another round of renaming
This commit is contained in:
parent
0eba5d6ce4
commit
15722ec99e
@ -49,7 +49,7 @@ corecmd_search_sbin(acct_t)
|
||||
corecmd_exec_bin(acct_t)
|
||||
corecmd_exec_shell(acct_t)
|
||||
|
||||
domain_use_wide_inherit_fd(acct_t)
|
||||
domain_use_interactive_fds(acct_t)
|
||||
|
||||
files_read_etc_files(acct_t)
|
||||
files_read_etc_runtime_files(acct_t)
|
||||
@ -69,7 +69,7 @@ logging_send_syslog_msg(acct_t)
|
||||
miscfiles_read_localization(acct_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(acct_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(acct_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(acct_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(acct_t)
|
||||
|
@ -234,7 +234,7 @@ corenet_tcp_connect_amanda_port(amanda_recover_t)
|
||||
corecmd_exec_shell(amanda_recover_t)
|
||||
corecmd_exec_bin(amanda_recover_t)
|
||||
|
||||
domain_use_wide_inherit_fd(amanda_recover_t)
|
||||
domain_use_interactive_fds(amanda_recover_t)
|
||||
|
||||
files_read_etc_files(amanda_recover_t)
|
||||
files_read_etc_runtime_files(amanda_recover_t)
|
||||
|
@ -48,10 +48,10 @@ term_use_unallocated_ttys(consoletype_t)
|
||||
|
||||
init_use_fd(consoletype_t)
|
||||
init_use_script_ptys(consoletype_t)
|
||||
init_use_script_fd(consoletype_t)
|
||||
init_use_script_fds(consoletype_t)
|
||||
init_write_script_pipes(consoletype_t)
|
||||
|
||||
domain_use_wide_inherit_fd(consoletype_t)
|
||||
domain_use_interactive_fds(consoletype_t)
|
||||
|
||||
files_dontaudit_read_root_files(consoletype_t)
|
||||
files_list_usr(consoletype_t)
|
||||
@ -60,7 +60,7 @@ libs_use_ld_so(consoletype_t)
|
||||
libs_use_shared_libs(consoletype_t)
|
||||
|
||||
userdom_use_sysadm_terms(consoletype_t)
|
||||
userdom_use_sysadm_fd(consoletype_t)
|
||||
userdom_use_sysadm_fds(consoletype_t)
|
||||
userdom_rw_sysadm_pipes(consoletype_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -78,7 +78,7 @@ optional_policy(`authlogin', `
|
||||
|
||||
optional_policy(`cron',`
|
||||
cron_read_pipes(consoletype_t)
|
||||
cron_use_system_job_fd(consoletype_t)
|
||||
cron_use_system_job_fds(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`firstboot',`
|
||||
|
@ -49,7 +49,7 @@ miscfiles_read_localization(ddcprobe_t)
|
||||
|
||||
modutils_read_module_deps(ddcprobe_t)
|
||||
|
||||
userdom_use_all_users_fd(ddcprobe_t)
|
||||
userdom_use_all_users_fds(ddcprobe_t)
|
||||
|
||||
#reh why? this does not seem even necessary to function properly
|
||||
kudzu_getattr_exec_files(ddcprobe_t)
|
||||
|
@ -44,7 +44,7 @@ ifdef(`strict_policy',`
|
||||
|
||||
term_dontaudit_use_console(dmesg_t)
|
||||
|
||||
domain_use_wide_inherit_fd(dmesg_t)
|
||||
domain_use_interactive_fds(dmesg_t)
|
||||
|
||||
files_list_etc(dmesg_t)
|
||||
# for when /usr is not mounted:
|
||||
@ -62,7 +62,7 @@ ifdef(`strict_policy',`
|
||||
miscfiles_read_localization(dmesg_t)
|
||||
|
||||
userdom_use_sysadm_terms(dmesg_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_sigchld_newrole(dmesg_t)
|
||||
|
@ -84,7 +84,7 @@ corecmd_exec_sbin(kudzu_t)
|
||||
corecmd_exec_bin(kudzu_t)
|
||||
|
||||
domain_exec_all_entry_files(kudzu_t)
|
||||
domain_use_wide_inherit_fd(kudzu_t)
|
||||
domain_use_interactive_fds(kudzu_t)
|
||||
|
||||
files_search_var(kudzu_t)
|
||||
files_search_locks(kudzu_t)
|
||||
@ -120,7 +120,7 @@ modutils_domtrans_insmod(kudzu_t)
|
||||
sysnet_read_config(kudzu_t)
|
||||
|
||||
userdom_search_sysadm_home_dir(kudzu_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(kudzu_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(kudzu_t)
|
||||
|
@ -88,7 +88,7 @@ corecmd_exec_shell(logrotate_t)
|
||||
corecmd_exec_ls(logrotate_t)
|
||||
|
||||
domain_signal_all_domains(logrotate_t)
|
||||
domain_use_wide_inherit_fd(logrotate_t)
|
||||
domain_use_interactive_fds(logrotate_t)
|
||||
domain_getattr_all_entry_files(logrotate_t)
|
||||
# Read /proc/PID directories for all domains.
|
||||
domain_read_all_domains_state(logrotate_t)
|
||||
|
@ -81,7 +81,7 @@ corenet_tcp_connect_all_ports(mrtg_t)
|
||||
dev_read_sysfs(mrtg_t)
|
||||
dev_read_urand(mrtg_t)
|
||||
|
||||
domain_use_wide_inherit_fd(mrtg_t)
|
||||
domain_use_interactive_fds(mrtg_t)
|
||||
|
||||
files_read_usr_files(mrtg_t)
|
||||
files_search_var(mrtg_t)
|
||||
@ -116,7 +116,7 @@ selinux_dontaudit_getattr_dir(mrtg_t)
|
||||
# Use the network.
|
||||
sysnet_read_config(mrtg_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(mrtg_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
|
||||
userdom_use_sysadm_terms(mrtg_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
@ -58,7 +58,7 @@ corenet_tcp_connect_all_ports(netutils_t)
|
||||
|
||||
fs_getattr_xattr_fs(netutils_t)
|
||||
|
||||
domain_use_wide_inherit_fd(netutils_t)
|
||||
domain_use_interactive_fds(netutils_t)
|
||||
|
||||
files_read_etc_files(netutils_t)
|
||||
# for nscd
|
||||
@ -76,7 +76,7 @@ miscfiles_read_localization(netutils_t)
|
||||
|
||||
sysnet_read_config(netutils_t)
|
||||
|
||||
userdom_use_all_users_fd(netutils_t)
|
||||
userdom_use_all_users_fds(netutils_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_ptys(netutils_t)
|
||||
@ -117,7 +117,7 @@ corenet_tcp_bind_all_nodes(ping_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs(ping_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ping_t)
|
||||
domain_use_interactive_fds(ping_t)
|
||||
|
||||
files_read_etc_files(ping_t)
|
||||
files_dontaudit_search_var(ping_t)
|
||||
@ -155,7 +155,7 @@ optional_policy(`nscd',`
|
||||
')
|
||||
|
||||
optional_policy(`pcmcia',`
|
||||
pcmcia_use_cardmgr_fd(ping_t)
|
||||
pcmcia_use_cardmgr_fds(ping_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug',`
|
||||
@ -199,7 +199,7 @@ corenet_tcp_connect_all_ports(traceroute_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
|
||||
domain_use_wide_inherit_fd(traceroute_t)
|
||||
domain_use_interactive_fds(traceroute_t)
|
||||
|
||||
files_read_etc_files(traceroute_t)
|
||||
files_dontaudit_search_var(traceroute_t)
|
||||
|
@ -170,7 +170,7 @@ template(`portage_compile_domain_template',`
|
||||
dev_read_urand($1_t)
|
||||
|
||||
domain_exec_all_entry_files($1_t)
|
||||
domain_use_wide_inherit_fd($1_t)
|
||||
domain_use_interactive_fds($1_t)
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_exec_usr_src_files($1_t)
|
||||
|
@ -149,7 +149,7 @@ corenet_tcp_connect_generic_port(portage_fetch_t)
|
||||
|
||||
dev_dontaudit_read_rand(portage_fetch_t)
|
||||
|
||||
domain_use_wide_inherit_fd(portage_fetch_t)
|
||||
domain_use_interactive_fds(portage_fetch_t)
|
||||
|
||||
files_read_etc_files(portage_fetch_t)
|
||||
files_read_etc_runtime_files(portage_fetch_t)
|
||||
|
@ -41,7 +41,7 @@ storage_raw_read_fixed_disk(quota_t)
|
||||
|
||||
term_dontaudit_use_console(quota_t)
|
||||
|
||||
domain_use_wide_inherit_fd(quota_t)
|
||||
domain_use_interactive_fds(quota_t)
|
||||
|
||||
files_list_all(quota_t)
|
||||
files_read_all_files(quota_t)
|
||||
@ -59,7 +59,7 @@ libs_use_shared_libs(quota_t)
|
||||
|
||||
logging_send_syslog_msg(quota_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(quota_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(quota_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(quota_t)
|
||||
|
@ -37,7 +37,7 @@ dev_getattr_all_blk_files(readahead_t)
|
||||
dev_dontaudit_read_all_blk_files(readahead_t)
|
||||
dev_dontaudit_getattr_memory_dev(readahead_t)
|
||||
|
||||
domain_use_wide_inherit_fd(readahead_t)
|
||||
domain_use_interactive_fds(readahead_t)
|
||||
|
||||
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||
files_list_non_security(readahead_t)
|
||||
@ -67,7 +67,7 @@ logging_send_syslog_msg(readahead_t)
|
||||
|
||||
miscfiles_read_localization(readahead_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(readahead_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(readahead_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -164,7 +164,7 @@ interface(`rpm_manage_log',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_use_script_fd',`
|
||||
interface(`rpm_use_script_fds',`
|
||||
gen_require(`
|
||||
type rpm_script_t;
|
||||
')
|
||||
|
@ -12,7 +12,7 @@ init_system_domain(rpm_t,rpm_exec_t)
|
||||
domain_obj_id_change_exemption(rpm_t)
|
||||
domain_role_change_exemption(rpm_t)
|
||||
domain_system_change_exemption(rpm_t)
|
||||
domain_wide_inherit_fd(rpm_t)
|
||||
domain_interactive_fd(rpm_t)
|
||||
role system_r types rpm_t;
|
||||
|
||||
type rpm_file_t;
|
||||
@ -38,7 +38,7 @@ domain_system_change_exemption(rpm_script_t)
|
||||
corecmd_shell_entry_type(rpm_script_t)
|
||||
domain_type(rpm_script_t)
|
||||
domain_entry_file(rpm_t,rpm_script_exec_t)
|
||||
