:process sigchld;
|
||||
|
||||
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
|
||||
files_filetrans_lock($1_lockdev_t,$1_lockdev_lock_t)
|
||||
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t)
|
||||
|
||||
files_read_all_locks($1_lockdev_t)
|
||||
|
||||
|
@ -74,14 +74,14 @@ template(`screen_per_userdomain_template',`
|
||||
allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
|
||||
allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
|
||||
allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp($1_screen_t, $1_screen_tmp_t, { file dir })
|
||||
files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
|
||||
|
||||
# Create fifo
|
||||
allow $1_screen_t screen_dir_t:dir rw_dir_perms;
|
||||
allow $1_screen_t screen_dir_t:dir create_dir_perms;
|
||||
allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
|
||||
type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
|
||||
files_filetrans_pid($1_screen_t,screen_dir_t,dir)
|
||||
files_pid_filetrans($1_screen_t,screen_dir_t,dir)
|
||||
|
||||
allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
|
||||
allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
|
||||
|
@ -45,7 +45,7 @@ template(`tvtime_per_userdomain_template',`
|
||||
role $3 types $1_tvtime_t;
|
||||
|
||||
type $1_tvtime_home_t alias $1_tvtime_rw_t;
|
||||
userdom_user_home_file($1,$1_tvtime_home_t)
|
||||
userdom_user_home_content($1,$1_tvtime_home_t)
|
||||
files_poly_member($1_tvtime_home_t)
|
||||
|
||||
type $1_tvtime_tmp_t;
|
||||
@ -69,18 +69,18 @@ template(`tvtime_per_userdomain_template',`
|
||||
allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
|
||||
allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
|
||||
type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
|
||||
userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir)
|
||||
userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
|
||||
|
||||
allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
|
||||
allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
|
||||
files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
|
||||
|
||||
allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Type transition
|
||||
domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
|
||||
@ -128,7 +128,7 @@ template(`tvtime_per_userdomain_template',`
|
||||
miscfiles_read_fonts($1_tvtime_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_tvtime_t)
|
||||
userdom_read_user_home_files($1,$1_tvtime_t)
|
||||
userdom_read_user_home_content_files($1,$1_tvtime_t)
|
||||
|
||||
# X access, Home files
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
@ -81,7 +81,7 @@ template(`uml_per_userdomain_template',`
|
||||
|
||||
allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
|
||||
allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_uml_t, $1_uml_tmp_t, { file dir })
|
||||
files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
|
||||
can_exec($1_uml_t, $1_uml_tmp_t)
|
||||
|
||||
allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
@ -89,7 +89,7 @@ template(`uml_per_userdomain_template',`
|
||||
allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_filetrans_tmpfs($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
can_exec($1_uml_t, $1_uml_tmpfs_t)
|
||||
|
||||
# access config files
|
||||
@ -102,7 +102,7 @@ template(`uml_per_userdomain_template',`
|
||||
allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
|
||||
allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
|
||||
allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
|
||||
userdom_filetrans_user_home_dir($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
|
||||
userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $2 uml_ro_t:dir r_dir_perms;
|
||||
allow $2 uml_ro_t:file r_file_perms;
|
||||
|
@ -32,7 +32,7 @@ allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
|
||||
allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
|
||||
allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(uml_switch_t,uml_switch_var_run_t,file)
|
||||
files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(uml_switch_t)
|
||||
kernel_list_proc(uml_switch_t)
|
||||
@ -58,7 +58,7 @@ logging_send_syslog_msg(uml_switch_t)
|
||||
miscfiles_read_localization(uml_switch_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(uml_switch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(uml_switch_t)
|
||||
|
@ -105,7 +105,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
|
||||
files_list_var_lib($1_userhelper_t)
|
||||
# Write to utmp.
|
||||
files_filetrans_pid($1_userhelper_t,initrc_var_run_t)
|
||||
files_pid_filetrans($1_userhelper_t,initrc_var_run_t)
|
||||
# Read the /etc/security/default_type file
|
||||
files_read_etc_files($1_userhelper_t)
|
||||
# Read /var.
|
||||
@ -153,7 +153,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
seutil_read_config($1_userhelper_t)
|
||||
seutil_read_default_contexts($1_userhelper_t)
|
||||
|
||||
userdom_use_unpriv_users_fd($1_userhelper_t)
|
||||
userdom_use_unpriv_users_fds($1_userhelper_t)
|
||||
# Allow $1_userhelper_t to transition to user domains.
|
||||
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
|
||||
userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
|
||||
|
@ -50,11 +50,11 @@ allow webalizer_t webalizer_etc_t:file { getattr read };
|
||||
|
||||
allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
|
||||
allow webalizer_t webalizer_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(webalizer_t, webalizer_tmp_t, { file dir })
|
||||
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
|
||||
|
||||
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
|
||||
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(webalizer_t,webalizer_var_lib_t)
|
||||
files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t)
|
||||
|
||||
kernel_read_kernel_sysctls(webalizer_t)
|
||||
kernel_read_system_state(webalizer_t)
|
||||
@ -86,8 +86,8 @@ miscfiles_read_localization(webalizer_t)
|
||||
|
||||
sysnet_read_config(webalizer_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(webalizer_t)
|
||||
userdom_dontaudit_search_all_users_home(webalizer_t)
|
||||
userdom_use_unpriv_users_fds(webalizer_t)
|
||||
userdom_dontaudit_search_all_users_home_content(webalizer_t)
|
||||
|
||||
apache_read_log(webalizer_t)
|
||||
apache_manage_sys_content(webalizer_t)
|
||||
|
@ -447,9 +447,9 @@ interface(`bootloader_manage_kernel_modules',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_filetrans_modules(domain,privatetype,[class(es)])
|
||||
# bootloader_modules_filetrans(domain,privatetype,[class(es)])
|
||||
#
|
||||
interface(`bootloader_filetrans_modules',`
|
||||
interface(`bootloader_modules_filetrans',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
@ -80,16 +80,16 @@ allow bootloader_t boot_t:lnk_file create_lnk_perms;
|
||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||
# uncomment the following lines if you use "lilo -p"
|
||||
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
#files_filetrans_etc(bootloader_t,bootloader_etc_t)
|
||||
#files_etc_filetrans(bootloader_t,bootloader_etc_t)
|
||||
|
||||
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
||||
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
||||
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
|
||||
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
||||
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
||||
files_filetrans_tmp(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
||||
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
||||
# for tune2fs (cjp: ?)
|
||||
files_filetrans_root(bootloader_t,bootloader_tmp_t)
|
||||
files_root_filetrans(bootloader_t,bootloader_tmp_t)
|
||||
|
||||
allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||
allow bootloader_t modules_object_t:file r_file_perms;
|
||||
@ -228,8 +228,8 @@ optional_policy(`rpm',`
|
||||
')
|
||||
|
||||
optional_policy(`userdomain',`
|
||||
userdom_dontaudit_search_staff_home_dir(bootloader_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(bootloader_t)
|
||||
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -559,7 +559,7 @@ interface(`dev_manage_generic_chr_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_filetrans_dev',`
|
||||
interface(`dev_filetrans',`
|
||||
gen_require(`
|
||||
type device_t;
|
||||
')
|
||||
|
@ -968,7 +968,7 @@ interface(`files_list_root',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_filetrans_root',`
|
||||
interface(`files_root_filetrans',`
|
||||
gen_require(`
|
||||
type root_t;
|
||||
')
|
||||
@ -1500,9 +1500,9 @@ interface(`files_manage_etc_runtime_files',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_filetrans_etc(domain,privatetype,[class(es)])
|
||||
# files_etc_filetrans(domain,privatetype,[class(es)])
|
||||
#
|
||||
interface(`files_filetrans_etc',`
|
||||
interface(`files_etc_filetrans',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
@ -1883,7 +1883,7 @@ interface(`files_list_home',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_filetrans_home',`
|
||||
interface(`files_home_filetrans',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
')
|
||||
@ -2297,9 +2297,9 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_filetrans_tmp(domain,private_type,[object class(es)])
|
||||
# files_tmp_filetrans(domain,private_type,[object class(es)])
|
||||
#
|
||||
interface(`files_filetrans_tmp',`
|
||||
interface(`files_tmp_filetrans',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
@ -2467,7 +2467,7 @@ interface(`files_read_usr_symlinks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_filetrans_usr',`
|
||||
interface(`files_usr_filetrans',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
@ -2717,7 +2717,7 @@ interface(`files_manage_var_symlinks',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_filetrans_var',`
|
||||
interface(`files_var_filetrans',`
|
||||
gen_require(`
|
||||
type var_t;
|
||||
')
|
||||
@ -2807,7 +2807,7 @@ interface(`files_list_var_lib',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_filetrans_var_lib',`
|
||||
interface(`files_var_lib_filetrans',`
|
||||
gen_require(`
|
||||
type var_t, var_lib_t;
|
||||
')
|
||||
@ -3019,9 +3019,9 @@ interface(`files_read_all_locks',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_filetrans_lock(domain,private_type,[object class(es)])
|
||||
# files_lock_filetrans(domain,private_type,[object class(es)])
|
||||
#
|
||||
interface(`files_filetrans_lock',`
|
||||
interface(`files_lock_filetrans',`
|
||||
gen_require(`
|
||||
type var_t, var_lock_t;
|
||||
')
|
||||
