trunk: additional whitespace fixes.
This commit is contained in:
Chris PeBenito
parent
88cf0a9c2b
commit
2a98379a24
@ -68,7 +68,7 @@ template(`cdrecord_per_role_template', `
|
||||
|
||||
# allow searching for cdrom-drive
|
||||
dev_list_all_dev_nodes($1_cdrecord_t)
|
||||
|
||||
|
||||
domain_interactive_fd($1_cdrecord_t)
|
||||
domain_use_interactive_fds($1_cdrecord_t)
|
||||
|
||||
@ -80,7 +80,7 @@ template(`cdrecord_per_role_template', `
|
||||
# allow cdrecord to write the CD
|
||||
storage_raw_write_removable_device($1_cdrecord_t)
|
||||
storage_write_scsi_generic($1_cdrecord_t)
|
||||
|
||||
|
||||
libs_use_ld_so($1_cdrecord_t)
|
||||
libs_use_shared_libs($1_cdrecord_t)
|
||||
|
||||
@ -100,7 +100,7 @@ template(`cdrecord_per_role_template', `
|
||||
files_list_home($1_cdrecord_t)
|
||||
fs_read_nfs_files($1_cdrecord_t)
|
||||
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_cdrecord_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
|
||||
@ -119,7 +119,7 @@ template(`cdrecord_per_role_template', `
|
||||
fs_dontaudit_read_cifs_files($1_cdrecord_t)
|
||||
fs_dontaudit_list_cifs($1_cdrecord_t)
|
||||
')
|
||||
|
||||
|
||||
# Handle removable media, /tmp, and /home
|
||||
tunable_policy(`cdrecord_read_content',`
|
||||
userdom_list_user_tmp($1, $1_cdrecord_t)
|
||||
@ -128,7 +128,7 @@ template(`cdrecord_per_role_template', `
|
||||
userdom_search_user_home_dirs($1, $1_cdrecord_t)
|
||||
userdom_read_user_home_content_files($1, $1_cdrecord_t)
|
||||
userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
|
||||
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
',`
|
||||
fs_search_removable($1_cdrecord_t)
|
||||
@ -145,7 +145,7 @@ template(`cdrecord_per_role_template', `
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
|
||||
')
|
||||
|
||||
|
||||
# Handle default_t content
|
||||
tunable_policy(`cdrecord_read_content && read_default_t',`
|
||||
files_list_default($1_cdrecord_t)
|
||||
@ -155,7 +155,7 @@ template(`cdrecord_per_role_template', `
|
||||
files_dontaudit_read_default_files($1_cdrecord_t)
|
||||
files_dontaudit_list_default($1_cdrecord_t)
|
||||
')
|
||||
|
||||
|
||||
# Handle untrusted content
|
||||
tunable_policy(`cdrecord_read_content && read_untrusted_content',`
|
||||
files_list_tmp($1_cdrecord_t)
|
||||
@ -183,7 +183,7 @@ template(`cdrecord_per_role_template', `
|
||||
fs_read_nfs_files($1_cdrecord_t)
|
||||
fs_read_nfs_symlinks($1_cdrecord_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
resmgr_stream_connect($1_cdrecord_t)
|
||||
')
|
||||
|
||||
@ -114,7 +114,7 @@ template(`ethereal_per_role_template',`
|
||||
|
||||
corenet_tcp_connect_generic_port($1_ethereal_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_ethereal_t)
|
||||
|
||||
|
||||
dev_read_urand($1_ethereal_t)
|
||||
|
||||
files_read_etc_files($1_ethereal_t)
|
||||
@ -135,7 +135,7 @@ template(`ethereal_per_role_template',`
|
||||
sysnet_read_config($1_ethereal_t)
|
||||
|
||||
userdom_manage_user_home_content_files($1, $1_ethereal_t)
|
||||
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_ethereal_t)
|
||||
fs_manage_nfs_files($1_ethereal_t)
|
||||
@ -162,7 +162,7 @@ template(`ethereal_per_role_template',`
|
||||
xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets($1_ethereal_t)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Why does it write this?