domain_wide_inherit_fd(rpm_script_t)
|
||||
domain_interactive_fd(rpm_script_t)
|
||||
role system_r types rpm_script_t;
|
||||
|
||||
type rpm_script_tmp_t;
|
||||
@ -144,7 +144,7 @@ domain_exec_all_entry_files(rpm_t)
|
||||
domain_read_all_domains_state(rpm_t)
|
||||
domain_getattr_all_domains(rpm_t)
|
||||
domain_dontaudit_ptrace_all_domains(rpm_t)
|
||||
domain_use_wide_inherit_fd(rpm_t)
|
||||
domain_use_interactive_fds(rpm_t)
|
||||
domain_dontaudit_getattr_all_pipes(rpm_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
|
||||
domain_dontaudit_getattr_all_udp_sockets(rpm_t)
|
||||
@ -300,7 +300,7 @@ corecmd_exec_sbin(rpm_script_t)
|
||||
domain_read_all_domains_state(rpm_script_t)
|
||||
domain_getattr_all_domains(rpm_script_t)
|
||||
domain_dontaudit_ptrace_all_domains(rpm_script_t)
|
||||
domain_use_wide_inherit_fd(rpm_script_t)
|
||||
domain_use_interactive_fds(rpm_script_t)
|
||||
domain_exec_all_entry_files(rpm_script_t)
|
||||
domain_signal_all_domains(rpm_script_t)
|
||||
domain_signull_all_domains(rpm_script_t)
|
||||
@ -327,7 +327,7 @@ modutils_domtrans_insmod(rpm_script_t)
|
||||
seutil_domtrans_loadpolicy(rpm_script_t)
|
||||
seutil_domtrans_restorecon(rpm_script_t)
|
||||
|
||||
userdom_use_all_users_fd(rpm_script_t)
|
||||
userdom_use_all_users_fds(rpm_script_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
unconfined_domain(rpm_script_t)
|
||||
|
@ -8,7 +8,7 @@ template(`su_restricted_domain_template', `
|
||||
type $1_su_t;
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_wide_inherit_fd($1_su_t)
|
||||
domain_interactive_fd($1_su_t)
|
||||
role $3 types $1_su_t;
|
||||
|
||||
allow $2 $1_su_t:process signal;
|
||||
@ -47,7 +47,7 @@ template(`su_restricted_domain_template', `
|
||||
auth_dontaudit_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_su_t)
|
||||
domain_use_interactive_fds($1_su_t)
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
init_dontaudit_use_script_ptys($1_su_t)
|
||||
@ -121,7 +121,7 @@ template(`su_per_userdomain_template',`
|
||||
type $1_su_t;
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_wide_inherit_fd($1_su_t)
|
||||
domain_interactive_fd($1_su_t)
|
||||
role $3 types $1_su_t;
|
||||
|
||||
allow $2 $1_su_t:process signal;
|
||||
@ -161,7 +161,7 @@ template(`su_per_userdomain_template',`
|
||||
corecmd_search_bin($1_su_t)
|
||||
corecmd_search_sbin($1_su_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_su_t)
|
||||
domain_use_interactive_fds($1_su_t)
|
||||
|
||||
files_read_etc_files($1_su_t)
|
||||
files_read_etc_runtime_files($1_su_t)
|
||||
@ -196,8 +196,8 @@ template(`su_per_userdomain_template',`
|
||||
allow $1_su_t self:process sigstop;
|
||||
|
||||
corecmd_exec_bin($1_su_t)
|
||||
userdom_manage_all_user_files($1_su_t)
|
||||
userdom_manage_all_user_symlinks($1_su_t)
|
||||
userdom_manage_all_users_home_files($1_su_t)
|
||||
userdom_manage_all_users_home_symlinks($1_su_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
|
@ -48,7 +48,7 @@ template(`sudo_per_userdomain_template',`
|
||||
type $1_sudo_t;
|
||||
domain_type($1_sudo_t)
|
||||
domain_entry_file($1_sudo_t,sudo_exec_t)
|
||||
domain_wide_inherit_fd($1_sudo_t)
|
||||
domain_interactive_fd($1_sudo_t)
|
||||
role $3 types $1_sudo_t;
|
||||
|
||||
##############################
|
||||
@ -100,8 +100,8 @@ template(`sudo_per_userdomain_template',`
|
||||
corecmd_read_sbin_symlinks($1_sudo_t)
|
||||
corecmd_getattr_sbin_files($1_sudo_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_sudo_t)
|
||||
domain_sigchld_wide_inherit_fd($1_sudo_t)
|
||||
domain_use_interactive_fds($1_sudo_t)
|
||||
domain_sigchld_interactive_fds($1_sudo_t)
|
||||
domain_getattr_all_entry_files($1_sudo_t)
|
||||
|
||||
files_read_etc_files($1_sudo_t)
|
||||
|
@ -56,7 +56,7 @@ corecmd_exec_bin(updfstab_t)
|
||||
corecmd_exec_sbin(updfstab_t)
|
||||
corecmd_exec_ls(updfstab_t)
|
||||
|
||||
domain_use_wide_inherit_fd(updfstab_t)
|
||||
domain_use_interactive_fds(updfstab_t)
|
||||
|
||||
files_manage_mnt_files(updfstab_t)
|
||||
files_manage_mnt_dirs(updfstab_t)
|
||||
@ -83,7 +83,7 @@ seutil_read_file_contexts(updfstab_t)
|
||||
|
||||
userdom_use_sysadm_ttys(updfstab_t)
|
||||
userdom_dontaudit_search_all_users_home(updfstab_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(updfstab_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(updfstab_t)
|
||||
|
@ -107,7 +107,7 @@ corecmd_search_sbin(chfn_t)
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
domain_use_wide_inherit_fd(chfn_t)
|
||||
domain_use_interactive_fds(chfn_t)
|
||||
|
||||
files_manage_etc_files(chfn_t)
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
@ -221,7 +221,7 @@ init_use_fd(groupadd_t)
|
||||
init_read_utmp(groupadd_t)
|
||||
init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(groupadd_t)
|
||||
domain_use_interactive_fds(groupadd_t)
|
||||
|
||||
files_manage_etc_files(groupadd_t)
|
||||
files_relabel_etc_files(groupadd_t)
|
||||
@ -312,7 +312,7 @@ auth_relabel_shadow(passwd_t)
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(passwd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(passwd_t)
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
files_manage_etc_files(passwd_t)
|
||||
@ -335,7 +335,7 @@ seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_userdomains(passwd_t)
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
userdom_read_all_users_state(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
@ -406,7 +406,7 @@ corecmd_exec_bin(sysadm_passwd_t)
|
||||
corecmd_exec_shell(sysadm_passwd_t)
|
||||
files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
files_manage_etc_files(sysadm_passwd_t)
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
@ -482,7 +482,7 @@ corecmd_exec_shell(useradd_t)
|
||||
corecmd_exec_bin(useradd_t)
|
||||
corecmd_exec_sbin(useradd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(useradd_t)
|
||||
domain_use_interactive_fds(useradd_t)
|
||||
|
||||
files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
|
@ -101,7 +101,7 @@ sysnet_exec_ifconfig(vpnc_t)
|
||||
sysnet_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
userdom_use_all_users_fd(vpnc_t)
|
||||
userdom_use_all_users_fds(vpnc_t)
|
||||
userdom_dontaudit_search_all_users_home(vpnc_t)
|
||||
|
||||
optional_policy(`dbus',`
|
||||
|
@ -82,8 +82,8 @@ template(`cdrecord_per_userdomain_template', `
|
||||
# allow searching for cdrom-drive
|
||||
dev_list_all_dev_nodes($1_cdrecord_t)
|
||||
|
||||
domain_wide_inherit_fd($1_cdrecord_t)
|
||||
domain_use_wide_inherit_fd($1_cdrecord_t)
|
||||
domain_interactive_fd($1_cdrecord_t)
|
||||
domain_use_interactive_fds($1_cdrecord_t)
|
||||
|
||||
files_read_etc_files($1_cdrecord_t)
|
||||
|
||||
|
@ -59,7 +59,7 @@ template(`gpg_per_userdomain_template',`
|
||||
files_tmp_file($1_gpg_agent_tmp_t)
|
||||
|
||||
type $1_gpg_secret_t;
|
||||
userdom_home_file($1,$1_gpg_secret_t)
|
||||
userdom_user_home_file($1,$1_gpg_secret_t)
|
||||
|
||||
type $1_gpg_helper_t;
|
||||
domain_type($1_gpg_helper_t)
|
||||
@ -114,7 +114,7 @@ template(`gpg_per_userdomain_template',`
|
||||
|
||||
fs_getattr_xattr_fs($1_gpg_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_gpg_t)
|
||||
domain_use_interactive_fds($1_gpg_t)
|
||||
|
||||
files_read_etc_files($1_gpg_t)
|
||||
files_read_usr_files($1_gpg_t)
|
||||
@ -250,7 +250,7 @@ template(`gpg_per_userdomain_template',`
|
||||
# Transition from the user domain to the derived domain.
|
||||
domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_gpg_agent_t)
|
||||
domain_use_interactive_fds($1_gpg_agent_t)
|
||||
|
||||
libs_use_ld_so($1_gpg_agent_t)
|
||||
libs_use_shared_libs($1_gpg_agent_t)
|
||||
|
@ -48,14 +48,14 @@ template(`irc_per_userdomain_template',`
|
||||
role $3 types $1_irc_t;
|
||||
|
||||
type $1_irc_exec_t;
|
||||
userdom_home_file($1,$1_irc_exec_t)
|
||||
userdom_user_home_file($1,$1_irc_exec_t)
|
||||
domain_entry_file($1_irc_t,$1_irc_exec_t)
|
||||
|
||||
type $1_irc_home_t;
|
||||
userdom_home_file($1,$1_irc_home_t)
|
||||
userdom_user_home_file($1,$1_irc_home_t)
|
||||
|
||||
type $1_irc_tmp_t;
|
||||
userdom_home_file($1,$1_irc_tmp_t)
|
||||
userdom_user_home_file($1,$1_irc_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -118,7 +118,7 @@ template(`irc_per_userdomain_template',`
|
||||
# cjp: this seems excessive:
|
||||
corenet_tcp_connect_all_ports($1_irc_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_irc_t)
|
||||
domain_use_interactive_fds($1_irc_t)
|
||||
|
||||
files_dontaudit_search_pids($1_irc_t)
|
||||
files_search_var($1_irc_t)
|
||||
@ -141,7 +141,7 @@ template(`irc_per_userdomain_template',`
|
||||
miscfiles_read_localization($1_irc_t)