@ -3102,9 +3102,9 @@ interface(`files_list_pids',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_filetrans_pid(domain,pidfile,[object class(es)])
|
||||
# files_pid_filetrans(domain,pidfile,[object class(es)])
|
||||
#
|
||||
interface(`files_filetrans_pid',`
|
||||
interface(`files_pid_filetrans',`
|
||||
gen_require(`
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
@ -2425,9 +2425,9 @@ interface(`fs_manage_tmpfs_dirs',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# fs_filetrans_tmpfs(domain,derivedtype,[class])
|
||||
# fs_tmpfs_filetrans(domain,derivedtype,[class])
|
||||
#
|
||||
interface(`fs_filetrans_tmpfs',`
|
||||
interface(`fs_tmpfs_filetrans',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
@ -183,7 +183,7 @@ interface(`storage_create_fixed_disk',`
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
dev_filetrans_dev($1,fixed_disk_device_t,blk_file)
|
||||
dev_filetrans($1,fixed_disk_device_t,blk_file)
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
@ -225,7 +225,7 @@ interface(`storage_create_fixed_disk_tmpfs',`
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
fs_filetrans_tmpfs($1,fixed_disk_device_t,blk_file)
|
||||
fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
@ -84,7 +84,7 @@ template(`apache_content_template',`
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
|
||||
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
|
||||
@ -274,7 +274,7 @@ template(`apache_per_userdomain_template', `
|
||||
apache_content_template($1)
|
||||
|
||||
typeattribute httpd_$1_content_t httpd_script_domains;
|
||||
userdom_user_home_file($1,httpd_$1_content_t)
|
||||
userdom_user_home_content($1,httpd_$1_content_t)
|
||||
|
||||
role $3 types httpd_$1_script_t;
|
||||
|
||||
@ -323,9 +323,9 @@ template(`apache_per_userdomain_template', `
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_user_home($1,httpd_t)
|
||||
userdom_search_user_home($1,httpd_suexec_t)
|
||||
userdom_search_user_home($1,httpd_$1_script_t)
|
||||
userdom_search_user_home_dirs($1,httpd_t)
|
||||
userdom_search_user_home_dirs($1,httpd_suexec_t)
|
||||
userdom_search_user_home_dirs($1,httpd_$1_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read };
|
||||
can_exec(httpd_t, httpd_exec_t)
|
||||
|
||||
allow httpd_t httpd_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(httpd_t,httpd_lock_t)
|
||||
files_lock_filetrans(httpd_t,httpd_lock_t)
|
||||
|
||||
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
|
||||
allow httpd_t httpd_log_t:file { create ra_file_perms };
|
||||
allow httpd_t httpd_log_t:lnk_file read;
|
||||
# cjp: need to refine create interfaces to
|
||||
# cut this back to add_name only
|
||||
logging_filetrans_log(httpd_t,httpd_log_t)
|
||||
logging_log_filetrans(httpd_t,httpd_log_t)
|
||||
|
||||
allow httpd_t httpd_modules_t:file rx_file_perms;
|
||||
allow httpd_t httpd_modules_t:dir r_dir_perms;
|
||||
@ -190,23 +190,23 @@ allow httpd_t httpd_sys_content_t:file r_file_perms;
|
||||
|
||||
allow httpd_t httpd_tmp_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(httpd_t, httpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
|
||||
|
||||
allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
|
||||
allow httpd_t httpd_tmpfs_t:file create_file_perms;
|
||||
allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
|
||||
allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_filetrans_tmpfs(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow httpd_t httpd_var_lib_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(httpd_t,httpd_var_lib_t)
|
||||
files_var_lib_filetrans(httpd_t,httpd_var_lib_t)
|
||||
|
||||
allow httpd_t httpd_var_run_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
|
||||
allow httpd_t httpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(httpd_t,httpd_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
|
||||
|
||||
allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
|
||||
allow httpd_t squirrelmail_spool_t:file create_file_perms;
|
||||
@ -281,8 +281,8 @@ seutil_dontaudit_search_config(httpd_t)
|
||||
sysnet_use_ldap(httpd_t)
|
||||
sysnet_read_config(httpd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(httpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(httpd_t)
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
|
||||
|
||||
mta_send_mail(httpd_t)
|
||||
|
||||
@ -292,7 +292,7 @@ ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_t)
|
||||
userdom_search_generic_user_home_dirs(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -494,7 +494,7 @@ allow httpd_php_t httpd_log_t:file ra_file_perms;
|
||||
|
||||
allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
|
||||
allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(httpd_php_t, httpd_php_tmp_t, { file dir })
|
||||
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -502,7 +502,7 @@ libs_exec_lib_files(httpd_php_t)
|
||||
libs_use_ld_so(httpd_php_t)
|
||||
libs_use_shared_libs(httpd_php_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(httpd_php_t)
|
||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||
|
||||
optional_policy(`mysql',`
|
||||
mysql_stream_connect(httpd_php_t)
|
||||
@ -539,7 +539,7 @@ allow httpd_suexec_t httpd_t:fifo_file getattr;
|
||||
|
||||
allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
|
||||
allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
@ -568,7 +568,7 @@ miscfiles_read_localization(httpd_suexec_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_suexec_t)
|
||||
userdom_search_generic_user_home_dirs(httpd_suexec_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -678,7 +678,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_sys_script_t)
|
||||
userdom_search_generic_user_home_dirs(httpd_sys_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -72,16 +72,16 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow apmd_t apmd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(apmd_t,apmd_log_t)
|
||||
logging_log_filetrans(apmd_t,apmd_log_t)
|
||||
|
||||
allow apmd_t apmd_tmp_t:dir create_dir_perms;
|
||||
allow apmd_t apmd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(apmd_t, apmd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
|
||||
|
||||
allow apmd_t apmd_var_run_t:dir rw_dir_perms;
|
||||
allow apmd_t apmd_var_run_t:file create_file_perms;
|
||||
allow apmd_t apmd_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(apmd_t, apmd_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(apmd_t)
|
||||
kernel_rw_all_sysctls(apmd_t)
|
||||
@ -146,12 +146,12 @@ modutils_read_module_config(apmd_t)
|
||||
seutil_dontaudit_read_config(apmd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
|
||||
userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
|
||||
userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
|
||||
userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow apmd_t apmd_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(apmd_t,apmd_lock_t)
|
||||
files_lock_filetrans(apmd_t,apmd_lock_t)
|
||||
|
||||
can_exec(apmd_t, apmd_var_run_t)
|
||||
|
||||
@ -176,7 +176,7 @@ ifdef(`distro_redhat',`
|
||||
ifdef(`distro_suse',`
|
||||
allow apmd_t apmd_var_lib_t:file create_file_perms;
|
||||
allow apmd_t apmd_var_lib_t:dir create_dir_perms;
|
||||
files_filetrans_var_lib(apmd_t,apmd_var_lib_t)
|
||||
files_var_lib_filetrans(apmd_t,apmd_var_lib_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -39,11 +39,11 @@ allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
|
||||
allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(arpwatch_t, arpwatch_tmp_t, { file dir })
|
||||
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
|
||||
|
||||
allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
|
||||
allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(arpwatch_t,arpwatch_var_run_t)
|
||||
files_pid_filetrans(arpwatch_t,arpwatch_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(arpwatch_t)
|
||||
kernel_list_proc(arpwatch_t)
|
||||
@ -89,7 +89,7 @@ miscfiles_read_localization(arpwatch_t)
|
||||
sysnet_read_config(arpwatch_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(arpwatch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
|
||||
|
||||
mta_send_mail(arpwatch_t)
|
||||
|
||||
|
@ -42,20 +42,20 @@ allow automount_t automount_etc_t:file { getattr read };
|
||||
can_exec(automount_t, automount_etc_t)
|
||||
|
||||
allow automount_t automount_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(automount_t,automount_lock_t)
|
||||
files_lock_filetrans(automount_t,automount_lock_t)
|
||||
|
||||
allow automount_t automount_tmp_t:dir create_dir_perms;
|
||||
allow automount_t automount_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(automount_t, automount_tmp_t, { file dir })
|
||||
files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
|
||||
|
||||
# Allow automount to create and delete directories in / and /home
|
||||
allow automount_t automount_tmp_t:dir create_dir_perms;
|
||||
files_filetrans_home(automount_t,automount_tmp_t)
|
||||
files_filetrans_root(automount_t,automount_tmp_t,dir)
|
||||
files_home_filetrans(automount_t,automount_tmp_t)
|
||||
files_root_filetrans(automount_t,automount_tmp_t,dir)
|
||||
|
||||
allow automount_t automount_var_run_t:file create_file_perms;
|
||||
allow automount_t automount_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(automount_t,automount_var_run_t)
|
||||
files_pid_filetrans(automount_t,automount_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(automount_t)
|
||||
kernel_read_fs_sysctls(automount_t)
|
||||
@ -129,7 +129,7 @@ sysnet_use_ldap(automount_t)
|
||||
sysnet_read_config(automount_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(automount_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(automount_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(automount_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_files(automount_t)
|
||||
|
@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms;
|
||||
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
|
||||
allow avahi_t avahi_var_run_t:file create_file_perms;
|
||||
allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
|
||||
files_filetrans_pid(avahi_t,avahi_var_run_t)
|
||||
files_pid_filetrans(avahi_t,avahi_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(avahi_t)
|
||||
kernel_list_proc(avahi_t)
|
||||
@ -80,7 +80,7 @@ miscfiles_read_localization(avahi_t)
|
||||
sysnet_read_config(avahi_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(avahi_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(avahi_t)
|
||||
|
@ -76,16 +76,16 @@ can_exec(named_t, named_exec_t)
|
||||
|
||||
