make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames.
This commit is contained in:
parent
13a4943d30
commit
1c1ac67f93
@ -1,3 +1,6 @@
|
||||
- Make all interface parameters required.
|
||||
- Move boot_t, system_map_t, and modules_object_t to files module,
|
||||
and move bootloader to admin layer.
|
||||
- Add semanage policy for semodule from Dan Walsh.
|
||||
- Remove allow_execmem from targeted policy domain_base_type().
|
||||
- Add users_extra and seusers support.
|
||||
|
@ -57,7 +57,7 @@ files_list_usr(acct_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_pids(acct_t)
|
||||
|
||||
init_use_fd(acct_t)
|
||||
init_use_fds(acct_t)
|
||||
init_use_script_ptys(acct_t)
|
||||
init_exec_script_files(acct_t)
|
||||
|
||||
|
@ -36,7 +36,7 @@ allow consoletype_t self:sem create_sem_perms;
|
||||
allow consoletype_t self:msgq create_msgq_perms;
|
||||
allow consoletype_t self:msg { send receive };
|
||||
|
||||
kernel_use_fd(consoletype_t)
|
||||
kernel_use_fds(consoletype_t)
|
||||
kernel_dontaudit_read_system_state(consoletype_t)
|
||||
|
||||
fs_getattr_all_fs(consoletype_t)
|
||||
@ -46,7 +46,7 @@ fs_write_nfs_files(consoletype_t)
|
||||
term_use_console(consoletype_t)
|
||||
term_use_unallocated_ttys(consoletype_t)
|
||||
|
||||
init_use_fd(consoletype_t)
|
||||
init_use_fds(consoletype_t)
|
||||
init_use_script_ptys(consoletype_t)
|
||||
init_use_script_fds(consoletype_t)
|
||||
init_write_script_pipes(consoletype_t)
|
||||
@ -68,7 +68,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`apm',`
|
||||
apm_use_fd(consoletype_t)
|
||||
apm_use_fds(consoletype_t)
|
||||
apm_write_pipes(consoletype_t)
|
||||
')
|
||||
|
||||
@ -83,12 +83,12 @@ optional_policy(`cron',`
|
||||
|
||||
optional_policy(`firstboot',`
|
||||
files_read_etc_files(consoletype_t)
|
||||
firstboot_use_fd(consoletype_t)
|
||||
firstboot_use_fds(consoletype_t)
|
||||
firstboot_write_pipes(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate',`
|
||||
logrotate_dontaudit_use_fd(consoletype_t)
|
||||
logrotate_dontaudit_use_fds(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`lpd',`
|
||||
|
@ -24,7 +24,7 @@ kernel_read_system_state(ddcprobe_t)
|
||||
kernel_read_kernel_sysctls(ddcprobe_t)
|
||||
kernel_change_ring_buffer_level(ddcprobe_t)
|
||||
|
||||
bootloader_search_kernel_modules(ddcprobe_t)
|
||||
files_search_kernel_modules(ddcprobe_t)
|
||||
|
||||
corecmd_list_sbin(ddcprobe_t)
|
||||
corecmd_list_bin(ddcprobe_t)
|
||||
|
@ -50,7 +50,7 @@ ifdef(`strict_policy',`
|
||||
# for when /usr is not mounted:
|
||||
files_dontaudit_search_isid_type_dirs(dmesg_t)
|
||||
|
||||
init_use_fd(dmesg_t)
|
||||
init_use_fds(dmesg_t)
|
||||
init_use_script_ptys(dmesg_t)
|
||||
|
||||
libs_use_ld_so(dmesg_t)
|
||||
|
@ -30,7 +30,7 @@ files_list_usr(dmidecode_t)
|
||||
libs_use_ld_so(dmidecode_t)
|
||||
libs_use_shared_libs(dmidecode_t)
|
||||
|
||||
locallogin_use_fd(dmidecode_t)
|
||||
locallogin_use_fds(dmidecode_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_use_generic_ptys(dmidecode_t)
|
||||
|
@ -67,7 +67,7 @@ interface(`firstboot_run',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`firstboot_use_fd',`
|
||||
interface(`firstboot_use_fds',`
|
||||
gen_require(`
|
||||
type firstboot_t;
|
||||
')
|
||||
@ -86,7 +86,7 @@ interface(`firstboot_use_fd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`firstboot_dontaudit_use_fd',`
|
||||
interface(`firstboot_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type firstboot_t;
|
||||
')
|
||||
|
@ -88,7 +88,7 @@ libs_use_shared_libs(firstboot_t)
|
||||
libs_exec_ld_so(firstboot_t)
|
||||
libs_exec_lib_files(firstboot_t)
|
||||
|
||||
locallogin_use_fd(firstboot_t)
|
||||
locallogin_use_fds(firstboot_t)
|
||||
|
||||
logging_send_syslog_msg(firstboot_t)
|
||||
|
||||
|
@ -35,7 +35,7 @@ files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
|
||||
|
||||
allow kudzu_t kudzu_var_run_t:file create_file_perms;
|
||||
allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
|
||||
files_pid_filetrans(kudzu_t,kudzu_var_run_t)
|
||||
files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
|
||||
|
||||
kernel_change_ring_buffer_level(kudzu_t)
|
||||
kernel_list_proc(kudzu_t)
|
||||
@ -47,7 +47,7 @@ kernel_read_system_state(kudzu_t)
|
||||
kernel_rw_hotplug_sysctls(kudzu_t)
|
||||
kernel_rw_kernel_sysctl(kudzu_t)
|
||||
|
||||
bootloader_read_kernel_modules(kudzu_t)
|
||||
files_read_kernel_modules(kudzu_t)
|
||||
|
||||
dev_list_sysfs(kudzu_t)
|
||||
dev_read_usbfs(kudzu_t)
|
||||
@ -100,7 +100,7 @@ files_rw_etc_runtime_files(kudzu_t)
|
||||
# for file systems that are not yet mounted
|
||||
files_dontaudit_search_isid_type_dirs(kudzu_t)
|
||||
|
||||
init_use_fd(kudzu_t)
|
||||
init_use_fds(kudzu_t)
|
||||
init_use_script_ptys(kudzu_t)
|
||||
init_stream_connect_script(kudzu_t)
|
||||
|
||||
|
@ -82,7 +82,7 @@ interface(`logrotate_exec',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logrotate_use_fd',`
|
||||
interface(`logrotate_use_fds',`
|
||||
gen_require(`
|
||||
type logrotate_t;
|
||||
')
|
||||
@ -100,7 +100,7 @@ interface(`logrotate_use_fd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logrotate_dontaudit_use_fd',`
|
||||
interface(`logrotate_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type logrotate_t;
|
||||
')
|
||||
|
@ -51,7 +51,7 @@ allow logrotate_t self:msgq create_msgq_perms;
|
||||
allow logrotate_t self:msg { send receive };
|
||||
|
||||
allow logrotate_t logrotate_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(logrotate_t,logrotate_lock_t)
|
||||
files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
|
||||
|
||||
can_exec(logrotate_t, logrotate_tmp_t)
|
||||
|
||||
@ -62,7 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
|
||||
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||||
allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
|
||||
allow logrotate_t logrotate_var_lib_t:file create_file_perms;
|
||||
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t)
|
||||
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
|
||||
|
||||
kernel_read_system_state(logrotate_t)
|
||||
kernel_read_kernel_sysctls(logrotate_t)
|
||||
|
@ -97,7 +97,7 @@ fs_getattr_xattr_fs(mrtg_t)
|
||||
|
||||
term_dontaudit_use_console(mrtg_t)
|
||||
|
||||
init_use_fd(mrtg_t)
|
||||
init_use_fds(mrtg_t)
|
||||
init_use_script_ptys(mrtg_t)
|
||||
# for uptime
|
||||
init_read_utmp(mrtg_t)
|
||||
|
@ -64,7 +64,7 @@ files_read_etc_files(netutils_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var(netutils_t)
|
||||
|
||||
init_use_fd(netutils_t)
|
||||
init_use_fds(netutils_t)
|
||||
init_use_script_ptys(netutils_t)
|
||||
|
||||
libs_use_ld_so(netutils_t)
|
||||
@ -131,7 +131,7 @@ sysnet_dns_name_resolve(ping_t)
|
||||
logging_send_syslog_msg(ping_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
init_dontaudit_use_fd(ping_t)
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
@ -159,7 +159,7 @@ optional_policy(`pcmcia',`
|
||||
')
|
||||
|
||||
optional_policy(`hotplug',`
|
||||
hotplug_use_fd(ping_t)
|
||||
hotplug_use_fds(ping_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_fetch_t portage_t:process sigchld;
|
||||
|
||||
allow portage_t portage_log_t:file create_file_perms;
|
||||
logging_log_filetrans(portage_t,portage_log_t)
|
||||
logging_log_filetrans(portage_t,portage_log_t,file)
|
||||
|
||||
# transition to sandbox for compiling
|
||||
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
|
||||
|
@ -33,7 +33,7 @@ files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
|
||||
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
|
||||
allow prelink_t prelink_log_t:file { create ra_file_perms };
|
||||
allow prelink_t prelink_log_t:lnk_file read;
|
||||
logging_log_filetrans(prelink_t, prelink_log_t)
|
||||
logging_log_filetrans(prelink_t, prelink_log_t, file)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
|
@ -51,7 +51,7 @@ files_getattr_all_sockets(quota_t)
|
||||
# Read /etc/mtab.
|
||||
files_read_etc_runtime_files(quota_t)
|
||||
|
||||
init_use_fd(quota_t)
|
||||
init_use_fds(quota_t)
|
||||
init_use_script_ptys(quota_t)
|
||||
|
||||
libs_use_ld_so(quota_t)
|
||||
|
@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
|
||||
|
||||
allow readahead_t readahead_var_run_t:file create_file_perms;
|
||||
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(readahead_t,readahead_var_run_t)
|
||||
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(readahead_t)
|
||||
kernel_read_system_state(readahead_t)
|
||||
@ -56,7 +56,7 @@ term_dontaudit_use_console(readahead_t)
|
||||
|
||||
auth_dontaudit_read_shadow(readahead_t)
|
||||
|
||||
init_use_fd(readahead_t)
|
||||
init_use_fds(readahead_t)
|
||||
init_use_script_ptys(readahead_t)
|
||||
init_getattr_initctl(readahead_t)
|
||||
|
||||
|
@ -91,7 +91,7 @@ interface(`rpm_run',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_use_fd',`
|
||||
interface(`rpm_use_fds',`
|
||||
gen_require(`
|
||||
type rpm_t;
|
||||
')
|
||||
|
@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
|
||||
# conflicts since rpm_t is an alias of
|
||||
# unconfined in the targeted policy
|
||||
allow rpm_t rpm_log_t:file create_file_perms;
|
||||
logging_log_filetrans(rpm_t,rpm_log_t)
|
||||
logging_log_filetrans(rpm_t,rpm_log_t,file)
|
||||
')
|
||||
|
||||
optional_policy(`cron',`
|
||||
|
@ -49,7 +49,7 @@ template(`su_restricted_domain_template', `
|
||||
|
||||
domain_use_interactive_fds($1_su_t)
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
init_dontaudit_use_fds($1_su_t)
|
||||
init_dontaudit_use_script_ptys($1_su_t)
|
||||
# Write to utmp.
|
||||
init_rw_utmp($1_su_t)
|
||||
@ -168,7 +168,7 @@ template(`su_per_userdomain_template',`
|
||||
files_search_var_lib($1_su_t)
|
||||
files_dontaudit_getattr_tmp_dirs($1_su_t)
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
init_dontaudit_use_fds($1_su_t)