|
||||
optional_policy(`
|
||||
@ -173,7 +173,7 @@ template(`ethereal_per_role_template',`
|
||||
gnome_file_dialog($1_ethereal, $1)
|
||||
# FIXME: policy is incomplete
|
||||
')
|
||||
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -204,7 +204,7 @@ template(`ethereal_admin_template',`
|
||||
allow $1_ethereal_t self:packet_socket create_socket_perms;
|
||||
allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_ethereal_t self:tcp_socket create_socket_perms;
|
||||
|
||||
|
||||
userdom_use_user_terminals($1, $1_ethereal_t)
|
||||
# Ethereal tries to write to user terminal
|
||||
userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
|
||||
|
||||
@ -53,7 +53,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
type $1_evolution_orbit_tmp_t;
|
||||
files_tmp_file($1_evolution_orbit_tmp_t)
|
||||
|
||||
|
||||
type $1_evolution_alarm_t;
|
||||
application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
|
||||
role $3 types $1_evolution_alarm_t;
|
||||
@ -153,7 +153,7 @@ template(`evolution_per_role_template',`
|
||||
allow $1_evolution_t $2:file read;
|
||||
|
||||
domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
|
||||
|
||||
|
||||
allow $2 $1_evolution_t:unix_stream_socket connectto;
|
||||
allow $2 $1_evolution_t:process noatsecure;
|
||||
allow $2 $1_evolution_t:process signal_perms;
|
||||
@ -267,7 +267,7 @@ template(`evolution_per_role_template',`
|
||||
files_list_home($1_evolution_t)
|
||||
fs_read_nfs_files($1_evolution_t)
|
||||
fs_read_nfs_symlinks($1_evolution_t)
|
||||
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_evolution_t)
|
||||
@ -294,7 +294,7 @@ template(`evolution_per_role_template',`
|
||||
userdom_search_user_home_dirs($1, $1_evolution_t)
|
||||
userdom_read_user_home_content_files($1, $1_evolution_t)
|
||||
userdom_read_user_home_content_symlinks($1, $1_evolution_t)
|
||||
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable($1_evolution_t)
|
||||
fs_read_removable_files($1_evolution_t)
|
||||
@ -324,7 +324,7 @@ template(`evolution_per_role_template',`
|
||||
files_list_tmp($1_evolution_t)
|
||||
files_list_home($1_evolution_t)
|
||||
userdom_search_user_home_dirs($1,$1_evolution_t)
|
||||
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_evolution_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
|
||||
@ -343,7 +343,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_t)
|
||||
fs_manage_nfs_dirs($1_evolution_t)
|
||||
fs_manage_nfs_files($1_evolution_t)
|
||||
@ -356,7 +356,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
|
||||
fs_search_auto_mountpoints($1_evolution_t)
|
||||
fs_manage_cifs_dirs($1_evolution_t)
|
||||
fs_manage_cifs_files($1_evolution_t)
|
||||
@ -369,7 +369,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
files_search_home($1_evolution_t)
|
||||
|
||||
|
||||
userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
|
||||
userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
|
||||
userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
|
||||
@ -377,7 +377,7 @@ template(`evolution_per_role_template',`
|
||||
',`
|
||||
files_dontaudit_list_home($1_evolution_t)
|
||||
files_dontaudit_list_tmp($1_evolution_t)
|
||||
|
||||
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
|
||||
#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
|
||||
#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
|
||||
@ -449,12 +449,12 @@ template(`evolution_per_role_template',`
|
||||
# (different from home, not directly accessible from ROLE_t)
|
||||
type $1_evolutioin_secret_t;
|
||||
userdom_user_home_content($1,$1_evolutioin_secret_t)
|
||||
|
||||
|
||||
# Put secret files in .gnome2_private
|
||||
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
|
||||
allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
|
||||
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
|
||||
|
||||
|
||||
allow $2 $1_evolution_secret_t:file unlink;
|
||||
|
||||
ifdef(`TODO',`
|
||||
@ -503,7 +503,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
