patch from dan to remove rhgb and gph:fd use
parent
1328802a41
commit
2629c6595a
@ -99,8 +99,3 @@ optional_policy(`udev',`
|
||||
udev_read_db(acct_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(acct_t)
|
||||
')
|
||||
')
|
||||
|
@ -70,9 +70,4 @@ ifdef(`targeted_policy',`
|
||||
udev_read_db(dmesg_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(dmesg_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
')
|
||||
|
@ -152,9 +152,6 @@ optional_policy(`udev',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow kudzu_t modules_conf_t:file unlink;
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(kudzu_t)
|
||||
')
|
||||
optional_policy(`lpd',`
|
||||
allow kudzu_t printconf_t:file { getattr read };
|
||||
')
|
||||
|
@ -82,7 +82,4 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
|
||||
allow quota_t file_t:file quotaon;
|
||||
|
||||
allow quota_t proc_t:file getattr;
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(quota_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -98,7 +98,7 @@ optional_policy(`dbus',`
|
||||
dbus_send_system_bus_msg(updfstab_t)
|
||||
')
|
||||
|
||||
optional_policy(`hald',`
|
||||
optional_policy(`hal',`
|
||||
hal_stream_connect(updfstab_t)
|
||||
')
|
||||
|
||||
@ -121,9 +121,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(updfstab_t)
|
||||
')
|
||||
allow updfstab_t tmpfs_t:dir getattr;
|
||||
')
|
||||
|
||||
|
@ -180,6 +180,32 @@ interface(`usermanage_domtrans_admin_passwd',`
|
||||
allow sysadm_passwd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute passwd admin functions in the admin
|
||||
## passwd domain, and allow the specified role
|
||||
## the admin passwd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the admin passwd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the admin passwd domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_admin_passwd',`
|
||||
gen_require(`
|
||||
type sysadm_passwd_t;
|
||||
')
|
||||
|
||||
usermanage_domtrans_admin_passwd($1)
|
||||
role $2 types sysadm_passwd_t;
|
||||
allow sysadm_passwd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute useradd in the useradd domain.
|
||||
|
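Review bot: The `terminal` parameter description of the new `usermanage_run_admin_passwd` interface is ungrammatical: `## The type of the terminal allow the admin passwd domain to use.` should read `## The type of the terminal the admin passwd domain is allowed to use.`. The summary could also state that `$2` is associated with sysadm_passwd_t through the `role` statement, since that role association is the privileged part of this interface and is what callers need to understand before using it. The interface body is complete within the hunk.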
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage,1.0)
|
||||
policy_module(usermanage,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -136,10 +136,6 @@ optional_policy(`nis',`
|
||||
nis_use_ypbind(chfn_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Crack local policy
|
||||
@ -224,6 +220,7 @@ init_dontaudit_write_script_pid(groupadd_t)
|
||||
domain_use_wide_inherit_fd(groupadd_t)
|
||||
|
||||
files_manage_etc_files(groupadd_t)
|
||||
files_relabel_etc_files(groupadd_t)
|
||||
|
||||
libs_use_ld_so(groupadd_t)
|
||||
libs_use_shared_libs(groupadd_t)
|
||||
@ -237,6 +234,7 @@ logging_send_syslog_msg(groupadd_t)
|
||||
miscfiles_read_localization(groupadd_t)
|
||||
|
||||
auth_manage_shadow(groupadd_t)
|
||||
auth_relabel_shadow(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
|
||||
@ -259,14 +257,6 @@ optional_policy(`rpm',`
|
||||
rpm_rw_pipe(groupadd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Passwd local policy
|
||||
@ -310,6 +300,7 @@ term_use_all_user_ttys(passwd_t)
|
||||
term_use_all_user_ptys(passwd_t)
|
||||
|
||||
auth_manage_shadow(passwd_t)
|
||||
auth_relabel_shadow(passwd_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(passwd_t)
|
||||
@ -320,6 +311,7 @@ files_read_etc_runtime_files(passwd_t)
|
||||
files_manage_etc_files(passwd_t)
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
@ -335,6 +327,9 @@ miscfiles_read_localization(passwd_t)
|
||||
seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_userdomains(passwd_t)
|
||||
userdom_read_all_userdomains_state(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(passwd_t)
|
||||
@ -343,19 +338,6 @@ optional_policy(`nis',`
|
||||
nis_use_ypbind(passwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Inherit and use descriptors from login.
|
||||
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
|
||||
|
||||
# make sure that getcon succeeds
|
||||
allow passwd_t userdomain:dir search;
|
||||
allow passwd_t userdomain:file read;
|
||||
allow passwd_t userdomain:process getattr;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Password admin local policy
|
||||
@ -403,7 +385,10 @@ term_use_all_user_ttys(sysadm_passwd_t)
|
||||
term_use_all_user_ptys(sysadm_passwd_t)
|
||||
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(sysadm_passwd_t)
|
||||
# allow vipw to exec the editor
|
||||
corecmd_search_sbin(sysadm_passwd_t)
|
||||
corecmd_exec_bin(sysadm_passwd_t)
|
||||
@ -413,6 +398,7 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||
|
||||
files_manage_etc_files(sysadm_passwd_t)
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
@ -439,24 +425,6 @@ optional_policy(`nis',`
|
||||
nis_use_ypbind(sysadm_passwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types sysadm_passwd_t;
|
||||
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
|
||||
|
||||
# Inherit and use descriptors from login.
|
||||
ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
|
||||
|
||||
# allow checking if a shell is executable
|
||||
allow sysadm_passwd_t shell_exec_t:file execute;
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
role system_r types sysadm_passwd_t;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Useradd local policy
|
||||
@ -494,6 +462,7 @@ term_use_all_user_ttys(useradd_t)
|
||||
term_use_all_user_ptys(useradd_t)
|
||||
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
|
||||
@ -506,6 +475,7 @@ domain_use_wide_inherit_fd(useradd_t)
|
||||
|
||||
files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
|
||||
init_use_fd(useradd_t)
|
||||
init_rw_script_pid(useradd_t)
|
||||
@ -542,14 +512,3 @@ optional_policy(`rpm',`
|
||||
rpm_use_fd(useradd_t)
|
||||
rpm_rw_pipe(useradd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
|
||||
|
||||
# /var/mail is a link to /var/spool/mail
|
||||
allow useradd_t mail_spool_t:lnk_file read;
|
||||
') dnl end TODO
|
||||
|
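Review bot: In the `@ -335,6 +327,9 @@` hunk, `userdom_read_all_userdomains_state(passwd_t)` replaces the `userdomain:dir search`, `userdomain:file read` and `userdomain:process getattr` rules that the removed TODO block tied to getcon; if that interface grants more than search/read on user domains' process state (its body is not visible here), passwd_t now reads more of other users' process state than the old rule did, which is worth confirming or narrowing. In the `@ -403,7 +385,10 @@` hunk the comment `# allow vipw to exec the editor` could note that the editor runs inside sysadm_passwd_t with no domain transition, so it inherits the auth_manage_shadow and auth_relabel_shadow rights granted just above. The `@ -542,14 +512,3 @@` hunk also drops `allow useradd_t mail_spool_t:lnk_file read;`, which is neither rhgb nor gph; it was inert under ifdef(`TODO') so effective policy is unchanged, but the commit message should say the drop is deliberate.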
@ -418,10 +418,6 @@ optional_policy(`udev', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(httpd_t)
|
||||
')
|
||||
|
||||
can_tcp_connect(web_client_domain, httpd_t)
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -230,7 +230,4 @@ optional_policy(`cron',`
|
||||
|
||||
r_dir_file(apmd_t, hwdata_t)
|
||||
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(apmd_t)
|
||||
')
|
||||
')
|
||||
|
@ -114,9 +114,3 @@ optional_policy(`udev',`
|
||||
udev_read_db(arpwatch_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# TODO from daemon_domain
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(arpwatch_t)
|
||||
')
|
||||
')
|
||||
|
@ -108,8 +108,3 @@ optional_policy(`udev',`
|
||||
udev_read_db(avahi_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(avahi_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -181,9 +181,6 @@ ifdef(`TODO',`
|
||||
can_udp_send(domain, named_t)
|
||||
can_udp_send(named_t, domain)
|
||||
can_tcp_connect(domain, named_t)
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(named_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -158,12 +158,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(bluetooth_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(bluetooth_t)
|
||||
')
|
||||
') dnl end TOOD
|
||||
|
||||
########################################
|
||||
#
|
||||
# Bluetooth helper local policy
|
||||
|
@ -107,10 +107,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(canna_t)
|
||||
')
|
||||
|
||||
optional_policy(`canna',`
|
||||
canna_stream_connect(i18n_input_t)
|
||||
')
|
||||
|
@ -73,12 +73,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(cpucontrol_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cpucontrol_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# CPU frequency scaling daemons
|
||||
@ -132,9 +126,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(cpuspeed_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cpuspeed_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -200,10 +200,6 @@ ifdef(`TODO',`
|
||||
# NB The constraints file has some entries for crond_t, this makes it
|
||||
# different from all other domains...
|
||||
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(crond_t)
|
||||
')
|
||||
|
||||
# crond tries to search /root. Not sure why.
|
||||
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
|
||||
|
||||
|
@ -226,9 +226,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cupsd_t)
|
||||
')
|
||||
allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
|
||||
allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
|
||||
allow cupsd_t kernel_t:tcp_socket recvfrom;
|
||||
@ -377,13 +374,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(ptal_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ptal_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
|
||||
allow userdomain ptal_t:unix_stream_socket connectto;
|
||||
allow userdomain ptal_var_run_t:sock_file write;
|
||||
allow userdomain ptal_var_run_t:dir search;
|
||||
@ -491,12 +481,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(hplip_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(hplip_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
allow hplip_t devpts_t:dir search;
|
||||
allow hplip_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
@ -627,12 +611,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(cupsd_config_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cupsd_config_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
allow cupsd_config_t devpts_t:dir search;
|
||||
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
|
@ -140,9 +140,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(cyrus_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cyrus_t)
|
||||
')
|
||||
')
|
||||
|
@ -139,9 +139,3 @@ optional_policy(`sysnetwork',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(system_dbusd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(system_dbusd_t)
|
||||
')
|
||||
')
|
||||
|
@ -138,9 +138,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(dhcpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(dhcpd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -101,9 +101,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(dictd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(dictd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -107,9 +107,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(distccd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(distccd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -185,9 +185,3 @@ optional_policy(`nis',`
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket(dovecot_auth_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(dovecot_t)
|
||||
')
|
||||
')
|
||||
|
@ -131,12 +131,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(fingerd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(fingerd_t)
|
||||
')
|
||||
')
|
||||
|
||||
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
|
||||
# have to change this when we create a type for Maildir
|
||||
dontaudit fingerd_t user_home_t:dir search;
|
||||
|
@ -220,9 +220,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev', `
|
||||
udev_read_db(ftpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ftpd_t)
|
||||
')
|
||||
')
|
||||
|
@ -95,7 +95,4 @@ ifdef(`TODO',`
|
||||
# Access the mouse.
|
||||
# cjp: why write?
|
||||
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(gpm_t)
|
||||
')
|
||||
')
|
||||
|
@ -183,10 +183,6 @@ optional_policy(`updfstab',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(hald_t)
|
||||
')
|
||||
|
||||
allow hald_t device_t:dir create_dir_perms;
|
||||
|
||||
optional_policy(`hald',`
|
||||
|
@ -92,9 +92,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(howl_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(howl_t)
|
||||
')
|
||||
')
|
||||
|
@ -155,12 +155,6 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(inetd_t)
|
||||
')
|
||||
') dnl TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# inetd child local_policy
|
||||
|
@ -144,10 +144,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(innd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(innd_t)
|
||||
')
|
||||
allow innd_t sysadm_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
@ -148,12 +148,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(kadmind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(kadmind_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Krb5kdc local policy
|
||||
@ -254,10 +248,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(krb5kdc_t)
|
||||
')
|
||||
|
||||
# Allow user programs to talk to KDC
|
||||
allow krb5kdc_t userdomain:udp_socket recvfrom;
|
||||
allow userdomain krb5kdc_t:udp_socket recvfrom;
|
||||
|
@ -148,9 +148,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(slapd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(slapd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -233,10 +233,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(lpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(lpd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
|
@ -141,9 +141,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(mysqld_t)
|
||||
')
|
||||
optional_policy(`daemontools',`
|
||||
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
|
||||
mysqld_signal(svc_start_t)
|
||||
|
@ -143,12 +143,6 @@ optional_policy(`vpn',`
|
||||
vpn_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(NetworkManager_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
###########################################################
|
||||
#
|
||||
# Partially converted rules. THESE ARE ONLY TEMPORARY
|
||||
|
@ -130,12 +130,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(ypbind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ypbind_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# ypserv local policy
|
||||
@ -228,10 +222,6 @@ optional_policy(`udev', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb', `
|
||||
rhgb_domain(ypserv_t)
|
||||
')
|
||||
|
||||
# Read and write /var/yp.
|
||||
ifdef(`rpcd.te', `
|
||||
allow rpcd_t ypserv_conf_t:file { getattr read };
|
||||
|
@ -133,9 +133,3 @@ optional_policy(`samba',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(nscd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(nscd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -161,9 +161,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ntpd_t)
|
||||
')
|
||||
allow ntpd_t sysadm_t:udp_socket sendto;
|
||||
allow sysadm_t ntpd_t:udp_socket recvfrom;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pegasus,1.0.1)
|
||||
policy_module(pegasus,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -13,6 +13,9 @@ init_daemon_domain(pegasus_t,pegasus_exec_t)
|
||||
type pegasus_data_t;
|
||||
files_type(pegasus_data_t)
|
||||
|
||||
type pegasus_tmp_t;
|
||||
files_tmp_file(pegasus_tmp_t)
|
||||
|
||||
type pegasus_conf_t;
|
||||
files_type(pegasus_conf_t)
|
||||
|
||||
@ -29,30 +32,37 @@ files_pid_file(pegasus_var_run_t)
|
||||
|
||||
allow pegasus_t self:capability { dac_override net_bind_service audit_write };
|
||||
dontaudit pegasus_t self:capability sys_tty_config;
|
||||
allow pegasus_t self:process signal;
|
||||
allow pegasus_t self:fifo_file rw_file_perms;
|
||||
allow pegasus_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow pegasus_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow pegasus_t pegasus_conf_t:dir r_dir_perms;
|
||||
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
|
||||
allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
|
||||
allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
|
||||
|
||||
allow pegasus_t pegasus_data_t:dir rw_dir_perms;
|
||||
allow pegasus_t pegasus_data_t:file create_file_perms;
|
||||
allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
|
||||
type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
|
||||
|
||||
allow pegasus_t pegasus_mof_t:dir r_dir_perms;
|
||||
allow pegasus_t pegasus_mof_t:file r_file_perms;
|
||||
allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
|
||||
|
||||
allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
|
||||
allow pegasus_t pegasus_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
|
||||
allow pegasus_t pegasus_var_run_t:file create_file_perms;
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(pegasus_t,pegasus_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(pegasus_t)
|
||||
kernel_read_fs_sysctl(pegasus_t)
|
||||
kernel_read_system_state(pegasus_t)
|
||||
kernel_search_vm_sysctl(pegasus_t)
|
||||
|
||||
@ -76,7 +86,7 @@ fs_search_auto_mountpoints(pegasus_t)
|
||||
term_dontaudit_use_console(pegasus_t)
|
||||
|
||||
auth_use_nsswitch(pegasus_t)
|
||||
auth_read_shadow(pegasus_t)
|
||||
auth_domtrans_chk_passwd(pegasus_t)
|
||||
|
||||
domain_use_wide_inherit_fd(pegasus_t)
|
||||
domain_read_all_domains_state(pegasus_t)
|
||||
@ -122,16 +132,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(pegasus_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(pegasus_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
# bad rules
|
||||
type pegasus_conf_exec_t, entry_type;
|
||||
files_type(pegasus_conf_exec_t)
|
||||
allow pegasus_conf_exec_t pegasus_conf_t:dir rw_dir_perms;
|
||||
allow pegasus_conf_exec_t pegasus_conf_t:file create_file_perms;
|
||||
allow pegasus_conf_exec_t pegasus_conf_t:lnk_file create_lnk_perms;
|
||||
|
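Review bot: In the `@ -29,30 +32,37 @@` hunk, `rw_dir_perms` on pegasus_conf_t:dir, `{ r_file_perms link unlink }` on pegasus_conf_t:file and `type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;` together let pegasus_t unlink a configuration file and create a replacement labelled pegasus_data_t, on which it holds create_file_perms, so the read-only character of pegasus_conf_t no longer constrains the daemon. If only directory creation under the config tree is needed, the transition could be limited to `dir`, and the reason pegasus needs link/unlink on its own config files deserves a comment. The `@ -76,7 +86,7 @@` hunk's move from auth_read_shadow to auth_domtrans_chk_passwd is a genuine privilege reduction, and none of the pegasus changes are covered by the rhgb/gph title, so the commit message should mention them.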
@ -133,10 +133,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(portmap_t)
|
||||
')
|
||||
|
||||
ifdef(`rpcd.te',`can_udp_send(portmap_t, rpcd_t)')
|
||||
allow portmap_t rpcd_t:udp_socket sendto;
|
||||
allow rpcd_t portmap_t:udp_socket recvfrom;
|
||||
|
@ -185,9 +185,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(postgresql_t)
|
||||
')
|
||||
ifdef(`targeted_policy', `', `
|
||||
bool allow_user_postgresql_connect false;
|
||||
|
||||
|
@ -316,15 +316,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(pptp_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(pppd_t)
|
||||
')
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(pptp_t)
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`postfix.te', `
|
||||
allow pppd_t postfix_etc_t:dir search;
|
||||
allow pppd_t postfix_etc_t:file r_file_perms;
|
||||
|
@ -95,9 +95,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(privoxy_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(privoxy_t)
|
||||
')
|
||||
')
|
||||
|
@ -130,9 +130,3 @@ optional_policy(`snmp',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(radiusd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(radiusd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -94,9 +94,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(radvd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(radvd_t)
|
||||
')
|
||||
')
|
||||
|
@ -113,12 +113,6 @@ template(`rpc_domain_template', `
|
||||
optional_policy(`udev',`
|
||||
udev_read_db($1_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain($1_t)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -308,12 +308,6 @@ optional_policy(`udev', `
|
||||
udev_read_db(smbd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(smbd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
gen_require(`
|
||||
type boot_t, default_t, tmpfs_t;
|
||||
@ -428,12 +422,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(nmbd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(nmbd_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# smbmount Local policy
|
||||
@ -640,12 +628,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(winbind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(winbind_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Winbind helper local policy
|
||||
|
@ -99,10 +99,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(saslauthd_t)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(saslauthd_t)
|
||||
')
|
||||
')
|
||||
|
@ -136,10 +136,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(sendmail_t)
|
||||
')
|
||||
|
||||
allow sendmail_t etc_mail_t:dir rw_dir_perms;
|
||||
allow sendmail_t etc_mail_t:file create_file_perms;
|
||||
# for the start script to run make -C /etc/mail
|
||||
|
@ -149,10 +149,6 @@ can_udp_send(snmpd_t, sysadm_t)
|
||||
optional_policy(`cupsd',`
|
||||
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(snmpd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
|
@ -146,10 +146,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(spamd_t)
|
||||
')
|
||||
|
||||
optional_policy(`amavis', `
|
||||
# for bayes tokens
|
||||
allow spamd_t var_lib_t:dir { getattr search };
|
||||
|
@ -177,9 +177,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(squid_t)
|
||||
')
|
||||
ifdef(`apache.te',`
|
||||
can_tcp_connect(squid_t, httpd_t)
|
||||
')
|
||||
|
@ -255,10 +255,4 @@ ifdef(`targeted_policy',`',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ssh_keygen_t)
|
||||
')
|
||||
')
|
||||
')
|
||||
|
@ -113,13 +113,7 @@ ifdef(`distro_gentoo', `
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(stunnel_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(stunnel_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
', `
|
||||
',`
|
||||
allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
|
||||
dev_read_urand(stunnel_t)
|
||||
|
@ -104,9 +104,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev', `
|
||||
udev_read_db(tftpd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(tftpd_t)
|
||||
')
|
||||
')
|
||||
|
@ -131,9 +131,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(zebra_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(zebra_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
@ -368,14 +368,18 @@ interface(`auth_manage_shadow',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# auth_relabelto_shadow(domain)
|
||||
## <summary>
|
||||
## Relabel to the shadow
|
||||
## password file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_relabelto_shadow',`
|
||||
gen_require(`
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
type shadow_t;
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -383,6 +387,26 @@ interface(`auth_relabelto_shadow',`
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel from and to the shadow
|
||||
## password file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_relabel_shadow',`
|
||||
gen_require(`
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
type shadow_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 shadow_t:file { relabelfrom relabelto };
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to the login failure log.
|
||||
|
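Review bot: The new `auth_relabel_shadow` interface adds the caller to `can_relabelto_shadow_passwords` but its summary only mentions relabeling; if that attribute is what a constraint on shadow relabeling keys on (presumably, given its name), the summary should say so, e.g. `## Relabel from and to the shadow password file type; the domain is also added to can_relabelto_shadow_passwords.`. The interface also repeats the `files_search_etc($1)` and `typeattribute` lines of `auth_relabelto_shadow` directly above it; calling `auth_relabelto_shadow($1)` and adding only `allow $1 shadow_t:file relabelfrom;` would keep the two from drifting apart. The interface is self-contained within the hunk.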
@ -253,10 +253,6 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(pam_console_t)
|
||||
')
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
|
@ -87,11 +87,3 @@ optional_policy(`udev',`
|
||||
optional_policy(`userdomain',`
|
||||
userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(hwclock_t)
|
||||
')
|
||||
|
||||
optional_policy(`gnome-pty-helper', `allow hwclock_t sysadm_gph_t:fd use;')
|
||||
') dnl end TODO
|
||||
|
@ -894,9 +894,11 @@ interface(`files_mounton_all_mountpoints',`
|
||||
gen_require(`
|
||||
attribute mountpoint;
|
||||
class dir { getattr search mounton };
|
||||
class file { getattr mounton };
|
||||
')
|
||||
|
||||
allow $1 mountpoint:dir { getattr search mounton };
|
||||
allow $1 mountpoint:file { getattr mounton };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1333,6 +1335,23 @@ interface(`files_exec_etc_files',`
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel from and to generic files in /etc.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_etc_files',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:dir list_dir_perms;
|
||||
allow $1 etc_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_boot_flag(domain)
|
||||
|
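Review bot: The new `files_relabel_etc_files` interface grants `relabelto` on etc_t, so a caller can make any file it may relabelfrom appear as generic /etc configuration to every domain that reads etc_t; the summary should state that consequence rather than only "Relabel from and to generic files in /etc", e.g. `## Relabel from and to generic files in /etc (relabelto lets the domain give other files the etc_t type).`. The `@ -894,9 +894,11 @@` hunk extends `files_mounton_all_mountpoints` to `mountpoint:file`; its summary is outside the hunk, so confirm it does not still describe directories only.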
@ -203,12 +203,3 @@ optional_policy(`udev',`
|
||||
optional_policy(`updfstab',`
|
||||
updfstab_domtrans(hotplug_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(hotplug_t)
|
||||
')
|
||||
|
||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||
|
||||
') dnl end TODO
|
||||
|
@ -141,12 +141,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(ipsec_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ipsec_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ipsec_mgmt Local policy
|
||||
|
@ -102,13 +102,3 @@ optional_policy(`selinuxutil',`
|
||||
optional_policy(`udev',`
|
||||
udev_read_db(iptables_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`gnome-pty-helper',`
|
||||
allow iptables_t sysadm_gph_t:fd use;
|
||||
')
|
||||
') dnl ifdef TODO
|
||||
|
@ -175,12 +175,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(auditd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(auditd_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# klogd local policy
|
||||
@ -380,12 +374,7 @@ optional_policy(`udev',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(syslogd_t)
|
||||
')
|
||||
|
||||
allow syslogd_t tmpfs_t:dir search;
|
||||
dontaudit syslogd_t unlabeled_t:file { getattr read };
|
||||
dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
|
||||
# log to the xconsole
|
||||
|
@ -117,12 +117,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(clvmd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(clvmd_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# LVM Local policy
|
||||
@ -270,11 +264,5 @@ ifdef(`TODO',`
|
||||
allow lvm_t var_t:dir { search getattr };
|
||||
allow lvm_t ramfs_t:filesystem unmount;
|
||||
|
||||
optional_policy(`gnome-pty-helper',`
|
||||
allow lvm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(lvm_t)
|
||||
')
|
||||
dontaudit lvm_t xconsole_device_t:fifo_file getattr;
|
||||
') dnl end TODO
|
||||
|
@ -141,13 +141,4 @@ ifdef(`TODO',`
|
||||
|
||||
# for when /etc/mtab loses its type
|
||||
allow mount_t file_t:file unlink;
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `
|
||||
allow mount_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(mount_t)
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
@ -147,12 +147,6 @@ optional_policy(`udev',`
|
||||
udev_read_db(cardmgr_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(cardmgr_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
# Create device files in /tmp.
|
||||
# cjp: why is this created all over the place?
|
||||
allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
|
||||
|
@ -88,7 +88,4 @@ ifdef(`TODO',`
|
||||
dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
|
||||
|
||||
allow mdadm_t var_t:dir getattr;
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(mdadm_t)
|
||||
')
|
||||
') dnl TODO
|
||||
|
@ -244,12 +244,6 @@ optional_policy(`userdomain',`
|
||||
userdom_use_all_user_fd(dhcpc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(dhcpc_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Ifconfig local policy
|
||||
@ -343,10 +337,3 @@ optional_policy(`nis',`
|
||||
optional_policy(`ppp',`
|
||||
ppp_use_fd(ifconfig_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
optional_policy(`rhgb',`
|
||||
rhgb_domain(ifconfig_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
@ -2476,6 +2476,40 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state of all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_all_userdomains_state',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
allow $1 userdomain:dir search_dir_perms;
|
||||
allow $1 userdomain:file r_file_perms;
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_getattr_all_userdomains',`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
')
|
||||
|
||||
allow $1 userdomain:process getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit the file descriptors from all user domains
|
||||
|
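Review bot: The `<summary>` of `userdom_read_all_userdomains_state` should state what "process state" covers: the body grants `search_dir_perms` and `r_file_perms` on every `userdomain`-labelled dir and file together with `kernel_search_proc`, which is presumably the /proc/<pid> tree of every user process rather than a single status entry. I would write it as `Read the process state (/proc/<pid> entries) of all user domains. This is a broad read grant across every user process; limit it to monitoring or administrative domains.` The hunk appears cut off on this page after the summary line of the third interface (`Inherit the file descriptors from all user domains`), so that interface could not be reviewed here. Which lines are new is inferred from the hunk counts, since the page has lost the +/- markers.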
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.0.1)
|
||||
policy_module(userdomain,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -295,6 +295,7 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
|
||||
optional_policy(`usermanage',`
|
||||
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
|
||||
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|