|
||||
# Write to utmp.
|
||||
init_rw_utmp($1_su_t)
|
||||
|
||||
|
@ -20,7 +20,7 @@ dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
|
||||
allow updfstab_t self:process signal_perms;
|
||||
allow updfstab_t self:fifo_file { getattr read write ioctl };
|
||||
|
||||
kernel_use_fd(updfstab_t)
|
||||
kernel_use_fds(updfstab_t)
|
||||
kernel_read_kernel_sysctls(updfstab_t)
|
||||
kernel_dontaudit_write_kernel_sysctl(updfstab_t)
|
||||
# for /proc/partitions
|
||||
@ -66,7 +66,7 @@ files_dontaudit_search_home(updfstab_t)
|
||||
# for /etc/mtab
|
||||
files_read_etc_runtime_files(updfstab_t)
|
||||
|
||||
init_use_fd(updfstab_t)
|
||||
init_use_fds(updfstab_t)
|
||||
init_use_script_ptys(updfstab_t)
|
||||
|
||||
libs_use_ld_so(updfstab_t)
|
||||
|
@ -19,7 +19,7 @@ role system_r types usbmodules_t;
|
||||
|
||||
kernel_list_proc(usbmodules_t)
|
||||
|
||||
bootloader_list_kernel_modules(usbmodules_t)
|
||||
files_list_kernel_modules(usbmodules_t)
|
||||
|
||||
dev_list_usbfs(usbmodules_t)
|
||||
# allow usb device access
|
||||
@ -32,7 +32,7 @@ files_read_etc_files(usbmodules_t)
|
||||
term_read_console(usbmodules_t)
|
||||
term_write_console(usbmodules_t)
|
||||
|
||||
init_use_fd(usbmodules_t)
|
||||
init_use_fds(usbmodules_t)
|
||||
|
||||
libs_use_ld_so(usbmodules_t)
|
||||
libs_use_shared_libs(usbmodules_t)
|
||||
|
@ -217,7 +217,7 @@ selinux_compute_user_contexts(groupadd_t)
|
||||
term_use_all_user_ttys(groupadd_t)
|
||||
term_use_all_user_ptys(groupadd_t)
|
||||
|
||||
init_use_fd(groupadd_t)
|
||||
init_use_fds(groupadd_t)
|
||||
init_read_utmp(groupadd_t)
|
||||
init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
@ -257,7 +257,7 @@ optional_policy(`nscd',`
|
||||
')
|
||||
|
||||
optional_policy(`rpm',`
|
||||
rpm_use_fd(groupadd_t)
|
||||
rpm_use_fds(groupadd_t)
|
||||
rpm_rw_pipes(groupadd_t)
|
||||
')
|
||||
|
||||
@ -488,7 +488,7 @@ files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
|
||||
init_use_fd(useradd_t)
|
||||
init_use_fds(useradd_t)
|
||||
init_rw_utmp(useradd_t)
|
||||
|
||||
libs_use_ld_so(useradd_t)
|
||||
@ -520,6 +520,6 @@ optional_policy(`nscd',`
|
||||
')
|
||||
|
||||
optional_policy(`rpm',`
|
||||
rpm_use_fd(useradd_t)
|
||||
rpm_use_fds(useradd_t)
|
||||
rpm_rw_pipes(useradd_t)
|
||||
')
|
||||
|
@ -42,7 +42,7 @@ files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
|
||||
|
||||
allow vpnc_t vpnc_var_run_t:file create_file_perms;
|
||||
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(vpnc_t,vpnc_var_run_t)
|
||||
files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(vpnc_t)
|
||||
kernel_read_network_state(vpnc_t)
|
||||
@ -91,7 +91,7 @@ libs_exec_lib_files(vpnc_t)
|
||||
libs_use_ld_so(vpnc_t)
|
||||
libs_use_shared_libs(vpnc_t)
|
||||
|
||||
locallogin_use_fd(vpnc_t)
|
||||
locallogin_use_fds(vpnc_t)
|
||||
|
||||
logging_send_syslog_msg(vpnc_t)
|
||||
|
||||
|
@ -42,7 +42,7 @@ ifdef(`targeted_policy',`
|
||||
libs_use_ld_so(loadkeys_t)
|
||||
libs_use_shared_libs(loadkeys_t)
|
||||
|
||||
locallogin_use_fd(loadkeys_t)
|
||||
locallogin_use_fds(loadkeys_t)
|
||||
|
||||
miscfiles_read_localization(loadkeys_t)
|
||||
')
|
||||
|
@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',`
|
||||
allow $1_lockdev_t $2:process sigchld;
|
||||
|
||||
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
|
||||
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t)
|
||||
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
|
||||
|
||||
files_read_all_locks($1_lockdev_t)
|
||||
|
||||
|
@ -47,7 +47,7 @@ fs_search_auto_mountpoints(uml_switch_t)
|
||||
|
||||
term_dontaudit_use_console(uml_switch_t)
|
||||
|
||||
init_use_fd(uml_switch_t)
|
||||
init_use_fds(uml_switch_t)
|
||||
init_use_script_ptys(uml_switch_t)
|
||||
|
||||
libs_use_ld_so(uml_switch_t)
|
||||
|
@ -41,6 +41,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_userhelper_t;
|
||||
domain_type($1_userhelper_t)
|
||||
domain_entry_file($1_userhelper_t,userhelper_exec_t)
|
||||
@ -105,7 +106,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
|
||||
files_list_var_lib($1_userhelper_t)
|
||||
# Write to utmp.
|
||||
files_pid_filetrans($1_userhelper_t,initrc_var_run_t)
|
||||
files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
|
||||
# Read the /etc/security/default_type file
|
||||
files_read_etc_files($1_userhelper_t)
|
||||
# Read /var.
|
||||
@ -141,7 +142,7 @@ template(`userhelper_per_userdomain_template',`
|
||||
auth_search_pam_console_data($1_userhelper_t)
|
||||
|
||||
# Inherit descriptors from the current session.
|
||||
init_use_fd($1_userhelper_t)
|
||||
init_use_fds($1_userhelper_t)
|
||||
# Write to utmp.
|
||||
init_manage_utmp($1_userhelper_t)
|
||||
|
||||
|
@ -54,7 +54,7 @@ files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
|
||||
|
||||
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
|
||||
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
|
||||
files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t)
|
||||
files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(webalizer_t)
|
||||
kernel_read_system_state(webalizer_t)
|
||||
|
@ -1,17 +1,9 @@
|
||||
|
||||
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
|
||||
/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
|
||||
|
||||
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
|
||||
|
||||
/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
|
||||
|
||||
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
||||
/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
|
||||
|
@ -55,198 +55,6 @@ interface(`bootloader_run',`
|
||||
allow bootloader_t $3:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get attributes of the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_getattr_boot_dirs',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attributes
|
||||
## of the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_dontaudit_getattr_boot_dirs',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_dontaudit_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write symbolic links
|
||||
## in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_rw_boot_symlinks',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
allow $1 boot_t:lnk_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Install a kernel into the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_create_kernel_img',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
allow $1 boot_t:file { getattr read write create };
|
||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Install a system.map into the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_create_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
allow $1 system_map_t:file { rw_file_perms create };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read system.map in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_read_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
allow $1 system_map_t:file r_file_perms;
|
||||
|
||||
# cjp: this should be dropped:
|
||||
allow $1 boot_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete a kernel from /boot.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_delete_kernel',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
allow $1 boot_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete a system.map in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_delete_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
allow $1 system_map_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the bootloader configuration file.
|
||||
@ -324,142 +132,3 @@ interface(`bootloader_create_runtime_file',`
|
||||
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
|
||||
type_transition $1 boot_t:file boot_runtime_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of the kernel module directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_search_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of the kernel module directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_list_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_getattr_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
allow $1 modules_object_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_read_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
allow $1 modules_object_t:lnk_file r_file_perms;
|
||||
allow $1 modules_object_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_write_kernel_modules',`
|
||||
gen_require(`
|
||||
attribute rw_kern_modules;
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
allow $1 modules_object_t:file { write append };
|
||||
|
||||
typeattribute $1 rw_kern_modules;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_manage_kernel_modules',`
|
||||
gen_require(`
|
||||
# attribute rw_kern_modules;
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
|
||||
# typeattribute $1 rw_kern_modules;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# bootloader_modules_filetrans(domain,privatetype,[class(es)])
|
||||
#
|
||||
interface(`bootloader_modules_filetrans',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
|
||||
# if a class is specified use it, else use file as default
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 modules_object_t:file $2;
|
||||
',`
|
||||
type_transition $1 modules_object_t:$3 $2;
|
||||
')
|
||||
')
|
||||
|
@ -1,20 +1,11 @@
|
||||
|
||||
policy_module(bootloader,1.1.3)
|
||||
policy_module(bootloader,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute rw_kern_modules;
|
||||
|
||||
#
|
||||
# boot_t is the type for files in /boot
|
||||
#
|
||||
type boot_t;
|
||||
files_type(boot_t)
|
||||
files_mountpoint(boot_t)
|
||||
|
||||
#
|
||||
# boot_runtime_t is the type for /boot/kernel.h,
|
||||
# which is automatically generated at boot time.
|
||||
@ -45,18 +36,6 @@ type bootloader_tmp_t;
|
||||
files_tmp_file(bootloader_tmp_t)
|
||||
dev_node(bootloader_tmp_t)
|
||||
|
||||
# kernel modules
|
||||
type modules_object_t;
|
||||
files_type(modules_object_t)
|
||||
|
||||
#neverallow ~rw_kern_modules modules_object_t:file { create append write };
|
||||
|
||||
#
|
||||
# system_map_t is for the system.map files in /boot
|
||||
#
|
||||
type system_map_t;
|
||||
files_type(system_map_t)
|
||||
|
||||
#
|
||||
# /var/log/ksyms
|
||||
# cjp: this probably can be removed, I do not
|
||||
@ -73,14 +52,10 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
|
||||
allow bootloader_t self:process { sigkill sigstop signull signal };
|
||||
allow bootloader_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow bootloader_t boot_t:dir { create rw_dir_perms };
|
||||
allow bootloader_t boot_t:file create_file_perms;
|
||||
allow bootloader_t boot_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow bootloader_t bootloader_etc_t:file r_file_perms;
|
||||
# uncomment the following lines if you use "lilo -p"
|
||||
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
#files_etc_filetrans(bootloader_t,bootloader_etc_t)
|
||||
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
|
||||
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
|
||||
|
||||
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
|
||||
allow bootloader_t bootloader_tmp_t:file create_file_perms;
|
||||
@ -89,11 +64,7 @@ allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
|
||||
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
|
||||
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
|
||||
# for tune2fs (cjp: ?)
|
||||
files_root_filetrans(bootloader_t,bootloader_tmp_t)
|
||||
|
||||
allow bootloader_t modules_object_t:dir r_dir_perms;
|
||||
allow bootloader_t modules_object_t:file r_file_perms;
|
||||
allow bootloader_t modules_object_t:lnk_file r_file_perms;
|
||||
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
|
||||
|
||||
kernel_getattr_core_if(bootloader_t)
|
||||
kernel_read_system_state(bootloader_t)
|
||||
@ -127,12 +98,16 @@ corecmd_exec_shell(bootloader_t)
|
||||
domain_exec_all_entry_files(bootloader_t)
|
||||
domain_use_interactive_fds(bootloader_t)
|
||||
|
||||
files_create_boot_dirs(bootloader_t)
|
||||
files_manage_boot_files(bootloader_t)
|
||||
files_manage_boot_symlinks(bootloader_t)
|
||||
files_read_etc_files(bootloader_t)
|
||||
files_exec_etc_files(bootloader_t)
|
||||
files_read_etc_runtime_files(bootloader_t)
|
||||
files_read_usr_src_files(bootloader_t)
|
||||
files_read_usr_files(bootloader_t)
|
||||
files_read_var_files(bootloader_t)
|
||||
files_read_kernel_modules(bootloader_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_pids(bootloader_t)
|
||||
|
||||
@ -157,11 +132,11 @@ seutil_dontaudit_search_config(bootloader_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
||||
allow bootloader_t boot_t:file relabelfrom;
|
||||
|
||||
fs_list_tmpfs(bootloader_t)
|
||||
|
||||
files_relabel_kernel_modules(bootloader_t)
|
||||
files_relabelfrom_boot_files(bootloader_t)
|
||||
files_delete_kernel_modules(bootloader_t)
|
||||
files_relabelto_usr_files(bootloader_t)
|
||||
files_search_var_lib(bootloader_t)
|
||||
# for /usr/share/initrd-tools/scripts
|
||||
|
@ -77,7 +77,7 @@ interface(`domain_type',`
|
||||
init_signull($1)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_use_fd($1)
|
||||
unconfined_use_fds($1)
|
||||
unconfined_sigchld($1)
|
||||
')
|
||||
|
||||
@ -88,7 +88,7 @@ interface(`domain_type',`
|
||||
|
||||
# these 3 seem highly questionable:
|
||||
optional_policy(`rpm',`
|
||||
rpm_use_fd($1)
|
||||
rpm_use_fds($1)
|
||||
rpm_read_pipes($1)
|
||||
')
|
||||
|
||||
|
@ -5,6 +5,8 @@
|
||||
/.* gen_context(system_u:object_r:default_t,s0)
|
||||
/ -d gen_context(system_u:object_r:root_t,s0)
|
||||
/\.journal <<none>>
|
||||
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
@ -23,9 +25,11 @@ ifdef(`distro_suse',`
|
||||
#
|
||||
# /boot
|
||||
#
|
||||
/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
|
||||
/boot/\.journal <<none>>
|
||||
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
|
||||
/boot/lost\+found/.* <<none>>
|
||||
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
|
||||
|
||||
#
|
||||
# /emul
|
||||
@ -100,6 +104,11 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
# initrd mount point, only used during boot
|
||||
/initrd -d gen_context(system_u:object_r:root_t,s0)
