more fixes
This commit is contained in:
parent
43989f82f8
commit
19b5555f77
@ -46,9 +46,10 @@ network_port(amavisd_recv, tcp,10024,s0)
|
|||||||
network_port(amavisd_send, tcp,10025,s0)
|
network_port(amavisd_send, tcp,10025,s0)
|
||||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||||
network_port(auth, tcp,113,s0)
|
network_port(auth, tcp,113,s0)
|
||||||
dnl network_port(biff) # no defined portcon in current strict
|
type biff_port_t, port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||||
network_port(clamd, tcp,3310,s0)
|
network_port(clamd, tcp,3310,s0)
|
||||||
network_port(clockspeed, udp,4041,s0)
|
network_port(clockspeed, udp,4041,s0)
|
||||||
|
network_port(comsat, udp,512,s0)
|
||||||
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||||
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
network_port(dcc, udp,6276,s0, udp,6277,s0)
|
||||||
network_port(dbskkd, tcp,1178,s0)
|
network_port(dbskkd, tcp,1178,s0)
|
||||||
@ -66,7 +67,7 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8
|
|||||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
|
||||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||||
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
|
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
|
||||||
dnl network_port(i18n_input) # no defined portcon in current strict
|
type i18n_input_t, port_type; dnl network_port(i18n_input) # no defined portcon in current strict
|
||||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||||
network_port(innd, tcp,119,s0)
|
network_port(innd, tcp,119,s0)
|
||||||
@ -109,7 +110,7 @@ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
|||||||
network_port(spamd, tcp,783,s0)
|
network_port(spamd, tcp,783,s0)
|
||||||
network_port(ssh, tcp,22,s0)
|
network_port(ssh, tcp,22,s0)
|
||||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
||||||
dnl network_port(stunnel) # no defined portcon in current strict
|
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||||
network_port(swat, tcp,901,s0)
|
network_port(swat, tcp,901,s0)
|
||||||
network_port(syslogd, udp,514,s0)
|
network_port(syslogd, udp,514,s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
|
@ -48,6 +48,10 @@ type capifs_t, filesystem_type;
|
|||||||
allow capifs_t self:filesystem associate;
|
allow capifs_t self:filesystem associate;
|
||||||
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
||||||
|
|
||||||
|
type configfs_t, filesystem_type;
|
||||||
|
allow configfs_t self:filesystem associate;
|
||||||
|
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
|
||||||
|
|
||||||
type eventpollfs_t, filesystem_type;
|
type eventpollfs_t, filesystem_type;
|
||||||
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
|
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
|
||||||
|
|
||||||
|
@ -254,9 +254,9 @@ optional_policy(`rpc.te',`
|
|||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
auth_read_all_dirs_except_shadow(kernel_t)
|
# auth_read_all_dirs_except_shadow(kernel_t)
|
||||||
auth_read_all_files_except_shadow(kernel_t)
|
# auth_read_all_files_except_shadow(kernel_t)
|
||||||
auth_read_all_symlinks_except_shadow(kernel_t)
|
# auth_read_all_symlinks_except_shadow(kernel_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_rw',`
|
tunable_policy(`nfs_export_all_rw',`
|
||||||
@ -264,7 +264,7 @@ optional_policy(`rpc.te',`
|
|||||||
fs_read_noxattr_fs_files(kernel_t)
|
fs_read_noxattr_fs_files(kernel_t)
|
||||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||||
|
|
||||||
auth_manage_all_files_except_shadow(kernel_t)
|
# auth_manage_all_files_except_shadow(kernel_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -21,6 +21,9 @@ domain_type(bluetooth_helper_t)
|
|||||||
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
|
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
|
||||||
role system_r types bluetooth_helper_t;
|
role system_r types bluetooth_helper_t;
|
||||||
|
|
||||||
|
type bluetooth_helper_tmp_t;
|
||||||
|
files_tmp_file(bluetooth_helper_tmp_t)
|
||||||
|
|
||||||
type bluetooth_lock_t;
|
type bluetooth_lock_t;
|
||||||
files_lock_file(bluetooth_lock_t)
|
files_lock_file(bluetooth_lock_t)
|
||||||
|
|
||||||
@ -168,9 +171,15 @@ allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms co
|
|||||||
|
|
||||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||||