libs_use_ld_so($1_evolution_alarm_t)
|
||||
libs_use_shared_libs($1_evolution_alarm_t)
|
||||
|
||||
|
||||
miscfiles_read_localization($1_evolution_alarm_t)
|
||||
|
||||
# Access evolution home
|
||||
@ -588,7 +588,7 @@ template(`evolution_per_role_template',`
|
||||
|
||||
# Transition from user domain
|
||||
domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
|
||||
|
||||
|
||||
kernel_read_network_state($1_evolution_exchange_t)
|
||||
kernel_read_net_sysctls($1_evolution_exchange_t)
|
||||
|
||||
@ -607,7 +607,7 @@ template(`evolution_per_role_template',`
|
||||
libs_use_shared_libs($1_evolution_exchange_t)
|
||||
|
||||
miscfiles_read_localization($1_evolution_exchange_t)
|
||||
|
||||
|
||||
# Access evolution home
|
||||
userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
|
||||
# FIXME: suppress access to .local/.icons/.themes until properly implemented
|
||||
@ -629,7 +629,7 @@ template(`evolution_per_role_template',`
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_evolution_exchange_t)
|
||||
')
|
||||
@ -740,7 +740,7 @@ template(`evolution_per_role_template',`
|
||||
#
|
||||
|
||||
allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
|
||||
|
||||
|
||||
# X/evolution common stuff
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
|
||||
allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
|
||||
|
||||
@ -55,7 +55,7 @@ template(`games_per_role_template',`
|
||||
|
||||
type $1_games_tmp_t;
|
||||
files_tmp_file($1_games_tmp_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -136,7 +136,7 @@ template(`games_per_role_template',`
|
||||
userdom_manage_user_tmp_sockets($1,$1_games_t)
|
||||
# Suppress .icons denial until properly implemented
|
||||
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
|
||||
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow $1_games_t self:process execmem;
|
||||
')
|
||||
|
||||
@ -108,7 +108,7 @@ template(`gnome_per_role_template',`
|
||||
xserver_rw_xdm_pipes($1_gconfd_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## gconf connection template.
|
||||
|
||||
@ -55,7 +55,7 @@ template(`irc_per_role_template',`
|
||||
|
||||
type $1_irc_tmp_t;
|
||||
userdom_user_home_content($1, $1_irc_tmp_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -80,13 +80,13 @@ template(`irc_per_role_template',`
|
||||
|
||||
# Transition from the user domain to the derived domain.
|
||||
domtrans_pattern($2, irc_exec_t, $1_irc_t)
|
||||
|
||||
|
||||
allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
|
||||
|
||||
# allow ps to show irc
|
||||
ps_process_pattern($2, $1_irc_t)
|
||||
allow $2 $1_irc_t:process signal;
|
||||
|
||||
|
||||
kernel_read_proc_symlinks($1_irc_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_irc_t)
|
||||
|
||||
@ -36,7 +36,7 @@ template(`java_per_role_template',`
|
||||
gen_require(`
|
||||
type java_exec_t;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
@ -45,13 +45,13 @@ template(`java_per_role_template',`
|
||||
type $1_javaplugin_t;
|
||||
application_domain($1_javaplugin_t, java_exec_t)
|
||||
role $3 types $1_javaplugin_t;
|
||||
|
||||
|
||||
type $1_javaplugin_tmp_t;
|
||||
files_tmp_file($1_javaplugin_tmp_t)
|
||||
|
||||
type $1_javaplugin_tmpfs_t;
|
||||
files_tmpfs_file($1_javaplugin_tmpfs_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -61,7 +61,7 @@ template(`java_per_role_template',`
|
||||
allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
|
||||
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
|
||||
allow $1_javaplugin_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
||||
allow $1_javaplugin_t $2:unix_stream_socket connectto;
|
||||
allow $1_javaplugin_t $2:unix_stream_socket { read write };
|
||||
userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
|
||||
@ -80,14 +80,14 @@ template(`java_per_role_template',`
|
||||
read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
|
||||
|
||||
can_exec($1_javaplugin_t, java_exec_t)
