patch from Dan Tue, 20 Jun 2006 16:19:13 -0400
This commit is contained in:
Chris PeBenito
parent
1b11a1fe65
commit
123a990b6f
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bootloader,1.2.3)
|
||||
policy_module(bootloader,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -49,7 +49,7 @@ logging_log_file(var_log_ksyms_t)
|
||||
#
|
||||
|
||||
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
|
||||
allow bootloader_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||
@ -111,6 +111,7 @@ files_dontaudit_search_pids(bootloader_t)
|
||||
# for blkid.tab
|
||||
files_manage_etc_runtime_files(bootloader_t)
|
||||
files_etc_filetrans_etc_runtime(bootloader_t,file)
|
||||
files_dontaudit_search_home(bootloader_t)
|
||||
|
||||
init_getattr_initctl(bootloader_t)
|
||||
init_use_script_ptys(bootloader_t)
|
||||
@ -127,6 +128,8 @@ logging_rw_generic_logs(bootloader_t)
|
||||
|
||||
miscfiles_read_localization(bootloader_t)
|
||||
|
||||
modutils_domtrans_insmod_uncond(bootloader_t)
|
||||
|
||||
seutil_read_bin_policy(bootloader_t)
|
||||
seutil_read_loadpolicy(bootloader_t)
|
||||
seutil_dontaudit_search_config(bootloader_t)
|
||||
@ -179,6 +182,10 @@ optional_policy(`
|
||||
fstools_exec(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kudzu_domtrans(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dev_rw_lvm_control(bootloader_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logwatch,1.1.1)
|
||||
policy_module(logwatch,1.1.2)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -23,7 +23,7 @@ files_tmp_file(logwatch_tmp_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow logwatch_t self:capability setgid;
|
||||
allow logwatch_t self:capability { dac_override dac_read_search setgid };
|
||||
allow logwatch_t self:fifo_file rw_file_perms;
|
||||
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(netutils,1.1.3)
|
||||
policy_module(netutils,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
|
||||
corenet_udp_sendrecv_all_ports(netutils_t)
|
||||
corenet_tcp_connect_all_ports(netutils_t)
|
||||
corenet_sendrecv_all_client_packets(netutils_t)
|
||||
corenet_udp_bind_generic_node(netutils_t)
|
||||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
|
||||
@ -3,6 +3,5 @@
|
||||
|
||||
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
|
||||
|
||||
/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
||||
|
||||
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink,1.1.3)
|
||||
policy_module(prelink,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -351,6 +351,26 @@ interface(`files_dontaudit_list_non_security',`
|
||||
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on all non-security
|
||||
## directories and files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mounton_non_security',`
|
||||
gen_require(`
|
||||
attribute file_type, security_file_type;
|
||||
')
|
||||
|
||||
allow $1 { file_type -security_file_type }:dir mounton;
|
||||
allow $1 { file_type -security_file_type }:file mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to modify any directory
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.2.11)
|
||||
policy_module(files,1.2.12)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.3.10)
|
||||
policy_module(filesystem,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -69,6 +69,11 @@ fs_type(hugetlbfs_t)
|
||||
files_mountpoint(hugetlbfs_t)
|
||||
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
|
||||
|
||||
type ibmasmfs_t;
|
||||
fs_type(ibmasmfs_t)
|
||||
allow ibmasmfs_t self:filesystem associate;
|
||||
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
|
||||
|
||||
type inotifyfs_t;
|
||||
fs_type(inotifyfs_t)
|
||||
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
||||
|
||||
@ -7,7 +7,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
|
||||
|
||||
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
|
||||
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@ -29,19 +29,22 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
|
||||
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
||||
|
||||
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
||||
')
|
||||
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
||||
|
||||
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
||||
@ -65,11 +68,11 @@ ifdef(`distro_debian', `
|
||||
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
||||
ifdef(`targeted_policy', `', `
|
||||
ifdef(`strict_policy',`
|
||||
/var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0)
|
||||
')
|
||||
|
||||
@ -77,4 +80,3 @@ ifdef(`targeted_policy', `', `
|
||||
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
|
||||
@ -15,6 +15,7 @@ template(`apache_content_template',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
attribute httpd_exec_scripts;
|
||||
attribute httpd_script_exec_type;
|
||||
type httpd_t, httpd_suexec_t, httpd_log_t;
|
||||
')
|
||||
# allow write access to public file transfer
|
||||
@ -35,7 +36,7 @@ template(`apache_content_template',`
|
||||
role system_r types httpd_$1_script_t;
|
||||
|
||||
# This type is used for executable scripts files
|
||||
type httpd_$1_script_exec_t; # customizable;
|
||||
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
||||
corecmd_shell_entry_type(httpd_$1_script_t)
|
||||
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
|
||||
|
||||
@ -336,6 +337,58 @@ template(`apache_per_userdomain_template', `
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read httpd user scripts executables.