allow named_t named_log_t:file create_file_perms;
|
||||
allow named_t named_log_t:dir rw_dir_perms;
|
||||
logging_filetrans_log(named_t,named_log_t,{ file dir })
|
||||
logging_log_filetrans(named_t,named_log_t,{ file dir })
|
||||
|
||||
allow named_t named_tmp_t:dir create_dir_perms;
|
||||
allow named_t named_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(named_t, named_tmp_t, { file dir })
|
||||
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
|
||||
|
||||
allow named_t named_var_run_t:dir rw_dir_perms;
|
||||
allow named_t named_var_run_t:file create_file_perms;
|
||||
allow named_t named_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(named_t,named_var_run_t,{ file sock_file })
|
||||
files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
|
||||
|
||||
# read zone files
|
||||
allow named_t named_zone_t:dir r_dir_perms;
|
||||
@ -143,7 +143,7 @@ miscfiles_read_localization(named_t)
|
||||
sysnet_read_config(named_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(named_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(named_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(named_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(named_t)
|
||||
|
@ -69,20 +69,20 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
|
||||
allow bluetooth_helper_t bluetooth_t:process sigchld;
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(bluetooth_t,bluetooth_lock_t)
|
||||
files_lock_filetrans(bluetooth_t,bluetooth_lock_t)
|
||||
|
||||
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
|
||||
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||
|
||||
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
|
||||
files_filetrans_var_lib(bluetooth_t,bluetooth_var_lib_t)
|
||||
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t)
|
||||
|
||||
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(bluetooth_t)
|
||||
kernel_read_system_state(bluetooth_t)
|
||||
@ -135,7 +135,7 @@ sysnet_read_config(bluetooth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||
userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(bluetooth_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(bluetooth_t)
|
||||
@ -175,7 +175,7 @@ allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||
|
||||
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
|
||||
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
|
||||
files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(bluetooth_helper_t)
|
||||
kernel_read_kernel_sysctls(bluetooth_helper_t)
|
||||
@ -202,7 +202,7 @@ logging_send_syslog_msg(bluetooth_helper_t)
|
||||
miscfiles_read_localization(bluetooth_helper_t)
|
||||
miscfiles_read_fonts(bluetooth_helper_t)
|
||||
|
||||
userdom_search_all_users_home(bluetooth_helper_t)
|
||||
userdom_search_all_users_home_content(bluetooth_helper_t)
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_socket_use(bluetooth_helper_t)
|
||||
|
@ -33,17 +33,17 @@ allow canna_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow canna_t canna_log_t:file create_file_perms;
|
||||
allow canna_t canna_log_t:dir { rw_dir_perms setattr };
|
||||
logging_filetrans_log(canna_t,canna_log_t,{ file dir })
|
||||
logging_log_filetrans(canna_t,canna_log_t,{ file dir })
|
||||
|
||||
allow canna_t canna_var_lib_t:dir create_dir_perms;
|
||||
allow canna_t canna_var_lib_t:file create_file_perms;
|
||||
allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
|
||||
files_filetrans_var_lib(canna_t,canna_var_lib_t)
|
||||
files_var_lib_filetrans(canna_t,canna_var_lib_t)
|
||||
|
||||
allow canna_t canna_var_run_t:dir rw_dir_perms;
|
||||
allow canna_t canna_var_run_t:file create_file_perms;
|
||||
allow canna_t canna_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(canna_t, canna_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(canna_t)
|
||||
kernel_read_system_state(canna_t)
|
||||
@ -85,7 +85,7 @@ miscfiles_read_localization(canna_t)
|
||||
sysnet_read_config(canna_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(canna_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(canna_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(canna_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(canna_t)
|
||||
|
@ -33,11 +33,11 @@ allow comsat_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow comsat_t comsat_tmp_t:dir create_dir_perms;
|
||||
allow comsat_t comsat_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(comsat_t, comsat_tmp_t, { file dir })
|
||||
files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
|
||||
|
||||
allow comsat_t comsat_var_run_t:file create_file_perms;
|
||||
allow comsat_t comsat_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(comsat_t,comsat_var_run_t)
|
||||
files_pid_filetrans(comsat_t,comsat_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(comsat_t)
|
||||
kernel_read_network_state(comsat_t)
|
||||
|
@ -141,14 +141,14 @@ template(`cron_per_userdomain_template',`
|
||||
userdom_manage_user_tmp_pipes($1,$1_crond_t)
|
||||
userdom_manage_user_tmp_sockets($1,$1_crond_t)
|
||||
# Run scripts in user home directory and access shared libs.
|
||||
userdom_exec_user_home_files($1,$1_crond_t)
|
||||
userdom_exec_user_home_content_files($1,$1_crond_t)
|
||||
# Access user files and dirs.
|
||||
# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
|
||||
userdom_manage_user_home_files($1,$1_crond_t)
|
||||
userdom_manage_user_home_symlinks($1,$1_crond_t)
|
||||
userdom_manage_user_home_pipes($1,$1_crond_t)
|
||||
userdom_manage_user_home_sockets($1,$1_crond_t)
|
||||
# userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set)
|
||||
userdom_manage_user_home_content_files($1,$1_crond_t)
|
||||
userdom_manage_user_home_content_symlinks($1,$1_crond_t)
|
||||
userdom_manage_user_home_content_pipes($1,$1_crond_t)
|
||||
userdom_manage_user_home_content_sockets($1,$1_crond_t)
|
||||
# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
@ -242,7 +242,7 @@ template(`cron_per_userdomain_template',`
|
||||
# Access terminals.
|
||||
userdom_use_user_terminals($1,$1_crontab_t)
|
||||
# Read user crontabs
|
||||
userdom_read_user_home_files($1,$1_crontab_t)
|
||||
userdom_read_user_home_content_files($1,$1_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
|
@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
|
||||
allow crond_t self:msg { send receive };
|
||||
|
||||
allow crond_t crond_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(crond_t,crond_var_run_t)
|
||||
files_pid_filetrans(crond_t,crond_var_run_t)
|
||||
|
||||
allow crond_t cron_spool_t:dir rw_dir_perms;
|
||||
allow crond_t cron_spool_t:file r_file_perms;
|
||||
@ -134,9 +134,9 @@ seutil_sigchld_newrole(crond_t)
|
||||
|
||||
miscfiles_read_localization(crond_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(crond_t)
|
||||
userdom_use_unpriv_users_fds(crond_t)
|
||||
# Not sure why this is needed
|
||||
userdom_list_all_users_home_dir(crond_t)
|
||||
userdom_list_all_users_home_dirs(crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
@ -152,24 +152,24 @@ ifdef(`targeted_policy',`
|
||||
allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
|
||||
allow crond_t system_crond_tmp_t:sock_file create_file_perms;
|
||||
allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
unconfined_domain(crond_t)
|
||||
|
||||
# cjp: fix this to generic_user interfaces
|
||||
userdom_manage_user_home_subdirs(user,crond_t)
|
||||
userdom_manage_generic_user_home_files(crond_t)
|
||||
userdom_manage_generic_user_home_symlinks(crond_t)
|
||||
userdom_manage_generic_user_home_sockets(crond_t)
|
||||
userdom_manage_generic_user_home_pipes(crond_t)
|
||||
userdom_filetrans_generic_user_home(crond_t,{ dir file lnk_file fifo_file sock_file })
|
||||
userdom_manage_user_home_content_dirs(user,crond_t)
|
||||
userdom_manage_generic_user_home_content_files(crond_t)
|
||||
userdom_manage_generic_user_home_content_symlinks(crond_t)
|
||||
userdom_manage_generic_user_home_content_sockets(crond_t)
|
||||
userdom_manage_generic_user_home_content_pipes(crond_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
|
||||
|
||||
allow crond_t unconfined_t:dbus send_msg;
|
||||
allow crond_t initrc_t:dbus send_msg;
|
||||
',`
|
||||
allow crond_t crond_tmp_t:dir create_dir_perms;
|
||||
allow crond_t crond_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(crond_t, crond_tmp_t, { file dir })
|
||||
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
')
|
||||
@ -247,11 +247,11 @@ ifdef(`targeted_policy',`
|
||||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(system_crond_t,system_crond_lock_t)
|
||||
files_lock_filetrans(system_crond_t,system_crond_lock_t)
|
||||
|
||||
# write temporary files
|
||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(system_crond_t,system_crond_tmp_t)
|
||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t)
|
||||
|
||||
# write temporary files in crond tmp dir:
|
||||
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
||||
|
@ -92,7 +92,7 @@ files_search_etc(cupsd_t)
|
||||
allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
|
||||
allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
|
||||
type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
|
||||
files_filetrans_var(cupsd_t,cupsd_rw_etc_t,{ dir file })
|
||||
files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
|
||||
|
||||
# allow cups to execute its backend scripts
|
||||
can_exec(cupsd_t, cupsd_exec_t)
|
||||
@ -101,16 +101,16 @@ allow cupsd_t cupsd_exec_t:lnk_file read;
|
||||
|
||||
allow cupsd_t cupsd_log_t:file create_file_perms;
|
||||
allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
|
||||
logging_filetrans_log(cupsd_t,cupsd_log_t,{ file dir })
|
||||
logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
|
||||
|
||||
allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
|
||||
allow cupsd_t cupsd_tmp_t:file create_file_perms;
|
||||
allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
|
||||
files_filetrans_tmp(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
|
||||
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
|
||||
|
||||
allow cupsd_t cupsd_var_run_t:file create_file_perms;
|
||||
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(cupsd_t,cupsd_var_run_t)
|
||||
files_pid_filetrans(cupsd_t,cupsd_var_run_t)
|
||||
|
||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||
|
||||
@ -190,7 +190,7 @@ seutil_dontaudit_read_config(cupsd_t)
|
||||
sysnet_read_config(cupsd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
|
||||
userdom_dontaudit_search_all_users_home(cupsd_t)
|
||||
userdom_dontaudit_search_all_users_home_content(cupsd_t)