|
||||
|
||||
|
||||
# The user role is authorized for this domain.
|
||||
domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
|
||||
allow $1_javaplugin_t $2:fd use;
|
||||
# Unrestricted inheritance from the caller.
|
||||
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1_javaplugin_t $2:process signull;
|
||||
|
||||
|
||||
kernel_read_all_sysctls($1_javaplugin_t)
|
||||
kernel_search_vm_sysctl($1_javaplugin_t)
|
||||
kernel_read_network_state($1_javaplugin_t)
|
||||
|
||||
@ -68,14 +68,14 @@ template(`lockdev_per_role_template',`
|
||||
files_read_all_locks($1_lockdev_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_lockdev_t)
|
||||
|
||||
|
||||
libs_use_ld_so($1_lockdev_t)
|
||||
libs_use_shared_libs($1_lockdev_t)
|
||||
|
||||
logging_send_syslog_msg($1_lockdev_t)
|
||||
|
||||
userdom_use_user_terminals($1, $1_lockdev_t)
|
||||
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg($1_t)
|
||||
')
|
||||
|
||||
@ -111,7 +111,7 @@ template(`mozilla_per_role_template',`
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2, $1_mozilla_t)
|
||||
allow $2 $1_mozilla_t:process signal_perms;
|
||||
|
||||
|
||||
kernel_read_kernel_sysctls($1_mozilla_t)
|
||||
kernel_read_network_state($1_mozilla_t)
|
||||
# Access /proc, sysctl
|
||||
@ -171,7 +171,7 @@ template(`mozilla_per_role_template',`
|
||||
fs_rw_tmpfs_files($1_mozilla_t)
|
||||
|
||||
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
|
||||
|
||||
|
||||
libs_use_ld_so($1_mozilla_t)
|
||||
libs_use_shared_libs($1_mozilla_t)
|
||||
|
||||
@ -183,14 +183,14 @@ template(`mozilla_per_role_template',`
|
||||
# Browse the web, connect to printer
|
||||
sysnet_dns_name_resolve($1_mozilla_t)
|
||||
sysnet_read_config($1_mozilla_t)
|
||||
|
||||
|
||||
userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
|
||||
userdom_manage_user_home_content_files($1, $1_mozilla_t)
|
||||
userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
|
||||
userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
|
||||
userdom_manage_user_tmp_files($1, $1_mozilla_t)
|
||||
userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
|
||||
|
||||
|
||||
xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
|
||||
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
|
||||
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
|
||||
@ -217,7 +217,7 @@ template(`mozilla_per_role_template',`
|
||||
files_list_home($1_mozilla_t)
|
||||
fs_read_nfs_files($1_mozilla_t)
|
||||
fs_read_nfs_symlinks($1_mozilla_t)
|
||||
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_mozilla_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
|
||||
@ -244,7 +244,7 @@ template(`mozilla_per_role_template',`
|
||||
userdom_search_user_home_dirs($1, $1_mozilla_t)
|
||||
userdom_read_user_home_content_files($1, $1_mozilla_t)
|
||||
userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
|
||||
|
||||
|
||||
ifdef(`enable_mls',`',`
|
||||
fs_search_removable($1_mozilla_t)
|
||||
fs_read_removable_files($1_mozilla_t)
|
||||
@ -274,7 +274,7 @@ template(`mozilla_per_role_template',`
|
||||
files_list_tmp($1_mozilla_t)
|
||||
files_list_home($1_mozilla_t)
|
||||
userdom_search_user_home_dirs($1, $1_mozilla_t)
|
||||
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_mozilla_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
|
||||
@ -389,7 +389,7 @@ template(`mozilla_per_role_template',`
|
||||
#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
|
||||
#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
|
||||
#')