|
||||
|
||||
#
|
||||
# /lib(64)?
|
||||
#
|
||||
/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
|
||||
|
||||
#
|
||||
# /lost+found
|
||||
#
|
||||
|
@ -845,7 +845,7 @@ interface(`files_manage_all_files',`
|
||||
|
||||
# satisfy the assertions:
|
||||
seutil_create_bin_policy($1)
|
||||
bootloader_manage_kernel_modules($1)
|
||||
files_manage_kernel_modules($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -953,7 +953,7 @@ interface(`files_list_root',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="private type">
|
||||
@ -961,10 +961,9 @@ interface(`files_list_root',`
|
||||
## The type of the object to be created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -974,12 +973,7 @@ interface(`files_root_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 root_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 root_t:file $2;
|
||||
',`
|
||||
type_transition $1 root_t:$3 $2;
|
||||
')
|
||||
type_transition $1 root_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1042,6 +1036,244 @@ interface(`files_unmount_rootfs',`
|
||||
allow $1 root_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get attributes of the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_boot_dirs',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attributes
|
||||
## of the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_boot_dirs',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_search_boot',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in /boot
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_boot_dirs',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { create rw_dir_perms };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a private type object in boot
|
||||
## with an automatic type transition
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="private_type">
|
||||
## <summary>
|
||||
## The type of the object to be created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_boot_filetrans',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir rw_dir_perms;
|
||||
type_transition $1 boot_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
## in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_boot_files',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir rw_dir_perms;
|
||||
allow $1 boot_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from files in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelfrom_boot_files',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:file relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write symbolic links
|
||||
## in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_rw_boot_symlinks',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
allow $1 boot_t:lnk_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete symbolic links
|
||||
## in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_boot_symlinks',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir rw_dir_perms;
|
||||
allow $1 boot_t:lnk_file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Install a kernel into the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_kernel_img',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
allow $1 boot_t:file { getattr read write create };
|
||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete a kernel from /boot.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_kernel',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
allow $1 boot_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr of directories with the default file type.
|
||||
@ -1352,7 +1584,7 @@ interface(`files_manage_etc_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1500,7 +1732,7 @@ interface(`files_manage_etc_runtime_files',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_etc_filetrans(domain,privatetype,[class(es)])
|
||||
# files_etc_filetrans(domain,privatetype,class(es))
|
||||
#
|
||||
interface(`files_etc_filetrans',`
|
||||
gen_require(`
|
||||
@ -1508,11 +1740,7 @@ interface(`files_etc_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir rw_dir_perms;
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 etc_t:file $2;
|
||||
',`
|
||||
type_transition $1 etc_t:$3 $2;
|
||||
')
|
||||
type_transition $1 etc_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1522,7 +1750,7 @@ interface(`files_etc_filetrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1541,7 +1769,7 @@ interface(`files_getattr_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1560,7 +1788,7 @@ interface(`files_dontaudit_search_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1579,7 +1807,7 @@ interface(`files_list_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1598,7 +1826,7 @@ interface(`files_rw_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1617,7 +1845,7 @@ interface(`files_manage_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1636,7 +1864,7 @@ interface(`files_mounton_isid_type_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1656,7 +1884,7 @@ interface(`files_read_isid_type_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1676,7 +1904,7 @@ interface(`files_manage_isid_type_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1696,7 +1924,7 @@ interface(`files_manage_isid_type_symlinks',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1716,7 +1944,7 @@ interface(`files_rw_isid_type_blk_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1736,7 +1964,7 @@ interface(`files_manage_isid_type_blk_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1756,7 +1984,7 @@ interface(`files_manage_isid_type_chr_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1794,7 +2022,7 @@ interface(`files_dontaudit_getattr_home_dir',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1850,7 +2078,7 @@ interface(`files_dontaudit_list_home',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1868,7 +2096,7 @@ interface(`files_list_home',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="home_type">
|
||||
@ -1876,10 +2104,9 @@ interface(`files_list_home',`
|
||||
## The private type.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, dir will be used.
|
||||
## The class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -1889,13 +2116,7 @@ interface(`files_home_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 home_root_t:dir $2;
|
||||
',`
|
||||
type_transition $1 home_root_t:$3 $2;
|
||||
')
|
||||
|
||||
type_transition $1 home_root_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1905,7 +2126,7 @@ interface(`files_home_filetrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2019,6 +2240,188 @@ interface(`files_manage_mnt_symlinks',`
|
||||
allow $1 mnt_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of the kernel module directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of the kernel module directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir search;
|
||||
allow $1 modules_object_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
allow $1 modules_object_t:lnk_file r_file_perms;
|
||||
allow $1 modules_object_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_write_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir r_dir_perms;
|
||||
allow $1 modules_object_t:file { write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir { list_dir_perms write remove_name };
|
||||
allow $1 modules_object_t:file unlink;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from and to kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:file { relabelfrom relabelto };
|
||||
allow $1 modules_object_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in the kernel module directories
|
||||
## with a private type via an automatic type transition.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="private_type">
|
||||
## <summary>
|
||||
## The type of the object to be created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_kernel_modules_filetrans',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
type_transition $1 modules_object_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List world-readable directories.
|
||||
@ -2154,7 +2557,7 @@ interface(`files_getattr_tmp_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2172,7 +2575,7 @@ interface(`files_dontaudit_getattr_tmp_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2190,7 +2593,7 @@ interface(`files_search_tmp',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2226,7 +2629,7 @@ interface(`files_dontaudit_list_tmp',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2245,7 +2648,7 @@ interface(`files_read_generic_tmp_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2264,7 +2667,7 @@ interface(`files_read_generic_tmp_symlinks',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2283,7 +2686,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2297,7 +2700,7 @@ interface(`files_setattr_all_tmp_dirs',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_tmp_filetrans(domain,private_type,[object class(es)])
|
||||
# files_tmp_filetrans(domain,private_type,object class(es))
|
||||
#
|
||||
interface(`files_tmp_filetrans',`
|
||||
gen_require(`
|
||||
@ -2305,12 +2708,7 @@ interface(`files_tmp_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmp_t:file $2;
|
||||
',`
|
||||
type_transition $1 tmp_t:$3 $2;
|
||||
')
|
||||
type_transition $1 tmp_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2395,7 +2793,7 @@ interface(`files_read_usr_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2461,9 +2859,9 @@ interface(`files_read_usr_symlinks',`
|
||||
## The type of the object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class" optional="true">
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class. If not specified, file is used.
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2473,12 +2871,7 @@ interface(`files_usr_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 usr_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 usr_t:file $2;
|
||||
',`
|
||||
type_transition $1 usr_t:$3 $2;
|
||||
')
|
||||
type_transition $1 usr_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2487,7 +2880,7 @@ interface(`files_usr_filetrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2528,6 +2921,66 @@ interface(`files_read_usr_src_files',`
|
||||
allow $1 src_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Install a system.map into the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir ra_dir_perms;
|
||||
allow $1 system_map_t:file { rw_file_perms create };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read system.map in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_read_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir r_dir_perms;
|
||||
allow $1 system_map_t:file r_file_perms;
|
||||
|
||||
# cjp: this should be dropped:
|
||||
allow $1 boot_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete a system.map in the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
type boot_t, system_map_t;
|
||||
')
|
||||
|
||||
allow $1 boot_t:dir { r_dir_perms write remove_name };
|
||||
allow $1 system_map_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of /var.
|
||||
@ -2626,7 +3079,7 @@ interface(`files_manage_var_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2711,9 +3164,9 @@ interface(`files_manage_var_symlinks',`
|
||||
## The type of the object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class" optional="true">
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class. If not specified, file is used.
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2723,12 +3176,7 @@ interface(`files_var_filetrans',`
|
||||
')
|
||||
|
||||
allow $1 var_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 var_t:file $2;
|
||||
',`
|
||||
type_transition $1 var_t:$3 $2;
|
||||
')
|
||||
type_transition $1 var_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -2737,7 +3185,7 @@ interface(`files_var_filetrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2756,7 +3204,7 @@ interface(`files_getattr_var_lib_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2801,9 +3249,9 @@ interface(`files_list_var_lib',`
|
||||
## The type of the object to be created
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object_class" optional="true">
|
||||
## <param name="object_class">
|
||||
## <summary>
|
||||
## The object class. If not specified, file is used.
|
||||
## The object class.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -2814,12 +3262,7 @@ interface(`files_var_lib_filetrans',`
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_lib_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 var_lib_t:file $2;
|
||||
',`
|
||||
type_transition $1 var_lib_t:$3 $2;
|
||||
')
|
||||
type_transition $1 var_lib_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -3028,12 +3471,7 @@ interface(`files_lock_filetrans',`
|
||||
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lock_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 var_lock_t:file $2;
|
||||
',`
|
||||
type_transition $1 var_lock_t:$3 $2;
|
||||
')
|
||||
type_transition $1 var_lock_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -3111,12 +3549,7 @@ interface(`files_pid_filetrans',`
|
||||
|
||||
allow $1 var_t:dir search_dir_perms;
|
||||
allow $1 var_run_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 var_run_t:file $2;
|
||||
',`
|
||||
type_transition $1 var_run_t:$3 $2;
|
||||
')
|
||||
type_transition $1 var_run_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -3139,7 +3572,7 @@ interface(`files_rw_generic_pids',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -3157,7 +3590,7 @@ interface(`files_dontaudit_write_all_pids',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.1.2)
|
||||
policy_module(files,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -36,6 +36,13 @@ attribute security_file_type;
|
||||
attribute tmpfile;
|
||||
attribute tmpfsfile;
|
||||
|
||||
#
|
||||
# boot_t is the type for files in /boot
|
||||
#
|
||||
type boot_t;
|
||||
files_type(boot_t)
|
||||
files_mountpoint(boot_t)
|
||||
|
||||
# default_t is the default type for files that do not
|
||||
# match any specification in the file_contexts configuration
|
||||
# other than the generic /.* specification.
|
||||
@ -93,6 +100,12 @@ type mnt_t, file_type, mountpoint;
|
||||
fs_associate(mnt_t)
|
||||
fs_associate_noxattr(mnt_t)
|
||||
|
||||
#
|
||||
# modules_object_t is the type for kernel modules
|
||||
#
|
||||
type modules_object_t;
|
||||
files_type(modules_object_t)
|
||||
|
||||
type no_access_t, file_type;
|
||||
fs_associate(no_access_t)
|
||||
fs_associate_noxattr(no_access_t)
|
||||
@ -122,6 +135,12 @@ type src_t, file_type, mountpoint;
|
||||
fs_associate(src_t)
|
||||
fs_associate_noxattr(src_t)
|
||||
|
||||
#
|
||||
# system_map_t is for the system.map files in /boot
|
||||
#
|
||||
type system_map_t;
|
||||
files_type(system_map_t)
|
||||
|
||||
#
|
||||
# tmp_t is the type of the temporary directories
|
||||
#
|
||||
|
@ -2425,7 +2425,7 @@ interface(`fs_manage_tmpfs_dirs',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# fs_tmpfs_filetrans(domain,derivedtype,[class])
|
||||
# fs_tmpfs_filetrans(domain,derivedtype,class)
|
||||
#
|
||||
interface(`fs_tmpfs_filetrans',`
|
||||
gen_require(`
|
||||
@ -2434,12 +2434,7 @@ interface(`fs_tmpfs_filetrans',`
|
||||
|
||||
allow $2 tmpfs_t:filesystem associate;
|
||||
allow $1 tmpfs_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmpfs_t:file $2;
|
||||
',`
|
||||
type_transition $1 tmpfs_t:$3 $2;
|
||||
')
|
||||
type_transition $1 tmpfs_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -141,7 +141,7 @@ interface(`kernel_share_state',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_use_fd',`
|
||||
interface(`kernel_use_fds',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
@ -160,7 +160,7 @@ interface(`kernel_use_fd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_use_fd',`
|
||||
interface(`kernel_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
@ -250,7 +250,7 @@ interface(`kernel_tcp_recvfrom',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_udp_sendto',`
|
||||
interface(`kernel_udp_send',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
@ -166,27 +166,6 @@ interface(`storage_dontaudit_write_fixed_disk',`
|
||||
dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create block devices in /dev with the fixed disk type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_create_fixed_disk',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
dev_filetrans($1,fixed_disk_device_t,blk_file)
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete fixed disk device nodes.