|
||||
|
||||
# Write to /var/spool/cups.
|
||||
lpd_manage_spool(cupsd_t)
|
||||
@ -299,11 +299,11 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
|
||||
allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
|
||||
allow ptal_t ptal_var_run_t:sock_file create_file_perms;
|
||||
allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
|
||||
files_filetrans_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
|
||||
files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow ptal_t ptal_var_run_t:file create_file_perms;
|
||||
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ptal_t,ptal_var_run_t)
|
||||
files_pid_filetrans(ptal_t,ptal_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ptal_t)
|
||||
kernel_list_proc(ptal_t)
|
||||
@ -345,7 +345,7 @@ miscfiles_read_localization(ptal_t)
|
||||
sysnet_read_config(ptal_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
||||
userdom_dontaudit_search_all_users_home(ptal_t)
|
||||
userdom_dontaudit_search_all_users_home_content(ptal_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(ptal_t)
|
||||
@ -390,7 +390,7 @@ files_search_etc(hplip_t)
|
||||
|
||||
allow hplip_t hplip_var_run_t:file create_file_perms;
|
||||
allow hplip_t hplip_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(hplip_t,hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t,hplip_var_run_t)
|
||||
|
||||
kernel_read_system_state(hplip_t)
|
||||
kernel_read_kernel_sysctls(hplip_t)
|
||||
@ -442,7 +442,7 @@ miscfiles_read_localization(hplip_t)
|
||||
sysnet_read_config(hplip_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(hplip_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
|
||||
|
||||
lpd_read_config(cupsd_t)
|
||||
|
||||
@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
|
||||
|
||||
allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
|
||||
allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(cupsd_config_t,cupsd_config_var_run_t)
|
||||
files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t)
|
||||
|
||||
can_exec(cupsd_config_t, cupsd_config_exec_t)
|
||||
|
||||
@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
|
||||
files_filetrans_var(cupsd_config_t,cupsd_rw_etc_t)
|
||||
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t)
|
||||
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
|
||||
@ -563,7 +563,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
|
||||
sysnet_read_config(cupsd_config_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
init_getattr_script_files(cupsd_config_t)
|
||||
@ -678,11 +678,11 @@ allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
|
||||
|
||||
allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
|
||||
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
|
||||
files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t)
|
||||
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
|
||||
|
@ -38,11 +38,11 @@ allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow cvs_t cvs_tmp_t:dir create_dir_perms;
|
||||
allow cvs_t cvs_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(cvs_t, cvs_tmp_t, { file dir })
|
||||
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
|
||||
|
||||
allow cvs_t cvs_var_run_t:file create_file_perms;
|
||||
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(cvs_t,cvs_var_run_t)
|
||||
files_pid_filetrans(cvs_t,cvs_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(cvs_t)
|
||||
kernel_read_system_state(cvs_t)
|
||||
|
@ -44,16 +44,16 @@ allow cyrus_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
|
||||
allow cyrus_t cyrus_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(cyrus_t, cyrus_tmp_t, { file dir })
|
||||
files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
|
||||
|
||||
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
|
||||
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
|
||||
files_filetrans_pid(cyrus_t,cyrus_var_run_t)
|
||||
files_pid_filetrans(cyrus_t,cyrus_var_run_t)
|
||||
|
||||
allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
|
||||
allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
|
||||
allow cyrus_t cyrus_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
|
||||
files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(cyrus_t)
|
||||
kernel_read_system_state(cyrus_t)
|
||||
@ -106,8 +106,8 @@ miscfiles_read_certs(cyrus_t)
|
||||
sysnet_read_config(cyrus_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
|
||||
userdom_use_unpriv_users_fd(cyrus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
|
||||
userdom_use_unpriv_users_fds(cyrus_t)
|
||||
userdom_use_sysadm_ptys(cyrus_t)
|
||||
|
||||
mta_manage_spool(cyrus_t)
|
||||
|
@ -39,11 +39,11 @@ optional_policy(`kerberos',`
|
||||
|
||||
allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
|
||||
allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(dbskkd_t, dbskkd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
|
||||
|
||||
allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
|
||||
allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dbskkd_t,dbskkd_var_run_t)
|
||||
files_pid_filetrans(dbskkd_t,dbskkd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(dbskkd_t)
|
||||
kernel_read_system_state(dbskkd_t)
|
||||
|
@ -97,7 +97,7 @@ template(`dbus_per_userdomain_template',`
|
||||
|
||||
allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
|
||||
allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
|
||||
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
|
||||
|
||||
domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
|
||||
allow $2 $1_dbusd_t:fd use;
|
||||
|
@ -47,12 +47,12 @@ allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
|
||||
allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||
|
||||
allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
|
||||
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
|
||||
allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(system_dbusd_t,system_dbusd_var_run_t)
|
||||
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t)
|
||||
|
||||
kernel_read_system_state(system_dbusd_t)
|
||||
kernel_read_kernel_sysctls(system_dbusd_t)
|
||||
@ -108,7 +108,7 @@ seutil_read_default_contexts(system_dbusd_t)
|
||||
seutil_sigchld_newrole(system_dbusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(system_dbusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(system_dbusd_t)
|
||||
|
@ -41,15 +41,15 @@ can_exec(dhcpd_t,dhcpd_exec_t)
|
||||
|
||||
allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
|
||||
allow dhcpd_t dhcpd_state_t:file create_file_perms;
|
||||
sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t)
|
||||
sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t)
|
||||
|
||||
allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
|
||||
allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
|
||||
|
||||
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
|
||||
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
|
||||
files_pid_filetrans(dhcpd_t,dhcpd_var_run_t)
|
||||
|
||||
kernel_read_system_state(dhcpd_t)
|
||||
kernel_read_kernel_sysctls(dhcpd_t)
|
||||
@ -103,7 +103,7 @@ sysnet_read_config(dhcpd_t)
|
||||
sysnet_read_dhcp_config(dhcpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
|
||||
|
@ -32,15 +32,15 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow distccd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow distccd_t distccd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(distccd_t,distccd_log_t)
|
||||
logging_log_filetrans(distccd_t,distccd_log_t)
|
||||
|
||||
allow distccd_t distccd_tmp_t:dir create_dir_perms;
|
||||
allow distccd_t distccd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(distccd_t, distccd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
|
||||
|
||||
allow distccd_t distccd_var_run_t:file create_file_perms;
|
||||
allow distccd_t distccd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(distccd_t,distccd_var_run_t)
|
||||
files_pid_filetrans(distccd_t,distccd_var_run_t)
|
||||
|
||||
kernel_read_system_state(distccd_t)
|
||||
kernel_read_kernel_sysctls(distccd_t)
|
||||
@ -87,7 +87,7 @@ miscfiles_read_localization(distccd_t)
|
||||
sysnet_read_config(distccd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(distccd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(distccd_t)
|
||||
|
@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
|
||||
allow dovecot_t dovecot_var_run_t:file create_file_perms;
|
||||
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
|
||||
allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(dovecot_t,dovecot_var_run_t)
|
||||
files_pid_filetrans(dovecot_t,dovecot_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
@ -113,7 +113,7 @@ sysnet_read_config(dovecot_t)
|
||||
sysnet_use_ldap(dovecot_auth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
|
||||
userdom_priveleged_home_dir_manager(dovecot_t)
|
||||
|
||||
mta_manage_spool(dovecot_t)
|
||||
|
@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
|
||||
|
||||
allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
|
||||
mta_filetrans_spool(fetchmail_t,fetchmail_uidl_cache_t)
|
||||
mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t)
|
||||
|
||||
allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
|
||||
allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(fetchmail_t,fetchmail_var_run_t)
|
||||
files_pid_filetrans(fetchmail_t,fetchmail_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(fetchmail_t)
|
||||
kernel_list_proc(fetchmail_t)
|
||||
@ -90,7 +90,7 @@ miscfiles_read_certs(fetchmail_t)
|
||||
sysnet_read_config(fetchmail_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fetchmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(fetchmail_t)
|
||||
|
@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow fingerd_t fingerd_var_run_t:file create_file_perms;
|
||||
allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(fingerd_t,fingerd_var_run_t)
|
||||
files_pid_filetrans(fingerd_t,fingerd_var_run_t)
|
||||
|
||||
allow fingerd_t fingerd_etc_t:file r_file_perms;
|
||||
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
|
||||
allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow fingerd_t fingerd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(fingerd_t,fingerd_log_t)
|
||||
logging_log_filetrans(fingerd_t,fingerd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
@ -97,9 +97,9 @@ sysnet_read_config(fingerd_t)
|
||||
|
||||
miscfiles_read_localization(fingerd_t)
|
||||
|
||||
userdom_read_unpriv_users_home_files(fingerd_t)
|
||||
userdom_read_unpriv_users_home_content_files(fingerd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
|
||||
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
|
||||
# have to change this when we create a type for Maildir
|
||||
userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
|
||||
|
@ -25,11 +25,11 @@
|
||||
#
|
||||
template(`ftp_per_userdomain_template',`
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
userdom_manage_user_home_files($1,ftpd_t)
|
||||
userdom_manage_user_home_symlinks($1,ftpd_t)
|
||||
userdom_manage_user_home_sockets($1,ftpd_t)
|
||||
userdom_manage_user_home_pipes($1,ftpd_t)
|
||||
userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_manage_user_home_content_files($1,ftpd_t)
|
||||
userdom_manage_user_home_content_symlinks($1,ftpd_t)
|
||||
userdom_manage_user_home_content_sockets($1,ftpd_t)
|
||||
userdom_manage_user_home_content_pipes($1,ftpd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -48,22 +48,22 @@ allow ftpd_t ftpd_etc_t:file r_file_perms;
|
||||
|
||||
allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
|
||||
allow ftpd_t ftpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(ftpd_t, ftpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
|
||||
|
||||
allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
|
||||
fs_filetrans_tmpfs(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow ftpd_t ftpd_var_run_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ftpd_t,ftpd_var_run_t)
|
||||
files_pid_filetrans(ftpd_t,ftpd_var_run_t)
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
allow ftpd_t xferlog_t:file create_file_perms;
|
||||
logging_filetrans_log(ftpd_t,xferlog_t)
|
||||
logging_log_filetrans(ftpd_t,xferlog_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ftpd_t)
|
||||
kernel_read_system_state(ftpd_t)
|
||||
@ -126,7 +126,7 @@ seutil_dontaudit_search_config(ftpd_t)
|
||||
|
||||
sysnet_read_config(ftpd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
@ -137,11 +137,11 @@ ifdef(`targeted_policy',`
|
||||
|
||||
optional_policy(`ftp',`
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
userdom_manage_generic_user_home_files(ftpd_t)
|
||||
userdom_manage_generic_user_home_symlinks(ftpd_t)
|
||||
userdom_manage_generic_user_home_sockets(ftpd_t)
|
||||
userdom_manage_generic_user_home_pipes(ftpd_t)
|
||||
userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_manage_generic_user_home_content_files(ftpd_t)
