trunk: merge UBAC.
parent
932c3536f8
commit
296273a719
@ -1,3 +1,5 @@
|
||||
- Deprecate per-role templates and rolemap support.
|
||||
- Implement user-based access control for use as role separations.
|
||||
- Move shared library calls from individual modules to the domain module.
|
||||
- Enable open permission checks policy capability.
|
||||
- Remove hierarchy from portage module as it is not a good example of
|
||||
|
5
Makefile
5
Makefile
@ -204,6 +204,10 @@ ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
endif
|
||||
|
||||
ifeq "$(UBAC)" "y"
|
||||
M4PARAM += -D enable_ubac
|
||||
endif
|
||||
|
||||
# default MLS/MCS sensitivity and category settings.
|
||||
MLS_SENS ?= 16
|
||||
MLS_CATS ?= 256
|
||||
@ -550,6 +554,7 @@ ifneq "$(DISTRO)" ""
|
||||
endif
|
||||
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
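Review bot: The new `ifeq "$(UBAC)" "y"` test turns the constraints on only for an exact match, so `Y`, `yes`, or `y` followed by whitespace (make keeps trailing whitespace ahead of an inline comment) silently builds a policy without `-D enable_ubac`. For a switch that controls an access-control feature, a silent fall-through to "off" is the unsafe direction. Comparing `$(strip $(UBAC))` and emitting a `$(warning ...)` for anything other than `y` or `n` would surface the mistake at build time. The header-install hunk then writes the same string out as `override UBAC := $(UBAC)`, so builds that read that build.conf inherit whatever was typed.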
|
||||
|
3
README
3
README
@ -119,6 +119,9 @@ UNK_PERMS String. Set the kernel behavior for handling of
|
||||
policy. The permissions can either be allowed, denied,
|
||||
or the policy loading can be rejected.
|
||||
|
||||
UBAC Boolean. If set, the SELinux user will be used
|
||||
additionally for approximate role separation.
|
||||
|
||||
MLS_SENS Integer. Set the number of sensitivities in the MLS
|
||||
policy. Ignored on standard and MCS policies.
|
||||
|
||||
|
@ -157,7 +157,7 @@ endif
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
|
@ -142,7 +142,7 @@ endif
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
|
@ -48,6 +48,10 @@ DIRECT_INITRC = n
|
||||
# will build a loadable module policy.
|
||||
MONOLITHIC = y
|
||||
|
||||
# User-based access control (UBAC)
|
||||
# Enable UBAC for role separations.
|
||||
UBAC = y
|
||||
|
||||
# Number of MLS Sensitivities
|
||||
# The sensitivities will be s0 to s(MLS_SENS-1).
|
||||
# Dominance will be in increasing numerical order
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
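Review bot: The rewritten crond line maps the system role to `system_r:cronjob_t:s0`, while the variant without levels later in this commit keeps `system_r:system_crond_t` for the same entry; the two should agree. Every other entry on the line is a per-role `*_crond_t` collapsed into `cronjob_t`, so the `system_r` entry looks like it was caught by the same substitution, though that is inferred from the diff rather than confirmed. If system cron jobs are meant to keep their own domain, this entry should stay `system_r:system_crond_t:s0`. The identical line appears again in the later `-1,4 +1,4` hunk that also carries `:s0` levels.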
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:crond_t:s0 staff_r:staff_crond_t:s0
|
||||
system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:crond_t:s0 user_r:user_crond_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:crond_t:s0 staff_r:staff_crond_t:s0
|
||||
system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:crond_t:s0 user_r:user_crond_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
|
||||
system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
|
||||
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
|
||||
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
|
||||
system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
|
||||
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
|
||||
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
system_r:remote_login_t staff_r:staff_t
|
||||
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
system_r:crond_t staff_r:staff_crond_t
|
||||
system_r:crond_t staff_r:cronjob_t
|
||||
system_r:xdm_t staff_r:staff_t
|
||||
staff_r:staff_su_t staff_r:staff_t
|
||||
staff_r:staff_sudo_t staff_r:staff_t
|
||||
|
@ -1,4 +1,4 @@
|
||||
system_r:crond_t unconfined_r:unconfined_t
|
||||
system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
|
||||
system_r:initrc_t unconfined_r:unconfined_t
|
||||
system_r:local_login_t unconfined_r:unconfined_t
|
||||
system_r:remote_login_t unconfined_r:unconfined_t
|
||||
|
@ -1,7 +1,7 @@
|
||||
system_r:local_login_t user_r:user_t
|
||||
system_r:remote_login_t user_r:user_t
|
||||
system_r:sshd_t user_r:user_t
|
||||
system_r:crond_t user_r:user_crond_t
|
||||
system_r:crond_t user_r:cronjob_t
|
||||
system_r:xdm_t user_r:user_t
|
||||
user_r:user_su_t user_r:user_t
|
||||
user_r:user_sudo_t user_r:user_t
|
||||
|
@ -25,59 +25,219 @@
|
||||
# name_list : name | name_list name
|
||||
#
|
||||
|
||||
define(`basic_ubac_conditions',`
|
||||
ifdef(`enable_ubac',`
|
||||
u1 == u2
|
||||
or u1 == system_u
|
||||
or u2 == system_u
|
||||
or t1 != ubac_constrained_type
|
||||
or t2 != ubac_constrained_type
|
||||
')
|
||||
')
|
||||
|
||||
define(`basic_ubac_constraint',`
|
||||
ifdef(`enable_ubac',`
|
||||
constrain $1 all_$1_perms
|
||||
(
|
||||
basic_ubac_conditions
|
||||
);
|
||||
')
|
||||
')
|
||||
|
||||
define(`exempted_ubac_constraint',`
|
||||
ifdef(`enable_ubac',`
|
||||
constrain $1 all_$1_perms
|
||||
(
|
||||
basic_ubac_conditions
|
||||
or t1 == $2
|
||||
);
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# SELinux process identity change constraint:
|
||||
# File rules
|
||||
#
|
||||
constrain process transition
|
||||
|
||||
exempted_ubac_constraint(dir, ubacfile)
|
||||
exempted_ubac_constraint(file, ubacfile)
|
||||
exempted_ubac_constraint(lnk_file, ubacfile)
|
||||
exempted_ubac_constraint(fifo_file, ubacfile)
|
||||
exempted_ubac_constraint(sock_file, ubacfile)
|
||||
exempted_ubac_constraint(chr_file, ubacfile)
|
||||
exempted_ubac_constraint(blk_file, ubacfile)
|
||||
|
||||
# SElinux object identity change constraint:
|
||||
constrain dir_file_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
u1 == u2
|
||||
or t1 == can_change_object_identity
|
||||
);
|
||||
|
||||
########################################
|
||||
#
|
||||
# Process rules
|
||||
#
|
||||
|
||||
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
|
||||
(
|
||||
basic_ubac_conditions
|
||||
or t1 == ubacproc
|
||||
);
|
||||
|
||||
constrain process { transition noatsecure siginh rlimitinh }
|
||||
(
|
||||
u1 == u2
|
||||
or ( t1 == can_change_process_identity and t2 == process_user_target )
|
||||
|
||||
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
|
||||
|
||||
or ( t1 == can_system_change and u2 == system_u )
|
||||
|
||||
or ( t1 == process_uncond_exempt )
|
||||
);
|
||||
|
||||
#
|
||||
# SELinux process role change constraint:
|
||||
#
|
||||
constrain process transition
|
||||
constrain process { transition noatsecure siginh rlimitinh }
|
||||
(
|
||||
r1 == r2
|
||||
|
||||
or ( t1 == can_change_process_role and t2 == process_user_target )
|
||||
|
||||
or ( t1 == cron_source_domain and t2 == cron_job_domain )
|
||||
|
||||
or ( t1 == can_system_change and r2 == system_r )
|
||||
|
||||
or ( t1 == can_change_process_identity and t2 == process_user_target )
|
||||
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
|
||||
or ( t1 == can_system_change and u2 == system_u )
|
||||
or ( t1 == process_uncond_exempt )
|
||||
);
|
||||
|
||||
#
|
||||
# SELinux dynamic transition constraint:
|
||||
#
|
||||
constrain process dyntransition
|
||||
(
|
||||
u1 == u2 and r1 == r2
|
||||
);
|
||||
|
||||
#
|
||||
# SElinux object identity change constraint:
|
||||
#
|
||||
constrain dir_file_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
u1 == u2
|
||||
# These permissions do not have ubac constraints:
|
||||
# fork
|
||||
# setexec
|
||||
# setfscreate
|
||||
# setcurrent
|
||||
# execmem
|
||||
# execstack
|
||||
# execheap
|
||||
# setkeycreate
|
||||
# setsockcreate
|
||||
|
||||
or t1 == can_change_object_identity
|
||||
);
|
||||
########################################
|
||||
#
|
||||
# File descriptor rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(fd, ubacfd)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Socket rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(socket, ubacsock)
|
||||
exempted_ubac_constraint(tcp_socket, ubacsock)
|
||||
exempted_ubac_constraint(udp_socket, ubacsock)
|
||||
exempted_ubac_constraint(rawip_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_socket, ubacsock)
|
||||
exempted_ubac_constraint(packet_socket, ubacsock)
|
||||
exempted_ubac_constraint(key_socket, ubacsock)
|
||||
exempted_ubac_constraint(unix_stream_socket, ubacsock)
|
||||
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_route_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
|
||||
exempted_ubac_constraint(appletalk_socket, ubacsock)
|
||||
exempted_ubac_constraint(dccp_socket, ubacsock)
|
||||
|
||||
constrain socket_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
u1 == u2
|
||||
|
||||
or t1 == can_change_object_identity
|
||||
);
|
||||
|
||||
########################################
|
||||
#
|
||||
# SysV IPC rules
|
||||
|
||||
exempted_ubac_constraint(sem, ubacipc)
|
||||
exempted_ubac_constraint(msg, ubacipc)
|
||||
exempted_ubac_constraint(msgq, ubacipc)
|
||||
exempted_ubac_constraint(shm, ubacipc)
|
||||
exempted_ubac_constraint(ipc, ubacipc)
|
||||
|
||||
########################################
|
||||
#
|
||||
# SE-X Windows rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(x_drawable, ubacxwin)
|
||||
exempted_ubac_constraint(x_screen, ubacxwin)
|
||||
exempted_ubac_constraint(x_gc, ubacxwin)
|
||||
exempted_ubac_constraint(x_font, ubacxwin)
|
||||
exempted_ubac_constraint(x_colormap, ubacxwin)
|
||||
exempted_ubac_constraint(x_property, ubacxwin)
|
||||
exempted_ubac_constraint(x_selection, ubacxwin)
|
||||
exempted_ubac_constraint(x_cursor, ubacxwin)
|
||||
exempted_ubac_constraint(x_client, ubacxwin)
|
||||
exempted_ubac_constraint(x_device, ubacxwin)
|
||||
exempted_ubac_constraint(x_server, ubacxwin)
|
||||
exempted_ubac_constraint(x_extension, ubacxwin)
|
||||
exempted_ubac_constraint(x_resource, ubacxwin)
|
||||
exempted_ubac_constraint(x_event, ubacxwin)
|
||||
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
|
||||
exempted_ubac_constraint(x_application_data, ubacxwin)
|
||||
|
||||
########################################
|
||||
#
|
||||
# D-BUS rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(dbus, ubacdbus)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Key rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(key, ubackey)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Database rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(db_database, ubacdb)
|
||||
exempted_ubac_constraint(db_table, ubacdb)
|
||||
exempted_ubac_constraint(db_procedure, ubacdb)
|
||||
exempted_ubac_constraint(db_column, ubacdb)
|
||||
exempted_ubac_constraint(db_tuple, ubacdb)
|
||||
exempted_ubac_constraint(db_blob, ubacdb)
|
||||
|
||||
|
||||
|
||||
basic_ubac_constraint(association)
|
||||
basic_ubac_constraint(peer)
|
||||
|
||||
|
||||
# these classes have no UBAC restrictions
|
||||
#class security
|
||||
#class system
|
||||
#class capability
|
||||
#class memprotect
|
||||
#class passwd # userspace
|
||||
#class node
|
||||
#class netif
|
||||
#class packet
|
||||
#class capability2
|
||||
#class nscd # userspace
|
||||
#class context # userspace
|
||||
|
||||
|
||||
|
||||
undefine(`basic_ubac_constraint')
|
||||
undefine(`basic_ubac_conditions')
|
||||
undefine(`exempted_ubac_constraint')
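Review bot: The new `constrain process { sigchld ... setrlimit }` rule expands `basic_ubac_conditions` directly, but unlike the bodies of `basic_ubac_constraint` and `exempted_ubac_constraint` it is not shown inside an `enable_ubac` ifdef. Built without `-D enable_ubac`, the macro expands to nothing and the expression becomes `( or t1 == ubacproc )`, which presumably does not parse. Opening the rule with ``ifdef(`enable_ubac',` `` and closing it with `')` after the `);` would keep the UBAC-disabled build valid. Indentation and some lines are lost on this page, so confirm against the file that no enclosing ifdef already exists.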
|
||||
|
@ -62,8 +62,8 @@ gen_tunable(global_ssp,false)
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow email client to various content.
|
||||
## nfs, samba, removable devices, user temp
|
||||
## and untrusted content files
|
||||
## nfs, samba, removable devices, and user temp
|
||||
## files
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(mail_read_content,false)
|
||||
@ -89,15 +89,6 @@ gen_tunable(nfs_export_all_ro,false)
|
||||
## </desc>
|
||||
gen_tunable(read_default_t,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow applications to read untrusted content
|
||||
## If this is disallowed, Internet content has
|
||||
## to be manually relabeled for read access to be granted
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(read_untrusted_content,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Support NFS home directories
|
||||
@ -120,12 +111,3 @@ gen_tunable(use_samba_home_dirs,false)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(user_tcp_server,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow applications to write untrusted content
|
||||
## If this is disallowed, no Internet content
|
||||
## will be stored.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(write_untrusted_content,false)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(acct, 1.2.0)
|
||||
policy_module(acct, 1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,8 +64,7 @@ logging_send_syslog_msg(acct_t)
|
||||
miscfiles_read_localization(acct_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(acct_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(acct_t)
|
||||
userdom_dontaudit_search_user_home_dirs(acct_t)
|
||||
|
||||
optional_policy(`
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(alsa, 1.6.0)
|
||||
policy_module(alsa, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -60,10 +60,7 @@ miscfiles_read_localization(alsa_t)
|
||||
|
||||
userdom_manage_unpriv_user_semaphores(alsa_t)
|
||||
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(alsa_t)
|
||||
|
||||
unprivuser_search_home_dirs(alsa_t)
|
||||
userdom_search_user_home_dirs(alsa_t)
|
||||
|
||||
optional_policy(`
|
||||
hal_use_fds(alsa_t)
|
||||
|
@ -33,11 +33,6 @@ interface(`amanda_domtrans_recover',`
|
||||
## The role to be allowed the amanda_recover domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the amanda_recover domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`amanda_run_recover',`
|
||||
@ -47,7 +42,6 @@ interface(`amanda_run_recover',`
|
||||
|
||||
amanda_domtrans_recover($1)
|
||||
role $2 types amanda_recover_t;
|
||||
allow amanda_recover_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
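Review bot: Dropping `allow amanda_recover_t $3:chr_file rw_term_perms;` removes the only terminal rule that was scoped to the caller's own terminal type, and the interface comment no longer says where terminal access now comes from. The module's type-enforcement hunk replaces it with `userdom_use_user_terminals(amanda_recover_t)`, which is unconditional and presumably covers every user terminal type, so separation between roles' terminals then depends on the UBAC constraints being compiled in. A line in the interface description such as `## Terminal access is granted in the module policy, not by this interface.` would make that explicit. The same removal is made in the other `*_run` interfaces in this commit (amtu, apt, backup, bootloader, certwatch, consoletype, ddcprobe, dmidecode, dpkg, firstboot). The body of `amanda_run_recover` starts outside the second hunk.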
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amanda, 1.10.0)
|
||||
policy_module(amanda, 1.10.1)
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -182,7 +182,7 @@ manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_
|
||||
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
|
||||
manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
|
||||
manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
|
||||
sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
|
||||
userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
|
||||
manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
|
||||
@ -227,4 +227,5 @@ logging_search_logs(amanda_recover_t)
|
||||
|
||||
miscfiles_read_localization(amanda_recover_t)
|
||||
|
||||
sysadm_search_home_content_dirs(amanda_recover_t)
|
||||
userdom_use_user_terminals(amanda_recover_t)
|
||||
userdom_search_user_home_content(amanda_recover_t)
|
||||
|
@ -34,11 +34,6 @@ interface(`amtu_domtrans',`
|
||||
## The role to be allowed the amtu domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the amtu domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`amtu_run',`
|
||||
gen_require(`
|
||||
@ -47,5 +42,4 @@ interface(`amtu_run',`
|
||||
|
||||
amtu_domtrans($1)
|
||||
role $2 types amtu_t;
|
||||
allow amtu_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(amtu,1.1.0)
|
||||
policy_module(amtu, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -23,6 +23,8 @@ files_read_etc_files(amtu_t)
|
||||
|
||||
logging_send_audit_msgs(amtu_t)
|
||||
|
||||
userdom_use_user_terminals(amtu_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_dontaudit_search_pid(amtu_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(anaconda, 1.4.0)
|
||||
policy_module(anaconda, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -32,7 +32,7 @@ modutils_domtrans_insmod(anaconda_t)
|
||||
|
||||
seutil_domtrans_semanage(anaconda_t)
|
||||
|
||||
unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
|
||||
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
optional_policy(`
|
||||
kudzu_domtrans(anaconda_t)
|
||||
|
@ -34,11 +34,6 @@ interface(`apt_domtrans',`
|
||||
## The role to allow the apt domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the apt domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`apt_run',`
|
||||
@ -48,7 +43,6 @@ interface(`apt_run',`
|
||||
|
||||
apt_domtrans($1)
|
||||
role $2 types apt_t;
|
||||
allow apt_t $3:chr_file rw_term_perms;
|
||||
# TODO: likely have to add dpkg_run here.
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apt, 1.4.0)
|
||||
policy_module(apt, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,6 +119,8 @@ seutil_use_newrole_fds(apt_t)
|
||||
|
||||
sysnet_read_config(apt_t)
|
||||
|
||||
userdom_use_user_terminals(apt_t)
|
||||
|
||||
# with boolean, for cron-apt and such?
|
||||
#optional_policy(`
|
||||
# cron_system_entry(apt_t,apt_exec_t)
|
||||
|
@ -33,11 +33,6 @@ interface(`backup_domtrans',`
|
||||
## The role to be allowed the backup domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`backup_run',`
|
||||
@ -47,5 +42,4 @@ interface(`backup_run',`
|
||||
|
||||
backup_domtrans($1)
|
||||
role $2 types backup_t;
|
||||
allow backup_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(backup, 1.3.0)
|
||||
policy_module(backup, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -71,6 +71,8 @@ logging_send_syslog_msg(backup_t)
|
||||
|
||||
sysnet_read_config(backup_t)
|
||||
|
||||
userdom_use_user_terminals(backup_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(backup_t, backup_exec_t)
|
||||
')
|
||||
|
@ -33,11 +33,6 @@ interface(`bootloader_domtrans',`
|
||||
## The role to be allowed the bootloader domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the bootloader domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`bootloader_run',`
|
||||
@ -48,11 +43,10 @@ interface(`bootloader_run',`
|
||||
bootloader_domtrans($1)
|
||||
|
||||
role $2 types bootloader_t;
|
||||
allow bootloader_t $3:chr_file rw_term_perms;
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# for mke2fs
|
||||
mount_run(bootloader_t, $2, $3)
|
||||
mount_run(bootloader_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(bootloader, 1.9.0)
|
||||
policy_module(bootloader, 1.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -135,6 +135,9 @@ seutil_read_bin_policy(bootloader_t)
|
||||
seutil_read_loadpolicy(bootloader_t)
|
||||
seutil_dontaudit_search_config(bootloader_t)
|
||||
|
||||
userdom_use_user_terminals(bootloader_t)
|
||||
userdom_dontaudit_search_user_home_dirs(bootloader_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
fs_list_tmpfs(bootloader_t)
|
||||
@ -211,11 +214,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
rpm_rw_pipes(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
staff_dontaudit_search_home_dirs(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysadm_dontaudit_search_home_dirs(bootloader_t)
|
||||
')
|
||||
|
@ -37,11 +37,6 @@ interface(`certwatch_domtrans',`
|
||||
## The role to be allowed the certwatch domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the certwatch domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`certwatch_run',`
|
||||
@ -51,7 +46,6 @@ interface(`certwatch_run',`
|
||||
|
||||
certwatch_domtrans($1)
|
||||
role $2 types certwatch_t;
|
||||
allow certwatch_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -32,6 +32,8 @@ logging_send_syslog_msg(certwatch_t)
|
||||
miscfiles_read_certs(certwatch_t)
|
||||
miscfiles_read_localization(certwatch_t)
|
||||
|
||||
userdom_use_user_terminals(certwatch_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_exec_modules(certwatch_t)
|
||||
')
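Review bot: This section adds `userdom_use_user_terminals(certwatch_t)` but, unlike the other type-enforcement sections visible on this page, has no hunk bumping the `policy_module(...)` version. If the version decides whether an installed loadable module is upgraded, the new rule may not reach systems that already carry the module. A patch-level bump matching the others would be consistent. The declaration line is outside the visible hunk, so confirm it was not changed elsewhere.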
|
||||
|
@ -36,11 +36,6 @@ interface(`consoletype_domtrans',`
|
||||
## The role to be allowed the consoletype domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the consoletype domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`consoletype_run',`
|
||||
gen_require(`
|
||||
@ -49,7 +44,6 @@ interface(`consoletype_run',`
|
||||
|
||||
consoletype_domtrans($1)
|
||||
role $2 types consoletype_t;
|
||||
allow consoletype_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(consoletype, 1.6.0)
|
||||
policy_module(consoletype, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,8 @@ domain_use_interactive_fds(consoletype_t)
|
||||
files_dontaudit_read_root_files(consoletype_t)
|
||||
files_list_usr(consoletype_t)
|
||||
|
||||
userdom_use_user_terminals(consoletype_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
fs_rw_tmpfs_chr_files(consoletype_t)
|
||||
')
|
||||
|
@ -33,11 +33,6 @@ interface(`ddcprobe_domtrans',`
|
||||
## Role to be authenticated for ddcprobe domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the clock domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ddcprobe_run',`
|
||||
@ -47,5 +42,4 @@ interface(`ddcprobe_run',`
|
||||
|
||||
ddcprobe_domtrans($1)
|
||||
role $2 types ddcprobe_t;
|
||||
allow ddcprobe_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ddcprobe, 1.1.0)
|
||||
policy_module(ddcprobe, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -45,6 +45,7 @@ miscfiles_read_localization(ddcprobe_t)
|
||||
|
||||
modutils_read_module_deps(ddcprobe_t)
|
||||
|
||||
userdom_use_user_terminals(ddcprobe_t)
|
||||
userdom_use_all_users_fds(ddcprobe_t)
|
||||
|
||||
#reh why? this does not seem even necessary to function properly
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dmesg, 1.2.0)
|
||||
policy_module(dmesg, 1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -48,8 +48,7 @@ logging_write_generic_logs(dmesg_t)
|
||||
miscfiles_read_localization(dmesg_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
||||
|
||||
sysadm_use_terms(dmesg_t)
|
||||
userdom_use_user_terminals(dmesg_t)
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(dmesg_t)
|
||||
|
@ -38,11 +38,6 @@ interface(`dmidecode_domtrans',`
|
||||
## The role to be allowed the dmidecode domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the dmidecode domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dmidecode_run',`
|
||||
@ -52,5 +47,4 @@ interface(`dmidecode_run',`
|
||||
|
||||
dmidecode_domtrans($1)
|
||||
role $2 types dmidecode_t;
|
||||
allow dmidecode_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dmidecode, 1.3.0)
|
||||
policy_module(dmidecode, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -24,8 +24,8 @@ dev_read_raw_memory(dmidecode_t)
|
||||
|
||||
mls_file_read_all_levels(dmidecode_t)
|
||||
|
||||
term_list_ptys(dmidecode_t)
|
||||
|
||||
files_list_usr(dmidecode_t)
|
||||
|
||||
locallogin_use_fds(dmidecode_t)
|
||||
|
||||
userdom_use_user_terminals(dmidecode_t)
|
||||
|
@ -58,11 +58,6 @@ interface(`dpkg_domtrans_script',`
|
||||
## The role to allow the dpkg domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the dpkg domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dpkg_run',`
|
||||
@ -73,8 +68,7 @@ interface(`dpkg_run',`
|
||||
dpkg_domtrans($1)
|
||||
role $2 types dpkg_t;
|
||||
role $2 types dpkg_script_t;
|
||||
seutil_run_loadpolicy(dpkg_script_t, $2, $3)
|
||||
allow dpkg_t $3:chr_file rw_term_perms;
|
||||
seutil_run_loadpolicy(dpkg_script_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dpkg, 1.5.0)
|
||||
policy_module(dpkg, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -141,8 +141,6 @@ storage_raw_write_fixed_disk(dpkg_t)
|
||||
# for installing kernel packages
|
||||
storage_raw_read_fixed_disk(dpkg_t)
|
||||
|
||||
term_list_ptys(dpkg_t)
|
||||
|
||||
auth_relabel_all_files_except_shadow(dpkg_t)
|
||||
auth_manage_all_files_except_shadow(dpkg_t)
|
||||
auth_dontaudit_read_shadow(dpkg_t)
|
||||
@ -164,6 +162,7 @@ seutil_manage_bin_policy(dpkg_t)
|
||||
|
||||
sysnet_read_config(dpkg_t)
|
||||
|
||||
userdom_use_user_terminals(dpkg_t)
|
||||
userdom_use_unpriv_users_fds(dpkg_t)
|
||||
|
||||
# transition to dpkg script:
|
||||
@ -284,8 +283,6 @@ selinux_compute_user_contexts(dpkg_script_t)
|
||||
storage_raw_read_fixed_disk(dpkg_script_t)
|
||||
storage_raw_write_fixed_disk(dpkg_script_t)
|
||||
|
||||
term_getattr_unallocated_ttys(dpkg_script_t)
|
||||
term_list_ptys(dpkg_script_t)
|
||||
term_use_all_terms(dpkg_script_t)
|
||||
|
||||
auth_dontaudit_getattr_shadow(dpkg_script_t)
|
||||
|
@ -36,11 +36,6 @@ interface(`firstboot_domtrans',`
|
||||
## The role to be allowed the firstboot domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the firstboot domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`firstboot_run',`
|
||||
gen_require(`
|
||||
@ -49,7 +44,6 @@ interface(`firstboot_run',`
|
||||
|
||||
firstboot_domtrans($1)
|
||||
role $2 types firstboot_t;
|
||||
allow firstboot_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(firstboot, 1.8.0)
|
||||
policy_module(firstboot, 1.8.1)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -80,14 +80,15 @@ modutils_domtrans_insmod(firstboot_t)
|
||||
modutils_read_module_config(firstboot_t)
|
||||
modutils_read_module_deps(firstboot_t)
|
||||
|
||||
userdom_use_user_terminals(firstboot_t)
|
||||
# Add/remove user home directories
|
||||
unprivuser_manage_home_content_dirs(firstboot_t)
|
||||
unprivuser_manage_home_content_files(firstboot_t)
|
||||
unprivuser_manage_home_content_symlinks(firstboot_t)
|
||||
unprivuser_manage_home_content_pipes(firstboot_t)
|
||||
unprivuser_manage_home_content_sockets(firstboot_t)
|
||||
unprivuser_home_filetrans_home_dir(firstboot_t)
|
||||
unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
|
||||
userdom_manage_user_home_content_dirs(firstboot_t)
|
||||
userdom_manage_user_home_content_files(firstboot_t)
|
||||
userdom_manage_user_home_content_symlinks(firstboot_t)
|
||||
userdom_manage_user_home_content_pipes(firstboot_t)
|
||||
userdom_manage_user_home_content_sockets(firstboot_t)
|
||||
userdom_home_filetrans_user_home_dir(firstboot_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(firstboot_t)
|
||||
@ -116,6 +117,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_rw_xdm_xserver_shm(firstboot_t)
|
||||
xserver_rw_shm(firstboot_t)
|
||||
xserver_unconfined(firstboot_t)
|
||||
')
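Review bot: The home-directory block for firstboot_t in the -80,14 hunk moves from the `unprivuser_manage_home_content_*` interfaces to `userdom_manage_user_home_content_*`, which reads as a widening from unprivileged users' home content to the home content of every user role, if the generic interfaces cover a shared home type (their definitions are not on this page). The visible hunks do not mark firstboot_t `ubac_constrained`, so UBAC would presumably not narrow this. If that breadth is intended for initial account setup, state it next to the existing comment, e.g. `# Add/remove user home directories (all user roles; not UBAC-constrained)`.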
|
||||
|
@ -33,11 +33,6 @@ interface(`kismet_domtrans',`
|
||||
## The role to be allowed the kismet domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the role's terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kismet_run',`
|
||||
gen_require(`
|
||||
@ -46,7 +41,6 @@ interface(`kismet_run',`
|
||||
|
||||
kismet_domtrans($1)
|
||||
role $2 types kismet_t;
|
||||
allow kismet_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kismet, 1.1.0)
|
||||
policy_module(kismet, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -52,3 +52,5 @@ auth_use_nsswitch(kismet_t)
|
||||
files_read_etc_files(kismet_t)
|
||||
|
||||
miscfiles_read_localization(kismet_t)
|
||||
|
||||
userdom_use_user_terminals(kismet_t)
|
||||
|
@ -33,11 +33,6 @@ interface(`kudzu_domtrans',`
|
||||
## The role to be allowed the kudzu domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the kudzu domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`kudzu_run',`
|
||||
@ -47,7 +42,6 @@ interface(`kudzu_run',`
|
||||
|
||||
kudzu_domtrans($1)
|
||||
role $2 types kudzu_t;
|
||||
allow kudzu_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kudzu, 1.7.0)
|
||||
policy_module(kudzu, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -77,7 +77,6 @@ storage_raw_write_removable_device(kudzu_t)
|
||||
storage_raw_read_fixed_disk(kudzu_t)
|
||||
storage_raw_read_removable_device(kudzu_t)
|
||||
|
||||
term_search_ptys(kudzu_t)
|
||||
term_dontaudit_use_console(kudzu_t)
|
||||
# so it can write messages to the console
|
||||
term_use_unallocated_ttys(kudzu_t)
|
||||
@ -123,9 +122,9 @@ modutils_domtrans_insmod(kudzu_t)
|
||||
|
||||
sysnet_read_config(kudzu_t)
|
||||
|
||||
userdom_use_user_terminals(kudzu_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
|
||||
|
||||
sysadm_search_home_dirs(kudzu_t)
|
||||
userdom_search_user_home_dirs(kudzu_t)
|
||||
|
||||
optional_policy(`
|
||||
gpm_getattr_gpmctl(kudzu_t)
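Review bot: `userdom_search_user_home_dirs(kudzu_t)` replaces `sysadm_search_home_dirs(kudzu_t)` in the -123,9 hunk, so kudzu_t goes from searching only the administrator's home directory to searching user home directories generally, assuming the generic interface covers all roles (its definition is outside this page). If the rule exists only because kudzu is started from an administrator's working directory, `userdom_dontaudit_search_user_home_dirs(kudzu_t)`, as this commit uses for logrotate and readahead, would silence the denial without granting the access. Otherwise a one-line comment stating why kudzu needs the search would make the grant reviewable.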
|
||||
|
@ -33,11 +33,6 @@ interface(`logrotate_domtrans',`
|
||||
## The role to be allowed the logrotate domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the logrotate domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logrotate_run',`
|
||||
@ -47,7 +42,6 @@ interface(`logrotate_run',`
|
||||
|
||||
logrotate_domtrans($1)
|
||||
role $2 types logrotate_t;
|
||||
allow logrotate_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logrotate, 1.10.0)
|
||||
policy_module(logrotate, 1.10.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -115,6 +115,8 @@ miscfiles_read_localization(logrotate_t)
|
||||
|
||||
seutil_dontaudit_read_config(logrotate_t)
|
||||
|
||||
userdom_use_user_terminals(logrotate_t)
|
||||
userdom_dontaudit_search_user_home_dirs(logrotate_t)
|
||||
userdom_use_unpriv_users_fds(logrotate_t)
|
||||
|
||||
cron_system_entry(logrotate_t, logrotate_exec_t)
|
||||
@ -122,8 +124,6 @@ cron_search_spool(logrotate_t)
|
||||
|
||||
mta_send_mail(logrotate_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(logrotate_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
|
||||
# for savelog
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logwatch, 1.8.0)
|
||||
policy_module(logwatch, 1.8.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -86,9 +86,9 @@ selinux_dontaudit_getattr_dir(logwatch_t)
|
||||
|
||||
sysnet_dns_name_resolve(logwatch_t)
|
||||
|
||||
mta_send_mail(logwatch_t)
|
||||
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(logwatch_t)
|
||||
mta_send_mail(logwatch_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_read_log(logwatch_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mrtg, 1.5.0)
|
||||
policy_module(mrtg, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -113,11 +113,10 @@ miscfiles_read_localization(mrtg_t)
|
||||
|
||||
selinux_dontaudit_getattr_dir(mrtg_t)
|
||||
|
||||
userdom_use_user_terminals(mrtg_t)
|
||||
userdom_dontaudit_read_user_home_content_files(mrtg_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
|
||||
|
||||
sysadm_use_terms(mrtg_t)
|
||||
sysadm_dontaudit_read_home_content_files(mrtg_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
corenet_udp_sendrecv_lo_if(mrtg_t)
|
||||
')
|
||||
|
@ -33,11 +33,6 @@ interface(`netutils_domtrans',`
|
||||
## The role to be allowed the netutils domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the netutils domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netutils_run',`
|
||||
@ -47,7 +42,6 @@ interface(`netutils_run',`
|
||||
|
||||
netutils_domtrans($1)
|
||||
role $2 types netutils_t;
|
||||
allow netutils_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -155,11 +149,6 @@ interface(`netutils_signal_ping',`
|
||||
## The role to be allowed the ping domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ping domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netutils_run_ping',`
|
||||
@ -169,7 +158,6 @@ interface(`netutils_run_ping',`
|
||||
|
||||
netutils_domtrans_ping($1)
|
||||
role $2 types ping_t;
|
||||
allow ping_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -187,11 +175,6 @@ interface(`netutils_run_ping',`
|
||||
## The role to be allowed the ping domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ping domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netutils_run_ping_cond',`
|
||||
@ -204,7 +187,6 @@ interface(`netutils_run_ping_cond',`
|
||||
|
||||
if ( user_ping ) {
|
||||
netutils_domtrans_ping($1)
|
||||
allow ping_t $3:chr_file rw_term_perms;
|
||||
}
|
||||
')
|
||||
|
||||
@ -259,11 +241,6 @@ interface(`netutils_domtrans_traceroute',`
|
||||
## The role to be allowed the traceroute domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the traceroute domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netutils_run_traceroute',`
|
||||
@ -273,7 +250,6 @@ interface(`netutils_run_traceroute',`
|
||||
|
||||
netutils_domtrans_traceroute($1)
|
||||
role $2 types traceroute_t;
|
||||
allow traceroute_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -291,11 +267,6 @@ interface(`netutils_run_traceroute',`
|
||||
## The role to be allowed the traceroute domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the traceroute domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netutils_run_traceroute_cond',`
|
||||
@ -308,7 +279,6 @@ interface(`netutils_run_traceroute_cond',`
|
||||
|
||||
if( user_ping ) {
|
||||
netutils_domtrans_traceroute($1)
|
||||
allow traceroute_t $3:chr_file rw_term_perms;
|
||||
}
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(netutils, 1.7.0)
|
||||
policy_module(netutils, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -85,6 +85,7 @@ logging_send_syslog_msg(netutils_t)
|
||||
|
||||
miscfiles_read_localization(netutils_t)
|
||||
|
||||
userdom_use_user_terminals(netutils_t)
|
||||
userdom_use_all_users_fds(netutils_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -133,6 +134,8 @@ logging_send_syslog_msg(ping_t)
|
||||
|
||||
miscfiles_read_localization(ping_t)
|
||||
|
||||
userdom_use_user_terminals(ping_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
init_dontaudit_use_fds(ping_t)
|
||||
')
|
||||
@ -197,6 +200,8 @@ logging_send_syslog_msg(traceroute_t)
|
||||
|
||||
miscfiles_read_localization(traceroute_t)
|
||||
|
||||
userdom_use_user_terminals(traceroute_t)
|
||||
|
||||
#rules needed for nmap
|
||||
dev_read_rand(traceroute_t)
|
||||
dev_read_urand(traceroute_t)
|
||||
|
@ -40,11 +40,6 @@ interface(`portage_domtrans',`
|
||||
## The role to allow the portage domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow for portage to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`portage_run',`
|
||||
@ -54,9 +49,6 @@ interface(`portage_run',`
|
||||
|
||||
portage_domtrans($1)
|
||||
role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||
allow portage_t $3:chr_file rw_term_perms;
|
||||
allow portage_fetch_t $3:chr_file rw_term_perms;
|
||||
allow portage_sandbox_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -186,6 +178,8 @@ interface(`portage_compile_domain',`
|
||||
|
||||
logging_send_syslog_msg($1)
|
||||
|
||||
userdom_use_user_terminals($1)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# some gui ebuilds want to interact with X server, like xawtv
|
||||
optional_policy(`
|
||||
@ -231,11 +225,6 @@ interface(`portage_domtrans_gcc_config',`
|
||||
## The role to allow the gcc_config domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow for gcc_config to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`portage_run_gcc_config',`
|
||||
@ -245,5 +234,4 @@ interface(`portage_run_gcc_config',`
|
||||
|
||||
portage_domtrans_gcc_config($1)
|
||||
role $2 types gcc_config_t;
|
||||
allow gcc_config_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(portage, 1.6.1)
|
||||
policy_module(portage, 1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -90,8 +90,6 @@ files_search_pids(gcc_config_t)
|
||||
# the directory it is being run from
|
||||
files_list_all(gcc_config_t)
|
||||
|
||||
term_search_ptys(gcc_config_t)
|
||||
|
||||
# seems to be ok without this
|
||||
init_dontaudit_read_script_status_files(gcc_config_t)
|
||||
|
||||
@ -105,6 +103,8 @@ logging_send_syslog_msg(gcc_config_t)
|
||||
|
||||
miscfiles_read_localization(gcc_config_t)
|
||||
|
||||
userdom_use_user_terminals(gcc_config_t)
|
||||
|
||||
consoletype_exec(gcc_config_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -245,7 +245,8 @@ miscfiles_read_localization(portage_fetch_t)
|
||||
sysnet_read_config(portage_fetch_t)
|
||||
sysnet_dns_name_resolve(portage_fetch_t)
|
||||
|
||||
sysadm_dontaudit_read_home_content_files(portage_fetch_t)
|
||||
userdom_use_user_terminals(portage_fetch_t)
|
||||
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
|
@ -33,11 +33,6 @@ interface(`prelink_domtrans',`
|
||||
## The role to allow the prelink domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the prelink domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`prelink_run',`
|
||||
@ -47,7 +42,6 @@ interface(`prelink_run',`
|
||||
|
||||
prelink_domtrans($1)
|
||||
role $2 types prelink_t;
|
||||
allow prelink_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink, 1.5.0)
|
||||
policy_module(prelink, 1.5.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -79,6 +79,8 @@ libs_delete_lib_symlinks(prelink_t)
|
||||
|
||||
miscfiles_read_localization(prelink_t)
|
||||
|
||||
userdom_use_user_terminals(prelink_t)
|
||||
|
||||
optional_policy(`
|
||||
amanda_manage_lib(prelink_t)
|
||||
')
|
||||
|
@ -33,11 +33,6 @@ interface(`quota_domtrans',`
|
||||
## The role to be allowed the quota domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the quota domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`quota_run',`
|
||||
@ -47,7 +42,6 @@ interface(`quota_run',`
|
||||
|
||||
quota_domtrans($1)
|
||||
role $2 types quota_t;
|
||||
allow quota_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(quota, 1.3.0)
|
||||
policy_module(quota, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -72,6 +72,7 @@ init_use_script_ptys(quota_t)
|
||||
|
||||
logging_send_syslog_msg(quota_t)
|
||||
|
||||
userdom_use_user_terminals(quota_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(quota_t)
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(readahead, 1.7.0)
|
||||
policy_module(readahead, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -77,8 +77,7 @@ logging_dontaudit_search_audit_config(readahead_t)
|
||||
miscfiles_read_localization(readahead_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(readahead_t)
|
||||
userdom_dontaudit_search_user_home_dirs(readahead_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(readahead_t, readahead_exec_t)
|
||||
|
@ -56,11 +56,6 @@ interface(`rpm_domtrans_script',`
|
||||
## The role to allow the RPM domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the RPM domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`rpm_run',`
|
||||
@ -71,10 +66,9 @@ interface(`rpm_run',`
|
||||
rpm_domtrans($1)
|
||||
role $2 types rpm_t;
|
||||
role $2 types rpm_script_t;
|
||||
seutil_run_loadpolicy(rpm_script_t, $2, $3)
|
||||
seutil_run_semanage(rpm_script_t, $2, $3)
|
||||
seutil_run_setfiles(rpm_script_t, $2, $3)
|
||||
allow rpm_t $3:chr_file rw_term_perms;
|
||||
seutil_run_loadpolicy(rpm_script_t, $2)
|
||||
seutil_run_semanage(rpm_script_t, $2)
|
||||
seutil_run_setfiles(rpm_script_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpm, 1.8.0)
|
||||
policy_module(rpm, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -132,8 +132,6 @@ storage_raw_write_fixed_disk(rpm_t)
|
||||
# for installing kernel packages
|
||||
storage_raw_read_fixed_disk(rpm_t)
|
||||
|
||||
term_list_ptys(rpm_t)
|
||||
|
||||
auth_relabel_all_files_except_shadow(rpm_t)
|
||||
auth_manage_all_files_except_shadow(rpm_t)
|
||||
auth_dontaudit_read_shadow(rpm_t)
|
||||
@ -168,6 +166,7 @@ logging_send_syslog_msg(rpm_t)
|
||||
seutil_manage_src_policy(rpm_t)
|
||||
seutil_manage_bin_policy(rpm_t)
|
||||
|
||||
userdom_use_user_terminals(rpm_t)
|
||||
userdom_use_unpriv_users_fds(rpm_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -273,8 +272,6 @@ selinux_compute_user_contexts(rpm_script_t)
|
||||
storage_raw_read_fixed_disk(rpm_script_t)
|
||||
storage_raw_write_fixed_disk(rpm_script_t)
|
||||
|
||||
term_getattr_unallocated_ttys(rpm_script_t)
|
||||
term_list_ptys(rpm_script_t)
|
||||
term_use_all_terms(rpm_script_t)
|
||||
|
||||
auth_dontaudit_getattr_shadow(rpm_script_t)
|
||||
@ -338,7 +335,7 @@ optional_policy(`
|
||||
unconfined_domtrans(rpm_script_t)
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans(rpm_script_t)
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -125,29 +125,12 @@ template(`su_restricted_domain_template', `
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per role template for the su module.
|
||||
## The role template for the su module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domain which is allowed
|
||||
## to change the linux user id, to run shells as a different
|
||||
## user.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
@ -155,8 +138,13 @@ template(`su_restricted_domain_template', `
|
||||
## The role associated with the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`su_per_role_template',`
|
||||
template(`su_role_template',`
|
||||
gen_require(`
|
||||
attribute su_domain_type;
|
||||
type su_exec_t;
|
||||
@ -167,9 +155,10 @@ template(`su_per_role_template',`
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_interactive_fd($1_su_t)
|
||||
role $3 types $1_su_t;
|
||||
ubac_constrained($1_su_t)
|
||||
role $2 types $1_su_t;
|
||||
|
||||
allow $2 $1_su_t:process signal;
|
||||
allow $3 $1_su_t:process signal;
|
||||
|
||||
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
dontaudit $1_su_t self:capability sys_tty_config;
|
||||
@ -179,13 +168,15 @@ template(`su_per_role_template',`
|
||||
allow $1_su_t self:key { search write };
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domtrans_pattern($2, su_exec_t, $1_su_t)
|
||||
domtrans_pattern($3, su_exec_t, $1_su_t)
|
||||
|
||||
ps_process_pattern($3, $1_su_t)
|
||||
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_su_t, $2)
|
||||
allow $2 $1_su_t:fd use;
|
||||
allow $2 $1_su_t:fifo_file rw_file_perms;
|
||||
allow $2 $1_su_t:process sigchld;
|
||||
corecmd_shell_domtrans($1_su_t, $3)
|
||||
allow $3 $1_su_t:fd use;
|
||||
allow $3 $1_su_t:fifo_file rw_file_perms;
|
||||
allow $3 $1_su_t:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctls($1_su_t)
|
||||
@ -200,7 +191,7 @@ template(`su_per_role_template',`
|
||||
# needed for pam_rootok
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
|
||||
auth_domtrans_user_chk_passwd($1, $1_su_t)
|
||||
auth_domtrans_chk_passwd($1_su_t)
|
||||
auth_dontaudit_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
auth_rw_faillog($1_su_t)
|
||||
@ -224,8 +215,8 @@ template(`su_per_role_template',`
|
||||
|
||||
miscfiles_read_localization($1_su_t)
|
||||
|
||||
userdom_use_user_terminals($1, $1_su_t)
|
||||
userdom_search_user_home_dirs($1, $1_su_t)
|
||||
userdom_use_user_terminals($1_su_t)
|
||||
userdom_search_user_home_dirs($1_su_t)
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
domain_role_change_exemption($1_su_t)
|
||||
@ -285,17 +276,9 @@ template(`su_per_role_template',`
|
||||
|
||||
# Modify .Xauthority file (via xauth program).
|
||||
optional_policy(`
|
||||
xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
|
||||
xserver_domtrans_user_xauth($1, $1_su_t)
|
||||
xserver_user_home_dir_filetrans_user_xauth($1_su_t)
|
||||
xserver_domtrans_xauth($1_su_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_su_t $1_home_t:file manage_file_perms;
|
||||
|
||||
# Access sshd cookie files.
|
||||
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
||||
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
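Review bot: Besides the rename to `su_role_template`, the positional arguments change order: the role moves from `$3` to `$2` (`role $2 types $1_su_t;`) and the user domain from `$2` to `$3` (`domtrans_pattern($3, su_exec_t, $1_su_t)`). A caller updated by name only would pass a domain where a role is expected; the policy compiler would most likely reject that, but the error would point at the expansion rather than at the call. A sentence in the template's doc block would make the swap explicit, for instance `Argument order differs from su_per_role_template: the role now precedes the user domain.` The sudo template in the next interface section makes the same swap. The template body extends beyond the visible hunks.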
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(su, 1.8.0)
|
||||
policy_module(su, 1.8.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per role template for the sudo module.
|
||||
## The role template for the sudo module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -10,30 +10,25 @@
|
||||
## to change the linux user id, to run commands as a different
|
||||
## user.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## The prefix of the user role (e.g., user
|
||||
## is the prefix for user_r).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## The user role.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The user domain associated with the role.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`sudo_per_role_template',`
|
||||
template(`sudo_role_template',`
|
||||
|
||||
gen_require(`
|
||||
type sudo_exec_t;
|
||||
@ -47,7 +42,8 @@ template(`sudo_per_role_template',`
|
||||
type $1_sudo_t;
|
||||
application_domain($1_sudo_t, sudo_exec_t)
|
||||
domain_interactive_fd($1_sudo_t)
|
||||
role $3 types $1_sudo_t;
|
||||
ubac_constrained($1_sudo_t)
|
||||
role $2 types $1_sudo_t;
|
||||
|
||||
##############################
|
||||
#
|
||||
@ -71,13 +67,13 @@ template(`sudo_per_role_template',`
|
||||
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
|
||||
|
||||
# Enter this derived domain from the user domain
|
||||
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
|
||||
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
|
||||
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_sudo_t, $2)
|
||||
allow $2 $1_sudo_t:fd use;
|
||||
allow $2 $1_sudo_t:fifo_file rw_file_perms;
|
||||
allow $2 $1_sudo_t:process sigchld;
|
||||
corecmd_shell_domtrans($1_sudo_t, $3)
|
||||
allow $3 $1_sudo_t:fd use;
|
||||
allow $3 $1_sudo_t:fifo_file rw_file_perms;
|
||||
allow $3 $1_sudo_t:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctls($1_sudo_t)
|
||||
kernel_read_system_state($1_sudo_t)
|
||||
@ -113,22 +109,11 @@ template(`sudo_per_role_template',`
|
||||
|
||||
miscfiles_read_localization($1_sudo_t)
|
||||
|
||||
userdom_manage_user_home_content_files($1, $1_sudo_t)
|
||||
userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
|
||||
userdom_manage_user_tmp_files($1, $1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
|
||||
userdom_use_user_terminals($1, $1_sudo_t)
|
||||
userdom_use_unpriv_users_fds($1_sudo_t)
|
||||
userdom_manage_user_home_content_files($1_sudo_t)
|
||||
userdom_manage_user_home_content_symlinks($1_sudo_t)
|
||||
userdom_manage_user_tmp_files($1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
userdom_use_user_terminals($1_sudo_t)
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# for when the network connection is killed
|
||||
dontaudit unpriv_userdomain $1_sudo_t:process signal;
|
||||
|
||||
ifdef(`mta.te', `
|
||||
domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
|
||||
')
|
||||
|
||||
') dnl end TODO
|
||||
userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
')
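Review bot: With the role prefix dropped from `userdom_manage_user_home_content_files($1_sudo_t)`, `userdom_manage_user_tmp_files($1_sudo_t)` and their symlink variants in the -113,22 hunk, every role's sudo domain gets manage access through the same generic interfaces. Keeping one user's sudo domain out of another user's files then appears to rest on `ubac_constrained($1_sudo_t)` alone. The README text added by this commit describes UBAC as approximate role separation and the Makefile makes it a build option, so with UBAC off these rules may be broader than the per-role ones they replace. A comment above the block would keep that dependency visible: `# generic user home/tmp types; per-user separation relies on ubac_constrained() and UBAC=y`. The template body spans several hunks and is not fully visible here.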
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(sudo, 1.3.0)
|
||||
policy_module(sudo, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -7,5 +7,3 @@ policy_module(sudo, 1.3.0)
|
||||
|
||||
type sudo_exec_t;
|
||||
application_executable_file(sudo_exec_t)
|
||||
|
||||
# Remaining policy in per user domain template.
|
||||
|
@ -46,11 +46,6 @@ interface(`tripwire_domtrans_tripwire',`
|
||||
## The role to be allowed the tripwire domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the tripwire domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tripwire_run_tripwire',`
|
||||
@ -60,7 +55,6 @@ interface(`tripwire_run_tripwire',`
|
||||
|
||||
tripwire_domtrans_tripwire($1)
|
||||
role $2 types tripwire_t;
|
||||
allow tripwire_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -96,11 +90,6 @@ interface(`tripwire_domtrans_twadmin',`
|
||||
## The role to be allowed the twadmin domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the twadmin domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tripwire_run_twadmin',`
|
||||
@ -110,7 +99,6 @@ interface(`tripwire_run_twadmin',`
|
||||
|
||||
tripwire_domtrans_twadmin($1)
|
||||
role $2 types twadmin_t;
|
||||
allow twadmin_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -146,11 +134,6 @@ interface(`tripwire_domtrans_twprint',`
|
||||
## The role to be allowed the twprint domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the twprint domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tripwire_run_twprint',`
|
||||
@ -160,7 +143,6 @@ interface(`tripwire_run_twprint',`
|
||||
|
||||
tripwire_domtrans_twprint($1)
|
||||
role $2 types twprint_t;
|
||||
allow twprint_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -196,11 +178,6 @@ interface(`tripwire_domtrans_siggen',`
|
||||
## The role to be allowed the siggen domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the siggen domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tripwire_run_siggen',`
|
||||
@ -210,5 +187,4 @@ interface(`tripwire_run_siggen',`
|
||||
|
||||
tripwire_domtrans_siggen($1)
|
||||
role $2 types siggen_t;
|
||||
allow siggen_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tripwire, 1.1.0)
|
||||
policy_module(tripwire, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -81,6 +81,8 @@ files_getattr_all_sockets(tripwire_t)
|
||||
|
||||
logging_send_syslog_msg(tripwire_t)
|
||||
|
||||
userdom_use_user_terminals(tripwire_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(tripwire_t, tripwire_exec_t)
|
||||
')
|
||||
@ -100,6 +102,8 @@ logging_send_syslog_msg(twadmin_t)
|
||||
|
||||
miscfiles_read_localization(twadmin_t)
|
||||
|
||||
userdom_use_user_terminals(twadmin_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Twprint local policy
|
||||
@ -124,6 +128,8 @@ logging_send_syslog_msg(twprint_t)
|
||||
|
||||
miscfiles_read_localization(twprint_t)
|
||||
|
||||
userdom_use_user_terminals(twprint_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Siggen local policy
|
||||
@ -137,3 +143,5 @@ files_read_all_files(siggen_t)
|
||||
logging_send_syslog_msg(siggen_t)
|
||||
|
||||
miscfiles_read_localization(siggen_t)
|
||||
|
||||
userdom_use_user_terminals(siggen_t)
|
||||
|
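Review bot: The `userdom_use_user_terminals(...)` calls added for twadmin_t, twprint_t and siggen_t (and tripwire_t) carry no comment saying that they replace the `allow ..._t $3:chr_file rw_term_perms;` rules dropped from tripwire.if, so terminal access is no longer tied to the terminal type the caller passed in. The interface body is not on this page, but by its name it covers user terminals in general, which leaves separation between users to UBAC, and the Makefile hunk makes UBAC a build option. I would add `# terminal access is no longer per-role; separation between users depends on UBAC` above each call. The same applies to the calls added in tzdata.te, usbmodules.te, usermanage.te (passwd_t) and ada.te.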
@ -32,11 +32,6 @@ interface(`tzdata_domtrans',`
|
||||
## The role to allow the tzdata domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the tzdata domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`tzdata_run',`
|
||||
@ -46,5 +41,4 @@ interface(`tzdata_run',`
|
||||
|
||||
tzdata_domtrans($1)
|
||||
role $2 types tzdata_t;
|
||||
allow tzdata_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tzdata, 1.2.0)
|
||||
policy_module(tzdata, 1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27,6 +27,8 @@ miscfiles_read_localization(tzdata_t)
|
||||
miscfiles_manage_localization(tzdata_t)
|
||||
miscfiles_etc_filetrans_localization(tzdata_t)
|
||||
|
||||
userdom_use_user_terminals(tzdata_t)
|
||||
|
||||
# tzdata looks for /var/spool/postfix/etc/localtime.
|
||||
optional_policy(`
|
||||
postfix_search_spool(tzdata_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(updfstab, 1.4.0)
|
||||
policy_module(updfstab, 1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -76,7 +76,7 @@ seutil_read_config(updfstab_t)
|
||||
seutil_read_default_contexts(updfstab_t)
|
||||
seutil_read_file_contexts(updfstab_t)
|
||||
|
||||
userdom_dontaudit_search_all_users_home_content(updfstab_t)
|
||||
userdom_dontaudit_search_user_home_content(updfstab_t)
|
||||
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -86,7 +86,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
init_dbus_chat_script(updfstab_t)
|
||||
|
||||
dbus_system_bus_client_template(updfstab, updfstab_t)
|
||||
dbus_system_bus_client(updfstab_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -34,11 +34,6 @@ interface(`usbmodules_domtrans',`
|
||||
## The role to be allowed the usbmodules domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the usbmodules domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`usbmodules_run',`
|
||||
@ -48,5 +43,4 @@ interface(`usbmodules_run',`
|
||||
|
||||
usbmodules_domtrans($1)
|
||||
role $2 types usbmodules_t;
|
||||
allow usbmodules_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usbmodules, 1.1.0)
|
||||
policy_module(usbmodules, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -37,6 +37,8 @@ miscfiles_read_hwdata(usbmodules_t)
|
||||
|
||||
modutils_read_module_deps(usbmodules_t)
|
||||
|
||||
userdom_use_user_terminals(usbmodules_t)
|
||||
|
||||
optional_policy(`
|
||||
hotplug_read_config(usbmodules_t)
|
||||
')
|
||||
|
@ -35,11 +35,6 @@ interface(`usermanage_domtrans_chfn',`
|
||||
## The role to be allowed the chfn domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the chfn domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_chfn',`
|
||||
gen_require(`
|
||||
@ -48,7 +43,6 @@ interface(`usermanage_run_chfn',`
|
||||
|
||||
usermanage_domtrans_chfn($1)
|
||||
role $2 types chfn_t;
|
||||
allow chfn_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -86,11 +80,6 @@ interface(`usermanage_domtrans_groupadd',`
|
||||
## The role to be allowed the groupadd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the groupadd domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`usermanage_run_groupadd',`
|
||||
@ -100,10 +89,9 @@ interface(`usermanage_run_groupadd',`
|
||||
|
||||
usermanage_domtrans_groupadd($1)
|
||||
role $2 types groupadd_t;
|
||||
allow groupadd_t $3:chr_file rw_term_perms;
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(groupadd_t, $2, $3)
|
||||
nscd_run(groupadd_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
@ -142,11 +130,6 @@ interface(`usermanage_domtrans_passwd',`
|
||||
## The role to be allowed the passwd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the passwd domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_passwd',`
|
||||
gen_require(`
|
||||
@ -155,7 +138,6 @@ interface(`usermanage_run_passwd',`
|
||||
|
||||
usermanage_domtrans_passwd($1)
|
||||
role $2 types passwd_t;
|
||||
allow passwd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -195,11 +177,6 @@ interface(`usermanage_domtrans_admin_passwd',`
|
||||
## The role to be allowed the admin passwd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the admin passwd domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`usermanage_run_admin_passwd',`
|
||||
@ -209,10 +186,9 @@ interface(`usermanage_run_admin_passwd',`
|
||||
|
||||
usermanage_domtrans_admin_passwd($1)
|
||||
role $2 types sysadm_passwd_t;
|
||||
allow sysadm_passwd_t $3:chr_file rw_term_perms;
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(sysadm_passwd_t, $2, $3)
|
||||
nscd_run(sysadm_passwd_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
@ -269,11 +245,6 @@ interface(`usermanage_domtrans_useradd',`
|
||||
## The role to be allowed the useradd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the useradd domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`usermanage_run_useradd',`
|
||||
@ -283,10 +254,9 @@ interface(`usermanage_run_useradd',`
|
||||
|
||||
usermanage_domtrans_useradd($1)
|
||||
role $2 types useradd_t;
|
||||
allow useradd_t $3:chr_file rw_term_perms;
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(useradd_t, $2, $3)
|
||||
nscd_run(useradd_t, $2)
|
||||
')
|
||||
')
|
||||
|
||||
|
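Review bot: `usermanage_run_chfn`, `usermanage_run_groupadd`, `usermanage_run_admin_passwd` and `usermanage_run_useradd` lose their `allow ..._t $3:chr_file rw_term_perms;` rule, but the usermanage.te hunks on this page add a replacement (`userdom_use_user_terminals`) only for passwd_t. If chfn_t, groupadd_t, sysadm_passwd_t and useradd_t already get terminal access from unchanged lines of usermanage.te, the commit message should say so; if they do not, the call is needed for them as well, e.g. `userdom_use_user_terminals(chfn_t)`. `vpn_run` in vpn.if has the same shape: the rule is removed and the visible vpn.te hunk adds nothing for vpnc_t. The interface bodies start outside the hunks, so this is based on the changed lines only.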
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(usermanage, 1.11.0)
|
||||
policy_module(usermanage, 1.11.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,7 +119,7 @@ seutil_dontaudit_search_config(chfn_t)
|
||||
userdom_use_unpriv_users_fds(chfn_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home_content(chfn_t)
|
||||
userdom_dontaudit_search_user_home_content(chfn_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -153,7 +153,7 @@ corecmd_exec_bin(crack_t)
|
||||
|
||||
logging_send_syslog_msg(crack_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(crack_t)
|
||||
userdom_dontaudit_search_user_home_dirs(crack_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
# the package cracklib-runtime on Debian contains a daily maintenance
|
||||
@ -227,9 +227,8 @@ auth_use_nsswitch(groupadd_t)
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(groupadd_t)
|
||||
|
||||
# for when /root is the cwd
|
||||
sysadm_dontaudit_search_home_dirs(groupadd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(groupadd_t)
|
||||
|
||||
optional_policy(`
|
||||
dpkg_use_fds(groupadd_t)
|
||||
@ -316,13 +315,14 @@ miscfiles_read_localization(passwd_t)
|
||||
|
||||
seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
userdom_use_user_terminals(passwd_t)
|
||||
userdom_use_unpriv_users_fds(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
userdom_read_all_users_state(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home_content(passwd_t)
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(passwd_t)
|
||||
@ -406,7 +406,7 @@ seutil_dontaudit_search_config(sysadm_passwd_t)
|
||||
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
|
||||
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(sysadm_passwd_t)
|
||||
@ -485,10 +485,10 @@ seutil_domtrans_setfiles(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# Add/remove user home directories
|
||||
userdom_manage_all_users_home_content_dirs(useradd_t)
|
||||
userdom_manage_all_users_home_content_files(useradd_t)
|
||||
unprivuser_home_filetrans_home_dir(useradd_t)
|
||||
unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set)
|
||||
userdom_manage_user_home_content_dirs(useradd_t)
|
||||
userdom_manage_user_home_content_files(useradd_t)
|
||||
userdom_home_filetrans_user_home_dir(useradd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
|
||||
|
||||
mta_manage_spool(useradd_t)
|
||||
|
||||
|
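Review bot: The comment `# for when /root is the cwd` in the groupadd_t hunk no longer matches the rule under it, assuming the comment is kept on the new side (the page does not mark sides). `sysadm_dontaudit_search_home_dirs(groupadd_t)` becomes `userdom_dontaudit_search_user_home_dirs(groupadd_t)`, which by its name silences search denials on user home directories in general; the interface body is not on this page. A dontaudit rule removes AVC records, so the wider scope should be stated where it is granted, for example `# the caller's home directory (including /root) may be the cwd; do not audit the search`. The crack_t hunk makes the same replacement with no comment at all.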
@ -33,11 +33,6 @@ interface(`vpn_domtrans',`
|
||||
## The role to be allowed the vpnc domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the vpnc domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`vpn_run',`
|
||||
@ -47,8 +42,7 @@ interface(`vpn_run',`
|
||||
|
||||
vpn_domtrans($1)
|
||||
role $2 types vpnc_t;
|
||||
allow vpnc_t $3:chr_file rw_term_perms;
|
||||
sysnet_run_ifconfig(vpnc_t, $2, $3)
|
||||
sysnet_run_ifconfig(vpnc_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(vpn, 1.9.0)
|
||||
policy_module(vpn, 1.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -105,10 +105,10 @@ sysnet_etc_filetrans_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
userdom_use_all_users_fds(vpnc_t)
|
||||
userdom_dontaudit_search_all_users_home_content(vpnc_t)
|
||||
userdom_dontaudit_search_user_home_content(vpnc_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template(vpnc, vpnc_t)
|
||||
dbus_system_bus_client(vpnc_t)
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(vpnc_t)
|
||||
|
@ -34,11 +34,6 @@ interface(`ada_domtrans',`
|
||||
## The role to be allowed the ada domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the ada domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ada_run',`
|
||||
gen_require(`
|
||||
@ -47,5 +42,4 @@ interface(`ada_run',`
|
||||
|
||||
ada_domtrans($1)
|
||||
role $2 types ada_t;
|
||||
allow ada_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ada, 1.2.0)
|
||||
policy_module(ada, 1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -18,6 +18,8 @@ role system_r types ada_t;
|
||||
|
||||
allow ada_t self:process { execstack execmem };
|
||||
|
||||
userdom_use_user_terminals(ada_t)
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain_noaudit(ada_t)
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(calamaris, 1.3.0)
|
||||
policy_module(calamaris, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -65,7 +65,7 @@ miscfiles_read_localization(calamaris_t)
|
||||
|
||||
sysnet_read_config(calamaris_t)
|
||||
|
||||
sysadm_dontaudit_list_home_dirs(calamaris_t)
|
||||
userdom_dontaudit_list_user_home_dirs(calamaris_t)
|
||||
|
||||
squid_read_log(calamaris_t)
|
||||
|
||||
|
@ -1,187 +1,33 @@
|
||||
## <summary>Policy for cdrecord</summary>
|
||||
|
||||
#######################################
|
||||
########################################
|
||||
## <summary>
|
||||
## The per role template for the cdrecord module.
|
||||
## Role access for cdrecord
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates derived domains which are used
|
||||
## for cdrecord.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`cdrecord_per_role_template', `
|
||||
|
||||
interface(`cdrecord_role',`
|
||||
gen_require(`
|
||||
type cdrecord_exec_t;
|
||||
type cdrecord_t, cdrecord_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_cdrecord_t;
|
||||
application_domain($1_cdrecord_t, cdrecord_exec_t)
|
||||
role $3 types $1_cdrecord_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
|
||||
allow $1_cdrecord_t self:process { getsched setsched sigkill };
|
||||
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
|
||||
|
||||
# allow ps to show cdrecord and allow the user to kill it
|
||||
ps_process_pattern($2,$1_cdrecord_t)
|
||||
allow $2 $1_cdrecord_t:process signal;
|
||||
role $1 types cdrecord_t;
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t)
|
||||
domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
|
||||
|
||||
# allow searching for cdrom-drive
|
||||
dev_list_all_dev_nodes($1_cdrecord_t)
|
||||
allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
|
||||
|
||||
domain_interactive_fd($1_cdrecord_t)
|
||||
domain_use_interactive_fds($1_cdrecord_t)
|
||||
|
||||
files_read_etc_files($1_cdrecord_t)
|
||||
|
||||
term_use_controlling_term($1_cdrecord_t)
|
||||
term_list_ptys($1_cdrecord_t)
|
||||
|
||||
# allow cdrecord to write the CD
|
||||
storage_raw_write_removable_device($1_cdrecord_t)
|
||||
storage_write_scsi_generic($1_cdrecord_t)
|
||||
|
||||
logging_send_syslog_msg($1_cdrecord_t)
|
||||
|
||||
miscfiles_read_localization($1_cdrecord_t)
|
||||
|
||||
# write to the user domain tty.
|
||||
userdom_use_user_terminals($1, $1_cdrecord_t)
|
||||
userdom_use_user_terminals($1, $2)
|
||||
|
||||
userdom_read_user_home_content_files($1, $1_cdrecord_t)
|
||||
|
||||
# Handle nfs home dirs
|
||||
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
|
||||
fs_list_auto_mountpoints($1_cdrecord_t)
|
||||
files_list_home($1_cdrecord_t)
|
||||
fs_read_nfs_files($1_cdrecord_t)
|
||||
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
|
||||
fs_dontaudit_read_nfs_files($1_cdrecord_t)
|
||||
fs_dontaudit_list_nfs($1_cdrecord_t)
|
||||
')
|
||||
# Handle samba home dirs
|
||||
tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
|
||||
fs_list_auto_mountpoints($1_cdrecord_t)
|
||||
files_list_home($1_cdrecord_t)
|
||||
fs_read_cifs_files($1_cdrecord_t)
|
||||
fs_read_cifs_symlinks($1_cdrecord_t)
|
||||
',`
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
|
||||
fs_dontaudit_read_cifs_files($1_cdrecord_t)
|
||||
fs_dontaudit_list_cifs($1_cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle removable media, /tmp, and /home
|
||||
tunable_policy(`cdrecord_read_content',`
|
||||
userdom_list_user_tmp($1, $1_cdrecord_t)
|
||||
userdom_read_user_tmp_files($1, $1_cdrecord_t)
|
||||
userdom_read_user_tmp_symlinks($1, $1_cdrecord_t)
|
||||
userdom_search_user_home_dirs($1, $1_cdrecord_t)
|
||||
userdom_read_user_home_content_files($1, $1_cdrecord_t)
|
||||
userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
',`
|
||||
fs_search_removable($1_cdrecord_t)
|
||||
fs_read_removable_files($1_cdrecord_t)
|
||||
fs_read_removable_symlinks($1_cdrecord_t)
|
||||
')
|
||||
',`
|
||||
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
fs_dontaudit_list_removable($1_cdrecord_t)
|
||||
fs_dontaudit_read_removable_files($1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle default_t content
|
||||
tunable_policy(`cdrecord_read_content && read_default_t',`
|
||||
files_list_default($1_cdrecord_t)
|
||||
files_read_default_files($1_cdrecord_t)
|
||||
files_read_default_symlinks($1_cdrecord_t)
|
||||
',`
|
||||
files_dontaudit_read_default_files($1_cdrecord_t)
|
||||
files_dontaudit_list_default($1_cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle untrusted content
|
||||
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
|
||||
files_list_tmp($1_cdrecord_t)
|
||||
files_list_home($1_cdrecord_t)
|
||||
userdom_search_user_home_dirs($1, $1_cdrecord_t)
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_cdrecord_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_cdrecord_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t)
|
||||
userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
|
||||
userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
|
||||
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t)
|
||||
',`
|
||||
files_dontaudit_list_tmp($1_cdrecord_t)
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
files_search_mnt($1_cdrecord_t)
|
||||
fs_read_nfs_files($1_cdrecord_t)
|
||||
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
resmgr_stream_connect($1_cdrecord_t)
|
||||
')
|
||||
# allow ps to show cdrecord and allow the user to kill it
|
||||
ps_process_pattern($2, cdrecord_t)
|
||||
allow $2 cdrecord_t:process signal;
|
||||
')
|
||||
|
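Review bot: The comment `# Transition from the user domain to the derived domain.` above `domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)` is stale, because `cdrecord_role` no longer creates a derived `$1_cdrecord_t` and every caller now transitions into the one shared `cdrecord_t`. I would change it to `# transition from the user domain to the shared cdrecord_t domain`. The interface header could also say that nothing is declared here any more and that keeping different users' cdrecord processes apart is left to `ubac_constrained(cdrecord_t)` in cdrecord.te.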
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cdrecord, 1.4.0)
|
||||
policy_module(cdrecord, 2.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -15,5 +15,112 @@ policy_module(cdrecord, 1.4.0)
|
||||
## </desc>
|
||||
gen_tunable(cdrecord_read_content, false)
|
||||
|
||||
type cdrecord_t;
|
||||
type cdrecord_exec_t;
|
||||
application_executable_file(cdrecord_exec_t)
|
||||
typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
|
||||
typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
|
||||
application_domain(cdrecord_t, cdrecord_exec_t)
|
||||
ubac_constrained(cdrecord_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
|
||||
allow cdrecord_t self:process { getsched setsched sigkill };
|
||||
allow cdrecord_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# allow searching for cdrom-drive
|
||||
dev_list_all_dev_nodes(cdrecord_t)
|
||||
|
||||
domain_interactive_fd(cdrecord_t)
|
||||
domain_use_interactive_fds(cdrecord_t)
|
||||
|
||||
files_read_etc_files(cdrecord_t)
|
||||
|
||||
term_use_controlling_term(cdrecord_t)
|
||||
term_list_ptys(cdrecord_t)
|
||||
|
||||
# allow cdrecord to write the CD
|
||||
storage_raw_write_removable_device(cdrecord_t)
|
||||
storage_write_scsi_generic(cdrecord_t)
|
||||
|
||||
logging_send_syslog_msg(cdrecord_t)
|
||||
|
||||
miscfiles_read_localization(cdrecord_t)
|
||||
|
||||
# write to the user domain tty.
|
||||
userdom_use_user_terminals(cdrecord_t)
|
||||
userdom_read_user_home_content_files(cdrecord_t)
|
||||
|
||||
# Handle nfs home dirs
|
||||
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
|
||||
fs_list_auto_mountpoints(cdrecord_t)
|
||||
files_list_home(cdrecord_t)
|
||||
fs_read_nfs_files(cdrecord_t)
|
||||
fs_read_nfs_symlinks(cdrecord_t)
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home(cdrecord_t)
|
||||
fs_dontaudit_list_auto_mountpoints(cdrecord_t)
|
||||
fs_dontaudit_read_nfs_files(cdrecord_t)
|
||||
fs_dontaudit_list_nfs(cdrecord_t)
|
||||
')
|
||||
# Handle samba home dirs
|
||||
tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
|
||||
fs_list_auto_mountpoints(cdrecord_t)
|
||||
files_list_home(cdrecord_t)
|
||||
fs_read_cifs_files(cdrecord_t)
|
||||
fs_read_cifs_symlinks(cdrecord_t)
|
||||
',`
|
||||
files_dontaudit_list_home(cdrecord_t)
|
||||
fs_dontaudit_list_auto_mountpoints(cdrecord_t)
|
||||
fs_dontaudit_read_cifs_files(cdrecord_t)
|
||||
fs_dontaudit_list_cifs(cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle removable media, /tmp, and /home
|
||||
tunable_policy(`cdrecord_read_content',`
|
||||
userdom_list_user_tmp(cdrecord_t)
|
||||
userdom_read_user_tmp_files(cdrecord_t)
|
||||
userdom_read_user_tmp_symlinks(cdrecord_t)
|
||||
userdom_read_user_home_content_files(cdrecord_t)
|
||||
userdom_read_user_home_content_symlinks(cdrecord_t)
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable(cdrecord_t)
|
||||
fs_read_removable_files(cdrecord_t)
|
||||
fs_read_removable_symlinks(cdrecord_t)
|
||||
')
|
||||
',`
|
||||
files_dontaudit_list_tmp(cdrecord_t)
|
||||
files_dontaudit_list_home(cdrecord_t)
|
||||
fs_dontaudit_list_removable(cdrecord_t)
|
||||
fs_dontaudit_read_removable_files(cdrecord_t)
|
||||
userdom_dontaudit_list_user_tmp(cdrecord_t)
|
||||
userdom_dontaudit_read_user_tmp_files(cdrecord_t)
|
||||
userdom_dontaudit_list_user_home_dirs(cdrecord_t)
|
||||
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
|
||||
')
|
||||
|
||||
# Handle default_t content
|
||||
tunable_policy(`cdrecord_read_content && read_default_t',`
|
||||
files_list_default(cdrecord_t)
|
||||
files_read_default_files(cdrecord_t)
|
||||
files_read_default_symlinks(cdrecord_t)
|
||||
',`
|
||||
files_dontaudit_read_default_files(cdrecord_t)
|
||||
files_dontaudit_list_default(cdrecord_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
files_search_mnt(cdrecord_t)
|
||||
fs_read_nfs_files(cdrecord_t)
|
||||
fs_read_nfs_symlinks(cdrecord_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
resmgr_stream_connect(cdrecord_t)
|
||||
')
|
||||
|
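Review bot: `userdom_read_user_home_content_files(cdrecord_t)` under `# write to the user domain tty.` is granted unconditionally, although `cdrecord_read_content` is declared with a default of `false` and its tunable block grants the same interface in the true branch and `userdom_dontaudit_read_user_home_content_files(cdrecord_t)` in the false branch. With the unconditional line in place the tunable does not gate reading home content, and in the default setting the policy both allows and dontaudits the access. The line is carried over from the old template, but it now applies to the single shared cdrecord_t, which also holds `dac_override`; I would delete the unconditional call and leave the grant to the tunable. The trailing `use_nfs_home_dirs` block likewise allows NFS file reads without checking `cdrecord_read_content`.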
@ -1,4 +1,4 @@
|
||||
HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
|
||||
HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0)
|
||||
|
||||
/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
|
||||
/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
|
||||
|
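Review bot: Changing the label for `HOME_DIR/\.ethereal(/.*)?` from `ROLE_ethereal_home_t` to `ethereal_home_t` leaves existing `~/.ethereal` trees carrying the old per-role type on disk. cdrecord.te in this commit keeps its old names valid with `typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };`, but ethereal.te is not on this part of the page, so I cannot see whether `ethereal_home_t` gets matching aliases. If it does not, files with the old label are treated as unlabeled after the policy upgrade until they are relabeled, so either add the aliases or note the required relabel in the changelog.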
@ -1,244 +1,55 @@
|
||||
## <summary>Ethereal packet capture tool.</summary>
|
||||
|
||||
#######################################
|
||||
########################################
|
||||
## <summary>
|
||||
## The per role template for the ethereal module.
|
||||
## Role access for ethereal
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for ethereal packet capture tool.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ethereal_per_role_template',`
|
||||
|
||||
interface(`ethereal_role',`
|
||||
gen_require(`
|
||||
type ethereal_exec_t;
|
||||
type ethereal_t, ethereal_exec_t, ethereal_home_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
role $1 types ethereal_t;
|
||||
|
||||
# Type for program
|
||||
type $1_ethereal_t;
|
||||
application_domain($1_ethereal_t, ethereal_exec_t)
|
||||
role $3 types $1_ethereal_t;
|
||||
domain_auto_trans($2, ethereal_exec_t, ethereal_t)
|
||||
allow ethereal_t $2:fd use;
|
||||
allow ethereal_t $2:process sigchld;
|
||||
|
||||
type $1_ethereal_home_t alias $1_ethereal_rw_t;
|
||||
files_poly_member($1_ethereal_home_t)
|
||||
userdom_user_home_content($1, $1_ethereal_home_t)
|
||||
|
||||
type $1_ethereal_tmp_t;
|
||||
files_tmp_file($1_ethereal_tmp_t)
|
||||
|
||||
type $1_ethereal_tmpfs_t;
|
||||
files_tmpfs_file($1_ethereal_tmpfs_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local Policy
|
||||
#
|
||||
|
||||
allow $1_ethereal_t self:capability { net_admin net_raw setgid };
|
||||
allow $1_ethereal_t self:process { signal getsched };
|
||||
allow $1_ethereal_t self:fifo_file { getattr read write };
|
||||
allow $1_ethereal_t self:shm destroy;
|
||||
allow $1_ethereal_t self:shm create_shm_perms;
|
||||
allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
|
||||
allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
|
||||
allow $1_ethereal_t self:tcp_socket create_socket_perms;
|
||||
allow $1_ethereal_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Re-execute itself (why?)
|
||||
can_exec($1_ethereal_t, ethereal_exec_t)
|
||||
corecmd_search_bin($1_ethereal_t)
|
||||
|
||||
# /home/.ethereal
|
||||
manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
|
||||
|
||||
# Store temporary files
|
||||
manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
|
||||
manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
|
||||
files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
|
||||
|
||||
manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
|
||||
manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
|
||||
manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
|
||||
manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
|
||||
manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
|
||||
fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
|
||||
allow $1_ethereal_t $2:fd use;
|
||||
allow $1_ethereal_t $2:process sigchld;
|
||||
|
||||
manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
|
||||
|
||||
kernel_read_kernel_sysctls($1_ethereal_t)
|
||||
kernel_read_system_state($1_ethereal_t)
|
||||
kernel_read_sysctl($1_ethereal_t)
|
||||
|
||||
corecmd_search_bin($1_ethereal_t)
|
||||
|
||||
corenet_tcp_connect_generic_port($1_ethereal_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_ethereal_t)
|
||||
|
||||
dev_read_urand($1_ethereal_t)
|
||||
|
||||
files_read_etc_files($1_ethereal_t)
|
||||
files_read_usr_files($1_ethereal_t)
|
||||
|
||||
fs_list_inotifyfs($1_ethereal_t)
|
||||
fs_search_auto_mountpoints($1_ethereal_t)
|
||||
|
||||
libs_read_lib_files($1_ethereal_t)
|
||||
|
||||
miscfiles_read_fonts($1_ethereal_t)
|
||||
miscfiles_read_localization($1_ethereal_t)
|
||||
|
||||
seutil_use_newrole_fds($1_ethereal_t)
|
||||
|
||||
sysnet_read_config($1_ethereal_t)
|
||||
|
||||
userdom_manage_user_home_content_files($1, $1_ethereal_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_ethereal_t)
|
||||
fs_manage_nfs_files($1_ethereal_t)
|
||||
fs_manage_nfs_symlinks($1_ethereal_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_ethereal_t)
|
||||
fs_manage_cifs_files($1_ethereal_t)
|
||||
fs_manage_cifs_symlinks($1_ethereal_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_ethereal_t)
|
||||
')
|
||||
|
||||
# Manual transition from userhelper
|
||||
optional_policy(`
|
||||
userhelper_use_user_fd($1, $1_ethereal_t)
|
||||
userhelper_sigchld_user($1, $1_ethereal_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets($1_ethereal_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Why does it write this?
|
||||
optional_policy(`
|
||||
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
|
||||
')
|
||||
#TODO
|
||||
gnome_application($1_ethereal, $1)
|
||||
gnome_file_dialog($1_ethereal, $1)
|
||||
# FIXME: policy is incomplete
|
||||
')
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The administrative functions template for the ethereal module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates rules for administrating ethereal,
|
||||
## allowing the specified user to manage ethereal files.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ethereal_admin_template',`
|
||||
gen_require(`
|
||||
type $1_ethereal_t;
|
||||
')
|
||||
|
||||
# Create various types of sockets
|
||||
allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow $1_ethereal_t self:udp_socket create_socket_perms;
|
||||
allow $1_ethereal_t self:packet_socket create_socket_perms;
|
||||
allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_ethereal_t self:tcp_socket create_socket_perms;
|
||||
|
||||
userdom_use_user_terminals($1, $1_ethereal_t)
|
||||
# Ethereal tries to write to user terminal
|
||||
userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
|
||||
manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run ethereal in ethereal domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Run ethereal in ethereal domain.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ethereal_domtrans_user_ethereal',`
|
||||
interface(`ethereal_domtrans',`
|
||||
gen_require(`
|
||||
type $1_ethereal_t, ethereal_exec_t;
|
||||
type ethereal_t, ethereal_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)
|
||||
domtrans_pattern($1, ethereal_exec_t, ethereal_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -251,7 +62,7 @@ template(`ethereal_domtrans_user_ethereal',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`ethereal_domtrans_tethereal',`
|
||||
interface(`ethereal_domtrans_tethereal',`
|
||||
gen_require(`
|
||||
type tethereal_t, tethereal_exec_t;
|
||||
')
|
||||
@ -274,11 +85,6 @@ template(`ethereal_domtrans_tethereal',`
|
||||
## The role to be allowed the tethereal domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the tethereal domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ethereal_run_tethereal',`
|
||||
gen_require(`
|
||||
@ -287,5 +93,4 @@ interface(`ethereal_run_tethereal',`
|
||||
|
||||
ethereal_domtrans_tethereal($1)
|
||||
role $2 types tethereal_t;
|
||||
allow tethereal_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
@ -1,13 +1,35 @@
|
||||
|
||||
policy_module(ethereal, 1.5.0)
|
||||
policy_module(ethereal, 2.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type ethereal_t;
|
||||
type ethereal_exec_t;
|
||||
application_executable_file(ethereal_exec_t)
|
||||
typealias ethereal_t alias { user_ethereal_t staff_ethereal_t sysadm_ethereal_t };
|
||||
typealias ethereal_t alias { auditadm_ethereal_t secadm_ethereal_t };
|
||||
application_domain(ethereal_t, ethereal_exec_t)
|
||||
ubac_constrained(ethereal_t)
|
||||
|
||||
type ethereal_home_t;
|
||||
typealias ethereal_home_t alias { user_ethereal_home_t staff_ethereal_home_t sysadm_ethereal_home_t };
|
||||
typealias ethereal_home_t alias { auditadm_ethereal_home_t secadm_ethereal_home_t };
|
||||
files_poly_member(ethereal_home_t)
|
||||
userdom_user_home_content(ethereal_home_t)
|
||||
|
||||
type ethereal_tmp_t;
|
||||
typealias ethereal_tmp_t alias { user_ethereal_tmp_t staff_ethereal_tmp_t sysadm_ethereal_tmp_t };
|
||||
typealias ethereal_tmp_t alias { auditadm_ethereal_tmp_t secadm_ethereal_tmp_t };
|
||||
files_tmp_file(ethereal_tmp_t)
|
||||
ubac_constrained(ethereal_tmp_t)
|
||||
|
||||
type ethereal_tmpfs_t;
|
||||
typealias ethereal_tmpfs_t alias { user_ethereal_tmpfs_t staff_ethereal_tmpfs_t sysadm_ethereal_tmpfs_t };
|
||||
typealias ethereal_tmpfs_t alias { auditadm_ethereal_tmpfs_t secadm_ethereal_tmpfs_t };
|
||||
files_tmpfs_file(ethereal_tmpfs_t)
|
||||
ubac_constrained(ethereal_tmpfs_t)
|
||||
|
||||
type tethereal_t;
|
||||
type tethereal_exec_t;
|
||||
@ -16,6 +38,99 @@ application_domain(tethereal_t, tethereal_exec_t)
|
||||
type tethereal_tmp_t;
|
||||
files_tmp_file(tethereal_tmp_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# Local Policy
|
||||
#
|
||||
|
||||
allow ethereal_t self:capability { net_admin net_raw setgid };
|
||||
allow ethereal_t self:process { signal getsched };
|
||||
allow ethereal_t self:fifo_file { getattr read write };
|
||||
allow ethereal_t self:shm destroy;
|
||||
allow ethereal_t self:shm create_shm_perms;
|
||||
allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
|
||||
allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
|
||||
allow ethereal_t self:tcp_socket create_socket_perms;
|
||||
allow ethereal_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Re-execute itself (why?)
|
||||
can_exec(ethereal_t, ethereal_exec_t)
|
||||
corecmd_search_bin(ethereal_t)
|
||||
|
||||
# /home/.ethereal
|
||||
manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
|
||||
manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
|
||||
manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
|
||||
userdom_user_home_dir_filetrans(ethereal_t, ethereal_home_t, dir)
|
||||
|
||||
# Store temporary files
|
||||
manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
|
||||
manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
|
||||
files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
|
||||
manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
|
||||
manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
|
||||
manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
|
||||
manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
|
||||
fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctls(ethereal_t)
|
||||
kernel_read_system_state(ethereal_t)
|
||||
kernel_read_sysctl(ethereal_t)
|
||||
|
||||
corecmd_search_bin(ethereal_t)
|
||||
|
||||
corenet_tcp_connect_generic_port(ethereal_t)
|
||||
corenet_tcp_sendrecv_generic_if(ethereal_t)
|
||||
|
||||
dev_read_urand(ethereal_t)
|
||||
|
||||
files_read_etc_files(ethereal_t)
|
||||
files_read_usr_files(ethereal_t)
|
||||
|
||||
fs_list_inotifyfs(ethereal_t)
|
||||
fs_search_auto_mountpoints(ethereal_t)
|
||||
|
||||
libs_read_lib_files(ethereal_t)
|
||||
|
||||
miscfiles_read_fonts(ethereal_t)
|
||||
miscfiles_read_localization(ethereal_t)
|
||||
|
||||
seutil_use_newrole_fds(ethereal_t)
|
||||
|
||||
sysnet_read_config(ethereal_t)
|
||||
|
||||
userdom_manage_user_home_content_files(ethereal_t)
|
||||
userdom_use_user_terminals(ethereal_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(ethereal_t)
|
||||
fs_manage_nfs_files(ethereal_t)
|
||||
fs_manage_nfs_symlinks(ethereal_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(ethereal_t)
|
||||
fs_manage_cifs_files(ethereal_t)
|
||||
fs_manage_cifs_symlinks(ethereal_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ethereal_t)
|
||||
')
|
||||
|
||||
# Manual transition from userhelper
|
||||
optional_policy(`
|
||||
userhelper_use_fd(ethereal_t)
|
||||
userhelper_sigchld(ethereal_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets(ethereal_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Tethereal policy
|
||||
@ -48,6 +163,8 @@ seutil_use_newrole_fds(tethereal_t)
|
||||
|
||||
sysnet_dns_name_resolve(tethereal_t)
|
||||
|
||||
userdom_use_user_terminals(tethereal_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(tethereal_t)
|
||||
')
|
||||
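Review bot: In the declarations, `ethereal_t`, `ethereal_tmp_t` and `ethereal_tmpfs_t` are each marked `ubac_constrained(...)`, but the context lines of the second hunk show `tethereal_tmp_t` with only `files_tmp_file(tethereal_tmp_t)`, and nothing visible constrains `tethereal_t` either. Since the last hunk adds `userdom_use_user_terminals(tethereal_t)`, tethereal appears to run from user sessions, so its temporary files would presumably share one label with no user-based separation even when UBAC is enabled. If that is not intended, add `ubac_constrained(tethereal_tmp_t)` after `files_tmp_file(tethereal_tmp_t)` (and likewise for `tethereal_t`); if it is intended, a one-line comment such as `# tethereal is not UBAC constrained: <reason>` would record the decision. Part of the `tethereal_t` declaration lies between hunks, so an existing constraint there cannot be ruled out from this page. Separately, `corecmd_search_bin(ethereal_t)` is now called twice in the local policy and one call can be dropped.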
|
@ -2,13 +2,13 @@
|
||||
# HOME_DIR/
|
||||
#
|
||||
|
||||
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
|
||||
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
|
||||
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
|
||||
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
|
||||
|
||||
#
|
||||
# /tmp
|
||||
#
|
||||
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
|
||||
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
@ -1,795 +1,71 @@
|
||||
## <summary>Evolution email client</summary>
|
||||
|
||||
#######################################
|
||||
########################################
|
||||
## <summary>
|
||||
## The per role template for the evolution module.
|
||||
## Role access for evolution
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for evolution email client and other related evolution applications such as webcal and alarm
|
||||
## type is also created to protect the user evolution keys.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`evolution_per_role_template',`
|
||||
interface(`evolution_role',`
|
||||
gen_require(`
|
||||
type evolution_t, evolution_exec_t, evolution_home_t;
|
||||
type evolution_alarm_t, evolution_alarm_exec_t;
|
||||
type evolution_exchange_t, evolution_exchange_exec_t;
|
||||
type evolution_exchange_orbit_tmp_t;
|
||||
type evolution_server_t, evolution_server_exec_t;
|
||||
type evolution_webcal_t, evolution_webcal_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
|
||||
role $1 types { evolution_server_t evolution_webcal_t };
|
||||
|
||||
type $1_evolution_t;
|
||||
application_domain($1_evolution_t, evolution_exec_t)
|
||||
role $3 types $1_evolution_t;
|
||||
domtrans_pattern($2, evolution_exec_t, evolution_t)
|
||||
domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
|
||||
domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
|
||||
domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
|
||||
domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
|
||||
|
||||
type $1_evolution_tmpfs_t;
|
||||
files_tmpfs_file($1_evolution_tmpfs_t)
|
||||
ps_process_pattern($2, evolution_t)
|
||||
ps_process_pattern($2, evolution_alarm_t)
|
||||
ps_process_pattern($2, evolution_exchange_t)
|
||||
ps_process_pattern($2, evolution_server_t)
|
||||
ps_process_pattern($2, evolution_webcal_t)
|
||||
|
||||
type $1_evolution_home_t alias $1_evolution_rw_t;
|
||||
files_poly_member($1_evolution_home_t)
|
||||
userdom_user_home_content($1, $1_evolution_home_t)
|
||||
allow evolution_t $2:dir search;
|
||||
allow evolution_t $2:file read;
|
||||
allow evolution_t $2:lnk_file read;
|
||||
allow evolution_t $2:unix_stream_socket connectto;
|
||||
|
||||
type $1_evolution_orbit_tmp_t;
|
||||
files_tmp_file($1_evolution_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_alarm_t;
|
||||
application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
|
||||
role $3 types $1_evolution_alarm_t;
|
||||
|
||||
type $1_evolution_alarm_tmpfs_t;
|
||||
files_tmpfs_file($1_evolution_alarm_tmpfs_t)
|
||||
|
||||
type $1_evolution_alarm_orbit_tmp_t;
|
||||
files_tmp_file($1_evolution_alarm_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_exchange_t;
|
||||
application_domain($1_evolution_exchange_t, evolution_exchange_exec_t)
|
||||
role $3 types $1_evolution_exchange_t;
|
||||
|
||||
type $1_evolution_exchange_tmpfs_t;
|
||||
files_tmpfs_file($1_evolution_exchange_tmpfs_t)
|
||||
|
||||
type $1_evolution_exchange_tmp_t;
|
||||
files_tmp_file($1_evolution_exchange_tmp_t)
|
||||
|
||||
type $1_evolution_exchange_orbit_tmp_t;
|
||||
files_tmp_file($1_evolution_exchange_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_server_t;
|
||||
application_domain($1_evolution_server_t, evolution_server_exec_t)
|
||||
role $3 types $1_evolution_server_t;
|
||||
|
||||
type $1_evolution_server_orbit_tmp_t;
|
||||
files_tmp_file($1_evolution_server_orbit_tmp_t)
|
||||
|
||||
type $1_evolution_webcal_t;
|
||||
application_domain($1_evolution_webcal_t, evolution_webcal_exec_t)
|
||||
role $3 types $1_evolution_webcal_t;
|
||||
|
||||
type $1_evolution_webcal_tmpfs_t;
|
||||
files_tmpfs_file($1_evolution_webcal_tmpfs_t)
|
||||
|
||||
type $1_orbit_tmp_t;
|
||||
files_tmp_file($1_orbit_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_t self:capability { setuid setgid sys_nice };
|
||||
allow $1_evolution_t self:process { signal getsched setsched };
|
||||
allow $1_evolution_t self:fifo_file rw_file_perms;
|
||||
allow $1_evolution_t self:tcp_socket create_socket_perms;
|
||||
allow $1_evolution_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_alarm_t:file read;
|
||||
|
||||
allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
can_exec($1_evolution_t, evolution_alarm_exec_t)
|
||||
|
||||
allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
|
||||
allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file })
|
||||
|
||||
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
|
||||
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file })
|
||||
|
||||
allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_server_t:file read;
|
||||
|
||||
allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
can_exec($1_evolution_t, evolution_server_exec_t)
|
||||
|
||||
allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
|
||||
allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $1_evolution_t $2:dir search;
|
||||
allow $1_evolution_t $2:fd use;
|
||||
allow $1_evolution_t $2:file read;
|
||||
allow $1_evolution_t $2:lnk_file read;
|
||||
allow $1_evolution_t $2:process sigchld;
|
||||
allow $1_evolution_t $2:unix_stream_socket connectto;
|
||||
allow $1_evolution_t $2:dir search;
|
||||
allow $1_evolution_t $2:file read;
|
||||
|
||||
domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
|
||||
|
||||
allow $2 $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $2 $1_evolution_t:process noatsecure;
|
||||
allow $2 $1_evolution_t:process signal_perms;
|
||||
allow $2 evolution_t:unix_stream_socket connectto;
|
||||
allow $2 evolution_t:process noatsecure;
|
||||
allow $2 evolution_t:process signal_perms;
|
||||
|
||||
# Access .evolution
|
||||
allow $2 $1_evolution_home_t:dir manage_dir_perms;
|
||||
allow $2 $1_evolution_home_t:file manage_file_perms;
|
||||
allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
|
||||
userdom_search_user_home_dirs($1, $1_evolution_t)
|
||||
allow $2 evolution_home_t:dir manage_dir_perms;
|
||||
allow $2 evolution_home_t:file manage_file_perms;
|
||||
allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
|
||||
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2, $1_evolution_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state($1_evolution_t)
|
||||
|
||||
#FIXME check to see if really needed
|
||||
kernel_read_kernel_sysctls($1_evolution_t)
|
||||
kernel_read_system_state($1_evolution_t)
|
||||
# Allow netstat
|
||||
kernel_read_network_state($1_evolution_t)
|
||||
kernel_read_net_sysctls($1_evolution_t)
|
||||
|
||||
corecmd_exec_shell($1_evolution_t)
|
||||
# Run various programs
|
||||
corecmd_exec_bin($1_evolution_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_evolution_t)
|
||||
corenet_all_recvfrom_netlabel($1_evolution_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_udp_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_evolution_t)
|
||||
corenet_tcp_sendrecv_pop_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_pop_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_smtp_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_smtp_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_innd_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_innd_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_ldap_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_ldap_port($1_evolution_t)
|
||||
corenet_tcp_sendrecv_ipp_port($1_evolution_t)
|
||||
corenet_udp_sendrecv_ipp_port($1_evolution_t)
|
||||
corenet_tcp_connect_pop_port($1_evolution_t)
|
||||
corenet_tcp_connect_smtp_port($1_evolution_t)
|
||||
corenet_tcp_connect_innd_port($1_evolution_t)
|
||||
corenet_tcp_connect_ldap_port($1_evolution_t)
|
||||
corenet_tcp_connect_ipp_port($1_evolution_t)
|
||||
corenet_sendrecv_pop_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_smtp_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_innd_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_ldap_client_packets($1_evolution_t)
|
||||
corenet_sendrecv_ipp_client_packets($1_evolution_t)
|
||||
# not sure about this bind
|
||||
corenet_udp_bind_all_nodes($1_evolution_t)
|
||||
corenet_udp_bind_generic_port($1_evolution_t)
|
||||
|
||||
dev_read_urand($1_evolution_t)
|
||||
|
||||
files_read_etc_files($1_evolution_t)
|
||||
files_read_usr_files($1_evolution_t)
|
||||
files_read_usr_symlinks($1_evolution_t)
|
||||
files_read_var_files($1_evolution_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_t)
|
||||
|
||||
logging_send_syslog_msg($1_evolution_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_t)
|
||||
|
||||
sysnet_read_config($1_evolution_t)
|
||||
sysnet_dns_name_resolve($1_evolution_t)
|
||||
|
||||
udev_read_state($1_evolution_t)
|
||||
|
||||
userdom_rw_user_tmp_files($1, $1_evolution_t)
|
||||
userdom_manage_user_tmp_dirs($1, $1_evolution_t)
|
||||
userdom_manage_user_tmp_sockets($1, $1_evolution_t)
|
||||
userdom_manage_user_tmp_files($1, $1_evolution_t)
|
||||
userdom_use_user_terminals($1, $1_evolution_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t)
|
||||
|
||||
mta_read_config($1_evolution_t)
|
||||
|
||||
xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t)
|
||||
xserver_read_xdm_tmp_files($1_evolution_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_evolution_t)
|
||||
fs_manage_nfs_files($1_evolution_t)
|
||||
fs_manage_nfs_symlinks($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_evolution_t)
|
||||
fs_manage_cifs_files($1_evolution_t)
|
||||
fs_manage_cifs_symlinks($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
|
||||
fs_list_auto_mountpoints($1_evolution_t)
|
||||
files_list_home($1_evolution_t)
|
||||
fs_read_nfs_files($1_evolution_t)
|
||||
fs_read_nfs_symlinks($1_evolution_t)
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
|
||||
fs_dontaudit_read_nfs_files($1_evolution_t)
|
||||
fs_dontaudit_list_nfs($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && use_samba_home_dirs',`
|
||||
fs_list_auto_mountpoints($1_evolution_t)
|
||||
files_list_home($1_evolution_t)
|
||||
fs_read_cifs_files($1_evolution_t)
|
||||
fs_read_cifs_symlinks($1_evolution_t)
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
|
||||
fs_dontaudit_read_cifs_files($1_evolution_t)
|
||||
fs_dontaudit_list_cifs($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content',`
|
||||
userdom_list_user_tmp($1, $1_evolution_t)
|
||||
userdom_read_user_tmp_files($1, $1_evolution_t)
|
||||
userdom_read_user_tmp_symlinks($1, $1_evolution_t)
|
||||
userdom_search_user_home_dirs($1, $1_evolution_t)
|
||||
userdom_read_user_home_content_files($1, $1_evolution_t)
|
||||
userdom_read_user_home_content_symlinks($1, $1_evolution_t)
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable($1_evolution_t)
|
||||
fs_read_removable_files($1_evolution_t)
|
||||
fs_read_removable_symlinks($1_evolution_t)
|
||||
')
|
||||
',`
|
||||
files_dontaudit_list_tmp($1_evolution_t)
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
fs_dontaudit_list_removable($1_evolution_t)
|
||||
fs_dontaudit_read_removable_files($1_evolution_t)
|
||||
userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
|
||||
userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
|
||||
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && read_default_t',`
|
||||
files_list_default($1_evolution_t)
|
||||
files_read_default_files($1_evolution_t)
|
||||
files_read_default_symlinks($1_evolution_t)
|
||||
',`
|
||||
files_dontaudit_read_default_files($1_evolution_t)
|
||||
files_dontaudit_list_default($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && read_untrusted_content',`
|
||||
files_list_tmp($1_evolution_t)
|
||||
files_list_home($1_evolution_t)
|
||||
userdom_search_user_home_dirs($1,$1_evolution_t)
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_evolution_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
|
||||
userdom_list_user_tmp_untrusted_content($1, $1_evolution_t)
|
||||
userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t)
|
||||
',`
|
||||
files_dontaudit_list_tmp($1_evolution_t)
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
|
||||
userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t)
|
||||
userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t)
|
||||
userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_t)
|
||||
fs_manage_nfs_dirs($1_evolution_t)
|
||||
fs_manage_nfs_files($1_evolution_t)
|
||||
fs_manage_nfs_symlinks($1_evolution_t)
|
||||
',`
|
||||
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
|
||||
fs_dontaudit_manage_nfs_dirs($1_evolution_t)
|
||||
fs_dontaudit_manage_nfs_files($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_t)
|
||||
fs_manage_cifs_dirs($1_evolution_t)
|
||||
fs_manage_cifs_files($1_evolution_t)
|
||||
fs_manage_cifs_symlinks($1_evolution_t)
|
||||
',`
|
||||
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
|
||||
fs_dontaudit_manage_cifs_dirs($1_evolution_t)
|
||||
fs_dontaudit_manage_cifs_files($1_evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
|
||||
userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
files_dontaudit_list_tmp($1_evolution_t)
|
||||
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
|
||||
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
|
||||
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
|
||||
#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
automount_read_state($1_evolution_t)
|
||||
')
|
||||
|
||||
# Allow printing the mail
|
||||
optional_policy(`
|
||||
cups_read_rw_config($1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client_template($1_evolution, $1_evolution_t)
|
||||
dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
# Encrypt mail
|
||||
optional_policy(`
|
||||
gpg_domtrans_user_gpg($1, $1_evolution_t)
|
||||
gpg_signal_user_gpg($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_user_lpr($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mozilla_read_user_home_files($1, $1_evolution_t)
|
||||
mozilla_domtrans_user_mozilla($1, $1_evolution_t)
|
||||
')
|
||||
|
||||
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_t)
|
||||
')
|
||||
|
||||
### Junk mail filtering (start spamd)
|
||||
optional_policy(`
|
||||
spamassassin_exec_spamd($1_evolution_t)
|
||||
spamassassin_domtrans_user_client($1, $1_evolution_t)
|
||||
spamassassin_domtrans_user_local_client($1, $1_evolution_t)
|
||||
# Allow evolution to signal the daemon
|
||||
# FIXME: Now evolution can read spamd temp files
|
||||
spamassassin_read_spamd_tmp_files($1_evolution_t)
|
||||
spamassassin_signal_spamd($1_evolution_t)
|
||||
spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution, $1)
|
||||
|
||||
#TODO gnome stuff
|
||||
# Store passwords in .gnome2_private
|
||||
# Type for storing secret data
|
||||
# (different from home, not directly accessible from ROLE_t)
|
||||
type $1_evolutioin_secret_t;
|
||||
userdom_user_home_content($1,$1_evolutioin_secret_t)
|
||||
|
||||
# Put secret files in .gnome2_private
|
||||
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
|
||||
allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
|
||||
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
|
||||
|
||||
allow $2 $1_evolution_secret_t:file unlink;
|
||||
|
||||
ifdef(`TODO',`
|
||||
gnome_file_dialog($1_evolution, $1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution alarm local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_alarm_t self:process { signal getsched };
|
||||
allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
|
||||
allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
|
||||
allow $1_evolution_alarm_t $2:fd use;
|
||||
|
||||
dev_read_urand($1_evolution_alarm_t)
|
||||
|
||||
files_read_etc_files($1_evolution_alarm_t)
|
||||
files_read_usr_files($1_evolution_alarm_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_alarm_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_alarm_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t)
|
||||
|
||||
xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_alarm_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution_alarm,$1)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution exchange connector local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_exchange_t self:process getsched;
|
||||
allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
|
||||
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
# /tmp/.exchange-$USER
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
|
||||
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
|
||||
#FIXME, who should own this. I dont think this module should
|
||||
allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
|
||||
allow evolution_exchange_t $2:unix_stream_socket connectto;
|
||||
|
||||
# Clock applet talks to exchange (FIXME: Needs policy)
|
||||
allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Transition from user domain
|
||||
domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
|
||||
|
||||
kernel_read_network_state($1_evolution_exchange_t)
|
||||
kernel_read_net_sysctls($1_evolution_exchange_t)
|
||||
|
||||
# Allow netstat
|
||||
corecmd_exec_bin($1_evolution_exchange_t)
|
||||
|
||||
dev_read_urand($1_evolution_exchange_t)
|
||||
|
||||
files_read_etc_files($1_evolution_exchange_t)
|
||||
files_read_usr_files($1_evolution_exchange_t)
|
||||
|
||||
# Access evolution home
|
||||
fs_search_auto_mountpoints($1_evolution_exchange_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_exchange_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t)
|
||||
|
||||
xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution_exchange, $1)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution data server local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_server_t self:process { getsched signal };
|
||||
|
||||
allow $1_evolution_server_t self:fifo_file { read write };
|
||||
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
|
||||
# Talk to ldap (address book),
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
allow $1_evolution_server_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
|
||||
allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
|
||||
allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Transition from user type
|
||||
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
|
||||
|
||||
kernel_read_system_state($1_evolution_server_t)
|
||||
|
||||
corecmd_exec_shell($1_evolution_server_t)
|
||||
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
corenet_all_recvfrom_unlabeled($1_evolution_server_t)
|
||||
corenet_all_recvfrom_netlabel($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
|
||||
corenet_tcp_connect_http_cache_port($1_evolution_server_t)
|
||||
corenet_tcp_connect_http_port($1_evolution_server_t)
|
||||
corenet_sendrecv_http_client_packets($1_evolution_server_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
|
||||
|
||||
dev_read_urand($1_evolution_server_t)
|
||||
|
||||
files_read_etc_files($1_evolution_server_t)
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
files_read_usr_files($1_evolution_server_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_server_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_server_t)
|
||||
# Look in /etc/pki
|
||||
miscfiles_read_certs($1_evolution_server_t)
|
||||
|
||||
# Talk to ldap (address book)
|
||||
sysnet_read_config($1_evolution_server_t)
|
||||
sysnet_dns_name_resolve($1_evolution_server_t)
|
||||
sysnet_use_ldap($1_evolution_server_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1, $1_evolution_server_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files($1_evolution_server_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files($1_evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_server_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution_server, $1)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution webcal local policy
|
||||
#
|
||||
|
||||
allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
|
||||
|
||||
# X/evolution common stuff
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# Transition from user type
|
||||
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
|
||||
corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
|
||||
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
|
||||
corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
|
||||
corenet_tcp_connect_http_port($1_evolution_webcal_t)
|
||||
corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
|
||||
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
|
||||
|
||||
# Networking capability - connect to website and handle ics link
|
||||
sysnet_read_config($1_evolution_webcal_t)
|
||||
sysnet_dns_name_resolve($1_evolution_webcal_t)
|
||||
|
||||
# Search home directory (?)
|
||||
userdom_search_user_home_dirs($1, $1_evolution_webcal_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t)
|
||||
|
||||
xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_webcal_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Gnome common stuff
|
||||
gnome_application($1_evolution_webcal, $1)
|
||||
')
|
||||
allow $2 evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in users evolution home folders.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
@ -802,52 +78,36 @@ template(`evolution_per_role_template',`
|
||||
## </param>
|
||||
## <param name="class">
|
||||
## <summary>
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, dir will be used.
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`evolution_home_filetrans',`
|
||||
interface(`evolution_home_filetrans',`
|
||||
gen_require(`
|
||||
type $1_evolution_home_t;
|
||||
type evolution_home_t;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_home_t:dir rw_dir_perms;
|
||||
type_transition $2 $1_evolution_home_t:$4 $3;
|
||||
allow $1 evolution_home_t:dir rw_dir_perms;
|
||||
type_transition $1 evolution_home_t:$3 $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to user evolution unix stream socket.
|
||||
## Connect to evolution unix stream socket.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Connect to user evolution unix stream socket.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
## be called from a per-userdomain template.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`evolution_stream_connect',`
|
||||
interface(`evolution_stream_connect',`
|
||||
gen_require(`
|
||||
type $1_evolution_t, $1_evolution_home_t;
|
||||
type evolution_t, evolution_home_t;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $2 $1_evolution_home_t:dir search;
|
||||
allow $1 evolution_t:unix_stream_socket connectto;
|
||||
allow $1 evolution_home_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -855,12 +115,6 @@ template(`evolution_stream_connect',`
|
||||
## Send and receive messages from
|
||||
## evolution over dbus.
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
@ -869,12 +123,12 @@ template(`evolution_stream_connect',`
|
||||
#
|
||||
interface(`evolution_dbus_chat',`
|
||||
gen_require(`
|
||||
type $1_evolution_t;
|
||||
type evolution_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_t:dbus send_msg;
|
||||
allow $1_evolution_t $2:dbus send_msg;
|
||||
allow $1 evolution_t:dbus send_msg;
|
||||
allow evolution_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -882,12 +136,6 @@ interface(`evolution_dbus_chat',`
|
||||
## Send and receive messages from
|
||||
## evolution_alarm over dbus.
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
@ -896,10 +144,10 @@ interface(`evolution_dbus_chat',`
|
||||
#
|
||||
interface(`evolution_alarm_dbus_chat',`
|
||||
gen_require(`
|
||||
type $1_evolution_alarm_t;
|
||||
type evolution_alarm_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $2 $1_evolution_alarm_t:dbus send_msg;
|
||||
allow $1_evolution_alarm_t $2:dbus send_msg;
|
||||
allow $1 evolution_alarm_t:dbus send_msg;
|
||||
allow evolution_alarm_t $1:dbus send_msg;
|
||||
')
|
||||
|
@ -1,22 +1,629 @@
|
||||
|
||||
policy_module(evolution, 1.6.0)
|
||||
policy_module(evolution, 2.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type evolution_t;
|
||||
type evolution_exec_t;
|
||||
application_executable_file(evolution_exec_t)
|
||||
typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
|
||||
typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
|
||||
application_domain(evolution_t, evolution_exec_t)
|
||||
ubac_constrained(evolution_t)
|
||||
|
||||
type evolution_alarm_t;
|
||||
type evolution_alarm_exec_t;
|
||||
application_executable_file(evolution_alarm_exec_t)
|
||||
typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
|
||||
typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
|
||||
application_domain(evolution_alarm_t, evolution_alarm_exec_t)
|
||||
ubac_constrained(evolution_alarm_t)
|
||||
|
||||
type evolution_alarm_tmpfs_t;
|
||||
typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
|
||||
typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
|
||||
files_tmpfs_file(evolution_alarm_tmpfs_t)
|
||||
ubac_constrained(evolution_alarm_tmpfs_t)
|
||||
|
||||
type evolution_alarm_orbit_tmp_t;
|
||||
typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
|
||||
typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
|
||||
files_tmp_file(evolution_alarm_orbit_tmp_t)
|
||||
ubac_constrained(evolution_alarm_orbit_tmp_t)
|
||||
|
||||
type evolution_exchange_t;
|
||||
type evolution_exchange_exec_t;
|
||||
application_executable_file(evolution_exchange_exec_t)
|
||||
typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
|
||||
typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
|
||||
application_domain(evolution_exchange_t, evolution_exchange_exec_t)
|
||||
ubac_constrained(evolution_exchange_t)
|
||||
|
||||
type evolution_exchange_tmpfs_t;
|
||||
typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
|
||||
typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
|
||||
files_tmpfs_file(evolution_exchange_tmpfs_t)
|
||||
ubac_constrained(evolution_exchange_tmpfs_t)
|
||||
|
||||
type evolution_exchange_tmp_t;
|
||||
typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
|
||||
typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
|
||||
files_tmp_file(evolution_exchange_tmp_t)
|
||||
ubac_constrained(evolution_exchange_tmp_t)
|
||||
|
||||
type evolution_exchange_orbit_tmp_t;
|
||||
typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
|
||||
typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
|
||||
files_tmp_file(evolution_exchange_orbit_tmp_t)
|
||||
ubac_constrained(evolution_exchange_orbit_tmp_t)
|
||||
|
||||
type evolution_home_t;
|
||||
typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
|
||||
typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
|
||||
files_poly_member(evolution_home_t)
|
||||
userdom_user_home_content(evolution_home_t)
|
||||
|
||||
type evolution_orbit_tmp_t;
|
||||
typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
|
||||
typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
|
||||
files_tmp_file(evolution_orbit_tmp_t)
|
||||
ubac_constrained(evolution_orbit_tmp_t)
|
||||
|
||||
type evolution_server_t;
|
||||
type evolution_server_exec_t;
|
||||
application_executable_file(evolution_server_exec_t)
|
||||
typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
|
||||
typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
|
||||
application_domain(evolution_server_t, evolution_server_exec_t)
|
||||
ubac_constrained(evolution_server_t)
|
||||
|
||||
type evolution_server_orbit_tmp_t;
|
||||
typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
|
||||
typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
|
||||
files_tmp_file(evolution_server_orbit_tmp_t)
|
||||
ubac_constrained(evolution_server_orbit_tmp_t)
|
||||
|
||||
type evolution_tmpfs_t;
|
||||
typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
|
||||
typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
|
||||
files_tmpfs_file(evolution_tmpfs_t)
|
||||
ubac_constrained(evolution_tmpfs_t)
|
||||
|
||||
type evolution_webcal_t;
|
||||
type evolution_webcal_exec_t;
|
||||
application_executable_file(evolution_webcal_exec_t)
|
||||
typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
|
||||
typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
|
||||
application_domain(evolution_webcal_t, evolution_webcal_exec_t)
|
||||
ubac_constrained(evolution_webcal_t)
|
||||
|
||||
type evolution_webcal_tmpfs_t;
|
||||
typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
|
||||
typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
|
||||
files_tmpfs_file(evolution_webcal_tmpfs_t)
|
||||
ubac_constrained(evolution_webcal_tmpfs_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution local policy
|
||||
#
|
||||
|
||||
allow evolution_t self:capability { setuid setgid sys_nice };
|
||||
allow evolution_t self:process { signal getsched setsched };
|
||||
allow evolution_t self:fifo_file rw_file_perms;
|
||||
allow evolution_t self:tcp_socket create_socket_perms;
|
||||
allow evolution_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow evolution_t evolution_alarm_t:dir search_dir_perms;
|
||||
allow evolution_t evolution_alarm_t:file read;
|
||||
|
||||
allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
can_exec(evolution_t, evolution_alarm_exec_t)
|
||||
|
||||
allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow evolution_t evolution_home_t:dir manage_dir_perms;
|
||||
allow evolution_t evolution_home_t:file manage_file_perms;
|
||||
allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
userdom_search_user_home_dirs(evolution_t)
|
||||
|
||||
allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
|
||||
allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
|
||||
|
||||
allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
|
||||
allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
|
||||
|
||||
allow evolution_t evolution_server_t:dir search_dir_perms;
|
||||
allow evolution_t evolution_server_t:file read;
|
||||
|
||||
allow evolution_t evolution_server_t:unix_stream_socket connectto;
|
||||
allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
can_exec(evolution_t, evolution_server_exec_t)
|
||||
|
||||
allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
|
||||
allow evolution_t evolution_tmpfs_t:file manage_file_perms;
|
||||
allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
#FIXME check to see if really needed
|
||||
kernel_read_kernel_sysctls(evolution_t)
|
||||
kernel_read_system_state(evolution_t)
|
||||
# Allow netstat
|
||||
kernel_read_network_state(evolution_t)
|
||||
kernel_read_net_sysctls(evolution_t)
|
||||
|
||||
corecmd_exec_shell(evolution_t)
|
||||
# Run various programs
|
||||
corecmd_exec_bin(evolution_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(evolution_t)
|
||||
corenet_all_recvfrom_netlabel(evolution_t)
|
||||
corenet_tcp_sendrecv_generic_if(evolution_t)
|
||||
corenet_udp_sendrecv_generic_if(evolution_t)
|
||||
corenet_raw_sendrecv_generic_if(evolution_t)
|
||||
corenet_tcp_sendrecv_all_nodes(evolution_t)
|
||||
corenet_udp_sendrecv_all_nodes(evolution_t)
|
||||
corenet_tcp_sendrecv_pop_port(evolution_t)
|
||||
corenet_udp_sendrecv_pop_port(evolution_t)
|
||||
corenet_tcp_sendrecv_smtp_port(evolution_t)
|
||||
corenet_udp_sendrecv_smtp_port(evolution_t)
|
||||
corenet_tcp_sendrecv_innd_port(evolution_t)
|
||||
corenet_udp_sendrecv_innd_port(evolution_t)
|
||||
corenet_tcp_sendrecv_ldap_port(evolution_t)
|
||||
corenet_udp_sendrecv_ldap_port(evolution_t)
|
||||
corenet_tcp_sendrecv_ipp_port(evolution_t)
|
||||
corenet_udp_sendrecv_ipp_port(evolution_t)
|
||||
corenet_tcp_connect_pop_port(evolution_t)
|
||||
corenet_tcp_connect_smtp_port(evolution_t)
|
||||
corenet_tcp_connect_innd_port(evolution_t)
|
||||
corenet_tcp_connect_ldap_port(evolution_t)
|
||||
corenet_tcp_connect_ipp_port(evolution_t)
|
||||
corenet_sendrecv_pop_client_packets(evolution_t)
|
||||
corenet_sendrecv_smtp_client_packets(evolution_t)
|
||||
corenet_sendrecv_innd_client_packets(evolution_t)
|
||||
corenet_sendrecv_ldap_client_packets(evolution_t)
|
||||
corenet_sendrecv_ipp_client_packets(evolution_t)
|
||||
# not sure about this bind
|
||||
corenet_udp_bind_all_nodes(evolution_t)
|
||||
corenet_udp_bind_generic_port(evolution_t)
|
||||
|
||||
dev_read_urand(evolution_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(evolution_t)
|
||||
|
||||
files_read_etc_files(evolution_t)
|
||||
files_read_usr_files(evolution_t)
|
||||
files_read_usr_symlinks(evolution_t)
|
||||
files_read_var_files(evolution_t)
|
||||
|
||||
fs_search_auto_mountpoints(evolution_t)
|
||||
|
||||
logging_send_syslog_msg(evolution_t)
|
||||
|
||||
miscfiles_read_localization(evolution_t)
|
||||
|
||||
sysnet_read_config(evolution_t)
|
||||
sysnet_dns_name_resolve(evolution_t)
|
||||
|
||||
udev_read_state(evolution_t)
|
||||
|
||||
userdom_rw_user_tmp_files(evolution_t)
|
||||
userdom_manage_user_tmp_dirs(evolution_t)
|
||||
userdom_manage_user_tmp_sockets(evolution_t)
|
||||
userdom_manage_user_tmp_files(evolution_t)
|
||||
userdom_use_user_terminals(evolution_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_t)
|
||||
|
||||
mta_read_config(evolution_t)
|
||||
|
||||
xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
|
||||
xserver_read_xdm_tmp_files(evolution_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(evolution_t)
|
||||
fs_manage_nfs_files(evolution_t)
|
||||
fs_manage_nfs_symlinks(evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(evolution_t)
|
||||
fs_manage_cifs_files(evolution_t)
|
||||
fs_manage_cifs_symlinks(evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
|
||||
fs_list_auto_mountpoints(evolution_t)
|
||||
files_list_home(evolution_t)
|
||||
fs_read_nfs_files(evolution_t)
|
||||
fs_read_nfs_symlinks(evolution_t)
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home(evolution_t)
|
||||
fs_dontaudit_list_auto_mountpoints(evolution_t)
|
||||
fs_dontaudit_read_nfs_files(evolution_t)
|
||||
fs_dontaudit_list_nfs(evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && use_samba_home_dirs',`
|
||||
fs_list_auto_mountpoints(evolution_t)
|
||||
files_list_home(evolution_t)
|
||||
fs_read_cifs_files(evolution_t)
|
||||
fs_read_cifs_symlinks(evolution_t)
|
||||
',`
|
||||
files_dontaudit_list_home(evolution_t)
|
||||
fs_dontaudit_list_auto_mountpoints(evolution_t)
|
||||
fs_dontaudit_read_cifs_files(evolution_t)
|
||||
fs_dontaudit_list_cifs(evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content',`
|
||||
userdom_list_user_tmp(evolution_t)
|
||||
userdom_read_user_tmp_files(evolution_t)
|
||||
userdom_read_user_tmp_symlinks(evolution_t)
|
||||
userdom_read_user_home_content_files(evolution_t)
|
||||
userdom_read_user_home_content_symlinks(evolution_t)
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable(evolution_t)
|
||||
fs_read_removable_files(evolution_t)
|
||||
fs_read_removable_symlinks(evolution_t)
|
||||
')
|
||||
',`
|
||||
files_dontaudit_list_tmp(evolution_t)
|
||||
files_dontaudit_list_home(evolution_t)
|
||||
fs_dontaudit_list_removable(evolution_t)
|
||||
fs_dontaudit_read_removable_files(evolution_t)
|
||||
userdom_dontaudit_list_user_tmp(evolution_t)
|
||||
userdom_dontaudit_read_user_tmp_files(evolution_t)
|
||||
userdom_dontaudit_list_user_home_dirs(evolution_t)
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_t)
|
||||
')
|
||||
|
||||
tunable_policy(`mail_read_content && read_default_t',`
|
||||
files_list_default(evolution_t)
|
||||
files_read_default_files(evolution_t)
|
||||
files_read_default_symlinks(evolution_t)
|
||||
',`
|
||||
files_dontaudit_read_default_files(evolution_t)
|
||||
files_dontaudit_list_default(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
automount_read_state(evolution_t)
|
||||
')
|
||||
|
||||
# Allow printing the mail
|
||||
optional_policy(`
|
||||
cups_read_rw_config(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(evolution_t)
|
||||
dbus_session_bus_client(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf(evolution_t)
|
||||
')
|
||||
|
||||
# Encrypt mail
|
||||
optional_policy(`
|
||||
gpg_domtrans(evolution_t)
|
||||
gpg_signal(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_lpr(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mozilla_read_user_home_files(evolution_t)
|
||||
mozilla_domtrans(evolution_t)
|
||||
')
|
||||
|
||||
# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
|
||||
optional_policy(`
|
||||
nis_use_ypbind(evolution_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(evolution_t)
|
||||
')
|
||||
|
||||
### Junk mail filtering (start spamd)
|
||||
optional_policy(`
|
||||
spamassassin_exec_spamd(evolution_t)
|
||||
spamassassin_domtrans_client(evolution_t)
|
||||
spamassassin_domtrans_local_client(evolution_t)
|
||||
# Allow evolution to signal the daemon
|
||||
# FIXME: Now evolution can read spamd temp files
|
||||
spamassassin_read_spamd_tmp_files(evolution_t)
|
||||
spamassassin_signal_spamd(evolution_t)
|
||||
spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution alarm local policy
|
||||
#
|
||||
|
||||
allow evolution_alarm_t self:process { signal getsched };
|
||||
allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
|
||||
allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
|
||||
allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
|
||||
allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
|
||||
allow evolution_alarm_t evolution_home_t:file manage_file_perms;
|
||||
allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
|
||||
allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
dev_read_urand(evolution_alarm_t)
|
||||
|
||||
files_read_etc_files(evolution_alarm_t)
|
||||
files_read_usr_files(evolution_alarm_t)
|
||||
|
||||
fs_search_auto_mountpoints(evolution_alarm_t)
|
||||
|
||||
miscfiles_read_localization(evolution_alarm_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs(evolution_alarm_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
|
||||
|
||||
xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(evolution_alarm_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_session_bus_client(evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf(evolution_alarm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(evolution_alarm_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution exchange connector local policy
|
||||
#
|
||||
|
||||
allow evolution_exchange_t self:process getsched;
|
||||
allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow evolution_exchange_t self:tcp_socket create_socket_perms;
|
||||
allow evolution_exchange_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
|
||||
allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
|
||||
allow evolution_exchange_t evolution_home_t:file manage_file_perms;
|
||||
allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
|
||||
allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
|
||||
|
||||
# /tmp/.exchange-$USER
|
||||
allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
|
||||
allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
|
||||
|
||||
allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
|
||||
allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
|
||||
allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_network_state(evolution_exchange_t)
|
||||
kernel_read_net_sysctls(evolution_exchange_t)
|
||||
|
||||
# Allow netstat
|
||||
corecmd_exec_bin(evolution_exchange_t)
|
||||
|
||||
dev_read_urand(evolution_exchange_t)
|
||||
|
||||
files_read_etc_files(evolution_exchange_t)
|
||||
files_read_usr_files(evolution_exchange_t)
|
||||
|
||||
# Access evolution home
|
||||
fs_search_auto_mountpoints(evolution_exchange_t)
|
||||
|
||||
miscfiles_read_localization(evolution_exchange_t)
|
||||
|
||||
userdom_write_user_tmp_sockets(evolution_exchange_t)
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs(evolution_exchange_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
|
||||
|
||||
xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(evolution_exchange_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf(evolution_exchange_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(evolution_exchange_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution data server local policy
|
||||
#
|
||||
|
||||
allow evolution_server_t self:process { getsched signal };
|
||||
|
||||
allow evolution_server_t self:fifo_file { read write };
|
||||
allow evolution_server_t self:unix_stream_socket { accept connectto };
|
||||
# Talk to ldap (address book),
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
allow evolution_server_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow evolution_server_t evolution_t:unix_stream_socket connectto;
|
||||
allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
|
||||
|
||||
allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
|
||||
allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
|
||||
|
||||
# Access evolution home
|
||||
allow evolution_server_t evolution_home_t:dir manage_dir_perms;
|
||||
allow evolution_server_t evolution_home_t:file manage_file_perms;
|
||||
allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
|
||||
allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
|
||||
|
||||
kernel_read_system_state(evolution_server_t)
|
||||
|
||||
corecmd_exec_shell(evolution_server_t)
|
||||
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
corenet_all_recvfrom_unlabeled(evolution_server_t)
|
||||
corenet_all_recvfrom_netlabel(evolution_server_t)
|
||||
corenet_tcp_sendrecv_generic_if(evolution_server_t)
|
||||
corenet_tcp_sendrecv_all_nodes(evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_port(evolution_server_t)
|
||||
corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
|
||||
corenet_tcp_connect_http_cache_port(evolution_server_t)
|
||||
corenet_tcp_connect_http_port(evolution_server_t)
|
||||
corenet_sendrecv_http_client_packets(evolution_server_t)
|
||||
corenet_sendrecv_http_cache_client_packets(evolution_server_t)
|
||||
|
||||
dev_read_urand(evolution_server_t)
|
||||
|
||||
files_read_etc_files(evolution_server_t)
|
||||
# Obtain weather data via http (read server name from xml file in /usr)
|
||||
files_read_usr_files(evolution_server_t)
|
||||
|
||||
fs_search_auto_mountpoints(evolution_server_t)
|
||||
|
||||
miscfiles_read_localization(evolution_server_t)
|
||||
# Look in /etc/pki
|
||||
miscfiles_read_certs(evolution_server_t)
|
||||
|
||||
# Talk to ldap (address book)
|
||||
sysnet_read_config(evolution_server_t)
|
||||
sysnet_dns_name_resolve(evolution_server_t)
|
||||
sysnet_use_ldap(evolution_server_t)
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs(evolution_server_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_server_t)
|
||||
|
||||
# Access evolution home
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(evolution_server_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_files(evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf(evolution_server_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(evolution_server_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Evolution webcal local policy
|
||||
#
|
||||
|
||||
allow evolution_webcal_t self:tcp_socket create_socket_perms;
|
||||
|
||||
# X/evolution common stuff
|
||||
allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
|
||||
allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
|
||||
allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
|
||||
allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
|
||||
allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
|
||||
fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
corenet_all_recvfrom_unlabeled(evolution_webcal_t)
|
||||
corenet_all_recvfrom_netlabel(evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
|
||||
corenet_raw_sendrecv_generic_if(evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_all_nodes(evolution_webcal_t)
|
||||
corenet_raw_sendrecv_all_nodes(evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_port(evolution_webcal_t)
|
||||
corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
|
||||
corenet_tcp_connect_http_cache_port(evolution_webcal_t)
|
||||
corenet_tcp_connect_http_port(evolution_webcal_t)
|
||||
corenet_sendrecv_http_client_packets(evolution_webcal_t)
|
||||
corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
|
||||
|
||||
# Networking capability - connect to website and handle ics link
|
||||
sysnet_read_config(evolution_webcal_t)
|
||||
sysnet_dns_name_resolve(evolution_webcal_t)
|
||||
|
||||
# Search home directory (?)
|
||||
userdom_search_user_home_dirs(evolution_webcal_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
|
||||
# until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
|
||||
|
||||
xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(evolution_webcal_t)
|
||||
')
|
||||
|
@ -1,164 +1,32 @@
|
||||
## <summary>Games</summary>
|
||||
|
||||
#######################################
|
||||
############################################################
|
||||
## <summary>
|
||||
## The per role template for the games module.
|
||||
## Role access for games
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for games.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`games_per_role_template',`
|
||||
|
||||
interface(`games_role',`
|
||||
gen_require(`
|
||||
type games_exec_t, games_data_t;
|
||||
type games_t, games_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
role $1 types games_t;
|
||||
|
||||
type $1_games_t;
|
||||
application_domain($1_games_t, games_exec_t)
|
||||
role $3 types $1_games_t;
|
||||
domtrans_pattern($2, games_exec_t, games_t)
|
||||
allow $2 games_t:unix_stream_socket connectto;
|
||||
allow games_t $2:unix_stream_socket connectto;
|
||||
|
||||
type $1_games_devpts_t;
|
||||
term_pty($1_games_devpts_t)
|
||||
|
||||
type $1_games_tmpfs_t;
|
||||
files_tmpfs_file($1_games_tmpfs_t)
|
||||
|
||||
type $1_games_tmp_t;
|
||||
files_tmp_file($1_games_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow $1_games_t self:sem create_sem_perms;
|
||||
allow $1_games_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_games_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern($1_games_t, games_data_t, games_data_t)
|
||||
manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t)
|
||||
|
||||
allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty($1_games_t,$1_games_devpts_t)
|
||||
|
||||
manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
|
||||
manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
|
||||
files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
|
||||
manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
|
||||
manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
|
||||
manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
|
||||
fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
can_exec($1_games_t, games_exec_t)
|
||||
|
||||
domain_auto_trans($2, games_exec_t, $1_games_t)
|
||||
allow $2 $1_games_t:unix_stream_socket connectto;
|
||||
allow $1_games_t $2:unix_stream_socket connectto;
|
||||
|
||||
kernel_read_system_state($1_games_t)
|
||||
|
||||
corecmd_exec_bin($1_games_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_games_t)
|
||||
corenet_all_recvfrom_netlabel($1_games_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_games_t)
|
||||
corenet_udp_sendrecv_generic_if($1_games_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_games_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_games_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_games_t)
|
||||
corenet_udp_sendrecv_all_ports($1_games_t)
|
||||
corenet_tcp_bind_all_nodes($1_games_t)
|
||||
corenet_tcp_bind_generic_port($1_games_t)
|
||||
corenet_tcp_connect_generic_port($1_games_t)
|
||||
corenet_sendrecv_generic_client_packets($1_games_t)
|
||||
corenet_sendrecv_generic_server_packets($1_games_t)
|
||||
|
||||
dev_read_sound($1_games_t)
|
||||
dev_write_sound($1_games_t)
|
||||
dev_read_input($1_games_t)
|
||||
dev_read_mouse($1_games_t)
|
||||
dev_read_urand($1_games_t)
|
||||
|
||||
files_list_var($1_games_t)
|
||||
files_search_var_lib($1_games_t)
|
||||
files_dontaudit_search_var($1_games_t)
|
||||
files_read_etc_files($1_games_t)
|
||||
files_read_usr_files($1_games_t)
|
||||
files_read_var_files($1_games_t)
|
||||
|
||||
init_dontaudit_rw_utmp($1_games_t)
|
||||
|
||||
logging_dontaudit_search_logs($1_games_t)
|
||||
|
||||
miscfiles_read_man_pages($1_games_t)
|
||||
miscfiles_read_localization($1_games_t)
|
||||
|
||||
sysnet_read_config($1_games_t)
|
||||
|
||||
userdom_manage_user_tmp_dirs($1,$1_games_t)
|
||||
userdom_manage_user_tmp_files($1,$1_games_t)
|
||||
userdom_manage_user_tmp_symlinks($1,$1_games_t)
|
||||
userdom_manage_user_tmp_sockets($1,$1_games_t)
|
||||
# Suppress .icons denial until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow $1_games_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_games_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets($1_games_t)
|
||||
xserver_read_xdm_lib_files($1_games_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
gnome_application($1_games, $1)
|
||||
gnome_file_dialog($1_games, $1)
|
||||
# Access /home/user/.gnome2
|
||||
# FIXME: Change to use per app types
|
||||
allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
|
||||
allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
|
||||
allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms;
|
||||
#missing policy
|
||||
optional_policy(`
|
||||
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
|
||||
')
|
||||
')
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2, games_t)
|
||||
allow $2 games_t:process signal_perms;
|
||||
')
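Review bot: With the per-role `$1_games_t` types collapsed into a single `games_t`, the closing rules of `games_role`, `ps_process_pattern($2, games_t)` and `allow $2 games_t:process signal_perms;`, no longer distinguish one caller's game processes from another's at the type level. Separation between users then appears to rest on `ubac_constrained(games_t)` in games.te, which the Makefile only enables when the policy is built with `UBAC=y`; with it off, only DAC stands between two users whose domains both call this interface. The interface header says just "Role access for games", so I would add a comment above these two rules such as `# games_t is shared by all roles; per-user separation of ps/signal access relies on UBAC.` The +/- markers are lost on this page, so the old/new side of these lines is inferred from the `games_t` entry in the `games_role` gen_require.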
|
||||
|
@ -1,67 +1,182 @@
|
||||
|
||||
policy_module(games, 1.7.0)
|
||||
policy_module(games, 2.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type games_data_t;
|
||||
files_type(games_data_t)
|
||||
|
||||
# games_t is for system operation of games, generic games daemons and
|
||||
# games recovery scripts
|
||||
type games_t;
|
||||
type games_exec_t;
|
||||
init_system_domain(games_t, games_exec_t)
|
||||
typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
|
||||
typealias games_t alias { auditadm_games_t secadm_games_t };
|
||||
application_domain(games_t, games_exec_t)
|
||||
ubac_constrained(games_t)
|
||||
|
||||
type games_var_run_t;
|
||||
files_pid_file(games_var_run_t)
|
||||
type games_data_t;
|
||||
typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
|
||||
typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
|
||||
files_type(games_data_t)
|
||||
ubac_constrained(games_data_t)
|
||||
|
||||
type games_devpts_t;
|
||||
typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
|
||||
typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
|
||||
term_pty(games_devpts_t)
|
||||
ubac_constrained(games_devpts_t)
|
||||
|
||||
# games_srv_t is for system operation of games, generic games daemons and
|
||||
# games recovery scripts
|
||||
type games_srv_t;
|
||||
init_system_domain(games_srv_t, games_exec_t)
|
||||
|
||||
type games_srv_var_run_t;
|
||||
files_pid_file(games_srv_var_run_t)
|
||||
|
||||
type games_tmp_t;
|
||||
typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
|
||||
typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
|
||||
files_tmp_file(games_tmp_t)
|
||||
ubac_constrained(games_tmp_t)
|
||||
|
||||
type games_tmpfs_t;
|
||||
typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
|
||||
typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
|
||||
files_tmpfs_file(games_tmpfs_t)
|
||||
ubac_constrained(games_tmpfs_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Server local policy
|
||||
#
|
||||
|
||||
dontaudit games_srv_t self:capability sys_tty_config;
|
||||
allow games_srv_t self:process signal_perms;
|
||||
|
||||
manage_files_pattern(games_srv_t, games_data_t, games_data_t)
|
||||
manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
|
||||
|
||||
manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
|
||||
files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
|
||||
|
||||
can_exec(games_srv_t, games_exec_t)
|
||||
|
||||
kernel_read_kernel_sysctls(games_srv_t)
|
||||
kernel_list_proc(games_srv_t)
|
||||
kernel_read_proc_symlinks(games_srv_t)
|
||||
|
||||
dev_read_sysfs(games_srv_t)
|
||||
|
||||
fs_getattr_all_fs(games_srv_t)
|
||||
fs_search_auto_mountpoints(games_srv_t)
|
||||
|
||||
term_dontaudit_use_console(games_srv_t)
|
||||
|
||||
domain_use_interactive_fds(games_srv_t)
|
||||
|
||||
init_use_fds(games_srv_t)
|
||||
init_use_script_ptys(games_srv_t)
|
||||
|
||||
logging_send_syslog_msg(games_srv_t)
|
||||
|
||||
miscfiles_read_localization(games_srv_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
|
||||
|
||||
userdom_dontaudit_search_user_home_dirs(games_srv_t)
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(games_srv_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(games_srv_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
dontaudit games_t self:capability sys_tty_config;
|
||||
allow games_t self:process signal_perms;
|
||||
allow games_t self:sem create_sem_perms;
|
||||
allow games_t self:tcp_socket create_stream_socket_perms;
|
||||
allow games_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(games_t, games_data_t, games_data_t)
|
||||
manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
|
||||
|
||||
manage_files_pattern(games_t, games_var_run_t, games_var_run_t)
|
||||
files_pid_filetrans(games_t, games_var_run_t, file)
|
||||
allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
term_create_pty(games_t, games_devpts_t)
|
||||
|
||||
can_exec(games_t,games_exec_t)
|
||||
manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
|
||||
manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
|
||||
files_tmp_filetrans(games_t, games_tmp_t, { file dir })
|
||||
|
||||
kernel_read_kernel_sysctls(games_t)
|
||||
kernel_list_proc(games_t)
|
||||
kernel_read_proc_symlinks(games_t)
|
||||
manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
|
||||
manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
|
||||
manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
|
||||
manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
|
||||
fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
dev_read_sysfs(games_t)
|
||||
can_exec(games_t, games_exec_t)
|
||||
|
||||
fs_getattr_all_fs(games_t)
|
||||
fs_search_auto_mountpoints(games_t)
|
||||
kernel_read_system_state(games_t)
|
||||
|
||||
term_dontaudit_use_console(games_t)
|
||||
corecmd_exec_bin(games_t)
|
||||
|
||||
domain_use_interactive_fds(games_t)
|
||||
corenet_all_recvfrom_unlabeled(games_t)
|
||||
corenet_all_recvfrom_netlabel(games_t)
|
||||
corenet_tcp_sendrecv_generic_if(games_t)
|
||||
corenet_udp_sendrecv_generic_if(games_t)
|
||||
corenet_tcp_sendrecv_all_nodes(games_t)
|
||||
corenet_udp_sendrecv_all_nodes(games_t)
|
||||
corenet_tcp_sendrecv_all_ports(games_t)
|
||||
corenet_udp_sendrecv_all_ports(games_t)
|
||||
corenet_tcp_bind_all_nodes(games_t)
|
||||
corenet_tcp_bind_generic_port(games_t)
|
||||
corenet_tcp_connect_generic_port(games_t)
|
||||
corenet_sendrecv_generic_client_packets(games_t)
|
||||
corenet_sendrecv_generic_server_packets(games_t)
|
||||
|
||||
init_use_fds(games_t)
|
||||
init_use_script_ptys(games_t)
|
||||
dev_read_sound(games_t)
|
||||
dev_write_sound(games_t)
|
||||
dev_read_input(games_t)
|
||||
dev_read_mouse(games_t)
|
||||
dev_read_urand(games_t)
|
||||
|
||||
logging_send_syslog_msg(games_t)
|
||||
files_list_var(games_t)
|
||||
files_search_var_lib(games_t)
|
||||
files_dontaudit_search_var(games_t)
|
||||
files_read_etc_files(games_t)
|
||||
files_read_usr_files(games_t)
|
||||
files_read_var_files(games_t)
|
||||
|
||||
init_dontaudit_rw_utmp(games_t)
|
||||
|
||||
logging_dontaudit_search_logs(games_t)
|
||||
|
||||
miscfiles_read_man_pages(games_t)
|
||||
miscfiles_read_localization(games_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(games_t)
|
||||
sysnet_read_config(games_t)
|
||||
|
||||
sysadm_dontaudit_search_home_dirs(games_t)
|
||||
userdom_manage_user_tmp_dirs(games_t)
|
||||
userdom_manage_user_tmp_files(games_t)
|
||||
userdom_manage_user_tmp_symlinks(games_t)
|
||||
userdom_manage_user_tmp_sockets(games_t)
|
||||
# Suppress .icons denial until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files(games_t)
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(games_t)
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow games_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(games_t)
|
||||
nscd_socket_use(games_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets(games_t)
|
||||
xserver_read_xdm_lib_files(games_t)
|
||||
')
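Review bot: The init-started daemon's types look renamed in this file (`games_t` to `games_srv_t`, `games_var_run_t` to `games_srv_var_run_t`) while `games_t` is reused for the user application domain, yet no `typealias` covers the old pid-file type. If `games_var_run_t` is indeed on the removed side (the +/- markers are lost on this page), files still carrying that label after a policy upgrade would have an invalid context until relabelled. Adding `typealias games_srv_var_run_t alias games_var_run_t;` next to the `games_srv_var_run_t` declaration would keep them valid, as the per-role aliases do for the other types. I would also add a comment at `type games_t;` noting that the name used to denote the system domain, since anything still running under that label would presumably pick up the broader user-game rules (generic port bind, sound and input devices) after the upgrade.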
|
||||
|
@ -1,4 +1,4 @@
|
||||
HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
|
||||
HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
|
||||
|
||||
/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
|
||||
/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
|
||||
|
@ -1,193 +1,42 @@
|
||||
## <summary>giFT peer to peer file sharing tool</summary>
|
||||
|
||||
#######################################
|
||||
############################################################
|
||||
## <summary>
|
||||
## The per role template for the gift module.
|
||||
## Role access for gift
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domains which are used
|
||||
## for gift client sessions and gift daemons.
|
||||
## </p>
|
||||
## <p>
|
||||
## This template is invoked automatically for each user, and
|
||||
## generally does not need to be invoked directly
|
||||
## by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## Role allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## User domain for the role
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`gift_per_role_template',`
|
||||
interface(`gift_role',`
|
||||
gen_require(`
|
||||
type gift_t, gift_exec_t;
|
||||
type giftd_t, giftd_exec_t;
|
||||
type gift_home_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type $1_gift_t;
|
||||
application_domain($1_gift_t, gift_exec_t)
|
||||
role $3 types $1_gift_t;
|
||||
|
||||
type $1_gift_home_t alias $1_gift_rw_t;
|
||||
files_poly_member($1_gift_home_t)
|
||||
userdom_user_home_content($1, $1_gift_home_t)
|
||||
|
||||
type $1_gift_tmpfs_t;
|
||||
files_tmpfs_file($1_gift_tmpfs_t)
|
||||
|
||||
type $1_giftd_t;
|
||||
application_domain($1_giftd_t, giftd_exec_t)
|
||||
role $3 types $1_giftd_t;
|
||||
|
||||
##############################
|
||||
#
|
||||
# giFT user interface local policy
|
||||
#
|
||||
|
||||
allow $1_gift_t self:tcp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
|
||||
manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
|
||||
manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
|
||||
manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
|
||||
fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
|
||||
userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)
|
||||
|
||||
# Launch gift daemon
|
||||
domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
|
||||
role $1 types { gift_t giftd_t };
|
||||
|
||||
# transition from user domain
|
||||
domtrans_pattern($2, gift_exec_t, $1_gift_t)
|
||||
domtrans_pattern($2, gift_exec_t, gift_t)
|
||||
domtrans_pattern($2, giftd_exec_t, giftd_t)
|
||||
|
||||
# user managed content
|
||||
manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_dirs_pattern($2, gift_home_t, gift_home_t)
|
||||
manage_files_pattern($2, gift_home_t, gift_home_t)
|
||||
manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
|
||||
relabel_dirs_pattern($2, gift_home_t, gift_home_t)
|
||||
relabel_files_pattern($2, gift_home_t, gift_home_t)
|
||||
relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
|
||||
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2, $1_gift_t)
|
||||
allow $2 $1_gift_t:process signal_perms;
|
||||
|
||||
# Read /proc/meminfo
|
||||
kernel_read_system_state($1_giftd_t)
|
||||
|
||||
# Connect to gift daemon
|
||||
corenet_all_recvfrom_unlabeled($1_gift_t)
|
||||
corenet_all_recvfrom_netlabel($1_gift_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_gift_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_gift_t)
|
||||
corenet_tcp_sendrecv_giftd_port($1_gift_t)
|
||||
corenet_tcp_connect_giftd_port($1_gift_t)
|
||||
corenet_sendrecv_giftd_client_packets($1_gift_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_gift_t)
|
||||
|
||||
sysnet_read_config($1_gift_t)
|
||||
|
||||
# giftui looks in .icons, .themes.
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_gift_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_gift_t)
|
||||
fs_manage_nfs_files($1_gift_t)
|
||||
fs_manage_nfs_symlinks($1_gift_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_gift_t)
|
||||
fs_manage_cifs_files($1_gift_t)
|
||||
fs_manage_cifs_symlinks($1_gift_t)
|
||||
')
|
||||
|
||||
# optional_policy(`
|
||||
# gnome_user_application($1,$1_gift,$1_gift_t)
|
||||
# ')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_gift_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# giFT server local policy
|
||||
#
|
||||
|
||||
allow $1_giftd_t self:process { signal setsched };
|
||||
allow $1_giftd_t self:unix_stream_socket create_socket_perms;
|
||||
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_giftd_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
|
||||
manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
|
||||
userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir)
|
||||
|
||||
domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
|
||||
|
||||
kernel_read_system_state($1_giftd_t)
|
||||
kernel_read_kernel_sysctls($1_giftd_t)
|
||||
|
||||
# Serve content on various p2p networks. Ports can be random.
|
||||
corenet_all_recvfrom_unlabeled($1_giftd_t)
|
||||
corenet_all_recvfrom_netlabel($1_giftd_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_giftd_t)
|
||||
corenet_udp_sendrecv_generic_if($1_giftd_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_giftd_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_giftd_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_giftd_t)
|
||||
corenet_udp_sendrecv_all_ports($1_giftd_t)
|
||||
corenet_tcp_bind_all_nodes($1_giftd_t)
|
||||
corenet_udp_bind_all_nodes($1_giftd_t)
|
||||
corenet_tcp_bind_all_ports($1_giftd_t)
|
||||
corenet_udp_bind_all_ports($1_giftd_t)
|
||||
corenet_tcp_connect_all_ports($1_giftd_t)
|
||||
corenet_sendrecv_all_client_packets($1_giftd_t)
|
||||
|
||||
files_read_usr_files($1_giftd_t)
|
||||
# Read /etc/mtab
|
||||
files_read_etc_runtime_files($1_giftd_t)
|
||||
|
||||
miscfiles_read_localization($1_giftd_t)
|
||||
|
||||
sysnet_read_config($1_giftd_t)
|
||||
|
||||
userdom_use_user_terminals($1,$1_giftd_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_giftd_t)
|
||||
fs_manage_nfs_files($1_giftd_t)
|
||||
fs_manage_nfs_symlinks($1_giftd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs($1_giftd_t)
|
||||
fs_manage_cifs_files($1_giftd_t)
|
||||
fs_manage_cifs_symlinks($1_giftd_t)
|
||||
')
|
||||
ps_process_pattern($2, { gift_t giftd_t })
|
||||
allow $2 { gift_t giftd_t }:process signal_perms;
|
||||
')
|
||||
|
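Review bot: `gift_role` gives `$2` manage and relabel access to the single `gift_home_t` and `signal_perms` on the shared `gift_t`/`giftd_t`, so the separation that the removed `$1_gift_*` types provided between roles now rests on the UBAC constraint alone, and the interface documentation does not say so. UBAC is a build-time option in this commit's Makefile, so with it off every domain passed to `gift_role` can reach every user's giFT content and processes. I would extend the summary, for example `## Role access for gift. Per-user separation of gift_t, giftd_t and gift_home_t depends on UBAC being enabled.` The same applies to the type declarations in the `policy_module(gift, 2.0.0)` section that follows, where `gift_home_t` is not passed to `ubac_constrained()` directly; presumably `userdom_user_home_content()` applies it, which should be confirmed.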
@ -1,13 +1,149 @@
|
||||
|
||||
policy_module(gift, 1.4.0)
|
||||
policy_module(gift, 2.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type gift_t;
|
||||
type gift_exec_t;
|
||||
application_executable_file(gift_exec_t)
|
||||
typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
|
||||
typealias gift_t alias { auditadm_gift_t secadm_gift_t };
|
||||
application_domain(gift_t, gift_exec_t)
|
||||
ubac_constrained(gift_t)
|
||||
|
||||
type gift_home_t;
|
||||
typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
|
||||
typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
|
||||
files_poly_member(gift_home_t)
|
||||
userdom_user_home_content(gift_home_t)
|
||||
|
||||
type gift_tmpfs_t;
|
||||
typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
|
||||
typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
|
||||
files_tmpfs_file(gift_tmpfs_t)
|
||||
ubac_constrained(gift_tmpfs_t)
|
||||
|
||||
type giftd_t;
|
||||
type giftd_exec_t;
|
||||
application_executable_file(giftd_exec_t)
|
||||
typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
|
||||
typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
|
||||
application_domain(giftd_t, giftd_exec_t)
|
||||
ubac_constrained(giftd_t)
|
||||
|
||||
##############################
|
||||
#
|
||||
# giFT user interface local policy
|
||||
#
|
||||
|
||||
allow gift_t self:tcp_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
|
||||
manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
|
||||
manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
|
||||
manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
|
||||
fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
|
||||
manage_files_pattern(gift_t, gift_home_t, gift_home_t)
|
||||
manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
|
||||
userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
|
||||
|
||||
# Launch gift daemon
|
||||
domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
|
||||
|
||||
# Read /proc/meminfo
|
||||
kernel_read_system_state(giftd_t)
|
||||
|
||||
# Connect to gift daemon
|
||||
corenet_all_recvfrom_unlabeled(gift_t)
|
||||
corenet_all_recvfrom_netlabel(gift_t)
|
||||
corenet_tcp_sendrecv_generic_if(gift_t)
|
||||
corenet_tcp_sendrecv_all_nodes(gift_t)
|
||||
corenet_tcp_sendrecv_giftd_port(gift_t)
|
||||
corenet_tcp_connect_giftd_port(gift_t)
|
||||
corenet_sendrecv_giftd_client_packets(gift_t)
|
||||
|
||||
fs_search_auto_mountpoints(gift_t)
|
||||
|
||||
sysnet_read_config(gift_t)
|
||||
|
||||
# giftui looks in .icons, .themes.
|
||||
userdom_dontaudit_read_user_home_content_files(gift_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(gift_t)
|
||||
fs_manage_nfs_files(gift_t)
|
||||
fs_manage_nfs_symlinks(gift_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(gift_t)
|
||||
fs_manage_cifs_files(gift_t)
|
||||
fs_manage_cifs_symlinks(gift_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(gift_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# giFT server local policy
|
||||
#
|
||||
|
||||
allow giftd_t self:process { signal setsched };
|
||||
allow giftd_t self:unix_stream_socket create_socket_perms;
|
||||
allow giftd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow giftd_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
|
||||
manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
|
||||
manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
|
||||
userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
|
||||
|
||||
kernel_read_system_state(giftd_t)
|
||||
kernel_read_kernel_sysctls(giftd_t)
|
||||
|
||||
# Serve content on various p2p networks. Ports can be random.
|
||||
corenet_all_recvfrom_unlabeled(giftd_t)
|
||||
corenet_all_recvfrom_netlabel(giftd_t)
|
||||
corenet_tcp_sendrecv_generic_if(giftd_t)
|
||||
corenet_udp_sendrecv_generic_if(giftd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(giftd_t)
|
||||
corenet_udp_sendrecv_all_nodes(giftd_t)
|
||||
corenet_tcp_sendrecv_all_ports(giftd_t)
|
||||
corenet_udp_sendrecv_all_ports(giftd_t)
|
||||
corenet_tcp_bind_all_nodes(giftd_t)
|
||||
corenet_udp_bind_all_nodes(giftd_t)
|
||||
corenet_tcp_bind_all_ports(giftd_t)
|
||||
corenet_udp_bind_all_ports(giftd_t)
|
||||
corenet_tcp_connect_all_ports(giftd_t)
|
||||
corenet_sendrecv_all_client_packets(giftd_t)
|
||||
|
||||
files_read_usr_files(giftd_t)
|
||||
# Read /etc/mtab
|
||||
files_read_etc_runtime_files(giftd_t)
|
||||
|
||||
miscfiles_read_localization(giftd_t)
|
||||
|
||||
sysnet_read_config(giftd_t)
|
||||
|
||||
userdom_use_user_terminals(giftd_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(giftd_t)
|
||||
fs_manage_nfs_files(giftd_t)
|
||||
fs_manage_nfs_symlinks(giftd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_manage_cifs_dirs(giftd_t)
|
||||
fs_manage_cifs_files(giftd_t)
|
||||
fs_manage_cifs_symlinks(giftd_t)
|
||||
')
|
||||
|
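Review bot: In the "giFT user interface local policy" block, the line under `# Read /proc/meminfo` is `kernel_read_system_state(giftd_t)`, so it grants the daemon domain rather than `gift_t`, and the identical call appears again in the "giFT server local policy" block. The removed template used `$1_giftd_t` in the same place, so this looks carried over rather than intended. If the user interface is what reads /proc/meminfo, the line should be `kernel_read_system_state(gift_t)`. Otherwise drop it from this block, so that the rule set granted to each domain can be read off its own section.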
@ -1,8 +1,8 @@
|
||||
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
|
||||
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
|
||||
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
|
||||
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
||||
|
||||
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
|
||||
|
||||
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
|
||||
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
|
||||
|
||||
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
||||
|