most of patch from dan Mon, 15 May 2006 11:58:01 -0400
This commit is contained in:
parent
6c5614dca3
commit
165b42d230
@ -547,6 +547,13 @@ gen_tunable(xdm_sysadm_login,false)
|
||||
#
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow mount to mount any file
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_mount_anyfile,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow spammd to read/write user home directories.
|
||||
|
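Review bot: The `<desc>` for `allow_mount_anyfile` says "Allow mount to mount any file", but what the tunable actually switches on in mount.te (the hunk ending at L2094) is `auth_read_all_dirs_except_shadow(mount_t)` and `auth_read_all_files_except_shadow(mount_t)`, i.e. read access to nearly every file on the system whether or not it is ever mounted. This text is what an administrator sees when toggling the boolean, so it should state the real scope: `## Allow mount to read any file or directory (except shadow), presumably so that files anywhere on the system can be used as mount sources.` The trailing "spammd" desc line is context from the existing tunable and is not part of this change.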
@ -186,6 +186,7 @@ corenet_udp_bind_all_nodes(traceroute_t)
|
||||
corenet_tcp_bind_all_nodes(traceroute_t)
|
||||
# traceroute needs this but not tracepath
|
||||
corenet_raw_bind_all_nodes(traceroute_t)
|
||||
corenet_udp_bind_traceroute_port(traceroute_t)
|
||||
corenet_tcp_connect_all_ports(traceroute_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs(traceroute_t)
|
||||
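Review bot: `corenet_tcp_connect_all_ports(traceroute_t)` is the widest connect grant the corenetwork module offers, and it is added without the kind of justification the neighbouring `# traceroute needs this but not tracepath` comment gives for the raw bind. If this is for TCP-mode traceroute, which has to reach arbitrary destination ports, say so in a one-line comment, e.g. `# TCP-mode traceroute connects to arbitrary destination ports`; if only one port is needed, a specific `corenet_tcp_connect_*_port` interface would be narrower. The same unexplained all-ports grant appears for `ypbind_t` in the nis.te hunk ending at L1065.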
@ -195,6 +196,8 @@ domain_use_interactive_fds(traceroute_t)
|
||||
files_read_etc_files(traceroute_t)
|
||||
files_dontaudit_search_var(traceroute_t)
|
||||
|
||||
init_use_fds(traceroute_t)
|
||||
|
||||
libs_use_ld_so(traceroute_t)
|
||||
libs_use_shared_libs(traceroute_t)
|
||||
|
||||
|
@ -46,6 +46,7 @@ kernel_dontaudit_search_sysctl(prelink_t)
|
||||
corecmd_manage_all_executables(prelink_t)
|
||||
corecmd_relabel_all_executables(prelink_t)
|
||||
corecmd_mmap_all_executables(prelink_t)
|
||||
corecmd_read_sbin_symlinks(prelink_t)
|
||||
|
||||
dev_read_urand(prelink_t)
|
||||
|
||||
|
@ -35,4 +35,8 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(mono_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dbus_connect(mono_t)
|
||||
')
|
||||
')
|
||||
|
@ -76,6 +76,7 @@ ifdef(`targeted_policy',`
|
||||
#
|
||||
|
||||
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:sbin_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -69,9 +69,9 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
|
||||
network_port(giftd, tcp,1213,s0)
|
||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0)
|
||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(i18n_input, tcp,9010,s0)
|
||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
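Review bot: The new `tcp,8009,s0` on the http line and the twelve new hplip ports carry no comment, while the http_cache line next to them documents its unusual port (`# 8118 is for privoxy`). Labeling 8009 as http_port_t means every domain already allowed `corenet_tcp_connect_http_port` now also reaches whatever listens on 8009 (presumably a servlet container's AJP connector), so a short why-comment such as `# 8009 is AJP` on the http line, and one naming the printer protocols behind the hplip additions, would let the next reviewer judge the widening rather than guess at it.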
@ -125,6 +125,7 @@ network_port(syslogd, udp,514,s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
|
||||
network_port(traceroute, udp,64000-64010,s0)
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
|
@ -109,6 +109,10 @@ tunable_policy(`global_ssp',`
|
||||
dev_read_urand(domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
setrans_translate_context(domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
|
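Review bot: `setrans_translate_context(domain)` applies the new setrans interface to every process type, and that interface (setrans.if, section ending at L2254) contains `allow $1 self:unix_stream_socket create_stream_socket_perms;`, so the side effect here is a blanket grant of unix stream socket creation to all of `domain`, which is wider than "translate contexts". Refpolicy interfaces normally grant access only to the provider's objects and leave self permissions to the caller's own policy; drop the self rule from `setrans_translate_context` and keep `allow $1 setrans_t:unix_stream_socket connectto;` plus the setrans_var_run_t rules as the interface's whole effect. If the intent really is that every domain may create unix stream sockets, that belongs in domain.te as an explicit, commented rule rather than hidden in an interface.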
@ -181,6 +181,10 @@ allow file_type self:filesystem associate;
|
||||
fs_associate(file_type)
|
||||
fs_associate_noxattr(file_type)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
fs_associate_tmpfs(file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules for all tmp file types
|
||||
|
@ -1409,7 +1409,7 @@ interface(`kernel_read_kernel_sysctls',`
|
||||
type proc_t, sysctl_t, sysctl_kernel_t;
|
||||
')
|
||||
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:dir search_dir_perms;
|
||||
allow $1 sysctl_t:dir r_dir_perms;
|
||||
allow $1 sysctl_kernel_t:dir r_dir_perms;
|
||||
allow $1 sysctl_kernel_t:file r_file_perms;
|
||||
|
@ -57,9 +57,11 @@ attribute mlsrangetrans;
|
||||
#
|
||||
|
||||
type lvm_exec_t;
|
||||
type setrans_exec_t;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
range_transition initrc_t auditd_exec_t s15:c0.c255;
|
||||
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
|
||||
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
|
||||
range_transition initrc_t setrans_exec_t s15:c0.c255;
|
||||
')
|
||||
|
@ -427,11 +427,6 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_tcp_connect(web_client_domain, httpd_t)
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache helper local policy
|
||||
@ -667,6 +662,10 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
|
@ -222,6 +222,8 @@ ifdef(`targeted_policy',`
|
||||
|
||||
optional_policy(`
|
||||
xserver_stream_connect_xdm(bluetooth_helper_t)
|
||||
xserver_use_xdm_fds(bluetooth_helper_t)
|
||||
xserver_rw_xdm_pipes(bluetooth_helper_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,8 @@
|
||||
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
|
||||
|
||||
|
||||
/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
|
||||
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
|
||||
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
|
||||
|
||||
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
|
||||
|
@ -61,3 +61,26 @@ interface(`clamav_read_config',`
|
||||
files_search_etc($1)
|
||||
allow $1 clamd_etc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run clamscan.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`clamav_domtrans_clamscan',`
|
||||
gen_require(`
|
||||
type clamscan_t, clamscan_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,clamscan_exec_t,clamscan_t)
|
||||
|
||||
allow clamscan_t $1:fd use;
|
||||
allow clamscan_t $1:fifo_file rw_file_perms;
|
||||
allow clamscan_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
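Review bot: `clamav_domtrans_clamscan` never grants `$1` search on the bin directory, yet clamscan is labeled under /usr/bin in the clamav.fc hunk ending at L471, so a caller that does not already have `corecmd_search_bin` fails on path lookup before the transition is ever attempted; `inn_domtrans` in this same commit does it right with `corecmd_search_bin($1)` ahead of `domain_auto_trans`. Add `corecmd_search_bin($1)` immediately before `domain_auto_trans($1,clamscan_exec_t,clamscan_t)`. `cvs_exec` (hunk ending at L769) and `logging_domtrans_auditd` (hunk ending at L2024; use the sbin or bin variant depending on where auditd is labeled, which this diff does not show) have the same gap, while `pyzor_exec` in the context at L1120 shows the expected shape.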
@ -35,6 +35,10 @@ files_type(clamd_var_lib_t)
|
||||
type clamd_var_run_t;
|
||||
files_pid_file(clamd_var_run_t)
|
||||
|
||||
type clamscan_t;
|
||||
type clamscan_exec_t;
|
||||
init_daemon_domain(clamscan_t, clamscan_exec_t)
|
||||
|
||||
type freshclam_t;
|
||||
type freshclam_exec_t;
|
||||
init_daemon_domain(freshclam_t, freshclam_exec_t)
|
||||
@ -193,3 +197,42 @@ clamav_stream_connect(freshclam_t)
|
||||
cron_use_fds(freshclam_t)
|
||||
cron_use_system_job_fds(freshclam_t)
|
||||
cron_rw_pipes(freshclam_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# clamscam local policy
|
||||
#
|
||||
|
||||
allow clamscan_t self:capability { setgid setuid dac_override };
|
||||
allow clamscan_t self:fifo_file rw_file_perms;
|
||||
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow clamscan_t self:unix_dgram_socket create_socket_perms;
|
||||
allow clamscan_t self:tcp_socket { listen accept };
|
||||
|
||||
# configuration files
|
||||
allow clamscan_t clamd_etc_t:dir r_dir_perms;
|
||||
allow clamscan_t clamd_etc_t:file r_file_perms;
|
||||
allow clamscan_t clamd_etc_t:lnk_file { getattr read };
|
||||
|
||||
# var/lib files together with clamd
|
||||
allow clamscan_t clamd_var_lib_t:file r_file_perms;
|
||||
allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
|
||||
allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(clamscan_t)
|
||||
|
||||
files_read_etc_files(clamscan_t)
|
||||
files_read_etc_runtime_files(clamscan_t)
|
||||
files_search_var_lib(clamscan_t)
|
||||
|
||||
libs_use_ld_so(clamscan_t)
|
||||
libs_use_shared_libs(clamscan_t)
|
||||
|
||||
miscfiles_read_localization(clamscan_t)
|
||||
miscfiles_read_public_files(clamscan_t)
|
||||
|
||||
clamav_stream_connect(clamscan_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_read_sys_content(clamscan_t)
|
||||
')
|
||||
|
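Review bot: `allow clamscan_t self:tcp_socket { listen accept };` grants listen and accept without create or bind, so the rule cannot be exercised as written and reads like a transcription of denial output; either complete it (`create_stream_socket_perms`) if clamscan really serves TCP connections, or drop it. The section header `# clamscam local policy` should be `# clamscan local policy`. Because `httpd_sys_script_t` now transitions into this domain (apache.te hunk ending at L420), the `setgid setuid dac_override` capabilities deserve a why-comment next to the allow, e.g. `# dac_override: the scanner must read files regardless of DAC mode bits`, so that the DAC bypass reachable from CGI scripts is a documented decision rather than an accident.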
@ -17,3 +17,23 @@ interface(`cvs_read_data',`
|
||||
|
||||
allow $1 cvs_data_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to execute cvs
|
||||
## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cvs_exec',`
|
||||
gen_require(`
|
||||
type cvs_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,cvs_exec_t)
|
||||
')
|
||||
|
||||
|
@ -98,6 +98,9 @@ files_read_etc_files(dovecot_t)
|
||||
files_search_spool(dovecot_t)
|
||||
files_search_tmp(dovecot_t)
|
||||
files_dontaudit_list_default(dovecot_t)
|
||||
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
|
||||
files_read_etc_runtime_files(dovecot_t)
|
||||
files_getattr_all_mountpoints(dovecot_t)
|
||||
|
||||
init_use_fds(dovecot_t)
|
||||
init_use_script_ptys(dovecot_t)
|
||||
|
@ -143,6 +143,8 @@ tunable_policy(`allow_ftpd_anon_write',`
|
||||
')
|
||||
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
allow ftpd_t self:capability { dac_override dac_read_search };
|
||||
|
||||
# allow access to /home
|
||||
files_list_home(ftpd_t)
|
||||
userdom_read_all_users_home_content_files(ftpd_t)
|
||||
|
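Review bot: Inside `tunable_policy(\`ftp_home_dir'` the new `allow ftpd_t self:capability { dac_override dac_read_search };` grants full DAC bypass, not just the read/search bypass, and nothing in the hunk says why. If ftpd switches to the logged-in user's uid before touching the home directory, `dac_read_search` alone (or neither) should suffice for the `files_list_home`/`userdom_read_all_users_home_content_files` access that follows; if `dac_override` is needed for some write path, a one-line comment naming it would keep this from being widened further later. The enclosing tunable_policy block continues past the hunk.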
@ -51,9 +51,6 @@ kernel_read_fs_sysctls(hald_t)
|
||||
kernel_rw_vm_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
files_search_boot(hald_t)
|
||||
files_getattr_home_dir(hald_t)
|
||||
|
||||
auth_read_pam_console_data(hald_t)
|
||||
|
||||
corecmd_exec_all_executables(hald_t)
|
||||
@ -95,7 +92,7 @@ files_search_var_lib(hald_t)
|
||||
files_read_usr_files(hald_t)
|
||||
# hal is now execing pm-suspend
|
||||
files_create_boot_flag(hald_t)
|
||||
files_getattr_default_dirs(hald_t)
|
||||
files_getattr_all_dirs(hald_t)
|
||||
|
||||
fs_getattr_all_fs(hald_t)
|
||||
fs_search_all(hald_t)
|
||||
@ -154,7 +151,6 @@ ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
files_dontaudit_read_root_files(hald_t)
|
||||
files_dontaudit_getattr_home_dir(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -163,10 +159,6 @@ optional_policy(`
|
||||
apm_stream_connect(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
automount_dontaudit_getattr_tmp_dirs(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bind_search_cache(hald_t)
|
||||
')
|
||||
|
@ -16,7 +16,7 @@ interface(`inn_exec',`
|
||||
type innd_t;
|
||||
')
|
||||
|
||||
can_exec($1,innd_t)
|
||||
can_exec($1,innd_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
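Review bot: The fixed line `can_exec($1,innd_exec_t)` now references `innd_exec_t`, but the `gen_require` block above it still lists only `type innd_t;` (context line), so the interface requires a type it no longer uses and omits the one it does; when the inn module is not loaded the reference to `innd_exec_t` is unresolved. Change the require to `type innd_exec_t;`. The `gen_require(` opening line is outside the hunk.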
@ -156,3 +156,28 @@ interface(`inn_dgram_send',`
|
||||
|
||||
allow $1 innd_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute inn in the inn domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`inn_domtrans',`
|
||||
gen_require(`
|
||||
type innd_t, innd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,innd_exec_t,innd_t)
|
||||
|
||||
allow innd_t $1:fd use;
|
||||
allow innd_t $1:fifo_file rw_file_perms;
|
||||
allow innd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
@ -87,6 +87,7 @@ corenet_tcp_bind_generic_port(ypbind_t)
|
||||
corenet_udp_bind_generic_port(ypbind_t)
|
||||
corenet_tcp_bind_reserved_port(ypbind_t)
|
||||
corenet_udp_bind_reserved_port(ypbind_t)
|
||||
corenet_tcp_bind_all_rpc_ports(ypbind_t)
|
||||
corenet_tcp_connect_all_ports(ypbind_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
|
||||
|
@ -32,6 +32,7 @@ files_pid_file(postgresql_var_run_t)
|
||||
# postgresql Local policy
|
||||
#
|
||||
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
|
||||
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
||||
allow postgresql_t self:process signal_perms;
|
||||
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
||||
allow postgresql_t self:file { getattr read };
|
||||
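Review bot: The relocated `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };` is a no-op, because the `allow postgresql_t self:capability { ... sys_tty_config sys_admin };` two lines above it (context) already grants both capabilities and dontaudit only suppresses denials. Either the intent is to stop granting them, in which case remove `sys_tty_config sys_admin` from the allow line so the dontaudit does its job, or the intent is to keep them, in which case the dontaudit should be deleted rather than moved. The hunk ending at L1116 only removes the old copy of the same line.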
@ -41,7 +42,7 @@ allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:udp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
||||
allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow postgresql_t postgresql_db_t:dir create_dir_perms;
|
||||
allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
|
||||
|
@ -44,3 +44,37 @@ interface(`pyzor_exec',`
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1,pyzor_exec_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the pyzor module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template allows pyzor to manage files in
|
||||
## a user home directory, creating files with the
|
||||
## correct type.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`pyzor_per_userdomain_template',`
|
||||
type $1_pyzor_home_t;
|
||||
userdom_user_home_content($1,$1_pyzor_home_t)
|
||||
|
||||
allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
|
||||
allow pyzord_t $1_pyzor_home_t:file create_file_perms;
|
||||
allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
|
||||
userdom_search_user_home_dirs($1,pyzord_t)
|
||||
userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
|
||||
')
|
||||
|
@ -99,8 +99,6 @@ libs_use_shared_libs(pyzord_t)
|
||||
|
||||
miscfiles_read_localization(pyzord_t)
|
||||
|
||||
# only works until we define a different type for maildir
|
||||
userdom_priveleged_home_dir_manager(pyzord_t)
|
||||
# Do not audit attempts to access /root.
|
||||
userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
|
||||
userdom_dontaudit_search_staff_home_dirs(pyzord_t)
|
||||
|
@ -83,7 +83,7 @@ optional_policy(`
|
||||
# NFSD local policy
|
||||
#
|
||||
|
||||
allow nfsd_t self:capability { sys_admin sys_resource };
|
||||
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
||||
|
||||
allow nfsd_t exports_t:file { getattr read };
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
|
||||
|
@ -73,6 +73,7 @@ ifdef(`targeted_policy',`
|
||||
ifdef(`strict_policy',`
|
||||
# so a tunnel can point to another ssh tunnel
|
||||
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
|
||||
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow sshd_t sshd_tmp_t:dir create_dir_perms;
|
||||
allow sshd_t sshd_tmp_t:file create_file_perms;
|
||||
|
@ -747,6 +747,42 @@ interface(`xserver_rw_console',`
|
||||
allow $1 xconsole_device_t:fifo_file { getattr read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use file descriptors for xdm.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_use_xdm_fds',`
|
||||
gen_require(`
|
||||
type xdm_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write XDM unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xserver_rw_xdm_pipes',`
|
||||
gen_require(`
|
||||
type xdm_t;
|
||||
')
|
||||
|
||||
allow $1 xdm_t:fifo_file { getattr read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to XDM over a unix domain
|
||||
|
@ -770,6 +770,25 @@ interface(`init_stream_connect_script',`
|
||||
allow $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read/write to
|
||||
## init scripts with a unix domain stream sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_rw_script_stream_sockets',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
allow $1 initrc_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dont audit the specified domain connecting to
|
||||
|
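Review bot: The summary of `init_rw_script_stream_sockets` does not describe the rule it documents: `allow $1 initrc_t:unix_stream_socket { read write };` is read/write on init scripts' unix stream sockets, not "read/write to init scripts with a unix domain stream sockets". Replace the two summary lines with `## Read and write the unix domain stream sockets` / `## of init scripts.` so that callers know this does not permit connecting (that is `init_stream_connect_script` above).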
@ -40,6 +40,8 @@ ifdef(`distro_redhat',`
|
||||
/opt/(.*/)?lib64/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/opt/netscape/plugins/libflashplayer.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -55,6 +57,7 @@ ifdef(`distro_gentoo',`
|
||||
# /usr
|
||||
#
|
||||
/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?/RealPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(.*/)?java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
@ -73,6 +76,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
|
||||
/usr/lib(64)?/xulrunner-[^/]*/libxul.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ati-fglrx/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -81,9 +85,9 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
|
||||
/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -121,6 +125,7 @@ ifdef(`distro_redhat',`
|
||||
/usr/lib(64)?/helix/codecs/colorcvt\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/codecs/cvt1\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xorg/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/modules/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/dri/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -172,9 +177,9 @@ ifdef(`distro_redhat',`
|
||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavformat-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavcodec-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavutil-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -183,6 +188,7 @@ ifdef(`distro_redhat',`
|
||||
# Flash plugin, Macromedia
|
||||
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Jai, Sun Microsystems (Jpackage SPRM)
|
||||
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -197,8 +203,11 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textre
|
||||
# Java, Sun Microsystems (JPackage SRPM)
|
||||
/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
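Review bot: `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` uses a shell-style `/*`, which in a file_contexts regex means "zero or more slashes" and therefore matches the `sidecars` directory name itself and nothing inside it. Write `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/[^/]* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` (or `/.*` if subdirectories are intended). Since textrel_shlib_t is what allows text relocations, keeping the pattern as narrow as the real layout permits matters here.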
@ -96,6 +96,98 @@ interface(`logging_run_auditctl',`
|
||||
allow auditctl_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute auditd in the auditd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_domtrans_auditd',`
|
||||
gen_require(`
|
||||
type auditd_t, auditd_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,auditd_exec_t,auditd_t)
|
||||
|
||||
allow auditd_t $1:fd use;
|
||||
allow auditd_t $1:fifo_file rw_file_perms;
|
||||
allow auditd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute auditd in the auditd domain, and
|
||||
## allow the specified role the auditd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the auditd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the auditd domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_run_auditd',`
|
||||
gen_require(`
|
||||
type auditd_t;
|
||||
')
|
||||
|
||||
logging_domtrans_auditd($1)
|
||||
role $2 types auditd_t;
|
||||
allow auditd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the auditd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_manage_audit_config',`
|
||||
gen_require(`
|
||||
type auditd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 auditd_etc_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the audit log.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_manage_audit_log',`
|
||||
gen_require(`
|
||||
type auditd_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 auditd_log_t:dir create_dir_perms;
|
||||
allow $1 auditd_log_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute syslogd in the syslog domain.
|
||||
|
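Review bot: `logging_manage_audit_config` grants `create_file_perms` on `auditd_etc_t:file` but no directory permission, so a caller can rewrite existing config files yet cannot create or unlink one, which is not what "manage" promises; `logging_manage_audit_log` right below it does grant `create_dir_perms` on the directory. Either add `allow $1 auditd_etc_t:dir rw_dir_perms;` after the files_search_etc line or reword the summary to "Read and write the auditd configuration files". Both interfaces would also benefit from a sentence noting that the permission set includes unlink, so a domain given `logging_manage_audit_log` can delete audit history and should be granted it sparingly.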
@ -72,6 +72,10 @@ allow auditctl_t etc_t:file { getattr read };
|
||||
|
||||
allow auditctl_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
# Needed for adding watches
|
||||
files_getattr_all_dirs(auditctl_t)
|
||||
files_read_etc_files(auditctl_t)
|
||||
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
kernel_read_proc_symlinks(auditctl_t)
|
||||
|
||||
|
@ -110,6 +110,13 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`allow_mount_anyfile',`
|
||||
auth_read_all_dirs_except_shadow(mount_t)
|
||||
auth_read_all_files_except_shadow(mount_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for nfs
|
||||
corenet_non_ipsec_sendrecv(mount_t)
|
||||
|
@ -551,6 +551,8 @@ libs_use_ld_so(semanage_t)
|
||||
libs_use_shared_libs(semanage_t)
|
||||
libs_use_lib_files(semanage_t)
|
||||
|
||||
miscfiles_read_localization(semanage_t)
|
||||
|
||||
seutil_search_default_contexts(semanage_t)
|
||||
seutil_manage_file_contexts(semanage_t)
|
||||
seutil_manage_selinux_config(semanage_t)
|
||||
@ -563,6 +565,12 @@ seutil_manage_module_store(semanage_t)
|
||||
seutil_get_semanage_trans_lock(semanage_t)
|
||||
seutil_get_semanage_read_lock(semanage_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# Handle pp files created in homedir and /tmp
|
||||
files_read_generic_tmp_files(semanage_t)
|
||||
userdom_read_generic_user_home_content_files(semanage_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(semanage_t)
|
||||
')
|
||||
|
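--- a/refpolicy/policy/modules/system/setrans.fc
+++ b/refpolicy/policy/modules/system/setrans.fc
@@ -0,0 +1,3 @@
+/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
+/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)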
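--- a/refpolicy/policy/modules/system/setrans.if
+++ b/refpolicy/policy/modules/system/setrans.if
@@ -0,0 +1,25 @@
+## <summary>SELinux MLS/MCS label translation service.</summary>
+
+#######################################
+## <summary>
+## Allow a domain to translate contexts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`setrans_translate_context',`
+gen_require(`
+type setrans_t, setrans_var_run_t;
+')
+
+allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+allow $1 setrans_t:unix_stream_socket connectto;
+allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
+allow $1 setrans_var_run_t:sock_file rw_file_perms;
+allow $1 setrans_var_run_t:dir search_dir_perms;
+files_list_pids($1)
+')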
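--- a/refpolicy/policy/modules/system/setrans.te
+++ b/refpolicy/policy/modules/system/setrans.te
@@ -0,0 +1,68 @@
+
+policy_module(setrans,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type setrans_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+type setrans_exec_t;
+')
+init_daemon_domain(setrans_t, setrans_exec_t)
+
+type setrans_var_run_t;
+files_pid_file(setrans_var_run_t)
+mls_trusted_object(setrans_var_run_t)
+
+########################################
+#
+# setrans local policy
+#
+
+allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:unix_stream_socket create_stream_socket_perms;
+allow setrans_t self:unix_dgram_socket create_socket_perms;
+allow setrans_t self:netlink_selinux_socket create_socket_perms;
+
+can_exec(setrans_t, setrans_exec_t)
+corecmd_search_sbin(setrans_t)
+
+# create unix domain socket in /var
+allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
+allow setrans_t setrans_var_run_t:file manage_file_perms;
+allow setrans_t setrans_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(setrans_t,setrans_var_run_t,file)
+
+kernel_read_kernel_sysctls(setrans_t)
+kernel_read_proc_symlinks(setrans_t)
+
+# allow performing getpidcon() on all processes
+domain_read_all_domains_state(setrans_t)
+domain_getattr_all_domains(setrans_t)
+domain_getsession_all_domains(setrans_t)
+
+files_read_etc_runtime_files(setrans_t)
+
+mls_file_read_up(setrans_t)
+mls_file_write_down(setrans_t)
+mls_net_receive_all_levels(setrans_t)
+mls_rangetrans_target(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+term_dontaudit_use_generic_ptys(setrans_t)
+
+init_use_fds(setrans_t)
+
+libs_use_ld_so(setrans_t)
+libs_use_shared_libs(setrans_t)
+
+logging_send_syslog_msg(setrans_t)
+
+miscfiles_read_localization(setrans_t)
+
+seutil_read_config(setrans_t)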
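Review bot: `files_pid_filetrans(setrans_t,setrans_var_run_t,file)` only relabels objects of class file, while the rules just above it expect sock_file and dir objects of setrans_var_run_t and the .fc in this commit labels `/var/run/setrans(/.*)?` at s15:c0.c255; `rw_dir_perms` on the dir also does not include create. If mcstransd creates `/var/run/setrans` or its socket itself at startup, those objects would be created as the parent's type and the setrans_var_run_t sock_file/dir rules would never apply, so either extend to `files_pid_filetrans(setrans_t,setrans_var_run_t,{ file sock_file dir })` or, if the directory is pre-created and labeled by packaging, say so in the `# create unix domain socket in /var` comment. The comment also says /var where the .fc says /var/run.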
@ -291,6 +291,8 @@ kernel_rw_net_sysctls(ifconfig_t)
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
dev_read_sysfs(ifconfig_t)
|
||||
# for IPSEC setup:
|
||||
dev_read_urand(ifconfig_t)
|
||||
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
@ -431,3 +431,23 @@ interface(`unconfined_alias_domain',`
|
||||
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to the the unconfined DBUS
|
||||
## for service (acquire_svc).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_dbus_connect',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
class dbus acquire_svc;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:dbus acquire_svc;
|
||||
')
|
||||
|
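Review bot: The summary of `unconfined_dbus_connect` has a doubled word, `## Connect to the the unconfined DBUS`, and does not say what `acquire_svc` means for the caller. Suggested wording: `## Acquire a service name on the unconfined` / `## domain's DBUS (acquire_svc).` The interface grants nothing else, so the summary can be that precise; the `class dbus acquire_svc;` require is correct for a class that may be absent from older policies.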
@ -98,6 +98,10 @@ ifdef(`targeted_policy',`
|
||||
firstboot_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
inn_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans(unconfined_t)
|
||||
')
|
||||
@ -114,6 +118,10 @@ ifdef(`targeted_policy',`
|
||||
mono_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
prelink_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
portmap_domtrans_helper(unconfined_t)
|
||||
')
|
||||
|
@ -4262,6 +4262,27 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
|
||||
allow $1 user_home_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in generic user home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_generic_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_t, user_home_dir_t;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
allow $1 user_home_t:dir r_dir_perms;
|
||||
allow $1 user_home_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
|
@ -106,7 +106,6 @@ ifdef(`targeted_policy',`
|
||||
ifdef(`enable_mls',`
|
||||
allow secadm_r system_r;
|
||||
allow secadm_r user_r;
|
||||
allow user_r secadm_r;
|
||||
allow staff_r secadm_r;
|
||||
')
|
||||
|
||||
@ -130,6 +129,7 @@ ifdef(`targeted_policy',`
|
||||
admin_user_template(secadm)
|
||||
role_change(staff,secadm)
|
||||
role_change(sysadm,secadm)
|
||||
role_change(secadm,sysadm)
|
||||
')
|
||||
|
||||
# this should be tunable_policy, but
|
||||
@ -239,6 +239,10 @@ ifdef(`targeted_policy',`
|
||||
certwatach_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cvs_exec(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(sysadm_t)
|
||||
|
||||
@ -384,6 +388,10 @@ ifdef(`targeted_policy',`
|
||||
rpm_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rsync_exec(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_run_net(sysadm_t,sysadm_r,admin_terminal)
|
||||
samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||
|