|
||||
@ -208,28 +187,6 @@ interface(`storage_manage_fixed_disk',`
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create fixed disk device nodes on a tmpfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_create_fixed_disk_tmpfs',`
|
||||
gen_require(`
|
||||
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
type fixed_disk_device_t;
|
||||
')
|
||||
|
||||
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
||||
fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
|
||||
|
||||
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create block devices in /dev with the fixed disk type
|
||||
|
@ -401,7 +401,7 @@ interface(`apache_sigchld',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apache_use_fd',`
|
||||
interface(`apache_use_fds',`
|
||||
gen_require(`
|
||||
type httpd_t;
|
||||
')
|
||||
|
@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read };
|
||||
can_exec(httpd_t, httpd_exec_t)
|
||||
|
||||
allow httpd_t httpd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(httpd_t,httpd_lock_t)
|
||||
files_lock_filetrans(httpd_t,httpd_lock_t,file)
|
||||
|
||||
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
|
||||
allow httpd_t httpd_log_t:file { create ra_file_perms };
|
||||
allow httpd_t httpd_log_t:lnk_file read;
|
||||
# cjp: need to refine create interfaces to
|
||||
# cut this back to add_name only
|
||||
logging_log_filetrans(httpd_t,httpd_log_t)
|
||||
logging_log_filetrans(httpd_t,httpd_log_t,file)
|
||||
|
||||
allow httpd_t httpd_modules_t:file rx_file_perms;
|
||||
allow httpd_t httpd_modules_t:dir r_dir_perms;
|
||||
@ -201,7 +201,7 @@ fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file
|
||||
|
||||
allow httpd_t httpd_var_lib_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
|
||||
files_var_lib_filetrans(httpd_t,httpd_var_lib_t)
|
||||
files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
|
||||
|
||||
allow httpd_t httpd_var_run_t:file create_file_perms;
|
||||
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
|
||||
@ -262,7 +262,7 @@ files_read_etc_files(httpd_t)
|
||||
# for tomcat
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
init_use_fd(httpd_t)
|
||||
init_use_fds(httpd_t)
|
||||
init_use_script_ptys(httpd_t)
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
|
@ -34,7 +34,7 @@ interface(`apm_domtrans_client',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`apm_use_fd',`
|
||||
interface(`apm_use_fds',`
|
||||
gen_require(`
|
||||
type apmd_t;
|
||||
')
|
||||
|
@ -72,7 +72,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow apmd_t apmd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(apmd_t,apmd_log_t)
|
||||
logging_log_filetrans(apmd_t,apmd_log_t,file)
|
||||
|
||||
allow apmd_t apmd_tmp_t:dir create_dir_perms;
|
||||
allow apmd_t apmd_tmp_t:file create_file_perms;
|
||||
@ -125,7 +125,7 @@ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
|
||||
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
|
||||
|
||||
init_domtrans_script(apmd_t)
|
||||
init_use_fd(apmd_t)
|
||||
init_use_fds(apmd_t)
|
||||
init_use_script_ptys(apmd_t)
|
||||
init_rw_utmp(apmd_t)
|
||||
init_write_initctl(apmd_t)
|
||||
@ -151,7 +151,7 @@ userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
allow apmd_t apmd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(apmd_t,apmd_lock_t)
|
||||
files_lock_filetrans(apmd_t,apmd_lock_t,file)
|
||||
|
||||
can_exec(apmd_t, apmd_var_run_t)
|
||||
|
||||
@ -176,7 +176,7 @@ ifdef(`distro_redhat',`
|
||||
ifdef(`distro_suse',`
|
||||
allow apmd_t apmd_var_lib_t:file create_file_perms;
|
||||
allow apmd_t apmd_var_lib_t:dir create_dir_perms;
|
||||
files_var_lib_filetrans(apmd_t,apmd_var_lib_t)
|
||||
files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
@ -209,7 +209,7 @@ optional_policy(`dbus',`
|
||||
')
|
||||
|
||||
optional_policy(`logrotate',`
|
||||
logrotate_use_fd(apmd_t)
|
||||
logrotate_use_fds(apmd_t)
|
||||
')
|
||||
|
||||
optional_policy(`mta',`
|
||||
|
@ -43,7 +43,7 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
|
||||
|
||||
allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
|
||||
allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(arpwatch_t,arpwatch_var_run_t)
|
||||
files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(arpwatch_t)
|
||||
kernel_list_proc(arpwatch_t)
|
||||
@ -76,7 +76,7 @@ files_read_etc_files(arpwatch_t)
|
||||
files_read_usr_files(arpwatch_t)
|
||||
files_search_var_lib(arpwatch_t)
|
||||
|
||||
init_use_fd(arpwatch_t)
|
||||
init_use_fds(arpwatch_t)
|
||||
init_use_script_ptys(arpwatch_t)
|
||||
|
||||
libs_use_ld_so(arpwatch_t)
|
||||
|
@ -42,7 +42,7 @@ allow automount_t automount_etc_t:file { getattr read };
|
||||
can_exec(automount_t, automount_etc_t)
|
||||
|
||||
allow automount_t automount_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(automount_t,automount_lock_t)
|
||||
files_lock_filetrans(automount_t,automount_lock_t,file)
|
||||
|
||||
allow automount_t automount_tmp_t:dir create_dir_perms;
|
||||
allow automount_t automount_tmp_t:file create_file_perms;
|
||||
@ -50,12 +50,12 @@ files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
|
||||
|
||||
# Allow automount to create and delete directories in / and /home
|
||||
allow automount_t automount_tmp_t:dir create_dir_perms;
|
||||
files_home_filetrans(automount_t,automount_tmp_t)
|
||||
files_home_filetrans(automount_t,automount_tmp_t,dir)
|
||||
files_root_filetrans(automount_t,automount_tmp_t,dir)
|
||||
|
||||
allow automount_t automount_var_run_t:file create_file_perms;
|
||||
allow automount_t automount_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(automount_t,automount_var_run_t)
|
||||
files_pid_filetrans(automount_t,automount_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(automount_t)
|
||||
kernel_read_fs_sysctls(automount_t)
|
||||
@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t)
|
||||
kernel_read_system_state(automount_t)
|
||||
kernel_list_proc(automount_t)
|
||||
|
||||
bootloader_search_boot(automount_t)
|
||||
files_search_boot(automount_t)
|
||||
|
||||
corecmd_exec_sbin(automount_t)
|
||||
corecmd_exec_bin(automount_t)
|
||||
@ -113,7 +113,7 @@ fs_manage_auto_mountpoints(automount_t)
|
||||
term_dontaudit_use_console(automount_t)
|
||||
term_dontaudit_getattr_pty_dirs(automount_t)
|
||||
|
||||
init_use_fd(automount_t)
|
||||
init_use_fds(automount_t)
|
||||
init_use_script_ptys(automount_t)
|
||||
|
||||
libs_use_ld_so(automount_t)
|
||||
|
@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms;
|
||||
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
|
||||
allow avahi_t avahi_var_run_t:file create_file_perms;
|
||||
allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
|
||||
files_pid_filetrans(avahi_t,avahi_var_run_t)
|
||||
files_pid_filetrans(avahi_t,avahi_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(avahi_t)
|
||||
kernel_list_proc(avahi_t)
|
||||
@ -65,7 +65,7 @@ domain_use_interactive_fds(avahi_t)
|
||||
files_read_etc_files(avahi_t)
|
||||
files_read_etc_runtime_files(avahi_t)
|
||||
|
||||
init_use_fd(avahi_t)
|
||||
init_use_fds(avahi_t)
|
||||
init_use_script_ptys(avahi_t)
|
||||
init_signal_script(avahi_t)
|
||||
init_signull_script(avahi_t)
|
||||
|
@ -130,7 +130,7 @@ domain_use_interactive_fds(named_t)
|
||||
files_read_etc_files(named_t)
|
||||
files_read_etc_runtime_files(named_t)
|
||||
|
||||
init_use_fd(named_t)
|
||||
init_use_fds(named_t)
|
||||
init_use_script_ptys(named_t)
|
||||
|
||||
libs_use_ld_so(named_t)
|
||||
@ -255,7 +255,7 @@ domain_use_interactive_fds(ndc_t)
|
||||
files_read_etc_files(ndc_t)
|
||||
files_search_pids(ndc_t)
|
||||
|
||||
init_use_fd(ndc_t)
|
||||
init_use_fds(ndc_t)
|
||||
init_use_script_ptys(ndc_t)
|
||||
|
||||
libs_use_ld_so(ndc_t)
|
||||
@ -289,5 +289,5 @@ optional_policy(`nscd',`
|
||||
')
|
||||
|
||||
optional_policy(`ppp',`
|
||||
ppp_dontaudit_use_fd(ndc_t)
|
||||
ppp_dontaudit_use_fds(ndc_t)
|
||||
')
|
||||
|
@ -69,7 +69,7 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
|
||||
allow bluetooth_helper_t bluetooth_t:process sigchld;
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(bluetooth_t,bluetooth_lock_t)
|
||||
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
|
||||
|
||||
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
|
||||
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
|
||||
@ -77,7 +77,7 @@ files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||
|
||||
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
|
||||
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t)
|
||||
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
|
||||
|
||||
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||
@ -120,7 +120,7 @@ files_read_etc_files(bluetooth_t)
|
||||
files_read_etc_runtime_files(bluetooth_t)
|
||||
files_read_usr_files(bluetooth_t)
|
||||
|
||||
init_use_fd(bluetooth_t)
|
||||
init_use_fds(bluetooth_t)
|
||||
init_use_script_ptys(bluetooth_t)
|
||||
|
||||
libs_use_ld_so(bluetooth_t)
|
||||
|
@ -38,7 +38,7 @@ logging_log_filetrans(canna_t,canna_log_t,{ file dir })
|
||||
allow canna_t canna_var_lib_t:dir create_dir_perms;
|
||||
allow canna_t canna_var_lib_t:file create_file_perms;
|
||||
allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
|
||||
files_var_lib_filetrans(canna_t,canna_var_lib_t)
|
||||
files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
|
||||
|
||||
allow canna_t canna_var_run_t:dir rw_dir_perms;
|
||||
allow canna_t canna_var_run_t:file create_file_perms;
|
||||
@ -72,7 +72,7 @@ files_read_usr_files(canna_t)
|
||||
files_search_tmp(canna_t)
|
||||
files_dontaudit_read_root_files(canna_t)
|
||||
|
||||
init_use_fd(canna_t)
|
||||
init_use_fds(canna_t)
|
||||
init_use_script_ptys(canna_t)
|
||||
|
||||
libs_use_ld_so(canna_t)
|
||||
|
@ -37,7 +37,7 @@ files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
|
||||
|
||||
allow comsat_t comsat_var_run_t:file create_file_perms;
|
||||
allow comsat_t comsat_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(comsat_t,comsat_var_run_t)
|
||||
files_pid_filetrans(comsat_t,comsat_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(comsat_t)
|
||||
kernel_read_network_state(comsat_t)
|
||||
|
@ -45,7 +45,7 @@ domain_use_interactive_fds(cpucontrol_t)
|
||||
|
||||
files_list_usr(cpucontrol_t)
|
||||
|
||||
init_use_fd(cpucontrol_t)
|
||||
init_use_fds(cpucontrol_t)
|
||||
init_use_script_ptys(cpucontrol_t)
|
||||
|
||||
libs_use_ld_so(cpucontrol_t)
|
||||
@ -97,7 +97,7 @@ files_read_etc_files(cpuspeed_t)
|
||||
files_read_etc_runtime_files(cpuspeed_t)
|
||||
files_list_usr(cpuspeed_t)
|
||||
|
||||
init_use_fd(cpuspeed_t)
|
||||
init_use_fds(cpuspeed_t)
|
||||
init_use_script_ptys(cpuspeed_t)
|
||||
|
||||
libs_use_ld_so(cpuspeed_t)
|
||||
|
@ -89,7 +89,7 @@ template(`cron_per_userdomain_template',`
|
||||
kernel_read_kernel_sysctls($1_crond_t)
|
||||