|
||||
## </summary>
|
||||
## <param name="domain_prefix">
|
||||
## <summary>
|
||||
## Prefix of the domain. Example, user would be
|
||||
## the prefix for the uder_t domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`apache_read_user_scripts',`
|
||||
gen_require(`
|
||||
type httpd_$1_script_exec_t;
|
||||
')
|
||||
|
||||
allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
|
||||
allow $2 httpd_$1_script_exec_t:file r_file_perms;
|
||||
allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read user web content.
|
||||
## </summary>
|
||||
## <param name="domain_prefix">
|
||||
## <summary>
|
||||
## Prefix of the domain. Example, user would be
|
||||
## the prefix for the uder_t domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`apache_read_user_content',`
|
||||
gen_require(`
|
||||
type httpd_$1_content_t;
|
||||
')
|
||||
|
||||
allow $2 httpd_$1_content_t:dir r_dir_perms;
|
||||
allow $2 httpd_$1_content_t:file r_file_perms;
|
||||
allow $2 httpd_$1_content_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to apache.
|
||||
@ -464,12 +517,17 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
|
||||
#
|
||||
interface(`apache_manage_all_content',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
attribute httpdcontent, httpd_script_exec_type;
|
||||
')
|
||||
|
||||
allow $1 httpdcontent:dir manage_dir_perms;
|
||||
allow $1 httpdcontent:file manage_file_perms;
|
||||
allow $1 httpdcontent:lnk_file create_lnk_perms;
|
||||
|
||||
allow $1 httpd_script_exec_type:dir manage_dir_perms;
|
||||
allow $1 httpd_script_exec_type:file manage_file_perms;
|
||||
allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -513,6 +571,28 @@ interface(`apache_read_config',`
|
||||
allow $1 httpd_config_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## apache configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_manage_config',`
|
||||
gen_require(`
|
||||
type httpd_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 httpd_config_t:dir manage_dir_perms;
|
||||
allow $1 httpd_config_t:file manage_file_perms;
|
||||
allow $1 httpd_config_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the Apache helper program with
|
||||
@ -632,6 +712,28 @@ interface(`apache_dontaudit_append_log',`
|
||||
dontaudit $1 httpd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## to apache log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_manage_log',`
|
||||
gen_require(`
|
||||
type httpd_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 httpd_log_t:dir manage_dir_perms;
|
||||
allow $1 httpd_log_t:file manage_file_perms;
|
||||
allow $1 httpd_log_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search Apache
|
||||
@ -692,6 +794,28 @@ interface(`apache_exec_modules',`
|
||||
can_exec($1,httpd_modules_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run httpd_rotatelogs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_domtrans_rotatelogs',`
|
||||
gen_require(`
|
||||
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
|
||||
|
||||
allow httpd_rotatelogs_t $1:fd use;
|
||||
allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
|
||||
allow httpd_rotatelogs_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
@ -903,55 +1027,3 @@ interface(`apache_search_sys_script_state',`
|
||||
|
||||
allow $1 httpd_sys_script_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read httpd user scripts executables.
|
||||
## </summary>
|
||||
## <param name="domain_prefix">
|
||||
## <summary>
|
||||
## Prefix of the domain. Example, user would be
|
||||
## the prefix for the uder_t domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_read_user_scripts',`
|
||||
gen_require(`
|
||||
type httpd_$1_script_exec_t;
|
||||
')
|
||||
|
||||
allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
|
||||
allow $2 httpd_$1_script_exec_t:file r_file_perms;
|
||||
allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read user web content.