|
|
||||||
|
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
|
||||||
|
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
|
||||||
|
files_create_tmp_files(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(bluetooth_helper_t)
|
kernel_read_system_state(bluetooth_helper_t)
|
||||||
kernel_read_kernel_sysctl(bluetooth_helper_t)
|
kernel_read_kernel_sysctl(bluetooth_helper_t)
|
||||||
|
|
||||||
|
dev_read_urand(bluetooth_helper_t)
|
||||||
|
|
||||||
term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
|
term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
|
||||||
|
|
||||||
corecmd_exec_bin(bluetooth_helper_t)
|
corecmd_exec_bin(bluetooth_helper_t)
|
||||||
|
@ -204,214 +204,215 @@ allow crond_t user_home_dir_type:dir r_dir_perms;
|
|||||||
#
|
#
|
||||||
# System cron process domain
|
# System cron process domain
|
||||||
#
|
#
|
||||||
|
ifdef(`targeted_policy',`',`
|
||||||
|
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
||||||
|
allow system_crond_t self:process { signal_perms setsched };
|
||||||
|
allow system_crond_t self:fifo_file rw_file_perms;
|
||||||
|
allow system_crond_t self:passwd rootok;
|
||||||
|
|
||||||
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
# The entrypoint interface is not used as this is not
|
||||||
allow system_crond_t self:process { signal_perms setsched };
|
# a regular entrypoint. Since crontab files are
|
||||||
allow system_crond_t self:fifo_file rw_file_perms;
|
# not directly executed, crond must ensure that
|
||||||
allow system_crond_t self:passwd rootok;
|
# the crontab file has a type that is appropriate
|
||||||
|
# for the domain of the user cron job. It
|
||||||
|
# performs an entrypoint permission check
|
||||||
|
# for this purpose.
|
||||||
|
allow system_crond_t system_cron_spool_t:file entrypoint;
|
||||||
|
|
||||||
# The entrypoint interface is not used as this is not
|
allow system_crond_t system_cron_spool_t:file r_file_perms;
|
||||||
# a regular entrypoint. Since crontab files are
|
|
||||||
# not directly executed, crond must ensure that
|
|
||||||
# the crontab file has a type that is appropriate
|
|
||||||
# for the domain of the user cron job. It
|
|
||||||
# performs an entrypoint permission check
|
|
||||||
# for this purpose.
|
|
||||||
allow system_crond_t system_cron_spool_t:file entrypoint;
|
|
||||||
|
|
||||||
allow system_crond_t system_cron_spool_t:file r_file_perms;
|
# Permit a transition from the crond_t domain to this domain.
|
||||||
|
# The transition is requested explicitly by the modified crond
|
||||||
|
# via setexeccon. There is no way to set up an automatic
|
||||||
|
# transition, since crontabs are configuration files, not executables.
|
||||||
|
allow crond_t system_crond_t:process transition;
|
||||||
|
dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
|
||||||
|
allow crond_t system_crond_t:fd use;
|
||||||
|
allow system_crond_t crond_t:fd use;
|
||||||
|
allow system_crond_t crond_t:fifo_file rw_file_perms;
|
||||||
|
allow system_crond_t crond_t:process sigchld;
|
||||||
|
|
||||||
# Permit a transition from the crond_t domain to this domain.
|
# Write /var/lock/makewhatis.lock.
|
||||||
# The transition is requested explicitly by the modified crond
|
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||||
# via setexeccon. There is no way to set up an automatic
|
files_create_lock(system_crond_t,system_crond_lock_t)
|
||||||
# transition, since crontabs are configuration files, not executables.
|
|
||||||
allow crond_t system_crond_t:process transition;
|
|
||||||
dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
|
|
||||||
allow crond_t system_crond_t:fd use;
|
|
||||||
allow system_crond_t crond_t:fd use;
|
|
||||||
allow system_crond_t crond_t:fifo_file rw_file_perms;
|
|
||||||
allow system_crond_t crond_t:process sigchld;
|
|
||||||
|
|
||||||
# Write /var/lock/makewhatis.lock.
|
# write temporary files
|
||||||
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||||
files_create_lock(system_crond_t,system_crond_lock_t)
|
files_create_tmp_files(system_crond_t,system_crond_tmp_t)
|
||||||
|
|
||||||
# write temporary files
|
# write temporary files in crond tmp dir:
|
||||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
||||||
files_create_tmp_files(system_crond_t,system_crond_tmp_t)