|
||||
# ps does not need to access /boot when run from cron
|
||||
bootloader_dontaudit_search_boot($1_crond_t)
|
||||
files_dontaudit_search_boot($1_crond_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1_crond_t)
|
||||
corenet_raw_sendrecv_all_if($1_crond_t)
|
||||
@ -352,7 +352,7 @@ interface(`cron_system_entry',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_use_fd',`
|
||||
interface(`cron_use_fds',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
')
|
||||
|
@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
|
||||
allow crond_t self:msg { send receive };
|
||||
|
||||
allow crond_t crond_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(crond_t,crond_var_run_t)
|
||||
files_pid_filetrans(crond_t,crond_var_run_t,file)
|
||||
|
||||
allow crond_t cron_spool_t:dir rw_dir_perms;
|
||||
allow crond_t cron_spool_t:file r_file_perms;
|
||||
@ -119,7 +119,7 @@ files_list_usr(crond_t)
|
||||
files_search_var_lib(crond_t)
|
||||
files_search_default(crond_t)
|
||||
|
||||
init_use_fd(crond_t)
|
||||
init_use_fds(crond_t)
|
||||
init_use_script_ptys(crond_t)
|
||||
init_rw_utmp(crond_t)
|
||||
|
||||
@ -247,11 +247,11 @@ ifdef(`targeted_policy',`
|
||||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
allow system_crond_t system_crond_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(system_crond_t,system_crond_lock_t)
|
||||
files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
|
||||
|
||||
# write temporary files
|
||||
allow system_crond_t system_crond_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t)
|
||||
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
|
||||
|
||||
# write temporary files in crond tmp dir:
|
||||
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
|
||||
@ -266,7 +266,7 @@ ifdef(`targeted_policy',`
|
||||
kernel_read_software_raid_state(system_crond_t)
|
||||
|
||||
# ps does not need to access /boot when run from cron
|
||||
bootloader_dontaudit_search_boot(system_crond_t)
|
||||
files_dontaudit_search_boot(system_crond_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(system_crond_t)
|
||||
corenet_raw_sendrecv_all_if(system_crond_t)
|
||||
@ -314,7 +314,7 @@ ifdef(`targeted_policy',`
|
||||
# /var/spool/anacron and /var/spool/slrnpull.
|
||||
files_manage_generic_spool(system_crond_t)
|
||||
|
||||
init_use_fd(system_crond_t)
|
||||
init_use_fds(system_crond_t)
|
||||
init_use_script_fds(system_crond_t)
|
||||
init_use_script_ptys(system_crond_t)
|
||||
init_read_utmp(system_crond_t)
|
||||
|
@ -110,7 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
|
||||
|
||||
allow cupsd_t cupsd_var_run_t:file create_file_perms;
|
||||
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(cupsd_t,cupsd_var_run_t)
|
||||
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
|
||||
|
||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||
|
||||
@ -170,7 +170,7 @@ files_list_world_readable(cupsd_t)
|
||||
files_read_world_readable_files(cupsd_t)
|
||||
files_read_world_readable_symlinks(cupsd_t)
|
||||
|
||||
init_use_fd(cupsd_t)
|
||||
init_use_fds(cupsd_t)
|
||||
init_use_script_ptys(cupsd_t)
|
||||
init_exec_script_files(cupsd_t)
|
||||
|
||||
@ -303,7 +303,7 @@ files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_fil
|
||||
|
||||
allow ptal_t ptal_var_run_t:file create_file_perms;
|
||||
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(ptal_t,ptal_var_run_t)
|
||||
files_pid_filetrans(ptal_t,ptal_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ptal_t)
|
||||
kernel_list_proc(ptal_t)
|
||||
@ -332,7 +332,7 @@ domain_use_interactive_fds(ptal_t)
|
||||
files_read_etc_files(ptal_t)
|
||||
files_read_etc_runtime_files(ptal_t)
|
||||
|
||||
init_use_fd(ptal_t)
|
||||
init_use_fds(ptal_t)
|
||||
init_use_script_ptys(ptal_t)
|
||||
|
||||
libs_use_ld_so(ptal_t)
|
||||
@ -390,7 +390,7 @@ files_search_etc(hplip_t)
|
||||
|
||||
allow hplip_t hplip_var_run_t:file create_file_perms;
|
||||
allow hplip_t hplip_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(hplip_t,hplip_var_run_t)
|
||||
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(hplip_t)
|
||||
kernel_read_kernel_sysctls(hplip_t)
|
||||
@ -429,7 +429,7 @@ files_read_etc_files(hplip_t)
|
||||
files_read_etc_runtime_files(hplip_t)
|
||||
files_read_usr_files(hplip_t)
|
||||
|
||||
init_use_fd(hplip_t)
|
||||
init_use_fds(hplip_t)
|
||||
init_use_script_ptys(hplip_t)
|
||||
|
||||
libs_use_ld_so(hplip_t)
|
||||
@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
|
||||
|
||||
allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
|
||||
allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t)
|
||||
files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
|
||||
|
||||
can_exec(cupsd_config_t, cupsd_config_exec_t)
|
||||
|
||||
@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
|
||||
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
|
||||
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t)
|
||||
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
|
||||
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
|
||||
@ -548,7 +548,7 @@ files_read_usr_files(cupsd_config_t)
|
||||
files_read_etc_files(cupsd_config_t)
|
||||
files_read_etc_runtime_files(cupsd_config_t)
|
||||
|
||||
init_use_fd(cupsd_config_t)
|
||||
init_use_fds(cupsd_config_t)
|
||||
init_use_script_ptys(cupsd_config_t)
|
||||
|
||||
libs_use_ld_so(cupsd_config_t)
|
||||
@ -602,7 +602,7 @@ optional_policy(`hostname',`
|
||||
')
|
||||
|
||||
optional_policy(`logrotate',`
|
||||
logrotate_use_fd(cupsd_config_t)
|
||||
logrotate_use_fds(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
@ -682,7 +682,7 @@ files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
|
||||
|
||||
allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
|
||||
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t)
|
||||
files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
|
||||
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
|
||||
allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
|
||||
|
@ -42,7 +42,7 @@ files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
|
||||
|
||||
allow cvs_t cvs_var_run_t:file create_file_perms;
|
||||
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(cvs_t,cvs_var_run_t)
|
||||
files_pid_filetrans(cvs_t,cvs_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(cvs_t)
|
||||
kernel_read_system_state(cvs_t)
|
||||
|
@ -48,7 +48,7 @@ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
|
||||
|
||||
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
|
||||
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
|
||||
files_pid_filetrans(cyrus_t,cyrus_var_run_t)
|
||||
files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
|
||||
|
||||
allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
|
||||
allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
|
||||
@ -91,7 +91,7 @@ files_list_var_lib(cyrus_t)
|
||||
files_read_etc_files(cyrus_t)
|
||||
files_read_etc_runtime_files(cyrus_t)
|
||||
|
||||
init_use_fd(cyrus_t)
|
||||
init_use_fds(cyrus_t)
|
||||
init_use_script_ptys(cyrus_t)
|
||||
|
||||
libs_use_ld_so(cyrus_t)
|
||||
|
@ -43,7 +43,7 @@ files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
|
||||
|
||||
allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
|
||||
allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(dbskkd_t,dbskkd_var_run_t)
|
||||
files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(dbskkd_t)
|
||||
kernel_read_system_state(dbskkd_t)
|
||||
|
@ -52,7 +52,7 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
||||
allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
|
||||
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
|
||||
allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t)
|
||||
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(system_dbusd_t)
|
||||
kernel_read_kernel_sysctls(system_dbusd_t)
|
||||
@ -93,7 +93,7 @@ files_read_etc_files(system_dbusd_t)
|
||||
files_list_home(system_dbusd_t)
|
||||
files_read_usr_files(system_dbusd_t)
|
||||
|
||||
init_use_fd(system_dbusd_t)
|
||||
init_use_fds(system_dbusd_t)
|
||||
init_use_script_ptys(system_dbusd_t)
|
||||
|
||||
libs_use_ld_so(system_dbusd_t)
|
||||
|
@ -41,7 +41,7 @@ can_exec(dhcpd_t,dhcpd_exec_t)
|
||||
|
||||
allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
|
||||
allow dhcpd_t dhcpd_state_t:file create_file_perms;
|
||||
sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t)
|
||||
sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
|
||||
|
||||
allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
|
||||
allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
|
||||
@ -49,7 +49,7 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
|
||||
|
||||
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
|
||||
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(dhcpd_t,dhcpd_var_run_t)
|
||||
files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(dhcpd_t)
|
||||
kernel_read_kernel_sysctls(dhcpd_t)
|
||||
@ -89,7 +89,7 @@ files_read_usr_files(dhcpd_t)
|
||||
files_read_etc_runtime_files(dhcpd_t)
|
||||
files_search_var_lib(dhcpd_t)
|
||||
|
||||
init_use_fd(dhcpd_t)
|
||||
init_use_fds(dhcpd_t)
|
||||
init_use_script_ptys(dhcpd_t)
|
||||
|
||||
libs_use_ld_so(dhcpd_t)
|
||||
|
@ -67,7 +67,7 @@ files_search_var_lib(dictd_t)
|
||||
# for checking for nscd
|
||||
files_dontaudit_search_pids(dictd_t)
|
||||
|
||||
init_use_fd(dictd_t)
|
||||
init_use_fds(dictd_t)
|
||||
init_use_script_ptys(dictd_t)
|
||||
|
||||
libs_use_ld_so(dictd_t)
|
||||
|
@ -32,7 +32,7 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow distccd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow distccd_t distccd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(distccd_t,distccd_log_t)
|
||||
logging_log_filetrans(distccd_t,distccd_log_t,file)
|
||||
|
||||
allow distccd_t distccd_tmp_t:dir create_dir_perms;
|
||||
allow distccd_t distccd_tmp_t:file create_file_perms;
|
||||
@ -40,7 +40,7 @@ files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
|
||||
|
||||
allow distccd_t distccd_var_run_t:file create_file_perms;
|
||||
allow distccd_t distccd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(distccd_t,distccd_var_run_t)
|
||||
files_pid_filetrans(distccd_t,distccd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(distccd_t)
|
||||
kernel_read_kernel_sysctls(distccd_t)
|
||||
@ -73,7 +73,7 @@ domain_use_interactive_fds(distccd_t)
|
||||
files_read_etc_files(distccd_t)
|
||||
files_read_etc_runtime_files(distccd_t)
|
||||
|
||||
init_use_fd(distccd_t)
|
||||
init_use_fds(distccd_t)
|
||||
init_use_script_ptys(distccd_t)
|
||||
|
||||
libs_use_ld_so(distccd_t)
|
||||
|
@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
|
||||
allow dovecot_t dovecot_var_run_t:file create_file_perms;
|
||||
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