|
||||
|
||||
# Inherit and use descriptors from newrole.
|
||||
seutil_use_newrole_fd($1_irc_t)
|
||||
seutil_use_newrole_fds($1_irc_t)
|
||||
|
||||
sysnet_read_config($1_irc_t)
|
||||
|
||||
|
@ -45,7 +45,7 @@ template(`screen_per_userdomain_template',`
|
||||
type $1_screen_t;
|
||||
domain_type($1_screen_t)
|
||||
domain_entry_file($1_screen_t,screen_exec_t)
|
||||
domain_wide_inherit_fd($1_screen_t)
|
||||
domain_interactive_fd($1_screen_t)
|
||||
role $3 types $1_screen_t;
|
||||
|
||||
type $1_screen_tmp_t;
|
||||
@ -133,7 +133,7 @@ template(`screen_per_userdomain_template',`
|
||||
# for SSP
|
||||
dev_read_urand($1_screen_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_screen_t)
|
||||
domain_use_interactive_fds($1_screen_t)
|
||||
|
||||
files_search_tmp($1_screen_t)
|
||||
files_search_home($1_screen_t)
|
||||
@ -164,7 +164,7 @@ template(`screen_per_userdomain_template',`
|
||||
userdom_use_user_terminals($1,$1_screen_t)
|
||||
userdom_create_user_pty($1,$1_screen_t)
|
||||
userdom_user_home_domtrans($1,$1_screen_t,$2)
|
||||
userdom_setattr_user_pty($1,$1_screen_t)
|
||||
userdom_setattr_user_ptys($1,$1_screen_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_screen_t)
|
||||
|
@ -45,7 +45,7 @@ template(`tvtime_per_userdomain_template',`
|
||||
role $3 types $1_tvtime_t;
|
||||
|
||||
type $1_tvtime_home_t alias $1_tvtime_rw_t;
|
||||
userdom_home_file($1,$1_tvtime_home_t)
|
||||
userdom_user_home_file($1,$1_tvtime_home_t)
|
||||
files_poly_member($1_tvtime_home_t)
|
||||
|
||||
type $1_tvtime_tmp_t;
|
||||
|
@ -161,7 +161,7 @@ template(`uml_per_userdomain_template',`
|
||||
corenet_tcp_connect_all_ports($1_uml_t)
|
||||
corenet_rw_tun_tap_dev($1_uml_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_uml_t)
|
||||
domain_use_interactive_fds($1_uml_t)
|
||||
|
||||
# for xterm
|
||||
files_read_etc_files($1_uml_t)
|
||||
@ -180,7 +180,7 @@ template(`uml_per_userdomain_template',`
|
||||
libs_exec_lib_files($1_uml_t)
|
||||
|
||||
# Inherit and use descriptors from newrole.
|
||||
seutil_use_newrole_fd($1_uml_t)
|
||||
seutil_use_newrole_fds($1_uml_t)
|
||||
|
||||
# Use the network.
|
||||
sysnet_read_config($1_uml_t)
|
||||
|
@ -40,7 +40,7 @@ kernel_read_proc_symlinks(uml_switch_t)
|
||||
|
||||
dev_read_sysfs(uml_switch_t)
|
||||
|
||||
domain_use_wide_inherit_fd(uml_switch_t)
|
||||
domain_use_interactive_fds(uml_switch_t)
|
||||
|
||||
fs_getattr_all_fs(uml_switch_t)
|
||||
fs_search_auto_mountpoints(uml_switch_t)
|
||||
@ -57,7 +57,7 @@ logging_send_syslog_msg(uml_switch_t)
|
||||
|
||||
miscfiles_read_localization(uml_switch_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(uml_switch_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(uml_switch_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -46,7 +46,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
domain_entry_file($1_userhelper_t,userhelper_exec_t)
|
||||
domain_role_change_exemption($1_userhelper_t)
|
||||
domain_obj_id_change_exemption($1_userhelper_t)
|
||||
domain_wide_inherit_fd($1_userhelper_t)
|
||||
domain_interactive_fd($1_userhelper_t)
|
||||
domain_subj_id_change_exemption($1_userhelper_t)
|
||||
role system_r types $1_userhelper_t;
|
||||
|
||||
@ -95,9 +95,9 @@ template(`userhelper_per_userdomain_template',`
|
||||
corecmd_sbin_domtrans($1_userhelper_t,$2)
|
||||
|
||||
# Inherit descriptors from the current session.
|
||||
domain_use_wide_inherit_fd($1_userhelper_t)
|
||||
domain_use_interactive_fds($1_userhelper_t)
|
||||
# for when the user types "exec userhelper" at the command line
|
||||
domain_sigchld_wide_inherit_fd($1_userhelper_t)
|
||||
domain_sigchld_interactive_fds($1_userhelper_t)
|
||||
|
||||
dev_read_urand($1_userhelper_t)
|
||||
# Read /dev directories and any symbolic links.
|
||||
|
@ -10,7 +10,7 @@ type usernetctl_t;
|
||||
type usernetctl_exec_t;
|
||||
domain_type(usernetctl_t)
|
||||
domain_entry_file(usernetctl_t,usernetctl_exec_t)
|
||||
domain_wide_inherit_fd(usernetctl_t)
|
||||
domain_interactive_fd(usernetctl_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -125,7 +125,7 @@ corecmd_exec_sbin(bootloader_t)
|
||||
corecmd_exec_shell(bootloader_t)
|
||||
|
||||
domain_exec_all_entry_files(bootloader_t)
|
||||
domain_use_wide_inherit_fd(bootloader_t)
|
||||
domain_use_interactive_fds(bootloader_t)
|
||||
|
||||
files_read_etc_files(bootloader_t)
|
||||
files_exec_etc_files(bootloader_t)
|
||||
@ -138,7 +138,7 @@ files_dontaudit_search_pids(bootloader_t)
|
||||
|
||||
init_getattr_initctl(bootloader_t)
|
||||
init_use_script_ptys(bootloader_t)
|
||||
init_use_script_fd(bootloader_t)
|
||||
init_use_script_fds(bootloader_t)
|
||||
init_rw_script_pipes(bootloader_t)
|
||||
|
||||
libs_use_ld_so(bootloader_t)
|
||||
|
@ -133,9 +133,9 @@ interface(`domain_entry_file',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_wide_inherit_fd(domain)
|
||||
# domain_interactive_fd(domain)
|
||||
#
|
||||
interface(`domain_wide_inherit_fd',`
|
||||
interface(`domain_interactive_fd',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
')
|
||||
@ -339,9 +339,9 @@ interface(`domain_cron_exemption_target',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_use_wide_inherit_fd(domain)
|
||||
# domain_use_interactive_fds(domain)
|
||||
#
|
||||
interface(`domain_use_wide_inherit_fd',`
|
||||
interface(`domain_use_interactive_fds',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
')
|
||||
@ -351,9 +351,9 @@ interface(`domain_use_wide_inherit_fd',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_dontaudit_use_wide_inherit_fd(domain)
|
||||
# domain_dontaudit_use_interactive_fds(domain)
|
||||
#
|
||||
interface(`domain_dontaudit_use_wide_inherit_fd',`
|
||||
interface(`domain_dontaudit_use_interactive_fds',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
')
|
||||
@ -373,7 +373,7 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
|
||||
## </param>
|
||||
#
|
||||
# cjp: this was added because of newrole
|
||||
interface(`domain_sigchld_wide_inherit_fd',`
|
||||
interface(`domain_sigchld_interactive_fds',`
|
||||
gen_require(`
|
||||
attribute privfd;
|
||||
')
|
||||
|
@ -274,7 +274,7 @@ template(`apache_per_userdomain_template', `
|
||||
apache_content_template($1)
|
||||
|
||||
typeattribute httpd_$1_content_t httpd_script_domains;
|
||||
userdom_home_file($1,httpd_$1_content_t)
|
||||
userdom_user_home_file($1,httpd_$1_content_t)
|
||||
|
||||
role $3 types httpd_$1_script_t;
|
||||
|
||||
|
@ -247,7 +247,7 @@ auth_use_nsswitch(httpd_t)
|
||||
corecmd_exec_bin(httpd_t)
|
||||
corecmd_exec_sbin(httpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(httpd_t)
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
files_read_usr_files(httpd_t)
|
||||
files_list_mnt(httpd_t)
|
||||
|
@ -50,7 +50,7 @@ fs_getattr_xattr_fs(apm_t)
|
||||
|
||||
term_use_all_terms(apm_t)
|
||||
|
||||
domain_use_wide_inherit_fd(apm_t)
|
||||
domain_use_interactive_fds(apm_t)
|
||||
|
||||
libs_use_ld_so(apm_t)
|
||||
libs_use_shared_libs(apm_t)
|
||||
@ -112,7 +112,7 @@ corecmd_exec_ls(apmd_t)
|
||||
|
||||
domain_exec_all_entry_files(apmd_t)
|
||||
domain_read_all_domains_state(apmd_t)
|
||||
domain_use_wide_inherit_fd(apmd_t)
|
||||
domain_use_interactive_fds(apmd_t)
|
||||
domain_dontaudit_getattr_all_sockets(apmd_t)
|
||||
domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
|
||||
domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
|
||||
@ -145,7 +145,7 @@ modutils_read_module_config(apmd_t)
|
||||
|
||||
seutil_dontaudit_read_config(apmd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(apmd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(apmd_t)
|
||||
userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
|
||||
|
||||
|
@ -70,7 +70,7 @@ term_dontaudit_use_console(arpwatch_t)
|
||||
|
||||
corecmd_read_sbin_symlinks(arpwatch_t)
|
||||
|
||||
domain_use_wide_inherit_fd(arpwatch_t)
|
||||
domain_use_interactive_fds(arpwatch_t)
|
||||
|
||||
files_read_etc_files(arpwatch_t)
|
||||
files_read_usr_files(arpwatch_t)
|
||||
@ -88,7 +88,7 @@ miscfiles_read_localization(arpwatch_t)
|
||||
|
||||
sysnet_read_config(arpwatch_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(arpwatch_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(arpwatch_t)
|
||||
|
||||
mta_send_mail(arpwatch_t)
|
||||
|
@ -88,7 +88,7 @@ dev_read_sysfs(automount_t)
|
||||
# for SSP
|
||||
dev_read_urand(automount_t)
|
||||
|
||||
domain_use_wide_inherit_fd(automount_t)
|
||||
domain_use_interactive_fds(automount_t)
|
||||
|
||||
files_dontaudit_write_var_dirs(automount_t)
|
||||
files_search_var_lib(automount_t)
|
||||
@ -128,7 +128,7 @@ sysnet_dns_name_resolve(automount_t)
|
||||
sysnet_use_ldap(automount_t)
|
||||
sysnet_read_config(automount_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(automount_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(automount_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(automount_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -60,7 +60,7 @@ fs_search_auto_mountpoints(avahi_t)
|
||||
|
||||
term_dontaudit_use_console(avahi_t)
|
||||
|
||||
domain_use_wide_inherit_fd(avahi_t)
|
||||
domain_use_interactive_fds(avahi_t)
|
||||
|
||||
files_read_etc_files(avahi_t)
|
||||
files_read_etc_runtime_files(avahi_t)
|
||||
@ -79,7 +79,7 @@ miscfiles_read_localization(avahi_t)
|
||||
|
||||
sysnet_read_config(avahi_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(avahi_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(avahi_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -125,7 +125,7 @@ term_dontaudit_use_console(named_t)
|
||||
|
||||
corecmd_search_sbin(named_t)
|
||||
|
||||
domain_use_wide_inherit_fd(named_t)