|
||||
userdom_manage_generic_user_home_content_symlinks(ftpd_t)
|
||||
userdom_manage_generic_user_home_content_sockets(ftpd_t)
|
||||
userdom_manage_generic_user_home_content_pipes(ftpd_t)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
')
|
||||
@ -153,19 +153,19 @@ tunable_policy(`allow_ftpd_anon_write',`
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
# allow access to /home
|
||||
files_list_home(ftpd_t)
|
||||
userdom_read_all_users_home_files(ftpd_t)
|
||||
userdom_manage_all_users_home_dirs(ftpd_t)
|
||||
userdom_manage_all_users_home_files(ftpd_t)
|
||||
userdom_manage_all_users_home_symlinks(ftpd_t)
|
||||
userdom_read_all_users_home_content_files(ftpd_t)
|
||||
userdom_manage_all_users_home_content_dirs(ftpd_t)
|
||||
userdom_manage_all_users_home_content_files(ftpd_t)
|
||||
userdom_manage_all_users_home_content_symlinks(ftpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
allow ftpd_t ftpd_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(ftpd_t,ftpd_lock_t)
|
||||
files_lock_filetrans(ftpd_t,ftpd_lock_t)
|
||||
|
||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||
')
|
||||
|
@ -36,14 +36,14 @@ allow gpm_t gpm_conf_t:lnk_file { getattr read };
|
||||
|
||||
allow gpm_t gpm_tmp_t:dir create_dir_perms;
|
||||
allow gpm_t gpm_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(gpm_t, gpm_tmp_t, { file dir })
|
||||
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
|
||||
|
||||
allow gpm_t gpm_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(gpm_t,gpm_var_run_t)
|
||||
files_pid_filetrans(gpm_t,gpm_var_run_t)
|
||||
|
||||
allow gpm_t gpmctl_t:sock_file create_file_perms;
|
||||
allow gpm_t gpmctl_t:fifo_file create_file_perms;
|
||||
dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
|
||||
dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
|
||||
|
||||
# cjp: this has no effect
|
||||
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
|
||||
@ -76,7 +76,7 @@ logging_send_syslog_msg(gpm_t)
|
||||
miscfiles_read_localization(gpm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(gpm_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(gpm_t)
|
||||
|
@ -38,11 +38,11 @@ allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
allow hald_t hald_tmp_t:dir create_dir_perms;
|
||||
allow hald_t hald_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(hald_t, hald_tmp_t, { file dir })
|
||||
files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
|
||||
|
||||
allow hald_t hald_var_run_t:file create_file_perms;
|
||||
allow hald_t hald_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(hald_t,hald_var_run_t)
|
||||
files_pid_filetrans(hald_t,hald_var_run_t)
|
||||
|
||||
kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
@ -141,7 +141,7 @@ seutil_read_default_contexts(hald_t)
|
||||
sysnet_read_config(hald_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(hald_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
|
@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow howl_t howl_var_run_t:file create_file_perms;
|
||||
allow howl_t howl_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(howl_t,howl_var_run_t)
|
||||
files_pid_filetrans(howl_t,howl_var_run_t)
|
||||
|
||||
kernel_read_network_state(howl_t)
|
||||
kernel_read_kernel_sysctls(howl_t)
|
||||
@ -74,7 +74,7 @@ miscfiles_read_localization(howl_t)
|
||||
sysnet_read_config(howl_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(howl_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(howl_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(howl_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(howl_t)
|
||||
|
@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(i18n_input_t,i18n_input_var_run_t)
|
||||
files_pid_filetrans(i18n_input_t,i18n_input_var_run_t)
|
||||
|
||||
can_exec(i18n_input_t, i18n_input_exec_t)
|
||||
|
||||
@ -83,8 +83,8 @@ miscfiles_read_localization(i18n_input_t)
|
||||
sysnet_read_config(i18n_input_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(i18n_input_t)
|
||||
userdom_read_unpriv_users_home_files(i18n_input_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
|
||||
userdom_read_unpriv_users_home_content_files(i18n_input_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(i18n_input_t)
|
||||
|
@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow inetd_t self:udp_socket { connect connected_socket_perms };
|
||||
|
||||
allow inetd_t inetd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(inetd_t,inetd_log_t)
|
||||
logging_log_filetrans(inetd_t,inetd_log_t)
|
||||
|
||||
allow inetd_t inetd_tmp_t:dir create_dir_perms;
|
||||
allow inetd_t inetd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(inetd_t, inetd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
|
||||
|
||||
allow inetd_t inetd_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(inetd_t,inetd_var_run_t)
|
||||
files_pid_filetrans(inetd_t,inetd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
@ -119,7 +119,7 @@ miscfiles_read_localization(inetd_t)
|
||||
sysnet_read_config(inetd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(inetd_t)
|
||||
@ -175,11 +175,11 @@ files_search_home(inetd_child_t)
|
||||
|
||||
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
|
||||
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(inetd_child_t, inetd_child_tmp_t, { file dir })
|
||||
files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
|
||||
|
||||
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
|
||||
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(inetd_child_t,inetd_child_var_run_t)
|
||||
files_pid_filetrans(inetd_child_t,inetd_child_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(inetd_child_t)
|
||||
kernel_read_system_state(inetd_child_t)
|
||||
|
@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
|
||||
|
||||
allow innd_t innd_log_t:file manage_file_perms;
|
||||
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
|
||||
logging_filetrans_log(innd_t,innd_log_t)
|
||||
logging_log_filetrans(innd_t,innd_log_t)
|
||||
|
||||
allow innd_t innd_var_lib_t:dir create_dir_perms;
|
||||
allow innd_t innd_var_lib_t:file create_file_perms;
|
||||
files_filetrans_var_lib(innd_t,innd_var_lib_t)
|
||||
files_var_lib_filetrans(innd_t,innd_var_lib_t)
|
||||
|
||||
allow innd_t innd_var_run_t:dir create_dir_perms;
|
||||
allow innd_t innd_var_run_t:file create_file_perms;
|
||||
allow innd_t innd_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(innd_t,innd_var_run_t)
|
||||
files_pid_filetrans(innd_t,innd_var_run_t)
|
||||
|
||||
allow innd_t news_spool_t:dir create_dir_perms;
|
||||
allow innd_t news_spool_t:file create_file_perms;
|
||||
@ -112,7 +112,7 @@ seutil_dontaudit_search_config(innd_t)
|
||||
sysnet_read_config(innd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(innd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(innd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(innd_t)
|
||||
|
||||
mta_send_mail(innd_t)
|
||||
|
||||
|
@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
|
||||
|
||||
allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
|
||||
allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(irqbalance_t,irqbalance_var_run_t)
|
||||
files_pid_filetrans(irqbalance_t,irqbalance_var_run_t)
|
||||
|
||||
kernel_read_system_state(irqbalance_t)
|
||||
kernel_read_kernel_sysctls(irqbalance_t)
|
||||
@ -52,7 +52,7 @@ logging_send_syslog_msg(irqbalance_t)
|
||||
miscfiles_read_localization(irqbalance_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(irqbalance_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(irqbalance_t)
|
||||
|
@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow kadmind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow kadmind_t kadmind_log_t:file create_file_perms;
|
||||
logging_filetrans_log(kadmind_t,kadmind_log_t)
|
||||
logging_log_filetrans(kadmind_t,kadmind_log_t)
|
||||
|
||||
allow kadmind_t krb5_conf_t:file r_file_perms;
|
||||
dontaudit kadmind_t krb5_conf_t:file write;
|
||||
@ -77,11 +77,11 @@ can_exec(kadmind_t, kadmind_exec_t)
|
||||
|
||||
allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
|
||||
allow kadmind_t kadmind_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
|
||||
allow kadmind_t kadmind_var_run_t:file create_file_perms;
|
||||
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(kadmind_t,kadmind_var_run_t)
|
||||
files_pid_filetrans(kadmind_t,kadmind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(kadmind_t)
|
||||
kernel_list_proc(kadmind_t)
|
||||
@ -129,7 +129,7 @@ miscfiles_read_localization(kadmind_t)
|
||||
sysnet_read_config(kadmind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(kadmind_t)
|
||||
@ -172,18 +172,18 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
|
||||
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
||||
|
||||
allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
|
||||
logging_filetrans_log(krb5kdc_t,krb5kdc_log_t)
|
||||
logging_log_filetrans(krb5kdc_t,krb5kdc_log_t)
|
||||
|
||||
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
|
||||
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
|
||||
|
||||
allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
|
||||
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
|
||||
allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(krb5kdc_t,krb5kdc_var_run_t)
|
||||
files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t)
|
||||
|
||||
kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
@ -229,7 +229,7 @@ miscfiles_read_localization(krb5kdc_t)
|
||||
sysnet_read_config(krb5kdc_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(krb5kdc_t)
|
||||
|
@ -40,11 +40,11 @@ optional_policy(`kerberos',`
|
||||
|
||||
allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
|
||||
allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(ktalkd_t, ktalkd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
|
||||
|
||||
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
|
||||
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ktalkd_t,ktalkd_var_run_t)
|
||||
files_pid_filetrans(ktalkd_t,ktalkd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ktalkd_t)
|
||||
kernel_read_system_state(ktalkd_t)
|
||||
|
@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
|
||||
allow slapd_t slapd_etc_t:file { getattr read };
|
||||
|
||||
allow slapd_t slapd_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(slapd_t,slapd_lock_t)
|
||||
files_lock_filetrans(slapd_t,slapd_lock_t)
|
||||
|
||||
# Allow access to write the replication log (should tighten this)
|
||||
allow slapd_t slapd_replog_t:dir create_dir_perms;
|
||||
@ -68,11 +68,11 @@ allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow slapd_t slapd_tmp_t:dir create_dir_perms;
|
||||
allow slapd_t slapd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(slapd_t, slapd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
||||
|
||||
allow slapd_t slapd_var_run_t:file create_file_perms;
|
||||
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(slapd_t,slapd_var_run_t)
|
||||
files_pid_filetrans(slapd_t,slapd_var_run_t)
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
@ -121,17 +121,17 @@ miscfiles_read_localization(slapd_t)
|
||||
sysnet_read_config(slapd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(slapd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
#reh slapcat will want to talk to the terminal
|
||||
term_use_generic_ptys(slapd_t)
|
||||
term_use_unallocated_ttys(slapd_t)
|
||||
|
||||
userdom_search_generic_user_home_dir(slapd_t)
|
||||
userdom_search_generic_user_home_dirs(slapd_t)
|
||||
#need to be able to read ldif files created by root
|
||||
# cjp: fix to not use templated interface:
|
||||
userdom_read_user_home_files(user,slapd_t)
|
||||
userdom_read_user_home_content_files(user,slapd_t)
|
||||
|
||||
term_dontaudit_use_unallocated_ttys(slapd_t)
|
||||
term_dontaudit_use_generic_ptys(slapd_t)
|
||||
|
@ -81,7 +81,7 @@ template(`lpd_per_userdomain_template',`
|
||||
|
||||
allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
|
||||
allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir })
|
||||
files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
|
||||
|
||||
allow $1_lpr_t $1_print_spool_t:file create_file_perms;
|
||||
allow $1_lpr_t print_spool_t:dir rw_dir_perms;
|
||||
@ -162,7 +162,7 @@ template(`lpd_per_userdomain_template',`
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
#list and read user specific untrusted content
|
||||
files_list_home($1_lpr_t)
|
||||
userdom_list_user_home($1,$1_lpr_t)
|
||||
userdom_list_user_home_dirs($1,$1_lpr_t)
|
||||
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
|
||||
|
||||
#list and read user specific temporary untrusted content
|
||||
@ -234,7 +234,7 @@ template(`lpr_admin_template',`
|
||||
type $1_lpr_t;
|
||||
')
|
||||
|
||||
userdom_read_all_users_home_files($1_lpr_t)
|
||||
userdom_read_all_users_home_content_files($1_lpr_t)
