patch from Dan Tue, 20 Jun 2006 16:19:13 -0400

Chris PeBenito 2006-06-21 18:25:06 +00:00
parent 1b11a1fe65
commit 123a990b6f
35 changed files with 341 additions and 114 deletions


@ -1,5 +1,5 @@
policy_module(bootloader,1.2.3) policy_module(bootloader,1.2.4)
######################################## ########################################
# #
@ -49,7 +49,7 @@ logging_log_file(var_log_ksyms_t)
# #
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown }; allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_file_perms; allow bootloader_t self:fifo_file rw_file_perms;
allow bootloader_t bootloader_etc_t:file r_file_perms; allow bootloader_t bootloader_etc_t:file r_file_perms;
@ -111,6 +111,7 @@ files_dontaudit_search_pids(bootloader_t)
# for blkid.tab # for blkid.tab
files_manage_etc_runtime_files(bootloader_t) files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t,file) files_etc_filetrans_etc_runtime(bootloader_t,file)
files_dontaudit_search_home(bootloader_t)
init_getattr_initctl(bootloader_t) init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t) init_use_script_ptys(bootloader_t)
@ -127,6 +128,8 @@ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t) miscfiles_read_localization(bootloader_t)
modutils_domtrans_insmod_uncond(bootloader_t)
seutil_read_bin_policy(bootloader_t) seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t) seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t) seutil_dontaudit_search_config(bootloader_t)
@ -179,6 +182,10 @@ optional_policy(`
fstools_exec(bootloader_t) fstools_exec(bootloader_t)
') ')
optional_policy(`
kudzu_domtrans(bootloader_t)
')
optional_policy(` optional_policy(`
dev_rw_lvm_control(bootloader_t) dev_rw_lvm_control(bootloader_t)
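Review bot: The `execmem` permission added to the `allow bootloader_t self:process { ... }` rule is granted unconditionally, and nothing in the section says which boot-loader tool needs executable anonymous memory. The domain already holds `sys_rawio` and `sys_admin`, so dropping a memory-protection check deserves a why-comment above the rule, for example `# <program name> needs executable anonymous memory; see <bug reference>`. The same applies to `modutils_domtrans_insmod_uncond(bootloader_t)` and the new `kudzu_domtrans(bootloader_t)` block, which add two domain transitions without a stated reason. The final `optional_policy` block continues past the end of this section.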


@ -1,5 +1,5 @@
policy_module(logwatch,1.1.1) policy_module(logwatch,1.1.2)
################################# #################################
# #
@ -23,7 +23,7 @@ files_tmp_file(logwatch_tmp_t)
# Local policy # Local policy
# #
allow logwatch_t self:capability setgid; allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:fifo_file rw_file_perms; allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms; allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
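Review bot: The capability rule for `logwatch_t` now includes `dac_override`, which bypasses DAC permission checks for writing as well as reading. If the denials being fixed were only for reading log files owned by other users, `dac_read_search` should be enough: `allow logwatch_t self:capability { dac_read_search setgid };`. If the write bypass really is required, a comment naming the path that needs it would let the grant be reviewed later.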


@ -1,5 +1,5 @@
policy_module(netutils,1.1.3) policy_module(netutils,1.1.4)
######################################## ########################################
# #
@ -54,6 +54,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t) corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t) corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t) corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
fs_getattr_xattr_fs(netutils_t) fs_getattr_xattr_fs(netutils_t)


@ -3,6 +3,5 @@
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)


@ -1,5 +1,5 @@
policy_module(prelink,1.1.3) policy_module(prelink,1.1.4)
######################################## ########################################
# #


@ -351,6 +351,26 @@ interface(`files_dontaudit_list_non_security',`
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
') ')
########################################
## <summary>
## Mount a filesystem on all non-security
## directories and files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_mounton_non_security',`
gen_require(`
attribute file_type, security_file_type;
')
allow $1 { file_type -security_file_type }:dir mounton;
allow $1 { file_type -security_file_type }:file mounton;
')
######################################## ########################################
## <summary> ## <summary>
## Allow attempts to modify any directory ## Allow attempts to modify any directory
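Review bot: The summary of the new `files_mounton_non_security` does not convey how much it grants: `mounton` on every directory and every file whose type lacks the `security_file_type` attribute. A domain with this access can cover configuration or binary directories with another filesystem, so the protection rests entirely on which types carry `security_file_type`. I would add a line to the `<summary>` such as `## Only types carrying security_file_type are excluded.` so callers see the scope in the generated documentation. The caller of this interface is not visible in this section, so whether it sits behind a tunable needs confirming.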


@ -1,5 +1,5 @@
policy_module(files,1.2.11) policy_module(files,1.2.12)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(filesystem,1.3.10) policy_module(filesystem,1.3.11)
######################################## ########################################
# #
@ -69,6 +69,11 @@ fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t) files_mountpoint(hugetlbfs_t)
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
type inotifyfs_t; type inotifyfs_t;
fs_type(inotifyfs_t) fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)


@ -31,13 +31,16 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_R
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
ifdef(`distro_suse', ` ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
') ')
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@ -69,7 +72,7 @@ ifdef(`distro_debian', `
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
ifdef(`targeted_policy', `', ` ifdef(`strict_policy',`
/var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0) /var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0)
') ')
@ -77,4 +80,3 @@ ifdef(`targeted_policy', `', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)


@ -15,6 +15,7 @@ template(`apache_content_template',`
gen_require(` gen_require(`
attribute httpdcontent; attribute httpdcontent;
attribute httpd_exec_scripts; attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t; type httpd_t, httpd_suexec_t, httpd_log_t;
') ')
# allow write access to public file transfer # allow write access to public file transfer
@ -35,7 +36,7 @@ template(`apache_content_template',`
role system_r types httpd_$1_script_t; role system_r types httpd_$1_script_t;
# This type is used for executable scripts files # This type is used for executable scripts files
type httpd_$1_script_exec_t; # customizable; type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
corecmd_shell_entry_type(httpd_$1_script_t) corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t) domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
@ -336,6 +337,58 @@ template(`apache_per_userdomain_template', `
') ')
') ')
########################################
## <summary>
## Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_scripts',`
gen_require(`
type httpd_$1_script_exec_t;
')
allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
allow $2 httpd_$1_script_exec_t:file r_file_perms;
allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
')
########################################
## <summary>
## Read user web content.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`apache_read_user_content',`
gen_require(`
type httpd_$1_content_t;
')
allow $2 httpd_$1_content_t:dir r_dir_perms;
allow $2 httpd_$1_content_t:file r_file_perms;
allow $2 httpd_$1_content_t:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Transition to apache. ## Transition to apache.
@ -464,12 +517,17 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
# #
interface(`apache_manage_all_content',` interface(`apache_manage_all_content',`
gen_require(` gen_require(`
attribute httpdcontent; attribute httpdcontent, httpd_script_exec_type;
') ')
allow $1 httpdcontent:dir manage_dir_perms; allow $1 httpdcontent:dir manage_dir_perms;
allow $1 httpdcontent:file manage_file_perms; allow $1 httpdcontent:file manage_file_perms;
allow $1 httpdcontent:lnk_file create_lnk_perms; allow $1 httpdcontent:lnk_file create_lnk_perms;
allow $1 httpd_script_exec_type:dir manage_dir_perms;
allow $1 httpd_script_exec_type:file manage_file_perms;
allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
') ')
######################################## ########################################
@ -513,6 +571,28 @@ interface(`apache_read_config',`
allow $1 httpd_config_t:lnk_file { getattr read }; allow $1 httpd_config_t:lnk_file { getattr read };
') ')
########################################
## <summary>
## Allow the specified domain to manage
## apache configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_config',`
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir manage_dir_perms;
allow $1 httpd_config_t:file manage_file_perms;
allow $1 httpd_config_t:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Execute the Apache helper program with ## Execute the Apache helper program with
@ -632,6 +712,28 @@ interface(`apache_dontaudit_append_log',`
dontaudit $1 httpd_log_t:file { getattr append }; dontaudit $1 httpd_log_t:file { getattr append };
') ')
########################################
## <summary>
## Allow the specified domain to manage
## to apache log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_manage_log',`
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir manage_dir_perms;
allow $1 httpd_log_t:file manage_file_perms;
allow $1 httpd_log_t:lnk_file { getattr read };
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to search Apache ## Do not audit attempts to search Apache
@ -692,6 +794,28 @@ interface(`apache_exec_modules',`
can_exec($1,httpd_modules_t) can_exec($1,httpd_modules_t)
') ')
########################################
## <summary>
## Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_domtrans_rotatelogs',`
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
allow httpd_rotatelogs_t $1:fd use;
allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
allow httpd_rotatelogs_t $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to manage ## Allow the specified domain to manage
@ -903,55 +1027,3 @@ interface(`apache_search_sys_script_state',`
allow $1 httpd_sys_script_t:dir search; allow $1 httpd_sys_script_t:dir search;
') ')
########################################
## <summary>
## Read httpd user scripts executables.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_read_user_scripts',`
gen_require(`
type httpd_$1_script_exec_t;
')
allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
allow $2 httpd_$1_script_exec_t:file r_file_perms;
allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
')
########################################
## <summary>
## Read user web content.
## </summary>
## <param name="domain_prefix">
## <summary>
## Prefix of the domain. Example, user would be
## the prefix for the uder_t domain.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_read_user_content',`
gen_require(`
type httpd_$1_content_t;
')
allow $2 httpd_$1_content_t:dir r_dir_perms;
allow $2 httpd_$1_content_t:file r_file_perms;
allow $2 httpd_$1_content_t:lnk_file { getattr read };
')
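Review bot: `apache_manage_all_content` keeps its name but now also grants `manage_dir_perms`, `manage_file_perms` and `create_lnk_perms` on `httpd_script_exec_type`, so every existing caller silently gains the ability to create and rewrite the script executables that Apache runs. That is a wider grant than managing content, and the callers are not shown in this section. I would either move the three new rules into a separate interface or state the new scope in the summary (which lies outside the hunk), e.g. `## Manage all httpd content and script executables.` Separately, the summary of the new `apache_manage_log` reads `manage to apache log files`, and `uder_t` in the two relocated templates looks like a typo for `user_t`.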


@ -1,5 +1,5 @@
policy_module(apache,1.3.13) policy_module(apache,1.3.14)
# #
# NOTES: # NOTES:
@ -25,6 +25,8 @@ attribute httpdcontent;
# domains that can exec all users scripts # domains that can exec all users scripts
attribute httpd_exec_scripts; attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
# user script domains # user script domains
attribute httpd_script_domains; attribute httpd_script_domains;
@ -68,6 +70,10 @@ role system_r types httpd_php_t;
type httpd_php_tmp_t; type httpd_php_tmp_t;
files_tmp_file(httpd_php_tmp_t) files_tmp_file(httpd_php_tmp_t)
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t; type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t) files_type(httpd_squirrelmail_t)
@ -109,14 +115,6 @@ files_pid_file(httpd_var_run_t)
type squirrelmail_spool_t; type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t) files_tmp_file(squirrelmail_spool_t)
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
# cjp: probably can remove this
ifdef(`distro_redhat',`
typealias httpd_log_t alias httpd_runtime_t;
dontaudit httpd_t httpd_runtime_t:file ioctl;
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
typealias httpd_sys_content_t alias httpd_user_content_t; typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
@ -293,6 +291,15 @@ tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t) miscfiles_manage_public_files(httpd_t)
') ')
ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
')
')
tunable_policy(`httpd_can_network_connect',` tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t) corenet_tcp_connect_all_ports(httpd_t)
') ')
@ -655,6 +662,9 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t) files_search_spool(httpd_sys_script_t)
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append }; allow httpd_sys_script_t httpd_log_t:file { getattr append };
') ')
@ -688,3 +698,26 @@ optional_policy(`
optional_policy(` optional_policy(`
nscd_socket_use(httpd_unconfined_script_t) nscd_socket_use(httpd_unconfined_script_t)
') ')
########################################
#
# httpd_rotatelogs local policy
#
allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
files_read_etc_files(httpd_rotatelogs_t)
libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
')
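Review bot: `apache_domtrans_rotatelogs(httpd_sys_script_t)` is added unconditionally even though the comment directly above it still asks `# Should we add a boolean?`. The local policy at the end of this section gives `httpd_rotatelogs_t` `manage_file_perms` on `httpd_log_t`, whereas `httpd_sys_script_t` itself only gets `{ getattr append }` on the logs under `distro_redhat`. Through the transition, a misbehaving system script could therefore have log files created or replaced rather than only appended to. Until the question is settled I would wrap the call in a `tunable_policy` block keyed on a new boolean, or at least replace the question with a comment explaining why scripts need to run rotatelogs. No transition from `httpd_t` itself is visible in these hunks, so it is worth confirming which domain is meant to start the helper.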


@ -1,5 +1,5 @@
policy_module(automount,1.2.6) policy_module(automount,1.2.7)
######################################## ########################################
# #
@ -28,7 +28,7 @@ files_mountpoint(automount_tmp_t)
# Local policy # Local policy
# #
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override }; allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
dontaudit automount_t self:capability sys_tty_config; dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_file_perms; allow automount_t self:fifo_file rw_file_perms;
@ -64,8 +64,17 @@ kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t) kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t) kernel_read_network_state(automount_t)
kernel_list_proc(automount_t) kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
files_search_boot(automount_t) files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
files_unmount_all_file_type_fs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
corecmd_exec_sbin(automount_t) corecmd_exec_sbin(automount_t)
corecmd_exec_bin(automount_t) corecmd_exec_bin(automount_t)
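Review bot: `sys_admin` is added to the `automount_t` capability set at the top of this section without a comment. Together with `fs_mount_all_fs`, `files_mounton_all_mountpoints` and `files_search_all`, it makes a daemon that already holds `net_bind_service` about as privileged as mount itself. The rationale is only given further down, so I would tie it to the capability as well, e.g. `# sys_admin: automount now calls mount/umount itself instead of running the mount program`. It is also worth checking whether `files_search_all(automount_t)` can be narrowed to the directories that actually contain mount points; that cannot be judged from the lines shown here.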


@ -62,6 +62,25 @@ interface(`clamav_read_config',`
allow $1 clamd_etc_t:file r_file_perms; allow $1 clamd_etc_t:file r_file_perms;
') ')
########################################
## <summary>
## Search clamav libraries directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`clamav_search_lib',`
gen_require(`
type clamd_var_lib_t;
')
files_search_var_lib($1)
allow $1 clamd_var_lib_t:dir search_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Execute a domain transition to run clamscan. ## Execute a domain transition to run clamscan.
@ -83,4 +102,3 @@ interface(`clamav_domtrans_clamscan',`
allow clamscan_t $1:fifo_file rw_file_perms; allow clamscan_t $1:fifo_file rw_file_perms;
allow clamscan_t $1:process sigchld; allow clamscan_t $1:process sigchld;
') ')


@ -1,5 +1,5 @@
policy_module(clamav,1.0.3) policy_module(clamav,1.0.4)
######################################## ########################################
# #


@ -21,6 +21,7 @@
/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)


@ -40,7 +40,7 @@ interface(`cups_stream_connect',`
files_search_pids($1) files_search_pids($1)
allow $1 cupsd_var_run_t:dir search; allow $1 cupsd_var_run_t:dir search;
allow $1 cupsd_var_run_t:sock_file write; allow $1 cupsd_var_run_t:sock_file { getattr write };
allow $1 cupsd_t:unix_stream_socket connectto; allow $1 cupsd_t:unix_stream_socket connectto;
') ')


@ -1,5 +1,5 @@
policy_module(cups,1.3.9) policy_module(cups,1.3.10)
######################################## ########################################
# #
@ -313,6 +313,7 @@ allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms; allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom }; allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom }; allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
@ -342,6 +343,9 @@ allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms; allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file) files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
allow cupsd_config_t cupsd_var_run_t:file { getattr read }; allow cupsd_config_t cupsd_var_run_t:file { getattr read };
kernel_read_system_state(cupsd_config_t) kernel_read_system_state(cupsd_config_t)
@ -357,6 +361,7 @@ corenet_sendrecv_all_client_packets(cupsd_config_t)
dev_read_sysfs(cupsd_config_t) dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t) dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
fs_getattr_all_fs(cupsd_config_t) fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t)
@ -397,6 +402,8 @@ userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
lpd_read_config(cupsd_config_t) lpd_read_config(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t) init_getattr_script_files(cupsd_config_t)
@ -430,6 +437,7 @@ optional_policy(`
optional_policy(` optional_policy(`
hal_domtrans(cupsd_config_t) hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
') ')
optional_policy(` optional_policy(`
@ -593,6 +601,7 @@ corenet_receive_hplip_server_packets(hplip_t)
dev_read_sysfs(hplip_t) dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t) dev_rw_printer(hplip_t)
dev_read_urand(hplip_t) dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t) dev_rw_generic_usb_dev(hplip_t)
fs_getattr_all_fs(hplip_t) fs_getattr_all_fs(hplip_t)
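Review bot: `files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })` sets up a type transition for directories, but the rule added just above it only allows `cupsd_config_t` access to `cupsd_tmp_t:file`. Unless a `cupsd_tmp_t:dir` rule for this domain exists outside the hunk, a directory created in the tmp directory will be labelled `cupsd_tmp_t` and then denied. Either drop `dir` from the transition, `files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, file)`, or add `allow cupsd_config_t cupsd_tmp_t:dir create_dir_perms;` next to the file rule.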


@ -101,10 +101,27 @@ interface(`hal_dbus_chat',`
allow hald_t $1:dbus send_msg; allow hald_t $1:dbus send_msg;
') ')
########################################
## <summary>
## Read hald tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`hal_read_tmp_files',`
gen_require(`
type hald_tmp_t;
')
allow $1 hald_tmp_t:file r_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read hald state files. ## Read hald PID files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -124,7 +141,7 @@ interface(`hal_read_pid_files',`
######################################## ########################################
## <summary> ## <summary>
## Read/Write hald state files. ## Read/Write hald PID files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
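Review bot: The new `hal_read_tmp_files` allows `$1` to read `hald_tmp_t:file` but does not call `files_search_tmp($1)`, so a caller that cannot already search the tmp directory will still be denied. Other interfaces added in this commit pair the allow rule with the matching search call (`files_search_var_lib($1)` in `clamav_search_lib`, `logging_search_logs($1)` in `apache_manage_log`). Adding `files_search_tmp($1)` before the allow rule would make the interface self-contained and consistent with them.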


@ -1,5 +1,5 @@
policy_module(hal,1.3.9) policy_module(hal,1.3.10)
######################################## ########################################
# #


@ -194,9 +194,3 @@ optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent) cron_read_system_job_tmp_files(mta_user_agent)
') ')
') ')
ifdef(`TODO',`
# for the start script to run make -C /etc/mail
allow initrc_t etc_mail_t:dir rw_dir_perms;
allow initrc_t etc_mail_t:file create_file_perms;
')


@ -1,5 +1,5 @@
policy_module(networkmanager,1.3.4) policy_module(networkmanager,1.3.5)
######################################## ########################################
# #
@ -92,6 +92,7 @@ libs_use_shared_libs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t) miscfiles_read_localization(NetworkManager_t)
miscfiles_read_certs(NetworkManager_t)
modutils_domtrans_insmod(NetworkManager_t) modutils_domtrans_insmod(NetworkManager_t)


@ -1,5 +1,5 @@
policy_module(ntp,1.1.2) policy_module(ntp,1.1.3)
######################################## ########################################
# #
@ -62,6 +62,7 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
kernel_read_kernel_sysctls(ntpd_t) kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t) kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
corenet_non_ipsec_sendrecv(ntpd_t) corenet_non_ipsec_sendrecv(ntpd_t)
corenet_tcp_sendrecv_all_if(ntpd_t) corenet_tcp_sendrecv_all_if(ntpd_t)


@ -1,5 +1,5 @@
policy_module(openvpn,1.0.1) policy_module(openvpn,1.0.2)
######################################## ########################################
# #
@ -44,6 +44,7 @@ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
allow openvpn_t openvpn_var_run_t:file create_file_perms; allow openvpn_t openvpn_var_run_t:file create_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file) files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t) kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t) kernel_read_system_state(openvpn_t)
@ -81,6 +82,10 @@ miscfiles_read_localization(openvpn_t)
sysnet_exec_ifconfig(openvpn_t) sysnet_exec_ifconfig(openvpn_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(openvpn_t)
')
optional_policy(` optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t) daemontools_service_domain(openvpn_t,openvpn_exec_t)
') ')


@ -403,6 +403,29 @@ interface(`postfix_exec_master',`
can_exec($1,postfix_master_exec_t) can_exec($1,postfix_master_exec_t)
') ')
########################################
## <summary>
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postfix_domtrans_smtp',`
gen_require(`
type postfix_smtp_t, postfix_smtp_exec_t;
')
domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
allow postfix_smtp_t $1:fd use;
allow postfix_smtp_t $1:fifo_file rw_file_perms;
allow postfix_smtp_t $1:process sigchld;
')
######################################## ########################################
## <summary> ## <summary>
## Search postfix mail spool directories. ## Search postfix mail spool directories.
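Review bot: The summary of the new `postfix_domtrans_smtp` appears to have been copied from the master interface and still says `Execute the master postfix program in the postfix_master domain.`, while the body transitions to `postfix_smtp_t` through `postfix_smtp_exec_t`. It should read along the lines of `Execute the postfix smtp program in the postfix_smtp domain.` so the generated interface documentation does not mislead someone auditing which domains can enter `postfix_smtp_t`.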


@ -1,5 +1,5 @@
policy_module(postfix,1.2.7) policy_module(postfix,1.2.8)
######################################## ########################################
# #
@ -456,10 +456,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(` optional_policy(`
cron_use_fds(postfix_postdrop_t) cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
cron_rw_pipes(postfix_postdrop_t)
cron_use_system_job_fds(postfix_postdrop_t)
cron_rw_system_job_pipes(postfix_postdrop_t)
') ')
optional_policy(` optional_policy(`


@ -1,5 +1,5 @@
policy_module(ppp,1.2.3) policy_module(ppp,1.2.4)
######################################## ########################################
# #
@ -59,8 +59,8 @@ files_pid_file(pptp_var_run_t)
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override }; allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config; dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_file_perms; allow pppd_t self:fifo_file rw_file_perms;
allow pppd_t self:file { read getattr };
allow pppd_t self:socket create_socket_perms; allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms; allow pppd_t self:unix_stream_socket create_socket_perms;


@ -1,5 +1,5 @@
policy_module(procmail,1.2.3) policy_module(procmail,1.2.4)
######################################## ########################################
# #
@ -78,6 +78,7 @@ ifdef(`targeted_policy', `
optional_policy(` optional_policy(`
clamav_domtrans_clamscan(procmail_t) clamav_domtrans_clamscan(procmail_t)
clamav_search_lib(procmail_t)
') ')
optional_policy(` optional_policy(`


@ -1290,6 +1290,8 @@ interface(`auth_use_nsswitch',`
allow $1 var_auth_t:file create_file_perms; allow $1 var_auth_t:file create_file_perms;
files_list_var_lib($1) files_list_var_lib($1)
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1) sysnet_dns_name_resolve($1)
sysnet_use_ldap($1) sysnet_use_ldap($1)
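Review bot: Adding `miscfiles_read_certs($1)` to `auth_use_nsswitch` hands certificate-store read access to every domain that calls this interface, not only to the ones that need it (presumably for TLS-protected LDAP lookups). That is fine if the cert type holds only public material, but where private keys share the same label it widens key exposure to all nsswitch users, so the file contexts for the cert type are worth checking. At minimum, place the call next to `sysnet_use_ldap($1)` with a comment such as `# CA certs for TLS-protected LDAP lookups`. The interface body starts and ends outside this hunk.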


@ -1,5 +1,5 @@
policy_module(authlogin,1.3.5) policy_module(authlogin,1.3.6)
######################################## ########################################
# #


@ -121,7 +121,7 @@ ifdef(`distro_gentoo',`
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`


@ -1,5 +1,5 @@
policy_module(libraries,1.3.8) policy_module(libraries,1.3.9)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(mount,1.3.6) policy_module(mount,1.3.7)
######################################## ########################################
# #
@ -111,6 +111,7 @@ ifdef(`targeted_policy',`
tunable_policy(`allow_mount_anyfile',` tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t) auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
') ')
') ')
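Review bot: `files_mounton_non_security(mount_t)` inside the `allow_mount_anyfile` block changes what the boolean means. The two `auth_read_all_*_except_shadow` lines around it grant read access only, whereas the new call, going by its name, lets mount_t mount over any non-security file or directory. Mounting over a path can shadow configuration or binaries that other domains trust, so the boolean's description should state this explicitly; its declaration is not in this hunk. Suggested comment above the new line: `# lets mount cover any non-security-labeled path; whatever sits under the mount point is hidden`.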


@ -7,4 +7,6 @@
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
') ')
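Review bot: Labeling `/usr/bin/mplayer` and `/usr/local/RealPlay/realplay.bin` as `unconfined_execmem_exec_t` puts two programs that parse untrusted media into the domain where, going by the type name, the executable-memory checks are relaxed. That is the check most useful against a malformed media file. If the denials come from binary codecs with text relocations (an assumption about the cause), labeling those libraries `textrel_shlib_t` would keep the player itself under the normal checks. If the entries stay, add a comment such as `# needs execmem for binary codecs; revisit once the codec libraries are labeled`. The RealPlay entry also matches a single install location, so a copy installed elsewhere keeps the default label.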


@ -1,5 +1,5 @@
policy_module(unconfined,1.3.10) policy_module(unconfined,1.3.11)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(xen,1.0.6) policy_module(xen,1.0.7)
######################################## ########################################
# #
@ -68,7 +68,7 @@ init_daemon_domain(xm_t, xm_exec_t)
# xend local policy # xend local policy
# #
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config }; allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
allow xend_t self:process { signal sigkill }; allow xend_t self:process { signal sigkill };
# internal communication is often done using fifo and unix sockets. # internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms; allow xend_t self:fifo_file rw_file_perms;
@ -168,6 +168,8 @@ sysnet_read_dhcpc_pid(xend_t)
xen_stream_connect_xenstore(xend_t) xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)
optional_policy(` optional_policy(`
consoletype_domtrans(xend_t) consoletype_domtrans(xend_t)
') ')
@ -255,7 +257,8 @@ xen_append_log(xenstored_t)
# xm local policy # xm local policy
# #
allow xm_t self:capability { dac_override ipc_lock }; allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets. # internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file { read write }; allow xm_t self:fifo_file { read write };
allow xm_t self:unix_stream_socket create_stream_socket_perms; allow xm_t self:unix_stream_socket create_stream_socket_perms;
@ -265,6 +268,9 @@ allow xm_t xend_var_lib_t:fifo_file create_file_perms;
allow xm_t xend_var_lib_t:file create_file_perms; allow xm_t xend_var_lib_t:file create_file_perms;
files_search_var_lib(xm_t) files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file r_file_perms;
kernel_read_system_state(xm_t) kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t) kernel_read_kernel_sysctls(xm_t)
kernel_read_xen_state(xm_t) kernel_read_xen_state(xm_t)
@ -284,6 +290,7 @@ files_read_etc_files(xm_t)
term_use_all_terms(xm_t) term_use_all_terms(xm_t)
init_rw_script_stream_sockets(xm_t) init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
libs_use_ld_so(xm_t) libs_use_ld_so(xm_t)
libs_use_shared_libs(xm_t) libs_use_shared_libs(xm_t)