|
type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
|
||||||
|
|
||||||
# write temporary files in crond tmp dir:
|
# Read from /var/spool/cron.
|
||||||
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
allow system_crond_t cron_spool_t:dir r_dir_perms;
|
||||||
type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;
|
allow system_crond_t cron_spool_t:file r_file_perms;
|
||||||
|
|
||||||
# Read from /var/spool/cron.
|
kernel_read_kernel_sysctl(system_crond_t)
|
||||||
allow system_crond_t cron_spool_t:dir r_dir_perms;
|
kernel_read_system_state(system_crond_t)
|
||||||
allow system_crond_t cron_spool_t:file r_file_perms;
|
kernel_read_software_raid_state(system_crond_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctl(system_crond_t)
|
# ps does not need to access /boot when run from cron
|
||||||
kernel_read_system_state(system_crond_t)
|
bootloader_dontaudit_search_boot(system_crond_t)
|
||||||
kernel_read_software_raid_state(system_crond_t)
|
|
||||||
|
|
||||||
# ps does not need to access /boot when run from cron
|
corenet_tcp_sendrecv_all_if(system_crond_t)
|
||||||
bootloader_dontaudit_search_boot(system_crond_t)
|
corenet_raw_sendrecv_all_if(system_crond_t)
|
||||||
|
corenet_udp_sendrecv_all_if(system_crond_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(system_crond_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(system_crond_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(system_crond_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(system_crond_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(system_crond_t)
|
||||||
|
corenet_tcp_bind_all_nodes(system_crond_t)
|
||||||
|
corenet_udp_bind_all_nodes(system_crond_t)
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(system_crond_t)
|
dev_getattr_all_blk_files(system_crond_t)
|
||||||
corenet_raw_sendrecv_all_if(system_crond_t)
|
dev_getattr_all_chr_files(system_crond_t)
|
||||||
corenet_udp_sendrecv_all_if(system_crond_t)
|
dev_read_urand(system_crond_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(system_crond_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes(system_crond_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(system_crond_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(system_crond_t)
|
|
||||||
corenet_udp_sendrecv_all_ports(system_crond_t)
|
|
||||||
corenet_tcp_bind_all_nodes(system_crond_t)
|
|
||||||
corenet_udp_bind_all_nodes(system_crond_t)
|
|
||||||
|
|
||||||
dev_getattr_all_blk_files(system_crond_t)
|
fs_getattr_all_fs(system_crond_t)
|
||||||
dev_getattr_all_chr_files(system_crond_t)
|
fs_getattr_all_files(system_crond_t)
|
||||||
dev_read_urand(system_crond_t)
|
fs_getattr_all_symlinks(system_crond_t)
|
||||||
|
fs_getattr_all_pipes(system_crond_t)
|
||||||
|
fs_getattr_all_sockets(system_crond_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(system_crond_t)
|
corecmd_exec_bin(system_crond_t)
|
||||||
fs_getattr_all_files(system_crond_t)
|
corecmd_exec_sbin(system_crond_t)
|
||||||
fs_getattr_all_symlinks(system_crond_t)
|
|
||||||
fs_getattr_all_pipes(system_crond_t)
|
|
||||||
fs_getattr_all_sockets(system_crond_t)
|
|
||||||
|
|
||||||
corecmd_exec_bin(system_crond_t)
|
domain_exec_all_entry_files(system_crond_t)
|
||||||
corecmd_exec_sbin(system_crond_t)
|
# quiet other ps operations
|
||||||
|
domain_dontaudit_read_all_domains_state(system_crond_t)
|
||||||
|
|
||||||
domain_exec_all_entry_files(system_crond_t)
|
files_exec_etc_files(system_crond_t)
|
||||||
# quiet other ps operations
|
files_read_etc_files(system_crond_t)
|
||||||
domain_dontaudit_read_all_domains_state(system_crond_t)
|
files_read_etc_runtime_files(system_crond_t)
|
||||||
|
files_list_all_dirs(system_crond_t)
|
||||||
|
files_getattr_all_dirs(system_crond_t)
|
||||||
|
files_getattr_all_files(system_crond_t)
|
||||||
|
files_getattr_all_symlinks(system_crond_t)
|
||||||
|
files_getattr_all_pipes(system_crond_t)
|
||||||
|
files_getattr_all_sockets(system_crond_t)
|
||||||
|
files_read_usr_files(system_crond_t)
|
||||||
|
files_read_var_files(system_crond_t)
|
||||||
|
# for nscd:
|
||||||
|
files_dontaudit_search_pids(system_crond_t)