|
||||
domain_use_interactive_fds(named_t)
|
||||
|
||||
files_read_etc_files(named_t)
|
||||
files_read_etc_runtime_files(named_t)
|
||||
@ -142,7 +142,7 @@ miscfiles_read_localization(named_t)
|
||||
|
||||
sysnet_read_config(named_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(named_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(named_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(named_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
@ -250,7 +250,7 @@ corenet_tcp_connect_rndc_port(ndc_t)
|
||||
|
||||
fs_getattr_xattr_fs(ndc_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ndc_t)
|
||||
domain_use_interactive_fds(ndc_t)
|
||||
|
||||
files_read_etc_files(ndc_t)
|
||||
files_search_pids(ndc_t)
|
||||
|
@ -114,7 +114,7 @@ term_use_unallocated_ttys(bluetooth_t)
|
||||
corecmd_exec_bin(bluetooth_t)
|
||||
corecmd_exec_shell(bluetooth_t)
|
||||
|
||||
domain_use_wide_inherit_fd(bluetooth_t)
|
||||
domain_use_interactive_fds(bluetooth_t)
|
||||
|
||||
files_read_etc_files(bluetooth_t)
|
||||
files_read_etc_runtime_files(bluetooth_t)
|
||||
@ -133,7 +133,7 @@ miscfiles_read_fonts(bluetooth_t)
|
||||
|
||||
sysnet_read_config(bluetooth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(bluetooth_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||
userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(bluetooth_t)
|
||||
|
||||
|
@ -64,7 +64,7 @@ fs_search_auto_mountpoints(canna_t)
|
||||
|
||||
term_dontaudit_use_console(canna_t)
|
||||
|
||||
domain_use_wide_inherit_fd(canna_t)
|
||||
domain_use_interactive_fds(canna_t)
|
||||
|
||||
files_read_etc_files(canna_t)
|
||||
files_read_etc_runtime_files(canna_t)
|
||||
@ -84,7 +84,7 @@ miscfiles_read_localization(canna_t)
|
||||
|
||||
sysnet_read_config(canna_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(canna_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(canna_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(canna_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -41,7 +41,7 @@ fs_search_auto_mountpoints(cpucontrol_t)
|
||||
|
||||
term_dontaudit_use_console(cpucontrol_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cpucontrol_t)
|
||||
domain_use_interactive_fds(cpucontrol_t)
|
||||
|
||||
files_list_usr(cpucontrol_t)
|
||||
|
||||
@ -53,7 +53,7 @@ libs_use_shared_libs(cpucontrol_t)
|
||||
|
||||
logging_send_syslog_msg(cpucontrol_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(cpucontrol_t)
|
||||
@ -91,7 +91,7 @@ fs_search_auto_mountpoints(cpuspeed_t)
|
||||
|
||||
term_dontaudit_use_console(cpuspeed_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cpuspeed_t)
|
||||
domain_use_interactive_fds(cpuspeed_t)
|
||||
|
||||
files_read_etc_files(cpuspeed_t)
|
||||
files_read_etc_runtime_files(cpuspeed_t)
|
||||
@ -107,7 +107,7 @@ logging_send_syslog_msg(cpuspeed_t)
|
||||
|
||||
miscfiles_read_localization(cpuspeed_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(cpuspeed_t)
|
||||
|
@ -223,7 +223,7 @@ template(`cron_per_userdomain_template',`
|
||||
corecmd_sbin_domtrans($1_crontab_t,$2)
|
||||
corecmd_shell_domtrans($1_crontab_t,$2)
|
||||
|
||||
domain_use_wide_inherit_fd($1_crontab_t)
|
||||
domain_use_interactive_fds($1_crontab_t)
|
||||
|
||||
files_read_etc_files($1_crontab_t)
|
||||
files_dontaudit_search_pids($1_crontab_t)
|
||||
@ -503,7 +503,7 @@ interface(`cron_anacron_domtrans_system_job',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_use_system_job_fd',`
|
||||
interface(`cron_use_system_job_fds',`
|
||||
gen_require(`
|
||||
type system_crond_t;
|
||||
')
|
||||
|
@ -24,7 +24,7 @@ gen_require(`
|
||||
type crond_exec_t;
|
||||
')
|
||||
init_daemon_domain(crond_t,crond_exec_t)
|
||||
domain_wide_inherit_fd(crond_t)
|
||||
domain_interactive_fd(crond_t)
|
||||
domain_cron_exemption_source(crond_t)
|
||||
|
||||
type crond_tmp_t;
|
||||
@ -110,7 +110,7 @@ corecmd_exec_shell(crond_t)
|
||||
corecmd_list_sbin(crond_t)
|
||||
corecmd_read_sbin_symlinks(crond_t)
|
||||
|
||||
domain_use_wide_inherit_fd(crond_t)
|
||||
domain_use_interactive_fds(crond_t)
|
||||
|
||||
files_read_etc_files(crond_t)
|
||||
files_read_generic_spool(crond_t)
|
||||
@ -315,7 +315,7 @@ ifdef(`targeted_policy',`
|
||||
files_manage_generic_spool(system_crond_t)
|
||||
|
||||
init_use_fd(system_crond_t)
|
||||
init_use_script_fd(system_crond_t)
|
||||
init_use_script_fds(system_crond_t)
|
||||
init_use_script_ptys(system_crond_t)
|
||||
init_read_utmp(system_crond_t)
|
||||
init_dontaudit_rw_utmp(system_crond_t)
|
||||
|
@ -158,7 +158,7 @@ corecmd_exec_shell(cupsd_t)
|
||||
corecmd_exec_bin(cupsd_t)
|
||||
corecmd_exec_sbin(cupsd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cupsd_t)
|
||||
domain_use_interactive_fds(cupsd_t)
|
||||
|
||||
files_read_etc_files(cupsd_t)
|
||||
files_read_etc_runtime_files(cupsd_t)
|
||||
@ -189,7 +189,7 @@ seutil_dontaudit_read_config(cupsd_t)
|
||||
|
||||
sysnet_read_config(cupsd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
|
||||
userdom_dontaudit_search_all_users_home(cupsd_t)
|
||||
|
||||
# Write to /var/spool/cups.
|
||||
@ -327,7 +327,7 @@ fs_search_auto_mountpoints(ptal_t)
|
||||
|
||||
term_dontaudit_use_console(ptal_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ptal_t)
|
||||
domain_use_interactive_fds(ptal_t)
|
||||
|
||||
files_read_etc_files(ptal_t)
|
||||
files_read_etc_runtime_files(ptal_t)
|
||||
@ -344,7 +344,7 @@ miscfiles_read_localization(ptal_t)
|
||||
|
||||
sysnet_read_config(ptal_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ptal_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
||||
userdom_dontaudit_search_all_users_home(ptal_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -423,7 +423,7 @@ term_dontaudit_use_console(hplip_t)
|
||||
corecmd_exec_bin(hplip_t)
|
||||
corecmd_search_sbin(hplip_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hplip_t)
|
||||
domain_use_interactive_fds(hplip_t)
|
||||
|
||||
files_read_etc_files(hplip_t)
|
||||
files_read_etc_runtime_files(hplip_t)
|
||||
@ -441,7 +441,7 @@ miscfiles_read_localization(hplip_t)
|
||||
|
||||
sysnet_read_config(hplip_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(hplip_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(hplip_t)
|
||||
|
||||
lpd_read_config(cupsd_t)
|
||||
@ -540,7 +540,7 @@ corecmd_exec_bin(cupsd_config_t)
|
||||
corecmd_exec_sbin(cupsd_config_t)
|
||||
corecmd_exec_shell(cupsd_config_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cupsd_config_t)
|
||||
domain_use_interactive_fds(cupsd_config_t)
|
||||
# killall causes the following
|
||||
domain_dontaudit_search_all_domains_state(cupsd_config_t)
|
||||
|
||||
@ -562,7 +562,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
|
||||
|
||||
sysnet_read_config(cupsd_config_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
|
@ -85,7 +85,7 @@ term_dontaudit_use_console(cyrus_t)
|
||||
|
||||
corecmd_exec_bin(cyrus_t)
|
||||
|
||||
domain_use_wide_inherit_fd(cyrus_t)
|
||||
domain_use_interactive_fds(cyrus_t)
|
||||
|
||||
files_list_var_lib(cyrus_t)
|
||||
files_read_etc_files(cyrus_t)
|
||||
@ -105,7 +105,7 @@ miscfiles_read_certs(cyrus_t)
|
||||
|
||||
sysnet_read_config(cyrus_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(cyrus_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
|
||||
userdom_use_unpriv_users_fd(cyrus_t)
|
||||
userdom_use_sysadm_ptys(cyrus_t)
|
||||
|
@ -87,7 +87,7 @@ corecmd_read_sbin_pipes(system_dbusd_t)
|
||||
corecmd_read_sbin_sockets(system_dbusd_t)
|
||||
corecmd_exec_sbin(system_dbusd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(system_dbusd_t)
|
||||
domain_use_interactive_fds(system_dbusd_t)
|
||||
|
||||
files_read_etc_files(system_dbusd_t)
|
||||
files_list_home(system_dbusd_t)
|
||||
@ -107,7 +107,7 @@ seutil_read_config(system_dbusd_t)
|
||||
seutil_read_default_contexts(system_dbusd_t)
|
||||
seutil_sigchld_newrole(system_dbusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(system_dbusd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(system_dbusd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -82,7 +82,7 @@ term_dontaudit_use_console(dhcpd_t)
|
||||
corecmd_exec_bin(dhcpd_t)
|
||||
corecmd_exec_sbin(dhcpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(dhcpd_t)
|
||||
domain_use_interactive_fds(dhcpd_t)
|
||||
|
||||
files_read_etc_files(dhcpd_t)
|
||||
files_read_usr_files(dhcpd_t)
|
||||
@ -102,7 +102,7 @@ miscfiles_read_localization(dhcpd_t)
|
||||
sysnet_read_config(dhcpd_t)
|
||||
sysnet_read_dhcp_config(dhcpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(dhcpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
|
@ -58,7 +58,7 @@ fs_search_auto_mountpoints(dictd_t)
|
||||
|
||||
term_dontaudit_use_console(dictd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(dictd_t)
|
||||
domain_use_interactive_fds(dictd_t)
|
||||
|
||||
files_read_etc_files(dictd_t)
|
||||
files_read_etc_runtime_files(dictd_t)
|
||||
@ -79,7 +79,7 @@ miscfiles_read_localization(dictd_t)
|
||||
|
||||
sysnet_read_config(dictd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(dictd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(dictd_t)
|
||||
|
@ -68,7 +68,7 @@ term_dontaudit_use_console(distccd_t)
|
||||
corecmd_exec_bin(distccd_t)
|
||||
corecmd_read_sbin_symlinks(distccd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(distccd_t)
|
||||
domain_use_interactive_fds(distccd_t)
|
||||
|
||||
files_read_etc_files(distccd_t)
|
||||
files_read_etc_runtime_files(distccd_t)
|
||||
@ -86,7 +86,7 @@ miscfiles_read_localization(distccd_t)
|
||||
|
||||