|
||||
allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(dovecot_t,dovecot_var_run_t)
|
||||
files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(dovecot_t)
|
||||
kernel_read_system_state(dovecot_t)
|
||||
@ -97,7 +97,7 @@ files_search_spool(dovecot_t)
|
||||
files_search_tmp(dovecot_t)
|
||||
files_dontaudit_list_default(dovecot_t)
|
||||
|
||||
init_use_fd(dovecot_t)
|
||||
init_use_fds(dovecot_t)
|
||||
init_use_script_ptys(dovecot_t)
|
||||
init_getattr_utmp(dovecot_t)
|
||||
|
||||
|
@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
|
||||
|
||||
allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
|
||||
mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t)
|
||||
mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
|
||||
|
||||
allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
|
||||
allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(fetchmail_t,fetchmail_var_run_t)
|
||||
files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(fetchmail_t)
|
||||
kernel_list_proc(fetchmail_t)
|
||||
@ -76,7 +76,7 @@ term_dontaudit_use_console(fetchmail_t)
|
||||
|
||||
domain_use_interactive_fds(fetchmail_t)
|
||||
|
||||
init_use_fd(fetchmail_t)
|
||||
init_use_fds(fetchmail_t)
|
||||
init_use_script_ptys(fetchmail_t)
|
||||
|
||||
libs_use_ld_so(fetchmail_t)
|
||||
|
@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow fingerd_t fingerd_var_run_t:file create_file_perms;
|
||||
allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(fingerd_t,fingerd_var_run_t)
|
||||
files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
|
||||
|
||||
allow fingerd_t fingerd_etc_t:file r_file_perms;
|
||||
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
|
||||
allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow fingerd_t fingerd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(fingerd_t,fingerd_log_t)
|
||||
logging_log_filetrans(fingerd_t,fingerd_log_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
@ -83,7 +83,7 @@ files_read_etc_runtime_files(fingerd_t)
|
||||
|
||||
init_read_utmp(fingerd_t)
|
||||
init_dontaudit_write_utmp(fingerd_t)
|
||||
init_use_fd(fingerd_t)
|
||||
init_use_fds(fingerd_t)
|
||||
init_use_script_ptys(fingerd_t)
|
||||
|
||||
libs_use_ld_so(fingerd_t)
|
||||
|
@ -59,11 +59,11 @@ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
|
||||
|
||||
allow ftpd_t ftpd_var_run_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(ftpd_t,ftpd_var_run_t)
|
||||
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
allow ftpd_t xferlog_t:file create_file_perms;
|
||||
logging_log_filetrans(ftpd_t,xferlog_t)
|
||||
logging_log_filetrans(ftpd_t,xferlog_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ftpd_t)
|
||||
kernel_read_system_state(ftpd_t)
|
||||
@ -111,7 +111,7 @@ auth_append_login_records(ftpd_t)
|
||||
#kerberized ftp requires the following
|
||||
auth_write_login_records(ftpd_t)
|
||||
|
||||
init_use_fd(ftpd_t)
|
||||
init_use_fds(ftpd_t)
|
||||
init_use_script_ptys(ftpd_t)
|
||||
|
||||
libs_use_ld_so(ftpd_t)
|
||||
@ -165,7 +165,7 @@ tunable_policy(`ftp_home_dir',`
|
||||
|
||||
tunable_policy(`ftpd_is_daemon',`
|
||||
allow ftpd_t ftpd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(ftpd_t,ftpd_lock_t)
|
||||
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
|
||||
|
||||
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||
')
|
||||
|
@ -39,7 +39,7 @@ allow gpm_t gpm_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
|
||||
|
||||
allow gpm_t gpm_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(gpm_t,gpm_var_run_t)
|
||||
files_pid_filetrans(gpm_t,gpm_var_run_t,file)
|
||||
|
||||
allow gpm_t gpmctl_t:sock_file create_file_perms;
|
||||
allow gpm_t gpmctl_t:fifo_file create_file_perms;
|
||||
@ -65,7 +65,7 @@ term_dontaudit_use_console(gpm_t)
|
||||
|
||||
domain_use_interactive_fds(gpm_t)
|
||||
|
||||
init_use_fd(gpm_t)
|
||||
init_use_fds(gpm_t)
|
||||
init_use_script_ptys(gpm_t)
|
||||
|
||||
libs_use_ld_so(gpm_t)
|
||||
|
@ -34,7 +34,7 @@ interface(`hal_domtrans',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_dgram_sendto',`
|
||||
interface(`hal_dgram_send',`
|
||||
gen_require(`
|
||||
type hald_t;
|
||||
')
|
||||
|
@ -42,7 +42,7 @@ files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
|
||||
|
||||
allow hald_t hald_var_run_t:file create_file_perms;
|
||||
allow hald_t hald_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(hald_t,hald_var_run_t)
|
||||
files_pid_filetrans(hald_t,hald_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(hald_t)
|
||||
kernel_read_network_state(hald_t)
|
||||
@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t)
|
||||
kernel_read_fs_sysctls(hald_t)
|
||||
kernel_write_proc_files(hald_t)
|
||||
|
||||
bootloader_search_boot(hald_t)
|
||||
files_search_boot(hald_t)
|
||||
|
||||
corecmd_exec_bin(hald_t)
|
||||
corecmd_exec_sbin(hald_t)
|
||||
@ -114,7 +114,7 @@ term_dontaudit_ioctl_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_unallocated_ttys(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
|
||||
init_use_fd(hald_t)
|
||||
init_use_fds(hald_t)
|
||||
init_use_script_ptys(hald_t)
|
||||
init_domtrans_script(hald_t)
|
||||
init_write_initctl(hald_t)
|
||||
|
@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow howl_t howl_var_run_t:file create_file_perms;
|
||||
allow howl_t howl_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(howl_t,howl_var_run_t)
|
||||
files_pid_filetrans(howl_t,howl_var_run_t,file)
|
||||
|
||||
kernel_read_network_state(howl_t)
|
||||
kernel_read_kernel_sysctls(howl_t)
|
||||
@ -60,7 +60,7 @@ domain_use_interactive_fds(howl_t)
|
||||
|
||||
files_read_etc_files(howl_t)
|
||||
|
||||
init_use_fd(howl_t)
|
||||
init_use_fds(howl_t)
|
||||
init_use_script_ptys(howl_t)
|
||||
init_rw_utmp(howl_t)
|
||||
|
||||
|
@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
|
||||
files_pid_filetrans(i18n_input_t,i18n_input_var_run_t)
|
||||
files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
|
||||
|
||||
can_exec(i18n_input_t, i18n_input_exec_t)
|
||||
|
||||
@ -69,7 +69,7 @@ files_read_etc_files(i18n_input_t)
|
||||
files_read_etc_runtime_files(i18n_input_t)
|
||||
files_read_usr_files(i18n_input_t)
|
||||
|
||||
init_use_fd(i18n_input_t)
|
||||
init_use_fds(i18n_input_t)
|
||||
init_use_script_ptys(i18n_input_t)
|
||||
init_stream_connect_script(i18n_input_t)
|
||||
|
||||
|
@ -165,7 +165,7 @@ interface(`inetd_service_domain',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_use_fd',`
|
||||
interface(`inetd_use_fds',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
')
|
||||
@ -227,7 +227,7 @@ interface(`inetd_domtrans_child',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`inetd_udp_sendto',`
|
||||
interface(`inetd_udp_send',`
|
||||
gen_require(`
|
||||
type inetd_t;
|
||||
')
|
||||
|
@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow inetd_t self:udp_socket { connect connected_socket_perms };
|
||||
|
||||
allow inetd_t inetd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(inetd_t,inetd_log_t)
|
||||
logging_log_filetrans(inetd_t,inetd_log_t,file)
|
||||
|
||||
allow inetd_t inetd_tmp_t:dir create_dir_perms;
|
||||
allow inetd_t inetd_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
|
||||
|
||||
allow inetd_t inetd_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(inetd_t,inetd_var_run_t)
|
||||
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(inetd_t)
|
||||
kernel_list_proc(inetd_t)
|
||||
@ -106,7 +106,7 @@ domain_use_interactive_fds(inetd_t)
|
||||
|
||||
files_read_etc_files(inetd_t)
|
||||
|
||||
init_use_fd(inetd_t)
|
||||
init_use_fds(inetd_t)
|
||||
init_use_script_ptys(inetd_t)
|
||||
|
||||
libs_use_ld_so(inetd_t)
|
||||
@ -179,7 +179,7 @@ files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
|
||||
|
||||
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
|
||||
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(inetd_child_t,inetd_child_var_run_t)
|
||||
files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(inetd_child_t)
|
||||
kernel_read_system_state(inetd_child_t)
|
||||
|
@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
|
||||
|
||||
allow innd_t innd_log_t:file manage_file_perms;
|
||||
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
|
||||
logging_log_filetrans(innd_t,innd_log_t)
|
||||
logging_log_filetrans(innd_t,innd_log_t,file)
|
||||
|
||||
allow innd_t innd_var_lib_t:dir create_dir_perms;
|
||||
allow innd_t innd_var_lib_t:file create_file_perms;
|
||||
files_var_lib_filetrans(innd_t,innd_var_lib_t)
|
||||
files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
|
||||
|
||||
allow innd_t innd_var_run_t:dir create_dir_perms;
|
||||
allow innd_t innd_var_run_t:file create_file_perms;
|
||||
allow innd_t innd_var_run_t:sock_file create_file_perms;
|
||||
files_pid_filetrans(innd_t,innd_var_run_t)
|
||||
files_pid_filetrans(innd_t,innd_var_run_t,file)
|
||||
|
||||
allow innd_t news_spool_t:dir create_dir_perms;
|
||||
allow innd_t news_spool_t:file create_file_perms;
|
||||
@ -97,7 +97,7 @@ files_read_etc_files(innd_t)
|
||||
files_read_etc_runtime_files(innd_t)
|
||||
files_read_usr_files(innd_t)
|
||||
|
||||
init_use_fd(innd_t)
|
||||
init_use_fds(innd_t)
|
||||
init_use_script_ptys(innd_t)
|
||||
|
||||
libs_use_ld_so(innd_t)
|
||||
|
@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
|
||||
|
||||
allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
|
||||
allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(irqbalance_t,irqbalance_var_run_t)
|
||||
files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(irqbalance_t)
|
||||
kernel_read_kernel_sysctls(irqbalance_t)
|
||||
@ -41,7 +41,7 @@ term_dontaudit_use_console(irqbalance_t)
|
||||
|
||||
domain_use_interactive_fds(irqbalance_t)
|
||||
|
||||
init_use_fd(irqbalance_t)
|
||||
init_use_fds(irqbalance_t)
|
||||
init_use_script_ptys(irqbalance_t)
|
||||
|
||||
libs_use_ld_so(irqbalance_t)
|
||||
|
@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow kadmind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow kadmind_t kadmind_log_t:file create_file_perms;
|
||||
logging_log_filetrans(kadmind_t,kadmind_log_t)
|
||||
logging_log_filetrans(kadmind_t,kadmind_log_t,file)
|
||||
|
||||
allow kadmind_t krb5_conf_t:file r_file_perms;
|
||||
dontaudit kadmind_t krb5_conf_t:file write;
|
||||
@ -81,7 +81,7 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
||||
|
||||
allow kadmind_t kadmind_var_run_t:file create_file_perms;
|
||||
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(kadmind_t,kadmind_var_run_t)
|
||||
files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(kadmind_t)
|
||||
kernel_list_proc(kadmind_t)
|
||||
@ -116,7 +116,7 @@ domain_use_interactive_fds(kadmind_t)
|
||||
|
||||
files_read_etc_files(kadmind_t)
|
||||
|
||||
init_use_fd(kadmind_t)
|
||||
init_use_fds(kadmind_t)