|
||||
## </summary>
|
||||
## <param name="domain_prefix">
|
||||
## <summary>
|
||||
## Prefix of the domain. Example, user would be
|
||||
## the prefix for the uder_t domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_read_user_content',`
|
||||
gen_require(`
|
||||
type httpd_$1_content_t;
|
||||
')
|
||||
|
||||
allow $2 httpd_$1_content_t:dir r_dir_perms;
|
||||
allow $2 httpd_$1_content_t:file r_file_perms;
|
||||
allow $2 httpd_$1_content_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.3.13)
|
||||
policy_module(apache,1.3.14)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -25,6 +25,8 @@ attribute httpdcontent;
|
||||
# domains that can exec all users scripts
|
||||
attribute httpd_exec_scripts;
|
||||
|
||||
attribute httpd_script_exec_type;
|
||||
|
||||
# user script domains
|
||||
attribute httpd_script_domains;
|
||||
|
||||
@ -68,6 +70,10 @@ role system_r types httpd_php_t;
|
||||
type httpd_php_tmp_t;
|
||||
files_tmp_file(httpd_php_tmp_t)
|
||||
|
||||
type httpd_rotatelogs_t;
|
||||
type httpd_rotatelogs_exec_t;
|
||||
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
|
||||
|
||||
type httpd_squirrelmail_t;
|
||||
files_type(httpd_squirrelmail_t)
|
||||
|
||||
@ -109,14 +115,6 @@ files_pid_file(httpd_var_run_t)
|
||||
type squirrelmail_spool_t;
|
||||
files_tmp_file(squirrelmail_spool_t)
|
||||
|
||||
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
|
||||
# This is a bug but it still exists in FC2
|
||||
# cjp: probably can remove this
|
||||
ifdef(`distro_redhat',`
|
||||
typealias httpd_log_t alias httpd_runtime_t;
|
||||
dontaudit httpd_t httpd_runtime_t:file ioctl;
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
typealias httpd_sys_content_t alias httpd_user_content_t;
|
||||
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
|
||||
@ -293,6 +291,15 @@ tunable_policy(`allow_httpd_anon_write',`
|
||||
miscfiles_manage_public_files(httpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO', `
|
||||
#
|
||||
# We need optionals to be able to be within booleans to make this work
|
||||
#
|
||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||
auth_domtrans_chk_passwd(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
@ -655,6 +662,9 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
files_search_var_lib(httpd_sys_script_t)
|
||||
files_search_spool(httpd_sys_script_t)
|
||||
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
')
|
||||
@ -688,3 +698,26 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
nscd_socket_use(httpd_unconfined_script_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
|
||||
allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
|
||||
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
|
||||
|
||||
files_read_etc_files(httpd_rotatelogs_t)
|
||||
|
||||
libs_use_ld_so(httpd_rotatelogs_t)
|
||||
libs_use_shared_libs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.2.6)
|
||||
policy_module(automount,1.2.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
|
||||
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
|
||||
dontaudit automount_t self:capability sys_tty_config;
|
||||
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
|
||||
allow automount_t self:fifo_file rw_file_perms;
|
||||
@ -64,8 +64,17 @@ kernel_read_proc_symlinks(automount_t)
|
||||
kernel_read_system_state(automount_t)
|
||||
kernel_read_network_state(automount_t)
|
||||
kernel_list_proc(automount_t)
|
||||
kernel_dontaudit_search_xen_state(automount_t)
|
||||
|
||||
files_search_boot(automount_t)
|
||||
# Automount is slowly adding all mount functionality internally
|
||||
files_search_all(automount_t)
|
||||
files_mounton_all_mountpoints(automount_t)
|
||||
files_mount_all_file_type_fs(automount_t)
|
||||
files_unmount_all_file_type_fs(automount_t)
|
||||
|
||||
fs_mount_all_fs(automount_t)
|
||||
fs_unmount_all_fs(automount_t)
|
||||
|
||||
corecmd_exec_sbin(automount_t)
|
||||
corecmd_exec_bin(automount_t)
|
||||
|
||||
@ -62,6 +62,25 @@ interface(`clamav_read_config',`
|
||||
allow $1 clamd_etc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search clamav libraries directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`clamav_search_lib',`
|
||||
gen_require(`
|
||||
type clamd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 clamd_var_lib_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clamscan.