|
||||
|
||||
|
||||
# Macros for mozilla/mozilla (or other browser) domains.
|
||||
# FIXME: Rules were removed to centralize policy in a gnome_app macro
|
||||
# A similar thing might be necessary for mozilla compiled without GNOME
|
||||
|
||||
@ -70,7 +70,7 @@ template(`mplayer_per_role_template',`
|
||||
allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
|
||||
read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
|
||||
|
||||
|
||||
# domain transition
|
||||
domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
|
||||
|
||||
@ -150,7 +150,7 @@ template(`mplayer_per_role_template',`
|
||||
files_list_home($1_mencoder_t)
|
||||
fs_read_nfs_files($1_mencoder_t)
|
||||
fs_read_nfs_symlinks($1_mencoder_t)
|
||||
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_mencoder_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
|
||||
@ -182,7 +182,7 @@ template(`mplayer_per_role_template',`
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
files_list_tmp($1_mencoder_t)
|
||||
files_list_home($1_mencoder_t)
|
||||
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_mencoder_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_mencoder_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t)
|
||||
@ -342,7 +342,7 @@ template(`mplayer_per_role_template',`
|
||||
userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
|
||||
|
||||
xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
|
||||
|
||||
|
||||
# Read songs
|
||||
ifdef(`enable_mls',`',`
|
||||
fs_search_removable($1_mplayer_t)
|
||||
@ -384,7 +384,7 @@ template(`mplayer_per_role_template',`
|
||||
files_list_home($1_mplayer_t)
|
||||
fs_read_nfs_files($1_mplayer_t)
|
||||
fs_read_nfs_symlinks($1_mplayer_t)
|
||||
|
||||
|
||||
',`
|
||||
files_dontaudit_list_home($1_mplayer_t)
|
||||
fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
|
||||
@ -416,7 +416,7 @@ template(`mplayer_per_role_template',`
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
files_list_tmp($1_mplayer_t)
|
||||
files_list_home($1_mplayer_t)
|
||||
|
||||
|
||||
userdom_list_user_untrusted_content($1, $1_mplayer_t)
|
||||
userdom_read_user_untrusted_content_files($1, $1_mplayer_t)
|
||||
userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t)
|
||||
|
||||
@ -55,7 +55,7 @@ template(`screen_per_role_template',`
|
||||
|
||||
type $1_screen_var_run_t;
|
||||
files_pid_file($1_screen_var_run_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -97,7 +97,7 @@ template(`screen_per_role_template',`
|
||||
relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
|
||||
relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
|
||||
relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
|
||||
|
||||
|
||||
kernel_read_system_state($1_screen_t)
|
||||
kernel_read_kernel_sysctls($1_screen_t)
|
||||
|
||||
|
||||
@ -49,7 +49,7 @@ template(`thunderbird_per_role_template',`
|
||||
|
||||
type $1_thunderbird_tmpfs_t;
|
||||
files_tmpfs_file($1_thunderbird_tmpfs_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -94,12 +94,12 @@ template(`thunderbird_per_role_template',`
|
||||
relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
|
||||
relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
|
||||
relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
|
||||
|
||||
|
||||
# Allow netstat
|
||||
kernel_read_network_state($1_thunderbird_t)
|
||||
kernel_read_net_sysctls($1_thunderbird_t)