|
||||
|
||||
# Allow per user lpr domain read acces for specific user.
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
|
@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms };
|
||||
allow checkpc_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow checkpc_t checkpc_log_t:file create_file_perms;
|
||||
logging_filetrans_log(checkpc_t,checkpc_log_t)
|
||||
logging_log_filetrans(checkpc_t,checkpc_log_t)
|
||||
|
||||
allow checkpc_t lpd_var_run_t:dir { search getattr };
|
||||
files_search_pids(checkpc_t)
|
||||
@ -130,12 +130,12 @@ allow lpd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow lpd_t lpd_tmp_t:dir create_dir_perms;
|
||||
allow lpd_t lpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(lpd_t, lpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
|
||||
|
||||
allow lpd_t lpd_var_run_t:dir rw_dir_perms;
|
||||
allow lpd_t lpd_var_run_t:file create_file_perms;
|
||||
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(lpd_t,lpd_var_run_t)
|
||||
files_pid_filetrans(lpd_t,lpd_var_run_t)
|
||||
|
||||
# Write to /var/spool/lpd.
|
||||
allow lpd_t print_spool_t:dir rw_dir_perms;
|
||||
@ -149,7 +149,7 @@ can_exec(lpd_t, printconf_t)
|
||||
|
||||
# Create and bind to /dev/printer.
|
||||
allow lpd_t printer_t:lnk_file create_lnk_perms;
|
||||
dev_filetrans_dev(lpd_t,printer_t,lnk_file)
|
||||
dev_filetrans(lpd_t,printer_t,lnk_file)
|
||||
# cjp: I believe these have no effect:
|
||||
allow lpd_t printer_t:unix_stream_socket name_bind;
|
||||
allow lpd_t printer_t:unix_dgram_socket name_bind;
|
||||
@ -215,7 +215,7 @@ miscfiles_read_localization(lpd_t)
|
||||
sysnet_read_config(lpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(lpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(lpd_t)
|
||||
|
@ -37,15 +37,15 @@ template(`mailman_domain_template', `
|
||||
|
||||
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
|
||||
allow mailman_$1_t mailman_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(mailman_$1_t,mailman_lock_t)
|
||||
files_lock_filetrans(mailman_$1_t,mailman_lock_t)
|
||||
|
||||
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
|
||||
allow mailman_$1_t mailman_log_t:file create_file_perms;
|
||||
logging_filetrans_log(mailman_$1_t,mailman_log_t)
|
||||
logging_log_filetrans(mailman_$1_t,mailman_log_t)
|
||||
|
||||
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
|
||||
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(mailman_$1_t, mailman_$1_tmp_t, { file dir })
|
||||
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(mailman_$1_t)
|
||||
kernel_read_system_state(mailman_$1_t)
|
||||
|
@ -98,8 +98,8 @@ seutil_dontaudit_search_config(mailman_queue_t)
|
||||
|
||||
# some of the following could probably be changed to dontaudit, someone who
|
||||
# knows mailman well should test this out and send the changes
|
||||
userdom_search_sysadm_home_dir(mailman_queue_t)
|
||||
userdom_getattr_sysadm_home_dir(mailman_queue_t)
|
||||
userdom_search_sysadm_home_dirs(mailman_queue_t)
|
||||
userdom_getattr_sysadm_home_dirs(mailman_queue_t)
|
||||
|
||||
mta_tcp_connect_all_mailservers(mailman_queue_t)
|
||||
|
||||
|
@ -118,7 +118,7 @@ template(`mta_base_mail_template',`
|
||||
|
||||
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
|
||||
allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp($1_mail_t, $1_mail_tmp_t, { file dir })
|
||||
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
|
||||
|
||||
allow $1_mail_t etc_mail_t:dir { getattr search };
|
||||
|
||||
@ -214,16 +214,16 @@ template(`mta_per_userdomain_template',`
|
||||
# Write to the user domain tty. cjp: why?
|
||||
userdom_use_user_terminals($1,mta_user_agent)
|
||||
# Create dead.letter in user home directories.
|
||||
userdom_manage_user_home_files($1,$1_mail_t)
|
||||
userdom_filetrans_user_home($1,$1_mail_t,file)
|
||||
userdom_manage_user_home_content_files($1,$1_mail_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
|
||||
# for reading .forward - maybe we need a new type for it?
|
||||
# also for delivering mail to maildir
|
||||
userdom_manage_user_home_subdirs($1,mailserver_delivery)
|
||||
userdom_manage_user_home_files($1,mailserver_delivery)
|
||||
userdom_manage_user_home_symlinks($1,mailserver_delivery)
|
||||
userdom_manage_user_home_pipes($1,mailserver_delivery)
|
||||
userdom_manage_user_home_sockets($1,mailserver_delivery)
|
||||
userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
||||
userdom_manage_user_home_content_dirs($1,mailserver_delivery)
|
||||
userdom_manage_user_home_content_files($1,mailserver_delivery)
|
||||
userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
|
||||
userdom_manage_user_home_content_pipes($1,mailserver_delivery)
|
||||
userdom_manage_user_home_content_sockets($1,mailserver_delivery)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
|
||||
# Read user temporary files.
|
||||
userdom_read_user_tmp_files($1,$1_mail_t)
|
||||
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
|
||||
@ -279,7 +279,7 @@ template(`mta_admin_template',`
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
userdom_read_unpriv_users_home_files($1_mail_t)
|
||||
userdom_read_unpriv_users_home_content_files($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix',`
|
||||
@ -295,7 +295,7 @@ template(`mta_admin_template',`
|
||||
allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_filetrans_etc($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
# postfix needs this for newaliases
|
||||
files_getattr_tmp_dirs($1_mail_t)
|
||||
@ -304,7 +304,7 @@ template(`mta_admin_template',`
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
postfix_filetrans_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
')
|
||||
@ -534,12 +534,12 @@ interface(`mta_read_aliases',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_filetrans_aliases',`
|
||||
interface(`mta_etc_filetrans_aliases',`
|
||||
gen_require(`
|
||||
type etc_aliases_t;
|
||||
')
|
||||
|
||||
files_filetrans_etc($1,etc_aliases_t, file)
|
||||
files_etc_filetrans($1,etc_aliases_t, file)
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -661,7 +661,7 @@ interface(`mta_dontaudit_getattr_spool_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_filetrans_spool',`
|
||||
interface(`mta_spool_filetrans',`
|
||||
gen_require(`
|
||||
type mail_spool_t;
|
||||
')
|
||||
|
@ -77,12 +77,12 @@ ifdef(`targeted_policy',`
|
||||
# for reading .forward - maybe we need a new type for it?
|
||||
# also for delivering mail to maildir
|
||||
# cjp: fix this to generic_user interfaces
|
||||
userdom_manage_user_home_subdirs(user,mailserver_delivery)
|
||||
userdom_manage_generic_user_home_files(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_symlinks(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_sockets(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_pipes(mailserver_delivery)
|
||||
userdom_filetrans_generic_user_home(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_manage_user_home_content_dirs(user,mailserver_delivery)
|
||||
userdom_manage_generic_user_home_content_files(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
|
||||
userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
|
||||
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# cjp: another require-in-else to resolve
|
||||
# optional_policy(`postfix',`',`
|
||||
@ -140,7 +140,7 @@ optional_policy(`postfix',`
|
||||
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
|
||||
allow system_mail_t etc_aliases_t:sock_file create_file_perms;
|
||||
allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_filetrans_etc(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_use_interactive_fds(system_mail_t)
|
||||
|
||||
@ -153,7 +153,7 @@ optional_policy(`postfix',`
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# compatability for old default main.cf
|
||||
postfix_filetrans_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
|
@ -42,23 +42,23 @@ allow mysqld_t self:udp_socket create_socket_perms;
|
||||
allow mysqld_t mysqld_db_t:dir create_dir_perms;
|
||||
allow mysqld_t mysqld_db_t:file create_file_perms;
|
||||
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
|
||||
files_filetrans_var_lib(mysqld_t,mysqld_db_t,{ dir file })
|
||||
files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
|
||||
|
||||
allow mysqld_t mysqld_etc_t:file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
||||
|
||||
allow mysqld_t mysqld_log_t:file create_file_perms;
|
||||
logging_filetrans_log(mysqld_t,mysqld_log_t)
|
||||
logging_log_filetrans(mysqld_t,mysqld_log_t)
|
||||
|
||||
allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
|
||||
allow mysqld_t mysqld_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(mysqld_t, mysqld_tmp_t, { file dir })
|
||||
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
|
||||
|
||||
allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
|
||||
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
|
||||
allow mysqld_t mysqld_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(mysqld_t,mysqld_var_run_t)
|
||||
files_pid_filetrans(mysqld_t,mysqld_var_run_t)
|
||||
|
||||
kernel_list_proc(mysqld_t)
|
||||
kernel_read_kernel_sysctls(mysqld_t)
|
||||
@ -108,7 +108,7 @@ sysnet_read_config(mysqld_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
||||
# for /root/.my.cnf - should not be needed:
|
||||
userdom_read_sysadm_home_files(mysqld_t)
|
||||
userdom_read_sysadm_home_content_files(mysqld_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# because Fedora has the sock_file in the database directory
|
||||
|
@ -32,7 +32,7 @@ allow NetworkManager_t self:packet_socket create_socket_perms;
|
||||
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
|
||||
allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
|
||||
allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
|
||||
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
|
||||
|
||||
kernel_read_system_state(NetworkManager_t)
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
@ -103,10 +103,10 @@ sysnet_delete_dhcpc_pid(NetworkManager_t)
|
||||
sysnet_search_dhcp_state(NetworkManager_t)