|
||||
@ -83,4 +102,3 @@ interface(`clamav_domtrans_clamscan',`
|
||||
allow clamscan_t $1:fifo_file rw_file_perms;
|
||||
allow clamscan_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(clamav,1.0.3)
|
||||
policy_module(clamav,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -21,6 +21,7 @@
|
||||
/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
|
||||
|
||||
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
|
||||
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
||||
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
||||
|
||||
@ -40,7 +40,7 @@ interface(`cups_stream_connect',`
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 cupsd_var_run_t:dir search;
|
||||
allow $1 cupsd_var_run_t:sock_file write;
|
||||
allow $1 cupsd_var_run_t:sock_file { getattr write };
|
||||
allow $1 cupsd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.3.9)
|
||||
policy_module(cups,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -313,6 +313,7 @@ allow cupsd_config_t self:fifo_file rw_file_perms;
|
||||
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
|
||||
@ -342,6 +343,9 @@ allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
|
||||
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
|
||||
|
||||
allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
|
||||
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
|
||||
kernel_read_system_state(cupsd_config_t)
|
||||
@ -357,6 +361,7 @@ corenet_sendrecv_all_client_packets(cupsd_config_t)
|
||||
|
||||
dev_read_sysfs(cupsd_config_t)
|
||||
dev_read_urand(cupsd_config_t)
|
||||
dev_read_rand(cupsd_config_t)
|
||||
|
||||
fs_getattr_all_fs(cupsd_config_t)
|
||||
fs_search_auto_mountpoints(cupsd_config_t)
|
||||
@ -397,6 +402,8 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
|
||||
|
||||
lpd_read_config(cupsd_config_t)
|
||||
|
||||
cups_stream_connect(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
init_getattr_script_files(cupsd_config_t)
|
||||
|
||||
@ -430,6 +437,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
hal_read_tmp_files(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -593,6 +601,7 @@ corenet_receive_hplip_server_packets(hplip_t)
|
||||
dev_read_sysfs(hplip_t)
|
||||
dev_rw_printer(hplip_t)
|
||||
dev_read_urand(hplip_t)
|
||||
dev_read_rand(hplip_t)
|
||||
dev_rw_generic_usb_dev(hplip_t)
|
||||
|
||||
fs_getattr_all_fs(hplip_t)
|
||||
|
||||
@ -101,10 +101,27 @@ interface(`hal_dbus_chat',`
|
||||
allow hald_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hald tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_read_tmp_files',`
|
||||
gen_require(`
|
||||
type hald_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 hald_tmp_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read hald state files.
|
||||
## Read hald PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -124,7 +141,7 @@ interface(`hal_read_pid_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/Write hald state files.
|
||||
## Read/Write hald PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.9)
|
||||
policy_module(hal,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -194,9 +194,3 @@ optional_policy(`
|
||||
cron_read_system_job_tmp_files(mta_user_agent)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for the start script to run make -C /etc/mail
|
||||
allow initrc_t etc_mail_t:dir rw_dir_perms;
|
||||
allow initrc_t etc_mail_t:file create_file_perms;
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.3.4)
|
||||
policy_module(networkmanager,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -92,6 +92,7 @@ libs_use_shared_libs(NetworkManager_t)
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
|
||||
miscfiles_read_localization(NetworkManager_t)
|
||||
miscfiles_read_certs(NetworkManager_t)
|
||||
|
||||
modutils_domtrans_insmod(NetworkManager_t)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntp,1.1.2)
|
||||
policy_module(ntp,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -62,6 +62,7 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ntpd_t)
|
||||
kernel_read_system_state(ntpd_t)
|
||||
kernel_read_network_state(ntpd_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(ntpd_t)
|
||||
corenet_tcp_sendrecv_all_if(ntpd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(openvpn,1.0.1)
|
||||
policy_module(openvpn,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,6 +44,7 @@ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
|
||||
allow openvpn_t openvpn_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
|
||||
|
||||
kernel_read_kernel_sysctls(openvpn_t)
|
||||
kernel_read_net_sysctls(openvpn_t)
|
||||
kernel_read_network_state(openvpn_t)
|
||||
kernel_read_system_state(openvpn_t)
|
||||
@ -81,6 +82,10 @@ miscfiles_read_localization(openvpn_t)
|
||||
|
||||