sysnet_read_config(distccd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(distccd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(distccd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -90,7 +90,7 @@ term_dontaudit_use_console(dovecot_t)
|
||||
|
||||
corecmd_exec_bin(dovecot_t)
|
||||
|
||||
domain_use_wide_inherit_fd(dovecot_t)
|
||||
domain_use_interactive_fds(dovecot_t)
|
||||
|
||||
files_read_etc_files(dovecot_t)
|
||||
files_search_spool(dovecot_t)
|
||||
@ -112,7 +112,7 @@ miscfiles_read_localization(dovecot_t)
|
||||
sysnet_read_config(dovecot_t)
|
||||
sysnet_use_ldap(dovecot_auth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(dovecot_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
|
||||
userdom_priveleged_home_dir_manager(dovecot_t)
|
||||
|
||||
|
@ -74,7 +74,7 @@ fs_search_auto_mountpoints(fetchmail_t)
|
||||
|
||||
term_dontaudit_use_console(fetchmail_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fetchmail_t)
|
||||
domain_use_interactive_fds(fetchmail_t)
|
||||
|
||||
init_use_fd(fetchmail_t)
|
||||
init_use_script_ptys(fetchmail_t)
|
||||
@ -89,7 +89,7 @@ miscfiles_read_certs(fetchmail_t)
|
||||
|
||||
sysnet_read_config(fetchmail_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(fetchmail_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fetchmail_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -75,7 +75,7 @@ corecmd_exec_bin(fingerd_t)
|
||||
corecmd_exec_sbin(fingerd_t)
|
||||
corecmd_exec_shell(fingerd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fingerd_t)
|
||||
domain_use_interactive_fds(fingerd_t)
|
||||
|
||||
files_search_home(fingerd_t)
|
||||
files_read_etc_files(fingerd_t)
|
||||
@ -97,12 +97,12 @@ sysnet_read_config(fingerd_t)
|
||||
|
||||
miscfiles_read_localization(fingerd_t)
|
||||
|
||||
userdom_read_unpriv_user_home_files(fingerd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
|
||||
userdom_read_unpriv_users_home_files(fingerd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
|
||||
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
|
||||
# have to change this when we create a type for Maildir
|
||||
userdom_dontaudit_search_user_home_dirs(fingerd_t)
|
||||
userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(fingerd_t)
|
||||
|
@ -92,7 +92,7 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
|
||||
corenet_tcp_bind_generic_port(ftpd_t)
|
||||
corenet_tcp_connect_all_ports(ftpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ftpd_t)
|
||||
domain_use_interactive_fds(ftpd_t)
|
||||
|
||||
files_search_etc(ftpd_t)
|
||||
files_read_etc_files(ftpd_t)
|
||||
@ -127,7 +127,7 @@ seutil_dontaudit_search_config(ftpd_t)
|
||||
sysnet_read_config(ftpd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(ftpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(ftpd_t)
|
||||
@ -153,10 +153,10 @@ tunable_policy(`allow_ftpd_anon_write',`
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
# allow access to /home
|
||||
files_list_home(ftpd_t)
|
||||
userdom_read_all_user_files(ftpd_t)
|
||||
userdom_manage_all_user_dirs(ftpd_t)
|
||||
userdom_manage_all_user_files(ftpd_t)
|
||||
userdom_manage_all_user_symlinks(ftpd_t)
|
||||
userdom_read_all_users_home_files(ftpd_t)
|
||||
userdom_manage_all_users_home_dirs(ftpd_t)
|
||||
userdom_manage_all_users_home_files(ftpd_t)
|
||||
userdom_manage_all_users_home_symlinks(ftpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
@ -63,7 +63,7 @@ fs_search_auto_mountpoints(gpm_t)
|
||||
term_use_unallocated_ttys(gpm_t)
|
||||
term_dontaudit_use_console(gpm_t)
|
||||
|
||||
domain_use_wide_inherit_fd(gpm_t)
|
||||
domain_use_interactive_fds(gpm_t)
|
||||
|
||||
init_use_fd(gpm_t)
|
||||
init_use_script_ptys(gpm_t)
|
||||
@ -75,7 +75,7 @@ logging_send_syslog_msg(gpm_t)
|
||||
|
||||
miscfiles_read_localization(gpm_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(gpm_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(gpm_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -78,7 +78,7 @@ dev_manage_generic_chr_files(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
dev_rw_sysfs(hald_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hald_t)
|
||||
domain_use_interactive_fds(hald_t)
|
||||
domain_exec_all_entry_files(hald_t)
|
||||
|
||||
files_exec_etc_files(hald_t)
|
||||
@ -140,7 +140,7 @@ seutil_read_default_contexts(hald_t)
|
||||
|
||||
sysnet_read_config(hald_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(hald_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(hald_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(hald_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -56,7 +56,7 @@ fs_search_auto_mountpoints(howl_t)
|
||||
|
||||
term_dontaudit_use_console(howl_t)
|
||||
|
||||
domain_use_wide_inherit_fd(howl_t)
|
||||
domain_use_interactive_fds(howl_t)
|
||||
|
||||
files_read_etc_files(howl_t)
|
||||
|
||||
@ -73,7 +73,7 @@ miscfiles_read_localization(howl_t)
|
||||
|
||||
sysnet_read_config(howl_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(howl_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(howl_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(howl_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -63,7 +63,7 @@ corecmd_search_sbin(i18n_input_t)
|
||||
corecmd_search_bin(i18n_input_t)
|
||||
corecmd_exec_bin(i18n_input_t)
|
||||
|
||||
domain_use_wide_inherit_fd(i18n_input_t)
|
||||
domain_use_interactive_fds(i18n_input_t)
|
||||
|
||||
files_read_etc_files(i18n_input_t)
|
||||
files_read_etc_runtime_files(i18n_input_t)
|
||||
@ -82,9 +82,9 @@ miscfiles_read_localization(i18n_input_t)
|
||||
|
||||
sysnet_read_config(i18n_input_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(i18n_input_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(i18n_input_t)
|
||||
userdom_read_unpriv_user_home_files(i18n_input_t)
|
||||
userdom_read_unpriv_users_home_files(i18n_input_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(i18n_input_t)
|
||||
|
@ -102,7 +102,7 @@ term_dontaudit_use_console(inetd_t)
|
||||
corecmd_search_bin(inetd_t)
|
||||
corecmd_read_sbin_symlinks(inetd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(inetd_t)
|
||||
domain_use_interactive_fds(inetd_t)
|
||||
|
||||
files_read_etc_files(inetd_t)
|
||||
|
||||
@ -118,7 +118,7 @@ miscfiles_read_localization(inetd_t)
|
||||
|
||||
sysnet_read_config(inetd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(inetd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(inetd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -90,7 +90,7 @@ corecmd_exec_shell(innd_t)
|
||||
corecmd_search_sbin(innd_t)
|
||||
corecmd_read_sbin_symlinks(innd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(innd_t)
|
||||
domain_use_interactive_fds(innd_t)
|
||||
|
||||
files_list_spool(innd_t)
|
||||
files_read_etc_files(innd_t)
|
||||
@ -111,7 +111,7 @@ seutil_dontaudit_search_config(innd_t)
|
||||
|
||||
sysnet_read_config(innd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(innd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(innd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(innd_t)
|
||||
|
||||
mta_send_mail(innd_t)
|
||||
|
@ -39,7 +39,7 @@ fs_search_auto_mountpoints(irqbalance_t)
|
||||
|
||||
term_dontaudit_use_console(irqbalance_t)
|
||||
|
||||
domain_use_wide_inherit_fd(irqbalance_t)
|
||||
domain_use_interactive_fds(irqbalance_t)
|
||||
|
||||
init_use_fd(irqbalance_t)
|
||||
init_use_script_ptys(irqbalance_t)
|
||||
@ -51,7 +51,7 @@ logging_send_syslog_msg(irqbalance_t)
|
||||
|
||||
miscfiles_read_localization(irqbalance_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(irqbalance_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(irqbalance_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -112,7 +112,7 @@ fs_search_auto_mountpoints(kadmind_t)
|
||||
|
||||
term_dontaudit_use_console(kadmind_t)
|
||||
|
||||
domain_use_wide_inherit_fd(kadmind_t)
|
||||
domain_use_interactive_fds(kadmind_t)
|
||||
|
||||
files_read_etc_files(kadmind_t)
|
||||
|
||||
@ -128,7 +128,7 @@ miscfiles_read_localization(kadmind_t)
|
||||
|
||||
sysnet_read_config(kadmind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(kadmind_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -212,7 +212,7 @@ fs_search_auto_mountpoints(krb5kdc_t)
|
||||
|
||||
term_dontaudit_use_console(krb5kdc_t)
|
||||
|
||||
domain_use_wide_inherit_fd(krb5kdc_t)
|
||||
domain_use_interactive_fds(krb5kdc_t)
|
||||
|
||||
files_read_etc_files(krb5kdc_t)
|
||||
|
||||
@ -228,7 +228,7 @@ miscfiles_read_localization(krb5kdc_t)
|
||||
|
||||
sysnet_read_config(krb5kdc_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(krb5kdc_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -100,7 +100,7 @@ fs_search_auto_mountpoints(slapd_t)
|
||||
|
||||
term_dontaudit_use_console(slapd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(slapd_t)
|
||||
domain_use_interactive_fds(slapd_t)
|
||||
|
||||
files_read_etc_files(slapd_t)
|
||||
files_read_etc_runtime_files(slapd_t)
|
||||
@ -120,7 +120,7 @@ miscfiles_read_localization(slapd_t)
|
||||
|
||||
sysnet_read_config(slapd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(slapd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(slapd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -125,7 +125,7 @@ template(`lpd_per_userdomain_template',`
|
||||
# for /dev/null
|
||||
dev_list_all_dev_nodes($1_lpr_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_lpr_t)
|
||||
domain_use_interactive_fds($1_lpr_t)
|
||||
|
||||
files_search_spool($1_lpr_t)
|
||||
# for lpd config files (should have a new type)
|
||||
@ -234,7 +234,7 @@ template(`lpr_admin_template',`
|
||||
type $1_lpr_t;
|
||||
')
|
||||
|
||||
userdom_read_all_user_files($1_lpr_t)
|
||||
userdom_read_all_users_home_files($1_lpr_t)