|
||||||
|
# Access other spool directories like
|
||||||
|
# /var/spool/anacron and /var/spool/slrnpull.
|
||||||
|
files_manage_generic_spools(system_crond_t)
|
||||||
|
|
||||||
files_exec_etc_files(system_crond_t)
|
init_use_fd(system_crond_t)
|
||||||
files_read_etc_files(system_crond_t)
|
init_use_script_fd(system_crond_t)
|
||||||
files_read_etc_runtime_files(system_crond_t)
|
init_use_script_pty(system_crond_t)
|
||||||
files_list_all_dirs(system_crond_t)
|
init_read_script_pid(system_crond_t)
|
||||||
files_getattr_all_dirs(system_crond_t)
|
init_dontaudit_rw_script_pid(system_crond_t)
|
||||||
files_getattr_all_files(system_crond_t)
|
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||||
files_getattr_all_symlinks(system_crond_t)
|
init_write_initctl(system_crond_t)
|
||||||
files_getattr_all_pipes(system_crond_t)
|
|
||||||
files_getattr_all_sockets(system_crond_t)
|
|
||||||
files_read_usr_files(system_crond_t)
|
|
||||||
files_read_var_files(system_crond_t)
|
|
||||||
# for nscd:
|
|
||||||
files_dontaudit_search_pids(system_crond_t)
|
|
||||||
# Access other spool directories like
|
|
||||||
# /var/spool/anacron and /var/spool/slrnpull.
|
|
||||||
files_manage_generic_spools(system_crond_t)
|
|
||||||
|
|
||||||
init_use_fd(system_crond_t)
|
libs_use_ld_so(system_crond_t)
|
||||||
init_use_script_fd(system_crond_t)
|
libs_use_shared_libs(system_crond_t)
|
||||||
init_use_script_pty(system_crond_t)
|
libs_exec_lib_files(system_crond_t)
|
||||||
init_read_script_pid(system_crond_t)
|
libs_exec_ld_so(system_crond_t)
|
||||||
init_dontaudit_rw_script_pid(system_crond_t)
|
|
||||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
|
||||||
init_write_initctl(system_crond_t)
|
|
||||||
|
|
||||||
libs_use_ld_so(system_crond_t)
|
logging_read_generic_logs(system_crond_t)
|
||||||
libs_use_shared_libs(system_crond_t)
|
logging_send_syslog_msg(system_crond_t)
|
||||||
libs_exec_lib_files(system_crond_t)
|
|
||||||
libs_exec_ld_so(system_crond_t)
|
|
||||||
|
|
||||||
logging_read_generic_logs(system_crond_t)
|
miscfiles_read_localization(system_crond_t)
|
||||||
logging_send_syslog_msg(system_crond_t)
|
miscfiles_manage_man_pages(system_crond_t)
|
||||||
|
|
||||||
miscfiles_read_localization(system_crond_t)
|
seutil_read_config(system_crond_t)
|
||||||
miscfiles_manage_man_pages(system_crond_t)
|
|
||||||
|
|
||||||
seutil_read_config(system_crond_t)
|
mta_send_mail(system_crond_t)
|
||||||
|
|
||||||
mta_send_mail(system_crond_t)
|
ifdef(`distro_redhat', `
|
||||||
|
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||||
ifdef(`distro_redhat', `
|
# via redirection of standard out.
|
||||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
optional_policy(`rpm.te', `
|
||||||
# via redirection of standard out.
|
rpm_manage_log(system_crond_t)
|
||||||
optional_policy(`rpm.te', `
|
')
|
||||||
rpm_manage_log(system_crond_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`cron_can_relabel',`
|
||||||
|
seutil_domtrans_setfiles(system_crond_t)
|
||||||
|
',`
|
||||||
|
selinux_get_fs_mount(system_crond_t)
|
||||||
|
selinux_validate_context(system_crond_t)
|
||||||
|
selinux_compute_access_vector(system_crond_t)
|
||||||
|
selinux_compute_create_context(system_crond_t)
|
||||||
|
selinux_compute_relabel_context(system_crond_t)
|
||||||
|
selinux_compute_user_contexts(system_crond_t)
|
||||||
|
seutil_read_file_contexts(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`ftp.te',`
|
||||||
|
ftp_read_log(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`mysql.te',`
|
||||||
|
mysql_read_config(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`samba.te',`
|
||||||
|
samba_read_config(system_crond_t)
|
||||||
|
samba_read_log(system_crond_t)
|
||||||
|
#samba_read_secrets(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`squid.te',`