sysnet_exec_ifconfig(openvpn_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(openvpn_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(openvpn_t,openvpn_exec_t)
|
||||
')
|
||||
|
||||
@ -403,6 +403,29 @@ interface(`postfix_exec_master',`
|
||||
can_exec($1,postfix_master_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the master postfix program in the
|
||||
## postfix_master domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_domtrans_smtp',`
|
||||
gen_require(`
|
||||
type postfix_smtp_t, postfix_smtp_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
|
||||
|
||||
allow postfix_smtp_t $1:fd use;
|
||||
allow postfix_smtp_t $1:fifo_file rw_file_perms;
|
||||
allow postfix_smtp_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search postfix mail spool directories.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postfix,1.2.7)
|
||||
policy_module(postfix,1.2.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -456,10 +456,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_use_fds(postfix_postdrop_t)
|
||||
cron_rw_pipes(postfix_postdrop_t)
|
||||
cron_use_system_job_fds(postfix_postdrop_t)
|
||||
cron_rw_system_job_pipes(postfix_postdrop_t)
|
||||
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ppp,1.2.3)
|
||||
policy_module(ppp,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -59,8 +59,8 @@ files_pid_file(pptp_var_run_t)
|
||||
|
||||
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
|
||||
dontaudit pppd_t self:capability sys_tty_config;
|
||||
allow pppd_t self:process signal;
|
||||
allow pppd_t self:fifo_file rw_file_perms;
|
||||
allow pppd_t self:file { read getattr };
|
||||
allow pppd_t self:socket create_socket_perms;
|
||||
allow pppd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pppd_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(procmail,1.2.3)
|
||||
policy_module(procmail,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -78,6 +78,7 @@ ifdef(`targeted_policy', `
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(procmail_t)
|
||||
clamav_search_lib(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -1290,6 +1290,8 @@ interface(`auth_use_nsswitch',`
|
||||
allow $1 var_auth_t:file create_file_perms;
|
||||
files_list_var_lib($1)
|
||||
|
||||
miscfiles_read_certs($1)
|
||||
|
||||
sysnet_dns_name_resolve($1)
|
||||
sysnet_use_ldap($1)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.3.5)
|
||||
policy_module(authlogin,1.3.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -121,7 +121,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.3.8)
|
||||
policy_module(libraries,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mount,1.3.6)
|
||||
policy_module(mount,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -111,6 +111,7 @@ ifdef(`targeted_policy',`
|
||||
tunable_policy(`allow_mount_anyfile',`
|
||||
auth_read_all_dirs_except_shadow(mount_t)
|
||||
auth_read_all_files_except_shadow(mount_t)
|
||||
files_mounton_non_security(mount_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -7,4 +7,6 @@
|
||||
ifdef(`targeted_policy',`
|
||||
/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.3.10)
|
||||
policy_module(unconfined,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xen,1.0.6)
|
||||
policy_module(xen,1.0.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t)
|
||||
# xend local policy
|
||||
#
|
||||
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
|
||||
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
|
||||
allow xend_t self:process { signal sigkill };
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xend_t self:fifo_file rw_file_perms;
|
||||
@ -168,6 +168,8 @@ sysnet_read_dhcpc_pid(xend_t)
|
||||
|
||||
xen_stream_connect_xenstore(xend_t)
|
||||
|
||||
netutils_domtrans(xend_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(xend_t)
|
||||
')
|
||||
@ -255,7 +257,8 @@ xen_append_log(xenstored_t)
|
||||
# xm local policy
|
||||
#
|
||||
|
||||
allow xm_t self:capability { dac_override ipc_lock };
|
||||
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
|
||||
|
||||
# internal communication is often done using fifo and unix sockets.
|
||||
allow xm_t self:fifo_file { read write };
|
||||
allow xm_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -265,6 +268,9 @@ allow xm_t xend_var_lib_t:fifo_file create_file_perms;
|
||||
allow xm_t xend_var_lib_t:file create_file_perms;
|
||||
files_search_var_lib(xm_t)
|
||||
|
||||
allow xm_t xen_image_t:dir rw_dir_perms;
|
||||
allow xm_t xen_image_t:file r_file_perms;
|
||||
|
||||
kernel_read_system_state(xm_t)
|
||||
kernel_read_kernel_sysctls(xm_t)
|
||||
kernel_read_xen_state(xm_t)
|
||||
@ -284,6 +290,7 @@ files_read_etc_files(xm_t)
|
||||
term_use_all_terms(xm_t)
|
||||
|
||||
init_rw_script_stream_sockets(xm_t)
|
||||
init_use_fds(xm_t)
|
||||
|
||||
libs_use_ld_so(xm_t)
|
||||
libs_use_shared_libs(xm_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user