|
||||
|
||||
# Allow per user lpr domain read acces for specific user.
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
|
@ -85,7 +85,7 @@ corecmd_exec_shell(checkpc_t)
|
||||
corecmd_exec_bin(checkpc_t)
|
||||
corecmd_search_sbin(checkpc_t)
|
||||
|
||||
domain_use_wide_inherit_fd(checkpc_t)
|
||||
domain_use_interactive_fds(checkpc_t)
|
||||
|
||||
files_read_etc_files(checkpc_t)
|
||||
files_read_etc_runtime_files(checkpc_t)
|
||||
@ -187,7 +187,7 @@ corecmd_exec_bin(lpd_t)
|
||||
corecmd_exec_sbin(lpd_t)
|
||||
corecmd_exec_shell(lpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(lpd_t)
|
||||
domain_use_interactive_fds(lpd_t)
|
||||
|
||||
files_read_etc_runtime_files(lpd_t)
|
||||
files_read_usr_files(lpd_t)
|
||||
@ -214,7 +214,7 @@ miscfiles_read_localization(lpd_t)
|
||||
|
||||
sysnet_read_config(lpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(lpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(lpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -208,7 +208,7 @@ template(`mta_per_userdomain_template',`
|
||||
allow $2 mailserver_domain:tcp_socket { connectto recvfrom };
|
||||
allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom };
|
||||
|
||||
domain_use_wide_inherit_fd($1_mail_t)
|
||||
domain_use_interactive_fds($1_mail_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_mail_t)
|
||||
# Write to the user domain tty. cjp: why?
|
||||
@ -279,7 +279,7 @@ template(`mta_admin_template',`
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
# allow the sysadmin to do "mail someone < /home/user/whatever"
|
||||
userdom_read_unpriv_user_home_files($1_mail_t)
|
||||
userdom_read_unpriv_users_home_files($1_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`postfix',`
|
||||
|
@ -142,7 +142,7 @@ optional_policy(`postfix',`
|
||||
allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
|
||||
files_filetrans_etc(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_use_wide_inherit_fd(system_mail_t)
|
||||
domain_use_interactive_fds(system_mail_t)
|
||||
|
||||
# postfix needs this for newaliases
|
||||
files_getattr_tmp_dirs(system_mail_t)
|
||||
|
@ -86,7 +86,7 @@ fs_search_auto_mountpoints(mysqld_t)
|
||||
|
||||
term_dontaudit_use_console(mysqld_t)
|
||||
|
||||
domain_use_wide_inherit_fd(mysqld_t)
|
||||
domain_use_interactive_fds(mysqld_t)
|
||||
|
||||
files_getattr_var_lib_dirs(mysqld_t)
|
||||
files_read_etc_runtime_files(mysqld_t)
|
||||
@ -106,7 +106,7 @@ miscfiles_read_localization(mysqld_t)
|
||||
|
||||
sysnet_read_config(mysqld_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(mysqld_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
||||
# for /root/.my.cnf - should not be needed:
|
||||
userdom_read_sysadm_home_files(mysqld_t)
|
||||
|
||||
|
@ -72,7 +72,7 @@ corecmd_exec_bin(NetworkManager_t)
|
||||
corecmd_exec_sbin(NetworkManager_t)
|
||||
corecmd_exec_ls(NetworkManager_t)
|
||||
|
||||
domain_use_wide_inherit_fd(NetworkManager_t)
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
|
||||
files_read_etc_files(NetworkManager_t)
|
||||
@ -105,7 +105,7 @@ sysnet_search_dhcp_state(NetworkManager_t)
|
||||
sysnet_manage_config(NetworkManager_t)
|
||||
sysnet_filetrans_config(NetworkManager_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
|
||||
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
|
||||
|
||||
|
@ -94,7 +94,7 @@ fs_search_auto_mountpoints(ypbind_t)
|
||||
|
||||
term_dontaudit_use_console(ypbind_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ypbind_t)
|
||||
domain_use_interactive_fds(ypbind_t)
|
||||
|
||||
files_read_etc_files(ypbind_t)
|
||||
files_list_var(ypbind_t)
|
||||
@ -112,7 +112,7 @@ miscfiles_read_localization(ypbind_t)
|
||||
|
||||
sysnet_read_config(ypbind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ypbind_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypbind_t)
|
||||
|
||||
portmap_udp_send(ypbind_t)
|
||||
@ -194,7 +194,7 @@ corecmd_exec_bin(yppasswdd_t)
|
||||
corecmd_exec_shell(yppasswdd_t)
|
||||
corecmd_search_sbin(yppasswdd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(yppasswdd_t)
|
||||
domain_use_interactive_fds(yppasswdd_t)
|
||||
|
||||
files_read_etc_files(yppasswdd_t)
|
||||
files_read_etc_runtime_files(yppasswdd_t)
|
||||
@ -213,7 +213,7 @@ miscfiles_read_localization(yppasswdd_t)
|
||||
|
||||
sysnet_read_config(yppasswdd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(yppasswdd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(yppasswdd_t)
|
||||
|
||||
portmap_udp_send(yppasswdd_t)
|
||||
@ -291,7 +291,7 @@ term_dontaudit_use_console(ypserv_t)
|
||||
|
||||
corecmd_exec_bin(ypserv_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ypserv_t)
|
||||
domain_use_interactive_fds(ypserv_t)
|
||||
|
||||
files_read_var_files(ypserv_t)
|
||||
|
||||
@ -308,7 +308,7 @@ miscfiles_read_localization(ypserv_t)
|
||||
|
||||
sysnet_read_config(ypserv_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ypserv_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(ypserv_t)
|
||||
|
||||
portmap_udp_send(ypserv_t)
|
||||
|
@ -88,7 +88,7 @@ selinux_compute_access_vector(nscd_t)
|
||||
selinux_compute_create_context(nscd_t)
|
||||
selinux_compute_relabel_context(nscd_t)
|
||||
selinux_compute_user_contexts(nscd_t)
|
||||
domain_use_wide_inherit_fd(nscd_t)
|
||||
domain_use_interactive_fds(nscd_t)
|
||||
|
||||
files_read_etc_files(nscd_t)
|
||||
files_read_generic_tmp_symlinks(nscd_t)
|
||||
@ -110,7 +110,7 @@ seutil_sigchld_newrole(nscd_t)
|
||||
|
||||
sysnet_read_config(nscd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(nscd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(nscd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -91,7 +91,7 @@ corecmd_exec_sbin(ntpd_t)
|
||||
corecmd_exec_ls(ntpd_t)
|
||||
corecmd_exec_shell(ntpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ntpd_t)
|
||||
domain_use_interactive_fds(ntpd_t)
|
||||
domain_dontaudit_list_all_domains_state(ntpd_t)
|
||||
|
||||
files_read_etc_files(ntpd_t)
|
||||
@ -112,7 +112,7 @@ miscfiles_read_localization(ntpd_t)
|
||||
|
||||
sysnet_read_config(ntpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(ntpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
|
||||
userdom_list_sysadm_home_dir(ntpd_t)
|
||||
userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
|
||||
|
||||
|
@ -33,7 +33,7 @@ dev_read_sysfs(openct_t)
|
||||
# openct asks for this
|
||||
dev_rw_usbfs(openct_t)
|
||||
|
||||
domain_use_wide_inherit_fd(openct_t)
|
||||
domain_use_interactive_fds(openct_t)
|
||||
|
||||
# openct asks for this
|
||||
files_read_etc_files(openct_t)
|
||||
@ -53,7 +53,7 @@ logging_send_syslog_msg(openct_t)
|
||||
|
||||
miscfiles_read_localization(openct_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(openct_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(openct_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(openct_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -89,7 +89,7 @@ term_dontaudit_use_console(pegasus_t)
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pegasus_t)
|
||||
domain_use_interactive_fds(pegasus_t)
|
||||
domain_read_all_domains_state(pegasus_t)
|
||||
|
||||
files_read_etc_files(pegasus_t)
|
||||
@ -108,7 +108,7 @@ miscfiles_read_localization(pegasus_t)
|
||||
|
||||
sysnet_read_config(pegasus_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(pegasus_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pegasus_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -76,7 +76,7 @@ fs_search_auto_mountpoints(portmap_t)
|
||||
|
||||
term_dontaudit_use_console(portmap_t)
|
||||
|
||||
domain_use_wide_inherit_fd(portmap_t)
|
||||
domain_use_interactive_fds(portmap_t)
|
||||
|
||||
files_read_etc_files(portmap_t)
|
||||
|
||||
@ -94,7 +94,7 @@ miscfiles_read_localization(portmap_t)
|
||||
|
||||
sysnet_read_config(portmap_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(portmap_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(portmap_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -181,7 +181,7 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
|
||||
corenet_tcp_connect_all_ports(portmap_helper_t)
|
||||
|
||||
domain_dontaudit_use_wide_inherit_fd(portmap_helper_t)
|
||||
domain_dontaudit_use_interactive_fds(portmap_helper_t)
|
||||
|
||||
files_read_etc_files(portmap_helper_t)
|
||||
files_rw_generic_pids(portmap_helper_t)
|
||||
@ -195,7 +195,7 @@ logging_send_syslog_msg(portmap_helper_t)
|
||||
|
||||
sysnet_read_config(portmap_helper_t)
|
||||
|
||||
userdom_dontaudit_use_all_user_fd(portmap_helper_t)
|
||||
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(portmap_helper_t)
|
||||
|
@ -83,7 +83,7 @@ template(`postfix_domain_template',`
|
||||
miscfiles_read_localization(postfix_$1_t)
|
||||
miscfiles_read_certs(postfix_$1_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(postfix_$1_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(postfix_$1_t)
|
||||
@ -151,7 +151,7 @@ template(`postfix_user_domain_template',`
|
||||
allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
|
||||
allow postfix_$1_t postfix_user_domtrans:process sigchld;
|
||||
|
||||
domain_use_wide_inherit_fd(postfix_$1_t)
|
||||
domain_use_interactive_fds(postfix_$1_t)
|
||||
')
|
||||
|
||||
template(`postfix_per_userdomain_template',`
|
||||
|
@ -157,7 +157,7 @@ corecmd_exec_sbin(postfix_master_t)
|
||||
corecmd_exec_shell(postfix_master_t)
|
||||
corecmd_exec_bin(postfix_master_t)
|
||||
|
||||
domain_use_wide_inherit_fd(postfix_master_t)
|
||||
domain_use_interactive_fds(postfix_master_t)
|
||||
|
||||
files_read_usr_files(postfix_master_t)
|
||||
|
||||