|
||||
init_use_script_ptys(kadmind_t)
|
||||
|
||||
libs_use_ld_so(kadmind_t)
|
||||
@ -172,7 +172,7 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
|
||||
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
||||
|
||||
allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
|
||||
logging_log_filetrans(krb5kdc_t,krb5kdc_log_t)
|
||||
logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
|
||||
|
||||
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
|
||||
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
|
||||
@ -183,7 +183,7 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
|
||||
allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t)
|
||||
files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
@ -216,7 +216,7 @@ domain_use_interactive_fds(krb5kdc_t)
|
||||
|
||||
files_read_etc_files(krb5kdc_t)
|
||||
|
||||
init_use_fd(krb5kdc_t)
|
||||
init_use_fds(krb5kdc_t)
|
||||
init_use_script_ptys(krb5kdc_t)
|
||||
|
||||
libs_use_ld_so(krb5kdc_t)
|
||||
|
@ -44,7 +44,7 @@ files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
|
||||
|
||||
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
|
||||
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(ktalkd_t,ktalkd_var_run_t)
|
||||
files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ktalkd_t)
|
||||
kernel_read_system_state(ktalkd_t)
|
||||
|
@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
|
||||
allow slapd_t slapd_etc_t:file { getattr read };
|
||||
|
||||
allow slapd_t slapd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(slapd_t,slapd_lock_t)
|
||||
files_lock_filetrans(slapd_t,slapd_lock_t,file)
|
||||
|
||||
# Allow access to write the replication log (should tighten this)
|
||||
allow slapd_t slapd_replog_t:dir create_dir_perms;
|
||||
@ -72,7 +72,7 @@ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
||||
|
||||
allow slapd_t slapd_var_run_t:file create_file_perms;
|
||||
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(slapd_t,slapd_var_run_t)
|
||||
files_pid_filetrans(slapd_t,slapd_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctls(slapd_t)
|
||||
@ -107,7 +107,7 @@ files_read_etc_runtime_files(slapd_t)
|
||||
files_read_usr_files(slapd_t)
|
||||
files_list_var_lib(slapd_t)
|
||||
|
||||
init_use_fd(slapd_t)
|
||||
init_use_fds(slapd_t)
|
||||
init_use_script_ptys(slapd_t)
|
||||
|
||||
libs_use_ld_so(slapd_t)
|
||||
|
@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms };
|
||||
allow checkpc_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow checkpc_t checkpc_log_t:file create_file_perms;
|
||||
logging_log_filetrans(checkpc_t,checkpc_log_t)
|
||||
logging_log_filetrans(checkpc_t,checkpc_log_t,file)
|
||||
|
||||
allow checkpc_t lpd_var_run_t:dir { search getattr };
|
||||
files_search_pids(checkpc_t)
|
||||
@ -92,7 +92,7 @@ files_read_etc_runtime_files(checkpc_t)
|
||||
|
||||
init_use_script_ptys(checkpc_t)
|
||||
# Allow access to /dev/console through the fd:
|
||||
init_use_fd(checkpc_t)
|
||||
init_use_fds(checkpc_t)
|
||||
|
||||
libs_use_ld_so(checkpc_t)
|
||||
libs_use_shared_libs(checkpc_t)
|
||||
@ -135,7 +135,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
|
||||
allow lpd_t lpd_var_run_t:dir rw_dir_perms;
|
||||
allow lpd_t lpd_var_run_t:file create_file_perms;
|
||||
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
|
||||
files_pid_filetrans(lpd_t,lpd_var_run_t)
|
||||
files_pid_filetrans(lpd_t,lpd_var_run_t,file)
|
||||
|
||||
# Write to /var/spool/lpd.
|
||||
allow lpd_t print_spool_t:dir rw_dir_perms;
|
||||
@ -201,7 +201,7 @@ files_read_var_lib_symlinks(lpd_t)
|
||||
# config files for lpd are of type etc_t, probably should change this
|
||||
files_read_etc_files(lpd_t)
|
||||
|
||||
init_use_fd(lpd_t)
|
||||
init_use_fds(lpd_t)
|
||||
init_use_script_ptys(lpd_t)
|
||||
|
||||
libs_use_ld_so(lpd_t)
|
||||
|
@ -37,11 +37,11 @@ template(`mailman_domain_template', `
|
||||
|
||||
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
|
||||
allow mailman_$1_t mailman_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(mailman_$1_t,mailman_lock_t)
|
||||
files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
|
||||
|
||||
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
|
||||
allow mailman_$1_t mailman_log_t:file create_file_perms;
|
||||
logging_log_filetrans(mailman_$1_t,mailman_log_t)
|
||||
logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
|
||||
|
||||
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
|
||||
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
|
||||
|
@ -49,7 +49,7 @@ optional_policy(`apache',`
|
||||
mta_tcp_connect_all_mailservers(mailman_cgi_t)
|
||||
|
||||
apache_sigchld(mailman_cgi_t)
|
||||
apache_use_fd(mailman_cgi_t)
|
||||
apache_use_fds(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
apache_search_sys_script_state(mailman_cgi_t)
|
||||
')
|
||||
|
@ -654,10 +654,9 @@ interface(`mta_dontaudit_getattr_spool_files',`
|
||||
## The type of the object to be created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -668,12 +667,7 @@ interface(`mta_spool_filetrans',`
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 mail_spool_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 mail_spool_t:file $2;
|
||||
',`
|
||||
type_transition $1 mail_spool_t:$3 $2;
|
||||
')
|
||||
type_transition $1 mail_spool_t:$3 $2;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -49,7 +49,7 @@ allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
|
||||
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
||||
|
||||
allow mysqld_t mysqld_log_t:file create_file_perms;
|
||||
logging_log_filetrans(mysqld_t,mysqld_log_t)
|
||||
logging_log_filetrans(mysqld_t,mysqld_log_t,file)
|
||||
|
||||
allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
|
||||
allow mysqld_t mysqld_tmp_t:file create_file_perms;
|
||||
@ -58,7 +58,7 @@ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
|
||||
allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
|
||||
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
|
||||
allow mysqld_t mysqld_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(mysqld_t,mysqld_var_run_t)
|
||||
files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
|
||||
|
||||
kernel_list_proc(mysqld_t)
|
||||
kernel_read_kernel_sysctls(mysqld_t)
|
||||
@ -94,7 +94,7 @@ files_read_etc_files(mysqld_t)
|
||||
files_read_usr_files(mysqld_t)
|
||||
files_search_var_lib(mysqld_t)
|
||||
|
||||
init_use_fd(mysqld_t)
|
||||
init_use_fds(mysqld_t)
|
||||
init_use_script_ptys(mysqld_t)
|
||||
|
||||
libs_use_ld_so(mysqld_t)
|
||||
|
@ -79,7 +79,7 @@ files_read_etc_files(NetworkManager_t)
|
||||
files_read_etc_runtime_files(NetworkManager_t)
|
||||
files_read_usr_files(NetworkManager_t)
|
||||
|
||||
init_use_fd(NetworkManager_t)
|
||||
init_use_fds(NetworkManager_t)
|
||||
init_use_script_ptys(NetworkManager_t)
|
||||
init_read_utmp(NetworkManager_t)
|
||||
init_domtrans_script(NetworkManager_t)
|
||||
|
@ -58,7 +58,7 @@ files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
|
||||
|
||||
allow ypbind_t ypbind_var_run_t:file manage_file_perms;
|
||||
allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(ypbind_t,ypbind_var_run_t)
|
||||
files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
|
||||
|
||||
allow ypbind_t var_yp_t:dir rw_dir_perms;
|
||||
allow ypbind_t var_yp_t:file create_file_perms;
|
||||
@ -99,7 +99,7 @@ domain_use_interactive_fds(ypbind_t)
|
||||
files_read_etc_files(ypbind_t)
|
||||
files_list_var(ypbind_t)
|
||||
|
||||
init_use_fd(ypbind_t)
|
||||
init_use_fds(ypbind_t)
|
||||
init_use_script_ptys(ypbind_t)
|
||||
init_udp_send_script(ypbind_t)
|
||||
|
||||
@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
|
||||
allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t)
|
||||
files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
|
||||
|
||||
allow yppasswdd_t var_yp_t:dir rw_dir_perms;
|
||||
allow yppasswdd_t var_yp_t:file create_file_perms;
|
||||
@ -200,7 +200,7 @@ files_read_etc_files(yppasswdd_t)
|
||||
files_read_etc_runtime_files(yppasswdd_t)
|
||||
files_relabel_etc_files(yppasswdd_t)
|
||||
|
||||
init_use_fd(yppasswdd_t)
|
||||
init_use_fds(yppasswdd_t)
|
||||
init_use_script_ptys(yppasswdd_t)
|
||||
init_udp_send_script(yppasswdd_t)
|
||||
|
||||
@ -260,7 +260,7 @@ files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
|
||||
|
||||
allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
|
||||
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(ypserv_t,ypserv_var_run_t)
|
||||
files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ypserv_t)
|
||||
kernel_list_proc(ypserv_t)
|
||||
@ -295,7 +295,7 @@ domain_use_interactive_fds(ypserv_t)
|
||||
|
||||
files_read_var_files(ypserv_t)
|
||||
|
||||
init_use_fd(ypserv_t)
|
||||
init_use_fds(ypserv_t)
|
||||
init_use_script_ptys(ypserv_t)
|
||||
init_udp_send_script(ypserv_t)
|
||||
|
||||
|
@ -45,7 +45,7 @@ allow nscd_t self:udp_socket create_socket_perms;
|
||||
allow nscd_t self:nscd { admin getstat };
|
||||
|
||||
allow nscd_t nscd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(nscd_t,nscd_log_t)
|
||||
logging_log_filetrans(nscd_t,nscd_log_t,file)
|
||||
|
||||
allow nscd_t nscd_var_run_t:file create_file_perms;
|
||||
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
|
||||
@ -93,7 +93,7 @@ domain_use_interactive_fds(nscd_t)
|
||||
files_read_etc_files(nscd_t)
|
||||
files_read_generic_tmp_symlinks(nscd_t)
|
||||
|
||||
init_use_fd(nscd_t)
|
||||
init_use_fds(nscd_t)
|
||||
init_use_script_ptys(nscd_t)
|
||||
|
||||
libs_use_ld_so(nscd_t)
|
||||
|
@ -58,7 +58,7 @@ files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
|
||||
|
||||
allow ntpd_t ntpd_var_run_t:file create_file_perms;
|
||||
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(ntpd_t,ntpd_var_run_t)
|
||||
files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(ntpd_t)
|
||||
kernel_read_system_state(ntpd_t)
|
||||
@ -100,7 +100,7 @@ files_read_usr_files(ntpd_t)
|
||||
files_list_var_lib(ntpd_t)
|
||||
|
||||
init_exec_script_files(ntpd_t)
|
||||
init_use_fd(ntpd_t)
|
||||
init_use_fds(ntpd_t)
|
||||
init_use_script_ptys(ntpd_t)
|
||||
|
||||
libs_use_ld_so(ntpd_t)
|
||||
@ -128,7 +128,7 @@ optional_policy(`cron',`
|
||||
')
|
||||
|
||||
optional_policy(`firstboot',`
|
||||
firstboot_dontaudit_use_fd(ntpd_t)
|
||||
firstboot_dontaudit_use_fds(ntpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate',`
|
||||
|
@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
|
||||
|
||||
allow openct_t openct_var_run_t:file create_file_perms;
|
||||
allow openct_t openct_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(openct_t,openct_var_run_t)
|
||||
files_pid_filetrans(openct_t,openct_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(openct_t)
|
||||
kernel_list_proc(openct_t)
|
||||
@ -43,7 +43,7 @@ fs_search_auto_mountpoints(openct_t)