|
||||||
|
# cjp: why?
|
||||||
|
squid_domtrans(system_crond_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
dontaudit userdomain system_crond_t:fd use;
|
||||||
|
|
||||||
|
# Do not audit attempts to search unlabeled directories (e.g. slocate).
|
||||||
|
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
|
||||||
|
dontaudit system_crond_t unlabeled_t:file r_file_perms;
|
||||||
|
|
||||||
|
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
||||||
|
|
||||||
|
# Write to /var/lib/slocate.db.
|
||||||
|
allow system_crond_t var_lib_t:dir rw_dir_perms;
|
||||||
|
allow system_crond_t var_lib_t:file create_file_perms;
|
||||||
|
|
||||||
|
# for if /var/mail is a symlink
|
||||||
|
allow system_crond_t mail_spool_t:lnk_file read;
|
||||||
|
|
||||||
|
#
|
||||||
|
# These rules are here to allow system cron jobs to su
|
||||||
|
#
|
||||||
|
ifdef(`su.te', `
|
||||||
|
su_restricted_domain(system_crond,system)
|
||||||
|
role system_r types system_crond_su_t;
|
||||||
|
allow system_crond_su_t crond_t:fifo_file ioctl;
|
||||||
|
')
|
||||||
|
|
||||||
|
#
|
||||||
|
# Required for webalizer
|
||||||
|
#
|
||||||
|
ifdef(`apache.te', `
|
||||||
|
allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`mta.te', `
|
||||||
|
mta_send_mail_transition(system_crond_t)
|
||||||
|
|
||||||
|
# system_mail_t should only be reading from the cron fifo not needing to write
|
||||||
|
dontaudit system_mail_t crond_t:fifo_file write;
|
||||||
|
allow mta_user_agent system_crond_t:fd use;
|
||||||
|
r_dir_file(system_mail_t, crond_tmp_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
# for daemon re-start
|
||||||
|
allow system_crond_t syslogd_t:lnk_file read;
|
||||||
|
|
||||||
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`cron_can_relabel',`
|
|
||||||
seutil_domtrans_setfiles(system_crond_t)
|
|
||||||
',`
|
|
||||||
selinux_get_fs_mount(system_crond_t)
|
|
||||||
selinux_validate_context(system_crond_t)
|
|
||||||
selinux_compute_access_vector(system_crond_t)
|
|
||||||
selinux_compute_create_context(system_crond_t)
|
|
||||||
selinux_compute_relabel_context(system_crond_t)
|
|
||||||
selinux_compute_user_contexts(system_crond_t)
|
|
||||||
seutil_read_file_contexts(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`ftp.te',`
|
|
||||||
ftp_read_log(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`mysql.te',`
|
|
||||||
mysql_read_config(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
|
||||||
nis_use_ypbind(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
|
||||||
nscd_use_socket(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`samba.te',`
|
|
||||||
samba_read_config(system_crond_t)
|
|
||||||
samba_read_log(system_crond_t)
|
|
||||||
#samba_read_secrets(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`squid.te',`
|
|
||||||
# cjp: why?
|
|
||||||
squid_domtrans(system_crond_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
dontaudit userdomain system_crond_t:fd use;
|
|
||||||
|
|
||||||
# Do not audit attempts to search unlabeled directories (e.g. slocate).
|
|
||||||
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
|
|
||||||
dontaudit system_crond_t unlabeled_t:file r_file_perms;