@ -440,7 +440,7 @@ ifdef(`targeted_policy', `
|
||||
optional_policy(`crond',`
|
||||
cron_use_fd(postfix_postdrop_t)
|
||||
cron_rw_pipes(postfix_postdrop_t)
|
||||
cron_use_system_job_fd(postfix_postdrop_t)
|
||||
cron_use_system_job_fds(postfix_postdrop_t)
|
||||
cron_rw_system_job_pipes(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
@ -482,7 +482,7 @@ term_use_all_user_ptys(postfix_postqueue_t)
|
||||
term_use_all_user_ttys(postfix_postqueue_t)
|
||||
|
||||
init_sigchld_script(postfix_postqueue_t)
|
||||
init_use_script_fd(postfix_postqueue_t)
|
||||
init_use_script_fds(postfix_postqueue_t)
|
||||
|
||||
sysnet_dontaudit_read_config(postfix_postqueue_t)
|
||||
|
||||
|
@ -113,7 +113,7 @@ corecmd_exec_sbin(postgresql_t)
|
||||
corecmd_exec_shell(postgresql_t)
|
||||
|
||||
domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
domain_use_wide_inherit_fd(postgresql_t)
|
||||
domain_use_interactive_fds(postgresql_t)
|
||||
|
||||
files_dontaudit_search_home(postgresql_t)
|
||||
files_manage_etc_files(postgresql_t)
|
||||
@ -138,7 +138,7 @@ sysnet_read_config(postgresql_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
|
||||
|
||||
mta_getattr_spool(postgresql_t)
|
||||
|
||||
|
@ -146,7 +146,7 @@ corecmd_exec_bin(pppd_t)
|
||||
corecmd_exec_sbin(pppd_t)
|
||||
corecmd_exec_shell(pppd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pppd_t)
|
||||
domain_use_interactive_fds(pppd_t)
|
||||
|
||||
files_exec_etc_files(pppd_t)
|
||||
files_read_etc_runtime_files(pppd_t)
|
||||
@ -169,12 +169,12 @@ sysnet_read_config(pppd_t)
|
||||
sysnet_exec_ifconfig(pppd_t)
|
||||
sysnet_manage_config(pppd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(pppd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pppd_t)
|
||||
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
||||
#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
|
||||
userdom_search_sysadm_home_dir(pppd_t)
|
||||
userdom_search_unpriv_user_home_dirs(pppd_t)
|
||||
userdom_search_unpriv_users_home_dirs(pppd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(pppd_t)
|
||||
@ -279,7 +279,7 @@ term_ioctl_generic_ptys(pptp_t)
|
||||
term_search_ptys(pptp_t)
|
||||
term_use_ptmx(pptp_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pptp_t)
|
||||
domain_use_interactive_fds(pptp_t)
|
||||
|
||||
init_use_fd(pptp_t)
|
||||
init_use_script_ptys(pptp_t)
|
||||
@ -293,7 +293,7 @@ miscfiles_read_localization(pptp_t)
|
||||
|
||||
sysnet_read_config(pptp_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(pptp_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(pptp_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -59,7 +59,7 @@ fs_search_auto_mountpoints(privoxy_t)
|
||||
|
||||
term_dontaudit_use_console(privoxy_t)
|
||||
|
||||
domain_use_wide_inherit_fd(privoxy_t)
|
||||
domain_use_interactive_fds(privoxy_t)
|
||||
|
||||
files_read_etc_files(privoxy_t)
|
||||
|
||||
@ -75,7 +75,7 @@ miscfiles_read_localization(privoxy_t)
|
||||
|
||||
sysnet_dns_name_resolve(privoxy_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(privoxy_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
|
||||
# cjp: this should really not be needed
|
||||
userdom_use_sysadm_terms(privoxy_t)
|
||||
|
@ -80,7 +80,7 @@ corecmd_exec_bin(radiusd_t)
|
||||
corecmd_exec_shell(radiusd_t)
|
||||
corecmd_search_sbin(radiusd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(radiusd_t)
|
||||
domain_use_interactive_fds(radiusd_t)
|
||||
|
||||
files_read_usr_files(radiusd_t)
|
||||
files_read_etc_files(radiusd_t)
|
||||
@ -99,7 +99,7 @@ miscfiles_read_localization(radiusd_t)
|
||||
|
||||
sysnet_read_config(radiusd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
|
||||
userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
|
||||
|
||||
|
@ -58,7 +58,7 @@ fs_search_auto_mountpoints(radvd_t)
|
||||
|
||||
term_dontaudit_use_console(radvd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(radvd_t)
|
||||
domain_use_interactive_fds(radvd_t)
|
||||
|
||||
files_read_etc_files(radvd_t)
|
||||
files_list_usr(radvd_t)
|
||||
@ -75,7 +75,7 @@ miscfiles_read_localization(radvd_t)
|
||||
|
||||
sysnet_read_config(radvd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(radvd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(radvd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -40,7 +40,7 @@ fs_search_auto_mountpoints(rdisc_t)
|
||||
|
||||
term_dontaudit_use_console(rdisc_t)
|
||||
|
||||
domain_use_wide_inherit_fd(rdisc_t)
|
||||
domain_use_interactive_fds(rdisc_t)
|
||||
|
||||
files_read_etc_files(rdisc_t)
|
||||
|
||||
@ -54,7 +54,7 @@ logging_send_syslog_msg(rdisc_t)
|
||||
|
||||
sysnet_read_config(rdisc_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(rdisc_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys(rdisc_t)
|
||||
|
@ -11,7 +11,7 @@ domain_obj_id_change_exemption(remote_login_t)
|
||||
domain_subj_id_change_exemption(remote_login_t)
|
||||
domain_role_change_exemption(remote_login_t)
|
||||
domain_type(remote_login_t)
|
||||
domain_wide_inherit_fd(remote_login_t)
|
||||
domain_interactive_fd(remote_login_t)
|
||||
auth_login_entry_type(remote_login_t)
|
||||
role system_r types remote_login_t;
|
||||
|
||||
|
@ -88,9 +88,9 @@ seutil_dontaudit_search_config(rlogind_t)
|
||||
|
||||
sysnet_read_config(rlogind_t)
|
||||
|
||||
userdom_setattr_unpriv_user_pty(rlogind_t)
|
||||
userdom_setattr_unpriv_users_ptys(rlogind_t)
|
||||
# cjp: this is egregious
|
||||
userdom_read_all_user_files(rlogind_t)
|
||||
userdom_read_all_users_home_files(rlogind_t)
|
||||
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
|
||||
|
@ -62,7 +62,7 @@ corenet_tcp_connect_smtp_port(roundup_t)
|
||||
# /usr/share/mysql/charsets/Index.xml
|
||||
dev_read_urand(roundup_t)
|
||||
|
||||
domain_use_wide_inherit_fd(roundup_t)
|
||||
domain_use_interactive_fds(roundup_t)
|
||||
|
||||
# /usr/share/mysql/charsets/Index.xml
|
||||
files_read_usr_files(roundup_t)
|
||||
@ -85,7 +85,7 @@ miscfiles_read_localization(roundup_t)
|
||||
|
||||
sysnet_read_config(roundup_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(roundup_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(roundup_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -25,7 +25,7 @@ template(`rpc_domain_template', `
|
||||
type $1_t;
|
||||
type $1_exec_t;
|
||||
init_daemon_domain($1_t,$1_exec_t)
|
||||
domain_use_wide_inherit_fd($1_t)
|
||||
domain_use_interactive_fds($1_t)
|
||||
|
||||
####################################
|
||||
#
|
||||
@ -93,7 +93,7 @@ template(`rpc_domain_template', `
|
||||
|
||||
sysnet_read_config($1_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd($1_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds($1_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_ttys($1_t)
|
||||
|
@ -143,9 +143,9 @@ files_read_generic_tmp_files(gssd_t)
|
||||
files_read_generic_tmp_symlinks(gssd_t)
|
||||
|
||||
tunable_policy(`allow_gssd_read_tmp',`
|
||||
userdom_list_unpriv_user_tmp(gssd_t)
|
||||
userdom_read_unpriv_user_tmp_files(gssd_t)
|
||||
userdom_read_unpriv_user_tmp_symlinks(gssd_t)
|
||||
userdom_list_unpriv_users_tmp(gssd_t)
|
||||
userdom_read_unpriv_users_tmp_files(gssd_t)
|
||||
userdom_read_unpriv_users_tmp_symlinks(gssd_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos',`
|
||||
|
@ -126,7 +126,7 @@ corenet_tcp_connect_smbd_port(samba_net_t)
|
||||
|
||||
dev_read_urand(samba_net_t)
|
||||
|
||||
domain_use_wide_inherit_fd(samba_net_t)
|
||||
domain_use_interactive_fds(samba_net_t)
|
||||
|
||||
files_read_etc_files(samba_net_t)
|
||||
|
||||
@ -258,7 +258,7 @@ term_dontaudit_use_console(smbd_t)
|
||||
auth_use_nsswitch(smbd_t)
|
||||
auth_domtrans_chk_passwd(smbd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(smbd_t)
|
||||
domain_use_interactive_fds(smbd_t)
|
||||
|
||||
files_list_var_lib(smbd_t)
|
||||
files_read_etc_files(smbd_t)
|
||||
@ -285,7 +285,7 @@ mount_send_nfs_client_request(smbd_t)
|
||||
sysnet_read_config(smbd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(smbd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(smbd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
|
||||
userdom_use_unpriv_users_fd(smbd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -397,7 +397,7 @@ fs_search_auto_mountpoints(nmbd_t)
|
||||
|
||||
term_dontaudit_use_console(nmbd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(nmbd_t)
|
||||
domain_use_interactive_fds(nmbd_t)
|
||||
|
||||
files_read_usr_files(nmbd_t)
|
||||
files_read_etc_files(nmbd_t)
|
||||
@ -416,7 +416,7 @@ miscfiles_read_localization(nmbd_t)
|
||||
sysnet_read_config(nmbd_t)
|
||||
|
||||
userdom_dontaudit_search_sysadm_home_dir(nmbd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(nmbd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
|
||||
userdom_use_unpriv_users_fd(nmbd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -512,7 +512,7 @@ logging_search_logs(smbmount_t)
|
||||
|
||||
sysnet_read_config(smbmount_t)
|
||||
|
||||
userdom_use_all_users_fd(smbmount_t)
|
||||
userdom_use_all_users_fds(smbmount_t)
|
||||
userdom_use_sysadm_ttys(smbmount_t)
|
||||
|
||||
optional_policy(`nis',`
|
||||
@ -690,7 +690,7 @@ term_dontaudit_use_console(winbind_t)
|
||||
|
||||
auth_domtrans_chk_passwd(winbind_t)
|
||||
|
||||
domain_use_wide_inherit_fd(winbind_t)
|
||||
domain_use_interactive_fds(winbind_t)
|
||||
|
||||
files_read_etc_files(winbind_t)
|
||||
|
||||
@ -707,7 +707,7 @@ miscfiles_read_localization(winbind_t)
|
||||
sysnet_read_config(winbind_t)
|
||||
sysnet_dns_name_resolve(winbind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(winbind_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(winbind_t)