|
||||
# in /etc created by NetworkManager will be labelled net_conf_t.
|
||||
sysnet_manage_config(NetworkManager_t)
|
||||
sysnet_filetrans_config(NetworkManager_t)
|
||||
sysnet_etc_filetrans_config(NetworkManager_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
|
||||
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -54,11 +54,11 @@ allow ypbind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
|
||||
allow ypbind_t ypbind_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(ypbind_t, ypbind_tmp_t, { file dir })
|
||||
files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
|
||||
|
||||
allow ypbind_t ypbind_var_run_t:file manage_file_perms;
|
||||
allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ypbind_t,ypbind_var_run_t)
|
||||
files_pid_filetrans(ypbind_t,ypbind_var_run_t)
|
||||
|
||||
allow ypbind_t var_yp_t:dir rw_dir_perms;
|
||||
allow ypbind_t var_yp_t:file create_file_perms;
|
||||
@ -113,7 +113,7 @@ miscfiles_read_localization(ypbind_t)
|
||||
sysnet_read_config(ypbind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
|
||||
|
||||
portmap_udp_send(ypbind_t)
|
||||
|
||||
@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
|
||||
allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(yppasswdd_t,yppasswdd_var_run_t)
|
||||
files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t)
|
||||
|
||||
allow yppasswdd_t var_yp_t:dir rw_dir_perms;
|
||||
allow yppasswdd_t var_yp_t:file create_file_perms;
|
||||
@ -214,7 +214,7 @@ miscfiles_read_localization(yppasswdd_t)
|
||||
sysnet_read_config(yppasswdd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(yppasswdd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
|
||||
|
||||
portmap_udp_send(yppasswdd_t)
|
||||
|
||||
@ -256,11 +256,11 @@ allow ypserv_t ypserv_conf_t:file { getattr read };
|
||||
|
||||
allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
|
||||
allow ypserv_t ypserv_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(ypserv_t, ypserv_tmp_t, { file dir })
|
||||
files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
|
||||
|
||||
allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
|
||||
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
|
||||
files_filetrans_pid(ypserv_t,ypserv_var_run_t)
|
||||
files_pid_filetrans(ypserv_t,ypserv_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ypserv_t)
|
||||
kernel_list_proc(ypserv_t)
|
||||
@ -309,7 +309,7 @@ miscfiles_read_localization(ypserv_t)
|
||||
sysnet_read_config(ypserv_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypserv_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
|
||||
|
||||
portmap_udp_send(ypserv_t)
|
||||
|
||||
|
@ -45,12 +45,12 @@ allow nscd_t self:udp_socket create_socket_perms;
|
||||
allow nscd_t self:nscd { admin getstat };
|
||||
|
||||
allow nscd_t nscd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(nscd_t,nscd_log_t)
|
||||
logging_log_filetrans(nscd_t,nscd_log_t)
|
||||
|
||||
allow nscd_t nscd_var_run_t:file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(nscd_t,nscd_var_run_t,{ file sock_file })
|
||||
files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctls(nscd_t)
|
||||
kernel_list_proc(nscd_t)
|
||||
@ -111,7 +111,7 @@ seutil_sigchld_newrole(nscd_t)
|
||||
sysnet_read_config(nscd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(nscd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_ttys(nscd_t)
|
||||
|
@ -49,16 +49,16 @@ can_exec(ntpd_t,ntpd_exec_t)
|
||||
|
||||
allow ntpd_t ntpd_log_t:file create_file_perms;
|
||||
allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
|
||||
logging_filetrans_log(ntpd_t,ntpd_log_t,{ file dir })
|
||||
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
|
||||
|
||||
# for some reason it creates a file in /tmp
|
||||
allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
|
||||
allow ntpd_t ntpd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(ntpd_t, ntpd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
|
||||
|
||||
allow ntpd_t ntpd_var_run_t:file create_file_perms;
|
||||
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(ntpd_t,ntpd_var_run_t)
|
||||
files_pid_filetrans(ntpd_t,ntpd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(ntpd_t)
|
||||
kernel_read_system_state(ntpd_t)
|
||||
@ -113,8 +113,8 @@ miscfiles_read_localization(ntpd_t)
|
||||
sysnet_read_config(ntpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
|
||||
userdom_list_sysadm_home_dir(ntpd_t)
|
||||
userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
|
||||
userdom_list_sysadm_home_dirs(ntpd_t)
|
||||
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(ntpd_t)
|
||||
|
@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
|
||||
|
||||
allow openct_t openct_var_run_t:file create_file_perms;
|
||||
allow openct_t openct_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(openct_t,openct_var_run_t)
|
||||
files_pid_filetrans(openct_t,openct_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(openct_t)
|
||||
kernel_list_proc(openct_t)
|
||||
@ -54,7 +54,7 @@ logging_send_syslog_msg(openct_t)
|
||||
miscfiles_read_localization(openct_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(openct_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(openct_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(openct_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(openct_t)
|
||||
|
@ -54,12 +54,12 @@ allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
|
||||
|
||||
allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
|
||||
allow pegasus_t pegasus_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
|
||||
allow pegasus_t pegasus_var_run_t:file create_file_perms;
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(pegasus_t,pegasus_var_run_t)
|
||||
files_pid_filetrans(pegasus_t,pegasus_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
kernel_read_fs_sysctls(pegasus_t)
|
||||
@ -109,7 +109,7 @@ miscfiles_read_localization(pegasus_t)
|
||||
sysnet_read_config(pegasus_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pegasus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(pegasus_t)
|
||||
|
@ -36,11 +36,11 @@ allow portmap_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow portmap_t portmap_tmp_t:dir create_dir_perms;
|
||||
allow portmap_t portmap_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(portmap_t, portmap_tmp_t, { file dir })
|
||||
files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
|
||||
|
||||
allow portmap_t portmap_var_run_t:file create_file_perms;
|
||||
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(portmap_t,portmap_var_run_t)
|
||||
files_pid_filetrans(portmap_t,portmap_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(portmap_t)
|
||||
kernel_list_proc(portmap_t)
|
||||
@ -95,7 +95,7 @@ miscfiles_read_localization(portmap_t)
|
||||
sysnet_read_config(portmap_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(portmap_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(portmap_t)
|
||||
@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow portmap_helper_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(portmap_helper_t,portmap_var_run_t)
|
||||
files_pid_filetrans(portmap_helper_t,portmap_var_run_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(portmap_helper_t)
|
||||
corenet_udp_sendrecv_all_if(portmap_helper_t)
|
||||
|
@ -45,7 +45,7 @@ template(`postfix_domain_template',`
|
||||
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
|
||||
|
||||
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
|
||||
files_filetrans_pid(postfix_$1_t,postfix_var_run_t)
|
||||
files_pid_filetrans(postfix_$1_t,postfix_var_run_t)
|
||||
|
||||
kernel_read_system_state(postfix_$1_t)
|
||||
kernel_read_network_state(postfix_$1_t)
|
||||
@ -216,7 +216,7 @@ interface(`postfix_read_config',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_filetrans_config',`
|
||||
interface(`postfix_config_filetrans',`
|
||||
gen_require(`
|
||||
type postfix_etc_t;
|
||||
')
|
||||
|
@ -257,7 +257,7 @@ allow postfix_local_t self:process { setsched setrlimit };
|
||||
|
||||
allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
|
||||
allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(postfix_local_t, postfix_local_tmp_t, { file dir })
|
||||
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
|
||||
|
||||
# connect to master process
|
||||
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
|
||||
@ -301,7 +301,7 @@ allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
|
||||
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
|
||||
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(postfix_map_t)
|
||||
kernel_dontaudit_list_proc(postfix_map_t)
|
||||
|
@ -48,7 +48,7 @@ allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
|
||||
allow postgresql_t postgresql_db_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
|
||||
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
|
||||
files_filetrans_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
|
||||
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow postgresql_t postgresql_etc_t:dir r_dir_perms;
|
||||
allow postgresql_t postgresql_etc_t:file r_file_perms;
|
||||
@ -58,24 +58,24 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(postgresql_t,postgresql_lock_t)
|
||||
files_lock_filetrans(postgresql_t,postgresql_lock_t)
|
||||
|
||||
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_log_t:file create_file_perms;
|
||||
logging_filetrans_log(postgresql_t,postgresql_log_t,{ file dir })
|
||||
logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
|
||||
|
||||
allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
|
||||
allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
|
||||
allow postgresql_t postgresql_tmp_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
|
||||
allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
|
||||
files_filetrans_tmp(postgresql_t, postgresql_tmp_t, { dir file sock_file })
|
||||
fs_filetrans_tmpfs(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
|
||||
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
|
||||
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_var_run_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(postgresql_t,postgresql_var_run_t)
|
||||
files_pid_filetrans(postgresql_t,postgresql_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(postgresql_t)
