trunk: add basic ubuntu support
This commit is contained in:
Chris PeBenito
parent
ce8a5299a8
commit
12cf805e1c
4
Makefile
4
Makefile
@ -184,6 +184,10 @@ ifeq "$(DISTRO)" "rhel4"
|
||||
M4PARAM += -D distro_redhat
|
||||
endif
|
||||
|
||||
ifeq "$(DISTRO)" "ubuntu"
|
||||
M4PARAM += -D distro_debian
|
||||
endif
|
||||
|
||||
ifneq ($(OUTPUT_POLICY),)
|
||||
CHECKPOLICY += -c $(OUTPUT_POLICY)
|
||||
endif
|
||||
|
||||
@ -507,9 +507,6 @@ template(`ssh_server_template', `
|
||||
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
|
||||
userdom_search_all_users_home_dirs($1_t)
|
||||
|
||||
# Allow checking users mail at login
|
||||
mta_getattr_spool($1_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_read_nfs_files($1_t)
|
||||
')
|
||||
@ -522,6 +519,11 @@ template(`ssh_server_template', `
|
||||
kerberos_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# Allow checking users mail at login
|
||||
mta_getattr_spool($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_t)
|
||||
')
|
||||
|
||||
@ -122,6 +122,12 @@ logging_send_syslog_msg(pam_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(pam_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(pam_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
locallogin_use_fds(pam_t)
|
||||
')
|
||||
@ -223,6 +229,12 @@ seutil_read_file_contexts(pam_console_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(pam_console_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gpm_getattr_gpmctl(pam_console_t)
|
||||
gpm_setattr_gpmctl(pam_console_t)
|
||||
@ -264,6 +276,12 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
|
||||
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
|
||||
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(system_chkpwd_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# updpwd local policy
|
||||
@ -292,6 +310,12 @@ logging_send_syslog_msg(updpwd_t)
|
||||
|
||||
miscfiles_read_localization(updpwd_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(updpwd_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Utempter local policy
|
||||
@ -324,6 +348,12 @@ logging_search_logs(utempter_t)
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
userdom_write_unpriv_users_tmp_files(utempter_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(utempter_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(utempter_t)
|
||||
')
|
||||
|
||||
@ -114,6 +114,12 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_dontaudit_read_config(getty_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(getty_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(getty_t)
|
||||
')
|
||||
|
||||
@ -163,6 +163,12 @@ ifdef(`distro_redhat',`
|
||||
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
|
||||
')
|
||||
|
||||
ifndef(`distro_ubuntu',`
|
||||
# Run the shell in the sysadm role for single-user mode.
|
||||
# causes problems with upstart
|
||||
userdom_shell_domtrans_sysadm(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_rw_login_records(init_t)
|
||||
')
|
||||
@ -175,11 +181,6 @@ optional_policy(`
|
||||
unconfined_domain(init_t)
|
||||
')
|
||||
|
||||
# Run the shell in the sysadm_t domain for single-user mode.
|
||||
optional_policy(`
|
||||
userdom_shell_domtrans_sysadm(init_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init script local policy
|
||||
|
||||
@ -80,6 +80,12 @@ logging_send_syslog_msg(ldconfig_t)
|
||||
|
||||
userdom_use_all_users_fds(ldconfig_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(ldconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
|
||||
|
||||
@ -138,6 +138,12 @@ userdom_use_unpriv_users_fds(local_login_t)
|
||||
userdom_sigchld_all_users(local_login_t)
|
||||
userdom_create_all_users_keys(local_login_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(local_login_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(local_login_t)
|
||||
files_read_default_files(local_login_t)
|
||||
|
||||
@ -164,6 +164,12 @@ seutil_dontaudit_read_config(auditd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(auditd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(auditd_t)
|
||||
')
|
||||
@ -220,6 +226,12 @@ mls_file_read_all_levels(klogd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(klogd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(klogd_t)
|
||||
')
|
||||
@ -357,6 +369,12 @@ ifdef(`distro_suse',`
|
||||
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(syslogd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inn_manage_log(syslogd_t)
|
||||
')
|
||||
|
||||
@ -112,6 +112,12 @@ miscfiles_read_localization(insmod_t)
|
||||
|
||||
seutil_read_file_contexts(insmod_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(insmod_t)
|
||||
')
|
||||
')
|
||||
|
||||
if( ! secure_mode_insmod ) {
|
||||
kernel_domtrans_to(insmod_t,insmod_exec_t)
|
||||
}
|
||||
@ -205,6 +211,12 @@ files_list_home(depmod_t)
|
||||
userdom_read_staff_home_content_files(depmod_t)
|
||||
userdom_read_sysadm_home_content_files(depmod_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(depmod_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# Read System.map from home directories.
|
||||
unconfined_read_home_content_files(depmod_t)
|
||||
@ -282,3 +294,9 @@ ifdef(`distro_gentoo',`
|
||||
consoletype_exec(update_modules_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(update_modules_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -128,6 +128,12 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(mount_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`allow_mount_anyfile',`
|
||||
auth_read_all_dirs_except_shadow(mount_t)
|
||||
auth_read_all_files_except_shadow(mount_t)
|
||||
|
||||
@ -145,6 +145,12 @@ libs_use_shared_libs(checkpolicy_t)
|
||||
|
||||
userdom_use_all_users_fds(checkpolicy_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(checkpolicy_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load_policy local policy
|
||||
@ -183,6 +189,12 @@ seutil_libselinux_linked(load_policy_t)
|
||||
|
||||
userdom_use_all_users_fds(load_policy_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(load_policy_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# cjp: cover up stray file descriptors.
|
||||
dontaudit load_policy_t selinux_config_t:file write;
|
||||
@ -276,6 +288,12 @@ userdom_use_unpriv_users_fds(newrole_t)
|
||||
userdom_dontaudit_search_all_users_home_content(newrole_t)
|
||||
userdom_search_all_users_home_dirs(newrole_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(newrole_t)
|
||||
')
|
||||
')
|
||||
|
||||
# if secure mode is enabled, then newrole
|
||||
# can only transition to unprivileged users
|
||||
if(secure_mode) {
|
||||
@ -329,6 +347,12 @@ miscfiles_read_localization(restorecond_t)
|
||||
|
||||
seutil_libselinux_linked(restorecond_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(restorecond_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_script_fds(restorecond_t)
|
||||
')
|
||||
@ -396,6 +420,12 @@ ifndef(`direct_sysadm_daemon',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(run_init_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
daemontools_domtrans_start(run_init_t)
|
||||
')
|
||||
@ -471,6 +501,12 @@ ifdef(`distro_debian',`
|
||||
files_read_var_lib_symlinks(semanage_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(semanage_t)
|
||||
')
|
||||
')
|
||||
|
||||
# cjp: need a more general way to handle this:
|
||||
ifdef(`enable_mls',`
|
||||
# read secadm tmp files
|
||||
@ -575,6 +611,12 @@ ifdef(`distro_redhat', `
|
||||
fs_relabel_tmpfs_chr_file(setfiles_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(setfiles_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
udev_dontaudit_rw_dgram_sockets(setfiles_t)
|
||||
|
||||
@ -142,6 +142,12 @@ ifdef(`distro_redhat', `
|
||||
files_exec_etc_files(dhcpc_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(dhcpc_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(dhcpc_t)
|
||||
')
|
||||
@ -297,6 +303,12 @@ seutil_use_runinit_fds(ifconfig_t)
|
||||
|
||||
userdom_use_all_users_fds(ifconfig_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(ifconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user