|
|
||||||
|
|
||||||
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
|
|
||||||
|
|
||||||
# Write to /var/lib/slocate.db.
|
|
||||||
allow system_crond_t var_lib_t:dir rw_dir_perms;
|
|
||||||
allow system_crond_t var_lib_t:file create_file_perms;
|
|
||||||
|
|
||||||
# for if /var/mail is a symlink
|
|
||||||
allow system_crond_t mail_spool_t:lnk_file read;
|
|
||||||
|
|
||||||
#
|
|
||||||
# These rules are here to allow system cron jobs to su
|
|
||||||
#
|
|
||||||
ifdef(`su.te', `
|
|
||||||
su_restricted_domain(system_crond,system)
|
|
||||||
role system_r types system_crond_su_t;
|
|
||||||
allow system_crond_su_t crond_t:fifo_file ioctl;
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
|
||||||
# Required for webalizer
|
|
||||||
#
|
|
||||||
ifdef(`apache.te', `
|
|
||||||
allow system_crond_t { httpd_log_t httpd_config_t }:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`mta.te', `
|
|
||||||
mta_send_mail_transition(system_crond_t)
|
|
||||||
|
|
||||||
# system_mail_t should only be reading from the cron fifo not needing to write
|
|
||||||
dontaudit system_mail_t crond_t:fifo_file write;
|
|
||||||
allow mta_user_agent system_crond_t:fd use;
|
|
||||||
r_dir_file(system_mail_t, crond_tmp_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
# for daemon re-start
|
|
||||||
allow system_crond_t syslogd_t:lnk_file read;
|
|
||||||
|
|
||||||
') dnl end TODO
|
|
||||||
|
@ -6,13 +6,13 @@
|
|||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
#
|
#
|
||||||
/sbin/rpc\..* -- gen_context(system_u:object_r:rpc_exec_t,s0)
|
/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0)
|
/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
@ -21,5 +21,5 @@
|
|||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpc_var_run_t,s0)
|
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||||
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpc_var_run_t,s0)
|
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||||
|
@ -14,12 +14,12 @@ rpc_domain_template(gssd)
|
|||||||
type gssd_tmp_t;
|
type gssd_tmp_t;
|
||||||
files_tmp_file(gssd_tmp_t)
|
files_tmp_file(gssd_tmp_t)
|
||||||
|
|
||||||
type rpc_var_run_t;
|
type rpcd_var_run_t;
|
||||||
files_pid_file(rpc_var_run_t)
|
files_pid_file(rpcd_var_run_t)
|
||||||
|
|
||||||
# rpc_t is the domain of rpc daemons.
|
# rpcd_t is the domain of rpc daemons.
|
||||||
# rpc_exec_t is the type of rpc daemon programs.
|
# rpc_exec_t is the type of rpc daemon programs.
|
||||||
rpc_domain_template(rpc)
|
rpc_domain_template(rpcd)
|
||||||
|
|
||||||
rpc_domain_template(nfsd)
|
rpc_domain_template(nfsd)
|
||||||
|
|
||||||
@ -37,32 +37,32 @@ files_type(var_lib_nfs_t)
|
|||||||
# RPC local policy
|
# RPC local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow rpc_t self:fifo_file rw_file_perms;
|
allow rpcd_t self:fifo_file rw_file_perms;
|
||||||
allow rpc_t self:file { getattr read };
|
allow rpcd_t self:file { getattr read };
|
||||||
|
|
||||||
dontaudit userdomain exports_t:file getattr;
|
dontaudit userdomain exports_t:file getattr;
|
||||||
allow rpc_t rpc_var_run_t:file create_file_perms;
|
allow rpcd_t rpcd_var_run_t:file create_file_perms;
|
||||||
allow rpc_t rpc_var_run_t:dir create_dir_perms;
|
allow rpcd_t rpcd_var_run_t:dir create_dir_perms;
|
||||||
allow rpc_t rpc_var_run_t:dir setattr;
|
allow rpcd_t rpcd_var_run_t:dir setattr;
|
||||||
files_create_pid(rpc_t,rpc_var_run_t)
|
files_create_pid(rpcd_t,rpcd_var_run_t)
|
||||||
|
|
||||||
kernel_search_network_state(rpc_t)
|
kernel_search_network_state(rpcd_t)
|
||||||
# for rpc.rquotad
|
# for rpc.rquotad
|
||||||
kernel_read_sysctl(rpc_t)
|
kernel_read_sysctl(rpcd_t)
|
||||||
|
|
||||||
fs_read_rpc_dirs(rpc_t)
|
fs_read_rpc_dirs(rpcd_t)
|
||||||
fs_read_rpc_files(rpc_t)
|
fs_read_rpc_files(rpcd_t)
|
||||||
fs_read_rpc_symlinks(rpc_t)
|
fs_read_rpc_symlinks(rpcd_t)
|
||||||
fs_read_rpc_sockets(rpc_t)
|
fs_read_rpc_sockets(rpcd_t)
|
||||||
term_use_controlling_term(rpc_t)
|
term_use_controlling_term(rpcd_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config(rpc_t)
|
seutil_dontaudit_search_config(rpcd_t)
|
||||||
|
|
||||||
# rpc_t needs to talk to the portmap_t domain
|
# rpcd_t needs to talk to the portmap_t domain
|
||||||
portmap_udp_sendrecv(rpc_t)
|
portmap_udp_sendrecv(rpcd_t)
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
allow rpc_t self:capability { chown dac_override setgid setuid };
|
allow rpcd_t self:capability { chown dac_override setgid setuid };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
Loading…
Reference in New Issue
Block a user