|
||||
kernel_read_system_state(postgresql_t)
|
||||
@ -136,7 +136,7 @@ seutil_dontaudit_search_config(postgresql_t)
|
||||
|
||||
sysnet_read_config(postgresql_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
|
||||
|
||||
|
@ -80,23 +80,23 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
||||
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_t:file r_file_perms;
|
||||
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
||||
files_filetrans_etc(pppd_t,pppd_etc_t)
|
||||
files_etc_filetrans(pppd_t,pppd_etc_t)
|
||||
|
||||
allow pppd_t pppd_etc_rw_t:file create_file_perms;
|
||||
|
||||
allow pppd_t pppd_lock_t:file create_file_perms;
|
||||
files_filetrans_lock(pppd_t,pppd_lock_t)
|
||||
files_lock_filetrans(pppd_t,pppd_lock_t)
|
||||
|
||||
allow pppd_t pppd_log_t:file create_file_perms;
|
||||
logging_filetrans_log(pppd_t,pppd_log_t)
|
||||
logging_log_filetrans(pppd_t,pppd_log_t)
|
||||
|
||||
allow pppd_t pppd_tmp_t:dir create_dir_perms;
|
||||
allow pppd_t pppd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(pppd_t, pppd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
|
||||
|
||||
allow pppd_t pppd_var_run_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_var_run_t:file create_file_perms;
|
||||
files_filetrans_pid(pppd_t,pppd_var_run_t)
|
||||
files_pid_filetrans(pppd_t,pppd_var_run_t)
|
||||
|
||||
allow pppd_t pptp_t:process signal;
|
||||
|
||||
@ -170,10 +170,10 @@ sysnet_exec_ifconfig(pppd_t)
|
||||
sysnet_manage_config(pppd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pppd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
|
||||
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
||||
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
|
||||
userdom_search_sysadm_home_dir(pppd_t)
|
||||
userdom_search_sysadm_home_dirs(pppd_t)
|
||||
userdom_search_unpriv_users_home_dirs(pppd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
|
||||
allow pptp_t pppd_log_t:file append;
|
||||
|
||||
allow pptp_t pptp_log_t:file create_file_perms;
|
||||
logging_filetrans_log(pptp_t,pptp_log_t)
|
||||
logging_log_filetrans(pptp_t,pptp_log_t)
|
||||
|
||||
allow pptp_t pptp_var_run_t:file create_file_perms;
|
||||
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
|
||||
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
|
||||
files_filetrans_pid(pptp_t,pptp_var_run_t)
|
||||
files_pid_filetrans(pptp_t,pptp_var_run_t)
|
||||
|
||||
kernel_list_proc(pptp_t)
|
||||
kernel_read_kernel_sysctls(pptp_t)
|
||||
@ -294,7 +294,7 @@ miscfiles_read_localization(pptp_t)
|
||||
sysnet_read_config(pptp_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pptp_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(pptp_t)
|
||||
|
@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
|
||||
|
||||
allow privoxy_t privoxy_log_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||
logging_filetrans_log(privoxy_t,privoxy_log_t)
|
||||
logging_log_filetrans(privoxy_t,privoxy_log_t)
|
||||
|
||||
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(privoxy_t,privoxy_var_run_t)
|
||||
files_pid_filetrans(privoxy_t,privoxy_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(privoxy_t)
|
||||
kernel_list_proc(privoxy_t)
|
||||
@ -76,7 +76,7 @@ miscfiles_read_localization(privoxy_t)
|
||||
sysnet_dns_name_resolve(privoxy_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
|
||||
# cjp: this should really not be needed
|
||||
userdom_use_sysadm_terms(privoxy_t)
|
||||
|
||||
|
@ -65,8 +65,8 @@ miscfiles_read_localization(procmail_t)
|
||||
# only works until we define a different type for maildir
|
||||
userdom_priveleged_home_dir_manager(procmail_t)
|
||||
# Do not audit attempts to access /root.
|
||||
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
|
||||
userdom_dontaudit_search_staff_home_dir(procmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
|
||||
userdom_dontaudit_search_staff_home_dirs(procmail_t)
|
||||
|
||||
mta_manage_spool(procmail_t)
|
||||
|
||||
|
@ -41,11 +41,11 @@ files_search_etc(radiusd_t)
|
||||
|
||||
allow radiusd_t radiusd_log_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_log_t:dir create_dir_perms;
|
||||
logging_filetrans_log(radiusd_t,radiusd_log_t,{ file dir })
|
||||
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
|
||||
|
||||
allow radiusd_t radiusd_var_run_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(radiusd_t,radiusd_var_run_t)
|
||||
files_pid_filetrans(radiusd_t,radiusd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(radiusd_t)
|
||||
kernel_read_system_state(radiusd_t)
|
||||
@ -100,7 +100,7 @@ miscfiles_read_localization(radiusd_t)
|
||||
sysnet_read_config(radiusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
|
||||
userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
|
||||
|
||||
allow radvd_t radvd_var_run_t:file create_file_perms;
|
||||
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(radvd_t,radvd_var_run_t)
|
||||
files_pid_filetrans(radvd_t,radvd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(radvd_t)
|
||||
kernel_read_net_sysctls(radvd_t)
|
||||
@ -76,7 +76,7 @@ miscfiles_read_localization(radvd_t)
|
||||
sysnet_read_config(radvd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(radvd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(radvd_t)
|
||||
|
@ -40,7 +40,7 @@ allow remote_login_t self:msg { send receive };
|
||||
|
||||
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
|
||||
allow remote_login_t remote_login_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
|
||||
files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(remote_login_t)
|
||||
kernel_read_kernel_sysctls(remote_login_t)
|
||||
@ -120,8 +120,8 @@ sysnet_dns_name_resolve(remote_login_t)
|
||||
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(remote_login_t)
|
||||
userdom_search_all_users_home(remote_login_t)
|
||||
userdom_use_unpriv_users_fds(remote_login_t)
|
||||
userdom_search_all_users_home_content(remote_login_t)
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
# since very weak authentication is used.
|
||||
userdom_signal_unpriv_users(remote_login_t)
|
||||
|
@ -41,11 +41,11 @@ can_exec(rlogind_t, rlogind_exec_t)
|
||||
|
||||
allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
|
||||
allow rlogind_t rlogind_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(rlogind_t, rlogind_tmp_t, { file dir })
|
||||
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
|
||||
|
||||
allow rlogind_t rlogind_var_run_t:file create_file_perms;
|
||||
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(rlogind_t,rlogind_var_run_t)
|
||||
files_pid_filetrans(rlogind_t,rlogind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(rlogind_t)
|
||||
kernel_read_system_state(rlogind_t)
|
||||
@ -90,7 +90,7 @@ sysnet_read_config(rlogind_t)
|
||||
|
||||
userdom_setattr_unpriv_users_ptys(rlogind_t)
|
||||
# cjp: this is egregious
|
||||
userdom_read_all_users_home_files(rlogind_t)
|
||||
userdom_read_all_users_home_content_files(rlogind_t)
|
||||
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
|
||||
|
@ -30,11 +30,11 @@ allow roundup_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow roundup_t roundup_var_run_t:file create_file_perms;
|
||||
allow roundup_t roundup_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(roundup_t,roundup_var_run_t)
|
||||
files_pid_filetrans(roundup_t,roundup_var_run_t)
|
||||
|
||||
allow roundup_t roundup_var_lib_t:file create_file_perms;
|
||||
allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
|
||||
files_filetrans_var_lib(roundup_t,roundup_var_lib_t)
|
||||
files_var_lib_filetrans(roundup_t,roundup_var_lib_t)
|
||||
|
||||
kernel_read_kernel_sysctls(roundup_t)
|
||||
kernel_list_proc(roundup_t)
|
||||
@ -86,7 +86,7 @@ miscfiles_read_localization(roundup_t)
|
||||
sysnet_read_config(roundup_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(roundup_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(roundup_t)
|
||||
|
@ -43,7 +43,7 @@ allow rpcd_t self:file { getattr read };
|
||||
|
||||
allow rpcd_t rpcd_var_run_t:file manage_file_perms;
|
||||
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
|
||||
files_filetrans_pid(rpcd_t,rpcd_var_run_t)
|
||||
files_pid_filetrans(rpcd_t,rpcd_var_run_t)
|
||||
|
||||
kernel_search_network_state(rpcd_t)
|
||||
# for rpc.rquotad
|
||||
@ -124,7 +124,7 @@ allow gssd_t self:fifo_file { read write };
|
||||
|
||||
allow gssd_t gssd_tmp_t:dir create_dir_perms;
|
||||
allow gssd_t gssd_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(gssd_t, gssd_tmp_t, { file dir })
|
||||
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
||||
|
||||
kernel_read_network_state(gssd_t)
|
||||
kernel_read_network_state_symlinks(gssd_t)
|
||||
|
@ -65,7 +65,7 @@ seutil_read_default_contexts(rshd_t)
|
||||
|
||||
sysnet_read_config(rshd_t)
|
||||
|
||||
userdom_search_all_users_home(rshd_t)
|
||||
userdom_search_all_users_home_content(rshd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain(rshd_t)
|
||||
|
@ -44,11 +44,11 @@ allow rsync_t rsync_data_t:lnk_file r_file_perms;
|
||||
|
||||
allow rsync_t rsync_tmp_t:dir create_dir_perms;
|
||||
allow rsync_t rsync_tmp_t:file create_file_perms;
|
||||
files_filetrans_tmp(rsync_t, rsync_tmp_t, { file dir })
|
||||
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
|
||||
|
||||
allow rsync_t rsync_var_run_t:file create_file_perms;
|
||||
allow rsync_t rsync_var_run_t:dir rw_dir_perms;
|
||||
files_filetrans_pid(rsync_t,rsync_var_run_t)
|
||||
files_pid_filetrans(rsync_t,rsync_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctls(rsync_t)
|
||||
kernel_read_system_state(rsync_t)
|
||||
|
@ -33,11 +33,11 @@ template(`samba_per_userdomain_template',`
|
||||
')
|
||||
|
||||
tunable_policy(`samba_enable_home_dirs',`
|
||||
userdom_manage_user_home_files($1,smbd_t)
|
||||
userdom_manage_user_home_symlinks($1,smbd_t)
|
||||
userdom_manage_user_home_sockets($1,smbd_t)
|
||||
userdom_manage_user_home_pipes($1,smbd_t)
|
||||
userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
userdom_manage_user_home_content_files($1,smbd_t)
|
||||
userdom_manage_user_home_content_symlinks($1,smbd_t)
|
||||
userdom_manage_user_home_content_sockets($1,smbd_t)
|
||||
userdom_manage_user_home_content_pipes($1,smbd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
')
|
||||
')
|
||||
|
||||
|