|
||||
userdom_priveleged_home_dir_manager(winbind_t)
|
||||
|
||||
@ -757,7 +757,7 @@ allow winbind_helper_t winbind_t:unix_stream_socket connectto;
|
||||
|
||||
term_list_ptys(winbind_helper_t)
|
||||
|
||||
domain_use_wide_inherit_fd(winbind_helper_t)
|
||||
domain_use_interactive_fds(winbind_helper_t)
|
||||
|
||||
libs_use_ld_so(winbind_helper_t)
|
||||
libs_use_shared_libs(winbind_helper_t)
|
||||
|
@ -54,7 +54,7 @@ term_dontaudit_use_console(saslauthd_t)
|
||||
auth_domtrans_chk_passwd(saslauthd_t)
|
||||
auth_use_nsswitch(saslauthd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(saslauthd_t)
|
||||
domain_use_interactive_fds(saslauthd_t)
|
||||
|
||||
files_read_etc_files(saslauthd_t)
|
||||
files_dontaudit_read_etc_runtime_files(saslauthd_t)
|
||||
@ -78,7 +78,7 @@ seutil_dontaudit_read_config(saslauthd_t)
|
||||
|
||||
sysnet_read_config(saslauthd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(saslauthd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(saslauthd_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -67,7 +67,7 @@ term_dontaudit_use_console(sendmail_t)
|
||||
corecmd_exec_shell(sendmail_t)
|
||||
corecmd_search_sbin(sendmail_t)
|
||||
|
||||
domain_use_wide_inherit_fd(sendmail_t)
|
||||
domain_use_interactive_fds(sendmail_t)
|
||||
|
||||
files_read_etc_files(sendmail_t)
|
||||
files_search_spool(sendmail_t)
|
||||
@ -91,7 +91,7 @@ miscfiles_read_localization(sendmail_t)
|
||||
|
||||
sysnet_read_config(sendmail_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
|
||||
|
||||
mta_read_config(sendmail_t)
|
||||
|
@ -46,7 +46,7 @@ kernel_read_proc_symlinks(slrnpull_t)
|
||||
|
||||
dev_read_sysfs(slrnpull_t)
|
||||
|
||||
domain_use_wide_inherit_fd(slrnpull_t)
|
||||
domain_use_interactive_fds(slrnpull_t)
|
||||
|
||||
files_read_etc_files(slrnpull_t)
|
||||
|
||||
@ -65,7 +65,7 @@ logging_send_syslog_msg(slrnpull_t)
|
||||
|
||||
miscfiles_read_localization(slrnpull_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(slrnpull_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(slrnpull_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -55,7 +55,7 @@ corenet_udp_bind_all_nodes(fsdaemon_t)
|
||||
dev_read_sysfs(fsdaemon_t)
|
||||
|
||||
domain_exec_all_entry_files(fsdaemon_t)
|
||||
domain_use_wide_inherit_fd(fsdaemon_t)
|
||||
domain_use_interactive_fds(fsdaemon_t)
|
||||
|
||||
files_exec_etc_files(fsdaemon_t)
|
||||
files_read_etc_runtime_files(fsdaemon_t)
|
||||
@ -85,7 +85,7 @@ miscfiles_read_localization(fsdaemon_t)
|
||||
|
||||
sysnet_read_config(fsdaemon_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(fsdaemon_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fsdaemon_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -79,7 +79,7 @@ dev_read_sysfs(snmpd_t)
|
||||
dev_read_urand(snmpd_t)
|
||||
dev_read_rand(snmpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(snmpd_t)
|
||||
domain_use_interactive_fds(snmpd_t)
|
||||
domain_signull_all_domains(snmpd_t)
|
||||
domain_read_all_domains_state(snmpd_t)
|
||||
|
||||
@ -113,7 +113,7 @@ seutil_dontaudit_search_config(snmpd_t)
|
||||
|
||||
sysnet_read_config(snmpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(snmpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(snmpd_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
|
@ -54,7 +54,7 @@ template(`spamassassin_per_userdomain_template',`
|
||||
role $3 types $1_spamassassin_t;
|
||||
|
||||
type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
|
||||
userdom_home_file($1,$1_spamassassin_home_t)
|
||||
userdom_user_home_file($1,$1_spamassassin_home_t)
|
||||
files_poly_member($1_spamassassin_home_t)
|
||||
|
||||
type $1_spamassassin_tmp_t;
|
||||
@ -126,7 +126,7 @@ template(`spamassassin_per_userdomain_template',`
|
||||
corecmd_read_sbin_pipes($1_spamc_t)
|
||||
corecmd_read_sbin_sockets($1_spamc_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_spamc_t)
|
||||
domain_use_interactive_fds($1_spamc_t)
|
||||
|
||||
files_read_etc_files($1_spamc_t)
|
||||
files_read_etc_runtime_files($1_spamc_t)
|
||||
@ -242,7 +242,7 @@ template(`spamassassin_per_userdomain_template',`
|
||||
corecmd_read_sbin_pipes($1_spamassassin_t)
|
||||
corecmd_read_sbin_sockets($1_spamassassin_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_spamassassin_t)
|
||||
domain_use_interactive_fds($1_spamassassin_t)
|
||||
|
||||
files_read_etc_files($1_spamassassin_t)
|
||||
files_read_etc_runtime_files($1_spamassassin_t)
|
||||
|
@ -93,7 +93,7 @@ auth_dontaudit_read_shadow(spamd_t)
|
||||
corecmd_exec_bin(spamd_t)
|
||||
corecmd_search_sbin(spamd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(spamd_t)
|
||||
domain_use_interactive_fds(spamd_t)
|
||||
|
||||
files_read_usr_files(spamd_t)
|
||||
files_read_etc_files(spamd_t)
|
||||
@ -116,7 +116,7 @@ sysnet_read_config(spamd_t)
|
||||
sysnet_use_ldap(spamd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(spamd_t)
|
||||
userdom_search_unpriv_user_home_dirs(spamd_t)
|
||||
userdom_search_unpriv_users_home_dirs(spamd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(spamd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
|
@ -107,7 +107,7 @@ corecmd_exec_bin(squid_t)
|
||||
corecmd_exec_sbin(squid_t)
|
||||
corecmd_exec_shell(squid_t)
|
||||
|
||||
domain_use_wide_inherit_fd(squid_t)
|
||||
domain_use_interactive_fds(squid_t)
|
||||
|
||||
files_read_etc_files(squid_t)
|
||||
files_read_etc_runtime_files(squid_t)
|
||||
@ -132,7 +132,7 @@ miscfiles_read_localization(squid_t)
|
||||
sysnet_read_config(squid_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(squid_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(squid_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(squid_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(squid_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
@ -148,7 +148,7 @@ tunable_policy(`squid_connect_any',`
|
||||
optional_policy(`logrotate',`
|
||||
allow squid_t self:capability kill;
|
||||
cron_use_fd(squid_t)
|
||||
cron_use_system_job_fd(squid_t)
|
||||
cron_use_system_job_fds(squid_t)
|
||||
cron_rw_pipes(squid_t)
|
||||
cron_write_system_job_pipes(squid_t)
|
||||
')
|
||||
|
@ -47,7 +47,7 @@ template(`ssh_per_userdomain_template',`
|
||||
#
|
||||
|
||||
type $1_home_ssh_t;
|
||||
userdom_home_file($1,$1_home_ssh_t)
|
||||
userdom_user_home_file($1,$1_home_ssh_t)
|
||||
role $3 types $1_ssh_t;
|
||||
|
||||
type $1_ssh_t;
|
||||
@ -160,7 +160,7 @@ template(`ssh_per_userdomain_template',`
|
||||
corecmd_read_sbin_pipes($1_ssh_t)
|
||||
corecmd_read_sbin_sockets($1_ssh_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_ssh_t)
|
||||
domain_use_interactive_fds($1_ssh_t)
|
||||
|
||||
files_list_home($1_ssh_t)
|
||||
files_read_usr_files($1_ssh_t)
|
||||
@ -313,7 +313,7 @@ template(`ssh_per_userdomain_template',`
|
||||
corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
|
||||
corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_ssh_agent_t)
|
||||
domain_use_interactive_fds($1_ssh_agent_t)
|
||||
|
||||
files_read_etc_files($1_ssh_agent_t)
|
||||
files_read_etc_runtime_files($1_ssh_agent_t)
|
||||
@ -484,7 +484,7 @@ template(`ssh_server_template', `
|
||||
# for sshd subsystems, such as sftp-server.
|
||||
corecmd_getattr_bin_files($1_t)
|
||||
|
||||
domain_wide_inherit_fd($1_t)
|
||||
domain_interactive_fd($1_t)
|
||||
domain_subj_id_change_exemption($1_t)
|
||||
domain_role_change_exemption($1_t)
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
|
@ -112,8 +112,8 @@ ifdef(`targeted_policy',`',`
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
userdom_setattr_unpriv_user_pty(sshd_t)
|
||||
userdom_relabelto_unpriv_user_pty(sshd_t)
|
||||
userdom_setattr_unpriv_users_ptys(sshd_t)
|
||||
userdom_relabelto_unpriv_users_ptys(sshd_t)
|
||||
userdom_use_unpriv_users_ptys(sshd_t)
|
||||
')
|
||||
|
||||
@ -122,7 +122,7 @@ ifdef(`targeted_policy',`',`
|
||||
')
|
||||
|
||||
optional_policy(`rpm',`
|
||||
rpm_use_script_fd(sshd_t)
|
||||
rpm_use_script_fds(sshd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -228,7 +228,7 @@ ifdef(`targeted_policy',`',`
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
|
||||
domain_use_wide_inherit_fd(ssh_keygen_t)
|
||||
domain_use_interactive_fds(ssh_keygen_t)
|
||||
|
||||
files_read_etc_files(ssh_keygen_t)
|
||||
|
||||
@ -244,7 +244,7 @@ ifdef(`targeted_policy',`',`
|
||||
allow ssh_keygen_t proc_t:lnk_file read;
|
||||
|
||||
userdom_use_sysadm_ttys(ssh_keygen_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
|
||||
|
||||
# cjp: with the old daemon_(base_)domain being broken up into
|
||||
# a daemon and system interface, this probably is not needed:
|
||||
|
@ -89,12 +89,12 @@ ifdef(`distro_gentoo', `
|
||||
|
||||
term_dontaudit_use_console(stunnel_t)
|
||||
|
||||
domain_use_wide_inherit_fd(stunnel_t)
|
||||
domain_use_interactive_fds(stunnel_t)
|
||||
|
||||
init_use_fd(stunnel_t)
|
||||
init_use_script_ptys(stunnel_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(stunnel_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(stunnel_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
|
@ -61,7 +61,7 @@ fs_search_auto_mountpoints(tftpd_t)
|
||||
|
||||
term_dontaudit_use_console(tftpd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(tftpd_t)
|
||||
domain_use_interactive_fds(tftpd_t)
|
||||
|
||||
files_read_etc_files(tftpd_t);
|
||||
files_read_var_files(tftpd_t)
|
||||
@ -80,7 +80,7 @@ miscfiles_read_localization(tftpd_t)
|
||||
|
||||
sysnet_read_config(tftpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(tftpd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(tftpd_t)
|
||||
|
||||
|