Update f14
This commit is contained in:
parent
18549c23df
commit
2968e06818
@ -50,7 +50,7 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
|
|||||||
userdom_use_user_terminals(dmesg_t)
|
userdom_use_user_terminals(dmesg_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
abrt_append_cache_files(dmesg_t)
|
abrt_cache_append(dmesg_t)
|
||||||
abrt_rw_fifo_file(dmesg_t)
|
abrt_rw_fifo_file(dmesg_t)
|
||||||
abrt_manage_pid_files(dmesg_t)
|
abrt_manage_pid_files(dmesg_t)
|
||||||
')
|
')
|
||||||
|
@ -139,7 +139,7 @@ ifdef(`distro_debian', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
abrt_manage_cache_files(logrotate_t)
|
abrt_cache_manage(logrotate_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
|
|
||||||
## <summary>system-config-kdump GUI</summary>
|
## <summary>system-config-kdump GUI</summary>
|
||||||
|
|
||||||
|
@ -20,7 +20,6 @@ files_tmp_file(livecd_tmp_t)
|
|||||||
|
|
||||||
dontaudit livecd_t self:capability2 mac_admin;
|
dontaudit livecd_t self:capability2 mac_admin;
|
||||||
|
|
||||||
unconfined_domain_noaudit(livecd_t)
|
|
||||||
domain_ptrace_all_domains(livecd_t)
|
domain_ptrace_all_domains(livecd_t)
|
||||||
|
|
||||||
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
||||||
@ -28,6 +27,9 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
|||||||
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
|
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hal_dbus_chat(livecd_t)
|
unconfined_domain_noaudit(livecd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
hal_dbus_chat(livecd_t)
|
||||||
|
')
|
||||||
|
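Review bot: Moving `unconfined_domain_noaudit(livecd_t)` into an `optional_policy` block turns the unconfined module into a soft dependency: when that module is not loaded, livecd_t silently becomes a confined domain holding only the rules visible here (`domain_ptrace_all_domains`, the livecd_tmp_t rules, the hal dbus chat) plus the unconditional `dontaudit livecd_t self:capability2 mac_admin;` above, which will keep suppressing those particular denials in either case. Nothing in the hunk records that this fallback is intended, so a one-line comment above the block would help the next reader, e.g. `# livecd is meant to run unconfined; without the unconfined module it is limited to the rules above`. The livecd_t rules continue outside the hunk.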
@ -43,13 +43,14 @@ template(`mono_role_template',`
|
|||||||
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
|
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
|
||||||
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
|
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
|
||||||
|
|
||||||
userdom_unpriv_usertype($1, $1_mono_t)
|
|
||||||
userdom_manage_tmpfs_role($2, $1_mono_t)
|
|
||||||
|
|
||||||
domtrans_pattern($3, mono_exec_t, $1_mono_t)
|
domtrans_pattern($3, mono_exec_t, $1_mono_t)
|
||||||
|
|
||||||
fs_dontaudit_rw_tmpfs_files($1_mono_t)
|
fs_dontaudit_rw_tmpfs_files($1_mono_t)
|
||||||
corecmd_bin_domtrans($1_mono_t, $1_t)
|
corecmd_bin_domtrans($1_mono_t, $1_t)
|
||||||
|
|
||||||
|
userdom_unpriv_usertype($1, $1_mono_t)
|
||||||
|
userdom_manage_tmpfs_role($2, $1_mono_t)
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
dontaudit $1_t $1_mono_t:socket_class_set { read write };
|
dontaudit $1_t $1_mono_t:socket_class_set { read write };
|
||||||
')
|
')
|
||||||
|
@ -1,3 +1,2 @@
|
|||||||
## <summary>system-config-samba dbus service policy</summary>
|
## <summary>system-config-samba dbus service policy</summary>
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
policy_module(sambagui,1.0.0)
|
policy_module(sambagui, 1.0.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -18,6 +18,29 @@ allow sambagui_t self:capability dac_override;
|
|||||||
allow sambagui_t self:fifo_file rw_fifo_file_perms;
|
allow sambagui_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow sambagui_t self:unix_dgram_socket create_socket_perms;
|
allow sambagui_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
|
# read meminfo
|
||||||
|
kernel_read_system_state(sambagui_t)
|
||||||
|
|
||||||
|
# execut apps of system-config-samba
|
||||||
|
corecmd_exec_shell(sambagui_t)
|
||||||
|
corecmd_exec_bin(sambagui_t)
|
||||||
|
|
||||||
|
dev_dontaudit_read_urand(sambagui_t)
|
||||||
|
|
||||||
|
files_read_etc_files(sambagui_t)
|
||||||
|
files_search_var_lib(sambagui_t)
|
||||||
|
files_read_usr_files(sambagui_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(sambagui_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(sambagui_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(sambagui_t)
|
||||||
|
|
||||||
|
nscd_dontaudit_search_pid(sambagui_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_search_admin_dir(sambagui_t)
|
||||||
|
|
||||||
# handling with samba conf files
|
# handling with samba conf files
|
||||||
samba_append_log(sambagui_t)
|
samba_append_log(sambagui_t)
|
||||||
samba_manage_config(sambagui_t)
|
samba_manage_config(sambagui_t)
|
||||||
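Review bot: The comment `# execut apps of system-config-samba` is carried into the reorganised block with its typo intact; suggest `# execute helper programs shipped with system-config-samba` above the two `corecmd_exec_*` lines. The surrounding `# read meminfo` and `# handling with samba conf files` comments are fine, but `dev_dontaudit_read_urand(sambagui_t)` and `userdom_dontaudit_search_admin_dir(sambagui_t)` are the only dontaudit rules without a why-comment, and a short note such as `# noise from glibc/python start-up, not needed for operation` would make clear they are deliberate silencing rather than missing grants (that reason is an assumption to confirm). The sambagui_t rules continue outside the hunk.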
@ -27,32 +50,6 @@ samba_initrc_domtrans(sambagui_t)
|
|||||||
samba_domtrans_smbd(sambagui_t)
|
samba_domtrans_smbd(sambagui_t)
|
||||||
samba_domtrans_nmbd(sambagui_t)
|
samba_domtrans_nmbd(sambagui_t)
|
||||||
|
|
||||||
# execut apps of system-config-samba
|
|
||||||
corecmd_exec_shell(sambagui_t)
|
|
||||||
corecmd_exec_bin(sambagui_t)
|
|
||||||
|
|
||||||
files_read_etc_files(sambagui_t)
|
|
||||||
files_read_usr_files(sambagui_t)
|
|
||||||
files_search_var_lib(sambagui_t)
|
|
||||||
|
|
||||||
# reading shadow by pdbedit
|
|
||||||
#auth_read_shadow(sambagui_t)
|
|
||||||
|
|
||||||
auth_use_nsswitch(sambagui_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg(sambagui_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization(sambagui_t)
|
|
||||||
|
|
||||||
# read meminfo
|
|
||||||
kernel_read_system_state(sambagui_t)
|
|
||||||
|
|
||||||
dev_dontaudit_read_urand(sambagui_t)
|
|
||||||
nscd_dontaudit_search_pid(sambagui_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_search_admin_dir(sambagui_t)
|
|
||||||
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(sambagui_t)
|
consoletype_exec(sambagui_t)
|
||||||
')
|
')
|
||||||
|
@ -5308,6 +5308,25 @@ interface(`files_getattr_generic_locks',`
|
|||||||
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
getattr_files_pattern($1, var_lock_t, var_lock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete generic lock files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`files_delete_generic_locks',`
|
||||||
|
gen_require(`
|
||||||
|
type var_t, var_lock_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 var_t:dir search_dir_perms;
|
||||||
|
delete_files_pattern($1, var_lock_t, var_lock_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete generic
|
## Create, read, write, and delete generic
|
||||||
|
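Review bot: The new `files_delete_generic_locks` interface grants `delete_files_pattern($1, var_lock_t, var_lock_t)`, i.e. unlink on every file labelled var_lock_t rather than only locks the caller created, so a domain given it can remove another service's lock file; the `<summary>` should state that scope, e.g. `## Delete generic lock files (any file labelled var_lock_t, including locks held by other domains).`. It also adds `allow $1 var_t:dir search_dir_perms;` directly instead of via a files_search_var-style helper; if the neighbouring lock interfaces in files.if do the same it is consistent, but a `# search /var to reach the lock directory` comment would explain the extra rule either way. Only this interface is added in the hunk; the sibling `files_getattr_generic_locks` is context.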
@ -5,6 +5,20 @@ policy_module(dbadm, 1.0.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow dbadm to manage files in users home directories
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(dbadm_manage_user_files, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow dbadm to read files in users home directories
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(dbadm_read_user_files, false)
|
||||||
|
|
||||||
role dbadm_r;
|
role dbadm_r;
|
||||||
|
|
||||||
userdom_unpriv_user_template(dbadm)
|
userdom_unpriv_user_template(dbadm)
|
||||||
@ -14,6 +28,29 @@ userdom_unpriv_user_template(dbadm)
|
|||||||
# database admin local policy
|
# database admin local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
|
||||||
|
|
||||||
|
files_dontaudit_search_all_dirs(dbadm_t)
|
||||||
|
files_delete_generic_locks(dbadm_t)
|
||||||
|
files_list_var(dbadm_t)
|
||||||
|
|
||||||
|
selinux_get_enforce_mode(dbadm_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(dbadm_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_search_user_home_dirs(dbadm_t)
|
||||||
|
|
||||||
|
tunable_policy(`dbadm_manage_user_files',`
|
||||||
|
userdom_manage_user_home_content_files(dbadm_t)
|
||||||
|
userdom_read_user_tmp_files(dbadm_t)
|
||||||
|
userdom_write_user_tmp_files(dbadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`dbadm_read_user_files',`
|
||||||
|
userdom_read_user_home_content_files(dbadm_t)
|
||||||
|
userdom_read_user_tmp_files(dbadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_admin(dbadm_t, dbadm_r)
|
mysql_admin(dbadm_t, dbadm_r)
|
||||||
')
|
')
|
||||||
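Review bot: `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` gives a login-role domain unconditional DAC bypass and ptrace capability, and nothing in the hunk says which database tool needs each of them; the user-file access right below is gated behind the `dbadm_manage_user_files` / `dbadm_read_user_files` tunables, yet `dac_override` makes that access reach files the administrator's own uid could not otherwise touch. A comment naming the consumer of each capability, or a tunable for `sys_ptrace` in the same style as the two user-file tunables, would make the grant reviewable, e.g. `# dac_override/dac_read_search: service-owned database files; sys_ptrace: TODO name the tool that requires it`. `files_delete_generic_locks(dbadm_t)` likewise lets dbadm_t unlink any var_lock_t file, not only database locks, and deserves a one-line why-comment. The dbadm_t local policy continues outside the hunk.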
@ -22,11 +59,6 @@ optional_policy(`
|
|||||||
postgresql_admin(dbadm_t, dbadm_r)
|
postgresql_admin(dbadm_t, dbadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
# For starting up daemon processes
|
|
||||||
optional_policy(`
|
|
||||||
su_role_template(dbadm, dbadm_r, dbadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
sudo_role_template(dbadm, dbadm_r, dbadm_t)
|
sudo_role_template(dbadm, dbadm_r, dbadm_t)
|
||||||
')
|
')
|
||||||
|
@ -22,14 +22,29 @@ kernel_read_ring_buffer(staff_usertype)
|
|||||||
kernel_getattr_core_if(staff_usertype)
|
kernel_getattr_core_if(staff_usertype)
|
||||||
kernel_getattr_message_if(staff_usertype)
|
kernel_getattr_message_if(staff_usertype)
|
||||||
kernel_read_software_raid_state(staff_usertype)
|
kernel_read_software_raid_state(staff_usertype)
|
||||||
|
kernel_read_fs_sysctls(staff_usertype)
|
||||||
|
|
||||||
|
domain_read_all_domains_state(staff_usertype)
|
||||||
|
domain_getattr_all_domains(staff_usertype)
|
||||||
|
domain_obj_id_change_exemption(staff_t)
|
||||||
|
|
||||||
|
files_read_kernel_modules(staff_usertype)
|
||||||
|
|
||||||
|
seutil_read_module_store(staff_t)
|
||||||
|
seutil_run_newrole(staff_t, staff_r)
|
||||||
|
|
||||||
|
term_use_unallocated_ttys(staff_usertype)
|
||||||
|
|
||||||
auth_domtrans_pam_console(staff_t)
|
auth_domtrans_pam_console(staff_t)
|
||||||
|
|
||||||
init_dbus_chat(staff_t)
|
init_dbus_chat(staff_t)
|
||||||
init_dbus_chat_script(staff_t)
|
init_dbus_chat_script(staff_t)
|
||||||
|
|
||||||
seutil_read_module_store(staff_t)
|
miscfiles_read_hwdata(staff_usertype)
|
||||||
seutil_run_newrole(staff_t, staff_r)
|
|
||||||
|
modutils_read_module_config(staff_usertype)
|
||||||
|
modutils_read_module_deps(staff_usertype)
|
||||||
|
|
||||||
netutils_run_ping(staff_t, staff_r)
|
netutils_run_ping(staff_t, staff_r)
|
||||||
netutils_signal_ping(staff_t)
|
netutils_signal_ping(staff_t)
|
||||||
|
|
||||||
@ -41,142 +56,50 @@ optional_policy(`
|
|||||||
mozilla_run_plugin(staff_t, staff_r)
|
mozilla_run_plugin(staff_t, staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
auth_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
auditadm_role_change(staff_r)
|
auditadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbadm_role_change(staff_r)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
logadm_role_change(staff_r)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
webadm_role_change(staff_r)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerneloops_manage_tmp_files(staff_t)
|
kerneloops_manage_tmp_files(staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
logadm_role_change(staff_r)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
bluetooth_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cdrecord_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cron_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
dbus_role_template(staff, staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
evolution_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
games_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gift_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gnome_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gpg_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
irc_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
java_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
lockdev_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
lpd_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mozilla_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mplayer_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mta_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
oident_manage_user_content(staff_t)
|
|
||||||
oident_relabel_user_content(staff_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
postgresql_role(staff_r, staff_t)
|
postgresql_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rtkit_scheduled(staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
pyzor_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
razor_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rssh_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
screen_role_template(staff, staff_r, staff_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
secadm_role_change(staff_r)
|
secadm_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
spamassassin_role(staff_r, staff_t)
|
unconfined_role_change(staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rtkit_scheduled(staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
screen_role_template(staff, staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_role_template(staff, staff_r, staff_t)
|
ssh_role_template(staff, staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
su_role_template(staff, staff_r, staff_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
sudo_role_template(staff, staff_r, staff_t)
|
sudo_role_template(staff, staff_r, staff_t)
|
||||||
')
|
')
|
||||||
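Review bot: `dbadm_role_change(staff_r)` is the one line in this hunk that is an addition rather than a move and it has no comment: it lets staff_r switch to dbadm_r (presumably through newrole, which `seutil_run_newrole(staff_t, staff_r)` above already allows), a role whose domain gains `dac_override`, `dac_read_search` and `sys_ptrace` elsewhere in this same commit, so the staff→dbadm change becomes a route to DAC bypass that the neighbouring `auditadm_role_change` / `logadm_role_change` / `webadm_role_change` lines do not offer. Suggest `# staff may assume the database administrator role; dbadm_t carries dac_override and sys_ptrace` above it, and confirming that `dbadm_role_change` is provided by dbadm.if, since it is not defined in the files shown here. The remaining changes in the hunk remove the scattered `ifndef(`distro_redhat',` wrappers; the consolidated block they move into is in the following hunk.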
@ -190,59 +113,127 @@ optional_policy(`
|
|||||||
telepathy_dbus_session_role(staff_r, staff_t)
|
telepathy_dbus_session_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
thunderbird_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
tvtime_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
uml_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
userhelper_role_template(staff, staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
vmware_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
wireshark_role(staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
unconfined_role_change(staff_r)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
webadm_role_change(staff_r)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_role(staff_r, staff_t)
|
xserver_role(staff_r, staff_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
domain_read_all_domains_state(staff_usertype)
|
ifndef(`distro_redhat',`
|
||||||
domain_getattr_all_domains(staff_usertype)
|
optional_policy(`
|
||||||
domain_obj_id_change_exemption(staff_t)
|
auth_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
files_read_kernel_modules(staff_usertype)
|
optional_policy(`
|
||||||
|
bluetooth_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
kernel_read_fs_sysctls(staff_usertype)
|
optional_policy(`
|
||||||
|
cdrecord_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
modutils_read_module_config(staff_usertype)
|
optional_policy(`
|
||||||
modutils_read_module_deps(staff_usertype)
|
cron_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
miscfiles_read_hwdata(staff_usertype)
|
optional_policy(`
|
||||||
|
dbus_role_template(staff, staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
term_use_unallocated_ttys(staff_usertype)
|
optional_policy(`
|
||||||
|
evolution_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
games_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gift_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gnome_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gpg_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
irc_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
java_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lockdev_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lpd_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mozilla_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mplayer_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
oident_manage_user_content(staff_t)
|
||||||
|
oident_relabel_user_content(staff_t)
|
||||||
|
')
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
razor_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rssh_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
spamassassin_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
su_role_template(staff, staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
thunderbird_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tvtime_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
uml_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
userhelper_role_template(staff, staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
vmware_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
wireshark_role(staff_r, staff_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
accountsd_dbus_chat(staff_t)
|
accountsd_dbus_chat(staff_t)
|
||||||
@ -273,10 +264,6 @@ optional_policy(`
|
|||||||
sandbox_transition(staff_t, staff_r)
|
sandbox_transition(staff_t, staff_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
screen_role_template(staff, staff_r, staff_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
setroubleshoot_stream_connect(staff_t)
|
setroubleshoot_stream_connect(staff_t)
|
||||||
setroubleshoot_dbus_chat(staff_t)
|
setroubleshoot_dbus_chat(staff_t)
|
||||||
|
@ -24,11 +24,14 @@ ifndef(`enable_mls',`
|
|||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
kernel_read_fs_sysctls(sysadm_t)
|
||||||
|
|
||||||
corecmd_exec_shell(sysadm_t)
|
corecmd_exec_shell(sysadm_t)
|
||||||
|
|
||||||
domain_dontaudit_read_all_domains_state(sysadm_t)
|
domain_dontaudit_read_all_domains_state(sysadm_t)
|
||||||
|
|
||||||
|
files_read_kernel_modules(sysadm_t)
|
||||||
|
|
||||||
mls_process_read_up(sysadm_t)
|
mls_process_read_up(sysadm_t)
|
||||||
mls_file_read_to_clearance(sysadm_t)
|
mls_file_read_to_clearance(sysadm_t)
|
||||||
mls_process_write_to_clearance(sysadm_t)
|
mls_process_write_to_clearance(sysadm_t)
|
||||||
@ -42,6 +45,11 @@ application_exec(sysadm_t)
|
|||||||
init_exec(sysadm_t)
|
init_exec(sysadm_t)
|
||||||
init_exec_script_files(sysadm_t)
|
init_exec_script_files(sysadm_t)
|
||||||
init_dbus_chat(sysadm_t)
|
init_dbus_chat(sysadm_t)
|
||||||
|
init_script_role_transition(sysadm_r)
|
||||||
|
|
||||||
|
modutils_read_module_deps(sysadm_t)
|
||||||
|
|
||||||
|
miscfiles_read_hwdata(sysadm_t)
|
||||||
|
|
||||||
# Add/remove user home directories
|
# Add/remove user home directories
|
||||||
userdom_manage_user_home_dirs(sysadm_t)
|
userdom_manage_user_home_dirs(sysadm_t)
|
||||||
@ -83,9 +91,6 @@ optional_policy(`
|
|||||||
apache_run_helper(sysadm_t, sysadm_r)
|
apache_run_helper(sysadm_t, sysadm_r)
|
||||||
#apache_run_all_scripts(sysadm_t, sysadm_r)
|
#apache_run_all_scripts(sysadm_t, sysadm_r)
|
||||||
#apache_domtrans_sys_script(sysadm_t)
|
#apache_domtrans_sys_script(sysadm_t)
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
apache_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -101,12 +106,6 @@ optional_policy(`
|
|||||||
auditadm_role_change(sysadm_r)
|
auditadm_role_change(sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
auth_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
backup_run(sysadm_t, sysadm_r)
|
backup_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -115,22 +114,10 @@ optional_policy(`
|
|||||||
bind_run_ndc(sysadm_t, sysadm_r)
|
bind_run_ndc(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
bluetooth_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
bootloader_run(sysadm_t, sysadm_r)
|
bootloader_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
cdrecord_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
certmonger_dbus_chat(sysadm_t)
|
certmonger_dbus_chat(sysadm_t)
|
||||||
')
|
')
|
||||||
@ -151,16 +138,6 @@ optional_policy(`
|
|||||||
consoletype_run(sysadm_t, sysadm_r)
|
consoletype_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
cron_admin_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
daemonstools_run_start(sysadm_t, sysadm_r)
|
daemonstools_run_start(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -187,12 +164,6 @@ optional_policy(`
|
|||||||
dpkg_run(sysadm_t, sysadm_r)
|
dpkg_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
evolution_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
firstboot_run(sysadm_t, sysadm_r)
|
firstboot_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -201,24 +172,6 @@ optional_policy(`
|
|||||||
fstools_run(sysadm_t, sysadm_r)
|
fstools_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
games_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gift_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gnome_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gpg_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
hostname_run(sysadm_t, sysadm_r)
|
hostname_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -248,16 +201,6 @@ optional_policy(`
|
|||||||
kerberos_exec_kadmind(sysadm_t)
|
kerberos_exec_kadmind(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
irc_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
java_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kudzu_run(sysadm_t, sysadm_r)
|
kudzu_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -266,12 +209,6 @@ optional_policy(`
|
|||||||
libs_run_ldconfig(sysadm_t, sysadm_r)
|
libs_run_ldconfig(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
lockdev_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
logrotate_run(sysadm_t, sysadm_r)
|
logrotate_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -296,16 +233,6 @@ optional_policy(`
|
|||||||
mount_run_showmount(sysadm_t, sysadm_r)
|
mount_run_showmount(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
mozilla_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mplayer_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mta_role(sysadm_r, sysadm_t)
|
mta_role(sysadm_r, sysadm_t)
|
||||||
')
|
')
|
||||||
@ -359,12 +286,6 @@ optional_policy(`
|
|||||||
prelink_run(sysadm_t, sysadm_r)
|
prelink_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
pyzor_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
quota_run(sysadm_t, sysadm_r)
|
quota_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -373,12 +294,6 @@ optional_policy(`
|
|||||||
raid_domtrans_mdadm(sysadm_t)
|
raid_domtrans_mdadm(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
razor_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpc_domtrans_nfsd(sysadm_t)
|
rpc_domtrans_nfsd(sysadm_t)
|
||||||
')
|
')
|
||||||
@ -387,11 +302,6 @@ optional_policy(`
|
|||||||
rpm_run(sysadm_t, sysadm_r)
|
rpm_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
rssh_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rsync_exec(sysadm_t)
|
rsync_exec(sysadm_t)
|
||||||
@ -419,11 +329,6 @@ optional_policy(`
|
|||||||
shutdown_run(sysadm_t, sysadm_r)
|
shutdown_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
spamassassin_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ssh_role_template(sysadm, sysadm_r, sysadm_t)
|
ssh_role_template(sysadm, sysadm_r, sysadm_t)
|
||||||
@ -446,12 +351,6 @@ optional_policy(`
|
|||||||
sysnet_run_dhcpc(sysadm_t, sysadm_r)
|
sysnet_run_dhcpc(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
thunderbird_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tripwire_run_siggen(sysadm_t, sysadm_r)
|
tripwire_run_siggen(sysadm_t, sysadm_r)
|
||||||
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
||||||
@ -459,22 +358,10 @@ optional_policy(`
|
|||||||
tripwire_run_twprint(sysadm_t, sysadm_r)
|
tripwire_run_twprint(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
tvtime_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tzdata_domtrans(sysadm_t)
|
tzdata_domtrans(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
uml_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domtrans(sysadm_t)
|
unconfined_domtrans(sysadm_t)
|
||||||
')
|
')
|
||||||
@ -487,23 +374,12 @@ optional_policy(`
|
|||||||
usbmodules_run(sysadm_t, sysadm_r)
|
usbmodules_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
userhelper_role_template(sysadm, sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
||||||
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
||||||
usermanage_run_useradd(sysadm_t, sysadm_r)
|
usermanage_run_useradd(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
vmware_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
vpn_run(sysadm_t, sysadm_r)
|
vpn_run(sysadm_t, sysadm_r)
|
||||||
@ -521,16 +397,6 @@ optional_policy(`
|
|||||||
virt_stream_connect(sysadm_t)
|
virt_stream_connect(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
wireshark_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
xserver_role(sysadm_r, sysadm_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
yam_run(sysadm_t, sysadm_r)
|
yam_run(sysadm_t, sysadm_r)
|
||||||
')
|
')
|
||||||
@ -539,9 +405,111 @@ optional_policy(`
|
|||||||
zebra_stream_connect(sysadm_t)
|
zebra_stream_connect(sysadm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
init_script_role_transition(sysadm_r)
|
ifndef(`distro_redhat',`
|
||||||
|
optional_policy(`
|
||||||
|
apache_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
optional_policy(`
|
||||||
|
auth_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
files_read_kernel_modules(sysadm_t)
|
optional_policy(`
|
||||||
kernel_read_fs_sysctls(sysadm_t)
|
bluetooth_role(sysadm_r, sysadm_t)
|
||||||
modutils_read_module_deps(sysadm_t)
|
')
|
||||||
miscfiles_read_hwdata(sysadm_t)
|
|
||||||
|
optional_policy(`
|
||||||
|
cdrecord_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cron_admin_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
evolution_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
games_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gift_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gnome_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gpg_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
irc_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
java_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lockdev_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mozilla_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mplayer_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
razor_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rssh_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
spamassassin_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
thunderbird_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tvtime_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
uml_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
userhelper_role_template(sysadm, sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
vmware_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
wireshark_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
xserver_role(sysadm_r, sysadm_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
@ -22,97 +22,6 @@ optional_policy(`
|
|||||||
mozilla_run_plugin(user_t, user_r)
|
mozilla_run_plugin(user_t, user_r)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
auth_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
bluetooth_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cdrecord_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
cron_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
dbus_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
evolution_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
games_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gift_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gnome_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
gpg_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
irc_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
java_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
lockdev_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
lpd_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mozilla_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mplayer_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
mta_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
oident_manage_user_content(user_t)
|
|
||||||
oident_relabel_user_content(user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
postgresql_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
pyzor_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
razor_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
rssh_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_dontaudit_dbus_chat(user_t)
|
rpm_dontaudit_dbus_chat(user_t)
|
||||||
')
|
')
|
||||||
@ -133,49 +42,6 @@ optional_policy(`
|
|||||||
telepathy_dbus_session_role(user_r, user_t)
|
telepathy_dbus_session_role(user_r, user_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifndef(`distro_redhat',`
|
|
||||||
optional_policy(`
|
|
||||||
spamassassin_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
ssh_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
su_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
sudo_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
thunderbird_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
tvtime_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
uml_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
userhelper_role_template(user, user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
vmware_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
wireshark_role(user_r, user_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
setroubleshoot_dontaudit_stream_connect(user_t)
|
setroubleshoot_dontaudit_stream_connect(user_t)
|
||||||
')
|
')
|
||||||
@ -183,3 +49,134 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_role(user_r, user_t)
|
xserver_role(user_r, user_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifndef(`distro_redhat',`
|
||||||
|
optional_policy(`
|
||||||
|
auth_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
bluetooth_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cdrecord_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
cron_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_role_template(user, user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
evolution_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
games_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gift_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gnome_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
gpg_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
irc_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
java_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lockdev_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lpd_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mozilla_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mplayer_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
oident_manage_user_content(user_t)
|
||||||
|
oident_relabel_user_content(user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
postgresql_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
pyzor_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
razor_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rssh_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
spamassassin_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
ssh_role_template(user, user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
su_role_template(user, user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
sudo_role_template(user, user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
thunderbird_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tvtime_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
uml_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
userhelper_role_template(user, user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
vmware_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
wireshark_role(user_r, user_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
@ -131,9 +131,9 @@ interface(`abrt_domtrans_helper',`
|
|||||||
|
|
||||||
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
|
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
|
||||||
|
|
||||||
ifdef(`hide_broken_symptoms', `
|
ifdef(`hide_broken_symptoms', `
|
||||||
dontaudit abrt_helper_t $1:socket_class_set { read write };
|
dontaudit abrt_helper_t $1:socket_class_set { read write };
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -172,7 +172,7 @@ interface(`abrt_run_helper',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`abrt_append_cache_files',`
|
interface(`abrt_cache_append',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type abrt_var_cache_t;
|
type abrt_var_cache_t;
|
||||||
')
|
')
|
||||||
@ -190,7 +190,7 @@ interface(`abrt_append_cache_files',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`abrt_manage_cache_files',`
|
interface(`abrt_cache_manage',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type abrt_var_cache_t;
|
type abrt_var_cache_t;
|
||||||
')
|
')
|
||||||
|
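Review bot: The renames at `interface(`abrt_cache_append',`` and `interface(`abrt_cache_manage',`` remove the old names `abrt_append_cache_files` and `abrt_manage_cache_files` outright, so any module outside this commit that still calls them (the commit updates dmesg and logrotate only, as far as the page shows) stops building; the cobbler.if renames further down (`cobbler_read_content`, `cobbler_manage_content`, `cobbler_search_content`) have the same gap. Refpolicy's usual practice is to keep the old interface as a deprecated wrapper that emits `refpolicywarn` and forwards to the new name, which keeps third-party modules loadable while signalling the migration. Each interface's `## <summary>` text starts above the hunk, so check that it still describes append versus manage after the rename. Sketch for the first one (the manage variant is analogous):
```m4
########################################
## <summary>
##	Deprecated: use abrt_cache_append() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`abrt_append_cache_files',`
	refpolicywarn(`$0($*) has been deprecated, use abrt_cache_append() instead.')
	abrt_cache_append($1)
')
```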
@ -638,7 +638,7 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
cobbler_list_config(httpd_t)
|
cobbler_list_config(httpd_t)
|
||||||
cobbler_read_config(httpd_t)
|
cobbler_read_config(httpd_t)
|
||||||
cobbler_read_content(httpd_t)
|
cobbler_read_lib_files(httpd_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_cobbler',`
|
tunable_policy(`httpd_can_network_connect_cobbler',`
|
||||||
corenet_tcp_connect_cobbler_port(httpd_t)
|
corenet_tcp_connect_cobbler_port(httpd_t)
|
||||||
|
@ -5,28 +5,28 @@
|
|||||||
|
|
||||||
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
|
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
|
|
||||||
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
|
|
||||||
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
|
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
|
||||||
|
|
||||||
# This should removable when cobbler package installs /var/www/cobbler/rendered
|
# This should removable when cobbler package installs /var/www/cobbler/rendered
|
||||||
/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
|
/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_var_lib_t,s0)
|
||||||
|
|
||||||
/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0)
|
/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
||||||
|
|
||||||
|
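Review bot: The `/var/www/cobbler(/.*)?` entry is relabeled to `httpd_cobbler_var_lib_t`, a type that is declared nowhere on this page: `apache_content_template(cobbler)` in cobbler.te and the `gen_require` of `cobblerd_admin` in cobbler.if only name `httpd_cobbler_content_t`, `httpd_cobbler_content_rw_t` and `httpd_cobbler_content_ra_t`, so this looks like the global `cobbler_content_t` → `cobbler_var_lib_t` substitution also matching the `httpd_`-prefixed name. setfiles/restorecon should reject that entry as an invalid context, and until it is fixed nothing under /var/www/cobbler receives the web-content label the rest of the commit relies on. If the intent is that cobblerd_t writes there (cobbler.te now grants it manage on `httpd_cobbler_content_rw_t`, for which no fc entry is visible), the line presumably wants `/var/www/cobbler(/.*)?	gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0)`; otherwise restore `httpd_cobbler_content_t`.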
@ -1,4 +1,14 @@
|
|||||||
## <summary>Cobbler installation server.</summary>
|
## <summary>Cobbler installation server.</summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Cobbler is a Linux installation server that allows for
|
||||||
|
## rapid setup of network installation environments. It
|
||||||
|
## glues together and automates many associated Linux
|
||||||
|
## tasks so you do not have to hop between lots of various
|
||||||
|
## commands and applications when rolling out new systems,
|
||||||
|
## and, in some cases, changing existing ones.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -52,7 +62,7 @@ interface(`cobbler_list_config',`
|
|||||||
type cobbler_etc_t;
|
type cobbler_etc_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
list_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
|
list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -77,7 +87,7 @@ interface(`cobbler_read_config',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Manage cobbler content.
|
## Search cobbler dirs in /var/lib
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -85,20 +95,19 @@ interface(`cobbler_read_config',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`cobbler_manage_content',`
|
interface(`cobbler_search_lib',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type cobbler_content_t;
|
type cobbler_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
|
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
manage_files_pattern($1, cobbler_content_t, cobbler_content_t)
|
read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
|
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read cobbler content.
|
## Read cobbler files in /var/lib
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -106,19 +115,19 @@ interface(`cobbler_manage_content',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`cobbler_read_content',`
|
interface(`cobbler_read_lib_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type cobbler_content_t;
|
type cobbler_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1, cobbler_content_t, cobbler_content_t)
|
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
|
read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search cobbler content.
|
## Manage cobbler files in /var/lib
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -126,13 +135,14 @@ interface(`cobbler_read_content',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`cobbler_search_content',`
|
interface(`cobbler_manage_lib_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type cobbler_content_t;
|
type cobbler_var_lib_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
search_dirs_pattern($1, cobbler_content_t, cobbler_content_t)
|
manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t)
|
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
|
manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -193,44 +203,37 @@ interface(`cobbler_dontaudit_rw_log',`
|
|||||||
#
|
#
|
||||||
interface(`cobblerd_admin',`
|
interface(`cobblerd_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type cobblerd_t, cobbler_var_log_t;
|
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
|
||||||
type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t;
|
type cobbler_etc_t, cobblerd_initrc_exec_t;
|
||||||
|
type httpd_cobbler_content_t;
|
||||||
|
type httpd_cobbler_content_ra_t;
|
||||||
|
type httpd_cobbler_content_rw_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
|
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
|
||||||
read_files_pattern($1, cobblerd_t, cobblerd_t)
|
read_files_pattern($1, cobblerd_t, cobblerd_t)
|
||||||
|
|
||||||
|
files_search_etc($1)
|
||||||
|
admin_pattern($1, cobbler_etc_t)
|
||||||
|
|
||||||
|
files_list_var_lib($1)
|
||||||
|
admin_pattern($1, cobbler_var_lib_t)
|
||||||
|
|
||||||
|
logging_search_logs($1)
|
||||||
|
admin_pattern($1, cobbler_var_log_t)
|
||||||
|
|
||||||
|
apache_search_sys_content($1)
|
||||||
|
admin_pattern($1, httpd_cobbler_content_t)
|
||||||
|
admin_pattern($1, httpd_cobbler_content_ra_t)
|
||||||
|
admin_pattern($1, httpd_cobbler_content_rw_t)
|
||||||
|
|
||||||
cobblerd_initrc_domtrans($1)
|
cobblerd_initrc_domtrans($1)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 cobblerd_initrc_exec_t system_r;
|
role_transition $2 cobblerd_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
|
|
||||||
admin_pattern($1, cobbler_etc_t)
|
|
||||||
files_search_etc($1)
|
|
||||||
|
|
||||||
admin_pattern($1, cobbler_content_t)
|
|
||||||
files_list_var_lib($1)
|
|
||||||
|
|
||||||
admin_pattern($1, cobbler_var_log_t)
|
|
||||||
logging_search_logs($1)
|
|
||||||
|
|
||||||
# below may want to be removed.
|
|
||||||
tunable_policy(`cobbler_anon_write',`
|
|
||||||
miscfiles_manage_public_files($1)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
gen_require(`
|
# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
|
||||||
type httpd_cobbler_content_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
# manage /var/www/cobbler
|
|
||||||
admin_pattern($1, httpd_cobbler_content_t)
|
|
||||||
apache_search_sys_content($1)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
# traverse /var/lib/tftpdir to get to cobbler_content_t there.
|
|
||||||
tftp_search_rw_content($1)
|
tftp_search_rw_content($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
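Review bot: `cobbler_list_config` ends up inconsistent after the rename at `list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)`: the visible part of its `gen_require` brings in only `cobbler_etc_t`, and both the interface name and the following `files_search_etc($1)` point at the /etc configuration, so listing `cobbler_var_lib_t` directories here neither matches the interface's purpose nor is reachable without a `files_search_var_lib`. Either the pattern should read `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`, or the require block (which starts above the hunk) needs `type cobbler_var_lib_t;` and the interface a name and summary that say so; the summary is outside the hunk, so confirm against it. Separately, `cobblerd_admin` now requires the three `httpd_cobbler_content*` types and calls `apache_search_sys_content($1)` outside any `optional_policy`, which makes apache a hard dependency of every caller — consistent with cobbler.te making `apache_content_template(cobbler)` unconditional, but worth stating in the description.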
@ -1,4 +1,3 @@
|
|||||||
|
|
||||||
policy_module(cobbler, 1.1.0)
|
policy_module(cobbler, 1.1.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -46,21 +45,18 @@ init_script_file(cobblerd_initrc_exec_t)
|
|||||||
type cobbler_etc_t;
|
type cobbler_etc_t;
|
||||||
files_config_file(cobbler_etc_t)
|
files_config_file(cobbler_etc_t)
|
||||||
|
|
||||||
type cobbler_content_t;
|
|
||||||
typealias cobbler_content_t alias cobbler_var_lib_t;
|
|
||||||
files_type(cobbler_content_t)
|
|
||||||
|
|
||||||
type cobbler_var_log_t;
|
type cobbler_var_log_t;
|
||||||
logging_log_file(cobbler_var_log_t)
|
logging_log_file(cobbler_var_log_t)
|
||||||
|
|
||||||
|
type cobbler_var_lib_t alias cobbler_content_t;
|
||||||
|
files_type(cobbler_var_lib_t)
|
||||||
|
|
||||||
type cobbler_tmp_t;
|
type cobbler_tmp_t;
|
||||||
files_tmp_file(cobbler_tmp_t)
|
files_tmp_file(cobbler_tmp_t)
|
||||||
|
|
||||||
# Cobbler check is not supported and is silently ignored.
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Cobbler local policy.
|
# Cobbler personal policy.
|
||||||
#
|
#
|
||||||
|
|
||||||
allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
|
allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
|
||||||
@ -76,13 +72,13 @@ allow cobblerd_t self:unix_dgram_socket create_socket_perms;
|
|||||||
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
|
list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
|
||||||
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
|
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
|
||||||
|
|
||||||
# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
|
# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
|
||||||
dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms;
|
dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
|
||||||
|
|
||||||
manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
|
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
|
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t)
|
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
||||||
files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file })
|
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
|
||||||
|
|
||||||
# Something really needs to write to cobbler.log. Ideally this should not be happening.
|
# Something really needs to write to cobbler.log. Ideally this should not be happening.
|
||||||
allow cobblerd_t cobbler_var_log_t:file write;
|
allow cobblerd_t cobbler_var_log_t:file write;
|
||||||
@ -105,13 +101,13 @@ corecmd_exec_shell(cobblerd_t)
|
|||||||
|
|
||||||
corenet_all_recvfrom_netlabel(cobblerd_t)
|
corenet_all_recvfrom_netlabel(cobblerd_t)
|
||||||
corenet_all_recvfrom_unlabeled(cobblerd_t)
|
corenet_all_recvfrom_unlabeled(cobblerd_t)
|
||||||
|
corenet_sendrecv_cobbler_server_packets(cobblerd_t)
|
||||||
|
corenet_tcp_bind_cobbler_port(cobblerd_t)
|
||||||
corenet_tcp_bind_generic_node(cobblerd_t)
|
corenet_tcp_bind_generic_node(cobblerd_t)
|
||||||
corenet_tcp_sendrecv_generic_if(cobblerd_t)
|
corenet_tcp_sendrecv_generic_if(cobblerd_t)
|
||||||
corenet_tcp_sendrecv_generic_node(cobblerd_t)
|
corenet_tcp_sendrecv_generic_node(cobblerd_t)
|
||||||
corenet_tcp_sendrecv_generic_port(cobblerd_t)
|
corenet_tcp_sendrecv_generic_port(cobblerd_t)
|
||||||
corenet_tcp_bind_cobbler_port(cobblerd_t)
|
|
||||||
corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
|
corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
|
||||||
corenet_sendrecv_cobbler_server_packets(cobblerd_t)
|
|
||||||
# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
|
# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
|
||||||
corenet_tcp_connect_ftp_port(cobblerd_t)
|
corenet_tcp_connect_ftp_port(cobblerd_t)
|
||||||
corenet_tcp_sendrecv_ftp_port(cobblerd_t)
|
corenet_tcp_sendrecv_ftp_port(cobblerd_t)
|
||||||
@ -226,7 +222,7 @@ optional_policy(`
|
|||||||
# 2. no FILES in /var/lib/TFTPDIR are hard linked.
|
# 2. no FILES in /var/lib/TFTPDIR are hard linked.
|
||||||
# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
|
# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
|
||||||
# are any of those hard linked?
|
# are any of those hard linked?
|
||||||
tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file })
|
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -234,18 +230,6 @@ optional_policy(`
|
|||||||
# Cobbler web local policy.
|
# Cobbler web local policy.
|
||||||
#
|
#
|
||||||
|
|
||||||
# This should be removable when cobbler package installs /var/www/cobbler/rendered.
|
apache_content_template(cobbler)
|
||||||
optional_policy(`
|
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
|
||||||
gen_require(`
|
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
|
||||||
attribute httpdcontent;
|
|
||||||
')
|
|
||||||
|
|
||||||
apache_content_template(cobbler)
|
|
||||||
# To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t.
|
|
||||||
# I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type
|
|
||||||
# httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but
|
|
||||||
# that directory should have been labeled cobbler_content_t.
|
|
||||||
filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file })
|
|
||||||
# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t.
|
|
||||||
dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms;
|
|
||||||
')
|
|
||||||
|
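Review bot: The header comment is changed to `# Cobbler personal policy.` while every other section on this page, including `# Cobbler web local policy.` in the same file, uses the refpolicy wording "local policy"; keep `# Cobbler local policy.` so the file reads consistently. The type rename is done right (`type cobbler_var_lib_t alias cobbler_content_t;` keeps old labels valid), but together with the renamed interfaces it is an interface change, and refpolicy's usual practice is to bump the module version in `policy_module(cobbler, 1.1.0)` when that happens — the line is in the first hunk and was left untouched. The dropped comment `# Cobbler check is not supported and is silently ignored.` is not replaced by anything; if the statement still holds it is worth keeping where the relevant rule lives.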
@ -92,7 +92,7 @@ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
|||||||
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cobbler_read_content(dnsmasq_t)
|
cobbler_read_lib_files(dnsmasq_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
policy_module(mojomojo, 1.0)
|
policy_module(mojomojo, 1.0.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -22,20 +22,18 @@ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomo
|
|||||||
files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
|
files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
|
||||||
|
|
||||||
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
|
corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
|
||||||
corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
|
|
||||||
|
|
||||||
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
|
corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
|
||||||
corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
|
|
||||||
|
|
||||||
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
|
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
|
||||||
|
corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
|
||||||
|
corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
|
||||||
corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
||||||
|
|
||||||
files_search_var_lib(httpd_mojomojo_script_t)
|
files_search_var_lib(httpd_mojomojo_script_t)
|
||||||
|
|
||||||
mta_send_mail(httpd_mojomojo_script_t)
|
|
||||||
|
|
||||||
sysnet_dns_name_resolve(httpd_mojomojo_script_t)
|
sysnet_dns_name_resolve(httpd_mojomojo_script_t)
|
||||||
|
|
||||||
|
mta_send_mail(httpd_mojomojo_script_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_mojomojo_script_t)
|
mysql_stream_connect(httpd_mojomojo_script_t)
|
||||||
')
|
')
|
||||||
|
@ -94,7 +94,7 @@ tunable_policy(`tftp_anon_write',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
cobbler_read_content(tftpd_t)
|
cobbler_read_lib_files(tftpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -26,7 +26,7 @@ files_pid_file(iptables_var_run_t)
|
|||||||
|
|
||||||
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
|
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
|
||||||
dontaudit iptables_t self:capability sys_tty_config;
|
dontaudit iptables_t self:capability sys_tty_config;
|
||||||
allow iptables_t self:fifo_file rw_file_perms;
|
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
# needed by ipvsadm
|
# needed by ipvsadm
|
||||||
allow iptables_t self:netlink_socket create_socket_perms;
|
allow iptables_t self:netlink_socket create_socket_perms;
|
||||||
|
@ -68,8 +68,8 @@ endif
|
|||||||
|
|
||||||
# default MLS/MCS sensitivity and category settings.
|
# default MLS/MCS sensitivity and category settings.
|
||||||
MLS_SENS ?= 16
|
MLS_SENS ?= 16
|
||||||
MLS_CATS ?= 256
|
MLS_CATS ?= 1024
|
||||||
MCS_CATS ?= 256
|
MCS_CATS ?= 1024
|
||||||
|
|
||||||
ifeq ($(QUIET),y)
|
ifeq ($(QUIET),y)
|
||||||
verbose := @
|
verbose := @
|
||||||
|
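Review bot: `MLS_CATS ?= 1024` and `MCS_CATS ?= 1024` change a behavior-affecting build default — as far as the build derives the generated MCS/MLS category ranges from these variables, the upper bound of the `c0.cNNN` ranges emitted into the installed contexts changes with them — yet nothing in this commit's description ("Update f14") explains why, nor whether an existing install built with 256 categories needs its file and user contexts regenerated. A short comment next to the defaults recording the reason, e.g. `# 1024 categories: <reason for the new default>`, plus a sentence in the description, would make the intent reviewable.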