|
||||
|
||||
term_dontaudit_use_console(openct_t)
|
||||
|
||||
init_use_fd(openct_t)
|
||||
init_use_fds(openct_t)
|
||||
init_use_script_ptys(openct_t)
|
||||
|
||||
libs_use_ld_so(openct_t)
|
||||
|
@ -59,7 +59,7 @@ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
allow pegasus_t pegasus_var_run_t:file create_file_perms;
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(pegasus_t,pegasus_var_run_t)
|
||||
files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(pegasus_t)
|
||||
kernel_read_fs_sysctls(pegasus_t)
|
||||
@ -97,7 +97,7 @@ files_list_var_lib(pegasus_t)
|
||||
files_read_var_lib_files(pegasus_t)
|
||||
files_read_var_lib_symlinks(pegasus_t)
|
||||
|
||||
init_use_fd(pegasus_t)
|
||||
init_use_fds(pegasus_t)
|
||||
init_use_script_ptys(pegasus_t)
|
||||
init_rw_utmp(pegasus_t)
|
||||
|
||||
|
@ -40,7 +40,7 @@ files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
|
||||
|
||||
allow portmap_t portmap_var_run_t:file create_file_perms;
|
||||
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(portmap_t,portmap_var_run_t)
|
||||
files_pid_filetrans(portmap_t,portmap_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(portmap_t)
|
||||
kernel_list_proc(portmap_t)
|
||||
@ -80,7 +80,7 @@ domain_use_interactive_fds(portmap_t)
|
||||
|
||||
files_read_etc_files(portmap_t)
|
||||
|
||||
init_use_fd(portmap_t)
|
||||
init_use_fds(portmap_t)
|
||||
init_use_script_ptys(portmap_t)
|
||||
init_udp_send(portmap_t)
|
||||
init_udp_send_script(portmap_t)
|
||||
@ -104,7 +104,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`inetd',`
|
||||
inetd_udp_sendto(portmap_t)
|
||||
inetd_udp_send(portmap_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount',`
|
||||
@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow portmap_helper_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(portmap_helper_t,portmap_var_run_t)
|
||||
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(portmap_helper_t)
|
||||
corenet_udp_sendrecv_all_if(portmap_helper_t)
|
||||
|
@ -45,7 +45,7 @@ template(`postfix_domain_template',`
|
||||
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
|
||||
|
||||
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(postfix_$1_t,postfix_var_run_t)
|
||||
files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
|
||||
|
||||
kernel_read_system_state(postfix_$1_t)
|
||||
kernel_read_network_state(postfix_$1_t)
|
||||
@ -72,7 +72,7 @@ template(`postfix_domain_template',`
|
||||
files_search_spool(postfix_$1_t)
|
||||
files_getattr_tmp_dirs(postfix_$1_t)
|
||||
|
||||
init_use_fd(postfix_$1_t)
|
||||
init_use_fds(postfix_$1_t)
|
||||
init_sigchld(postfix_$1_t)
|
||||
|
||||
libs_use_ld_so(postfix_$1_t)
|
||||
@ -209,10 +209,9 @@ interface(`postfix_read_config',`
|
||||
## The type of the object to be created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -223,12 +222,7 @@ interface(`postfix_config_filetrans',`
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 postfix_etc_t:dir rw_dir_perms;
|
||||
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 postfix_etc_t:file $2;
|
||||
',`
|
||||
type_transition $1 postfix_etc_t:$3 $2;
|
||||
')
|
||||
type_transition $1 postfix_etc_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -263,7 +257,7 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postfix_dontaudit_use_fd',`
|
||||
interface(`postfix_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type postfix_master_t;
|
||||
')
|
||||
|
@ -361,7 +361,7 @@ tunable_policy(`read_default_t',`
|
||||
')
|
||||
|
||||
optional_policy(`locallogin',`
|
||||
locallogin_dontaudit_use_fd(postfix_map_t)
|
||||
locallogin_dontaudit_use_fds(postfix_map_t)
|
||||
')
|
||||
|
||||
# a "run" interface needs to be
|
||||
@ -438,14 +438,14 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`crond',`
|
||||
cron_use_fd(postfix_postdrop_t)
|
||||
cron_use_fds(postfix_postdrop_t)
|
||||
cron_rw_pipes(postfix_postdrop_t)
|
||||
cron_use_system_job_fds(postfix_postdrop_t)
|
||||
cron_rw_system_job_pipes(postfix_postdrop_t)
|
||||
')
|
||||
|
||||
optional_policy(`ppp',`
|
||||
ppp_use_fd(postfix_postqueue_t)
|
||||
ppp_use_fds(postfix_postqueue_t)
|
||||
ppp_sigchld(postfix_postqueue_t)
|
||||
')
|
||||
|
||||
|
@ -58,7 +58,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(postgresql_t,postgresql_lock_t)
|
||||
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
|
||||
|
||||
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_log_t:file create_file_perms;
|
||||
@ -75,7 +75,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
|
||||
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
|
||||
allow postgresql_t postgresql_var_run_t:file create_file_perms;
|
||||
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
|
||||
files_pid_filetrans(postgresql_t,postgresql_var_run_t)
|
||||
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(postgresql_t)
|
||||
kernel_read_system_state(postgresql_t)
|
||||
@ -122,7 +122,7 @@ files_read_etc_runtime_files(postgresql_t)
|
||||
files_read_usr_files(postgresql_t)
|
||||
|
||||
init_read_utmp(postgresql_t)
|
||||
init_use_fd(postgresql_t)
|
||||
init_use_fds(postgresql_t)
|
||||
init_use_script_ptys(postgresql_t)
|
||||
|
||||
libs_use_ld_so(postgresql_t)
|
||||
|
@ -10,7 +10,7 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ppp_use_fd',`
|
||||
interface(`ppp_use_fds',`
|
||||
gen_require(`
|
||||
type pppd_t;
|
||||
')
|
||||
@ -29,7 +29,7 @@ interface(`ppp_use_fd',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ppp_dontaudit_use_fd',`
|
||||
interface(`ppp_dontaudit_use_fds',`
|
||||
gen_require(`
|
||||
type pppd_t;
|
||||
')
|
||||
|
@ -80,15 +80,15 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
||||
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_t:file r_file_perms;
|
||||
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
||||
files_etc_filetrans(pppd_t,pppd_etc_t)
|
||||
files_etc_filetrans(pppd_t,pppd_etc_t,file)
|
||||
|
||||
allow pppd_t pppd_etc_rw_t:file create_file_perms;
|
||||
|
||||
allow pppd_t pppd_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(pppd_t,pppd_lock_t)
|
||||
files_lock_filetrans(pppd_t,pppd_lock_t,file)
|
||||
|
||||
allow pppd_t pppd_log_t:file create_file_perms;
|
||||
logging_log_filetrans(pppd_t,pppd_log_t)
|
||||
logging_log_filetrans(pppd_t,pppd_log_t,file)
|
||||
|
||||
allow pppd_t pppd_tmp_t:dir create_dir_perms;
|
||||
allow pppd_t pppd_tmp_t:file create_file_perms;
|
||||
@ -96,7 +96,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
|
||||
|
||||
allow pppd_t pppd_var_run_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(pppd_t,pppd_var_run_t)
|
||||
files_pid_filetrans(pppd_t,pppd_var_run_t,file)
|
||||
|
||||
allow pppd_t pptp_t:process signal;
|
||||
|
||||
@ -155,7 +155,7 @@ files_read_etc_files(pppd_t)
|
||||
|
||||
init_read_utmp(pppd_t)
|
||||
init_dontaudit_write_utmp(pppd_t)
|
||||
init_use_fd(pppd_t)
|
||||
init_use_fds(pppd_t)
|
||||
init_use_script_ptys(pppd_t)
|
||||
|
||||
libs_use_ld_so(pppd_t)
|
||||
@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
|
||||
allow pptp_t pppd_log_t:file append;
|
||||
|
||||
allow pptp_t pptp_log_t:file create_file_perms;
|
||||
logging_log_filetrans(pptp_t,pptp_log_t)
|
||||
logging_log_filetrans(pptp_t,pptp_log_t,file)
|
||||
|
||||
allow pptp_t pptp_var_run_t:file create_file_perms;
|
||||
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
|
||||
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
|
||||
files_pid_filetrans(pptp_t,pptp_var_run_t)
|
||||
files_pid_filetrans(pptp_t,pptp_var_run_t,file)
|
||||
|
||||
kernel_list_proc(pptp_t)
|
||||
kernel_read_kernel_sysctls(pptp_t)
|
||||
@ -281,7 +281,7 @@ term_use_ptmx(pptp_t)
|
||||
|
||||
domain_use_interactive_fds(pptp_t)
|
||||
|
||||
init_use_fd(pptp_t)
|
||||
init_use_fds(pptp_t)
|
||||
init_use_script_ptys(pptp_t)
|
||||
|
||||
libs_use_ld_so(pptp_t)
|
||||
|
@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
|
||||
|
||||
allow privoxy_t privoxy_log_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||
logging_log_filetrans(privoxy_t,privoxy_log_t)
|
||||
logging_log_filetrans(privoxy_t,privoxy_log_t,file)
|
||||
|
||||
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(privoxy_t,privoxy_var_run_t)
|
||||
files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(privoxy_t)
|
||||
kernel_list_proc(privoxy_t)
|
||||
@ -63,7 +63,7 @@ domain_use_interactive_fds(privoxy_t)
|
||||
|
||||
files_read_etc_files(privoxy_t)
|
||||
|
||||
init_use_fd(privoxy_t)
|
||||
init_use_fds(privoxy_t)
|
||||
init_use_script_ptys(privoxy_t)
|
||||
|
||||
libs_use_ld_so(privoxy_t)
|
||||
|
@ -90,7 +90,7 @@ optional_policy(`nscd',`
|
||||
optional_policy(`postfix',`
|
||||
# for a bug in the postfix local program
|
||||
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
||||
postfix_dontaudit_use_fd(procmail_t)
|
||||
postfix_dontaudit_use_fds(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`sendmail',`
|
||||
|
@ -45,7 +45,7 @@ logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
|
||||
|
||||
allow radiusd_t radiusd_var_run_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(radiusd_t,radiusd_var_run_t)
|
||||
files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(radiusd_t)
|
||||
kernel_read_system_state(radiusd_t)
|
||||
@ -86,7 +86,7 @@ files_read_usr_files(radiusd_t)
|
||||
files_read_etc_files(radiusd_t)
|
||||
files_read_etc_runtime_files(radiusd_t)
|
||||
|
||||
init_use_fd(radiusd_t)
|
||||
init_use_fds(radiusd_t)
|
||||
init_use_script_ptys(radiusd_t)
|
||||
|
||||
libs_use_ld_so(radiusd_t)
|
||||
|
@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
|
||||
|
||||
allow radvd_t radvd_var_run_t:file create_file_perms;
|
||||
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(radvd_t,radvd_var_run_t)
|
||||
files_pid_filetrans(radvd_t,radvd_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(radvd_t)
|
||||
kernel_read_net_sysctls(radvd_t)
|
||||
@ -63,7 +63,7 @@ domain_use_interactive_fds(radvd_t)
|
||||
files_read_etc_files(radvd_t)
|
||||
files_list_usr(radvd_t)
|
||||
|
||||
init_use_fd(radvd_t)
|
||||
init_use_fds(radvd_t)
|
||||
init_use_script_ptys(radvd_t)
|
||||
|
||||
libs_use_ld_so(radvd_t)
|
||||
|
@ -44,7 +44,7 @@ domain_use_interactive_fds(rdisc_t)
|
||||
|
||||
files_read_etc_files(rdisc_t)
|
||||
|
||||
init_use_fd(rdisc_t)
|
||||
init_use_fds(rdisc_t)
|
||||
init_use_script_ptys(rdisc_t)
|
||||
|
||||
libs_use_ld_so(rdisc_t)
|
||||
|
@ -45,7 +45,7 @@ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
|
||||
|
||||
allow rlogind_t rlogind_var_run_t:file create_file_perms;
|
||||
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(rlogind_t,rlogind_var_run_t)
|
||||
files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(rlogind_t)
|
||||
kernel_read_system_state(rlogind_t)
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user