|
||||
kernel_read_system_state($1_thunderbird_t)
|
||||
|
||||
|
||||
# Startup shellscript
|
||||
corecmd_exec_shell($1_thunderbird_t)
|
||||
|
||||
@ -144,7 +144,7 @@ template(`thunderbird_per_role_template',`
|
||||
fs_list_inotifyfs($1_thunderbird_t)
|
||||
# Access ~/.thunderbird
|
||||
fs_search_auto_mountpoints($1_thunderbird_t)
|
||||
|
||||
|
||||
auth_use_nsswitch($1_thunderbird_t)
|
||||
|
||||
libs_use_shared_libs($1_thunderbird_t)
|
||||
@ -204,14 +204,14 @@ template(`thunderbird_per_role_template',`
|
||||
fs_dontaudit_read_cifs_files($1_thunderbird_t)
|
||||
fs_dontaudit_list_cifs($1_thunderbird_t)
|
||||
')
|
||||
|
||||
|
||||
tunable_policy(`mail_read_content',`
|
||||
userdom_list_user_tmp($1, $1_thunderbird_t)
|
||||
userdom_read_user_tmp_files($1, $1_thunderbird_t)
|
||||
userdom_read_user_tmp_symlinks($1, $1_thunderbird_t)
|
||||
userdom_search_user_home_dirs($1, $1_thunderbird_t)
|
||||
userdom_read_user_home_content_files($1, $1_thunderbird_t)
|
||||
|
||||
|
||||
ifndef(`enable_mls',`
|
||||
fs_search_removable($1_thunderbird_t)
|
||||
fs_read_removable_files($1_thunderbird_t)
|
||||
@ -229,7 +229,7 @@ template(`thunderbird_per_role_template',`
|
||||
userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
|
||||
userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t)
|
||||
')
|
||||
|
||||
|
||||
tunable_policy(`mail_read_content && read_default_t',`
|
||||
files_list_default($1_thunderbird_t)
|
||||
files_read_default_files($1_thunderbird_t)
|
||||
@ -238,7 +238,7 @@ template(`thunderbird_per_role_template',`
|
||||
files_dontaudit_read_default_files($1_thunderbird_t)
|
||||
files_dontaudit_list_default($1_thunderbird_t)
|
||||
')
|
||||
|
||||
|
||||
tunable_policy(`mail_read_content && read_untrusted_content',`
|
||||
files_list_tmp($1_thunderbird_t)
|
||||
files_list_home($1_thunderbird_t)
|
||||
@ -274,7 +274,7 @@ template(`thunderbird_per_role_template',`
|
||||
fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
|
||||
fs_dontaudit_manage_nfs_files($1_thunderbird_t)
|
||||
')
|
||||
|
||||
|
||||
# Manage samba homedirs
|
||||
tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
|
||||
files_search_home($1_thunderbird_t)
|
||||
@ -288,7 +288,7 @@ template(`thunderbird_per_role_template',`
|
||||
fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
|
||||
fs_dontaudit_manage_cifs_files($1_thunderbird_t)
|
||||
')
|
||||
|
||||
|
||||
# Manage /tmp and /home
|
||||
tunable_policy(`write_untrusted_content',`
|
||||
files_search_home($1_thunderbird_t)
|
||||
|
||||
@ -55,7 +55,7 @@ template(`tvtime_per_role_template',`
|
||||
|
||||
type $1_tvtime_tmpfs_t;
|
||||
files_tmpfs_file($1_tvtime_tmpfs_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -96,7 +96,7 @@ template(`tvtime_per_role_template',`
|
||||
# Allow the user domain to signal/ps.
|
||||
ps_process_pattern($2,$1_tvtime_t)
|
||||
allow $2 $1_tvtime_t:process signal_perms;
|
||||
|
||||
|
||||
kernel_read_all_sysctls($1_tvtime_t)
|
||||
kernel_get_sysvipc_info($1_tvtime_t)
|
||||
|
||||
@ -111,7 +111,7 @@ template(`tvtime_per_role_template',`
|
||||
|
||||
# X access, Home files
|
||||
fs_search_auto_mountpoints($1_tvtime_t)
|
||||
|
||||
|
||||
libs_use_ld_so($1_tvtime_t)
|
||||
libs_use_shared_libs($1_tvtime_t)
|
||||
|
||||
@ -120,7 +120,7 @@ template(`tvtime_per_role_template',`
|
||||
|
||||
userdom_use_user_terminals($1, $1_tvtime_t)
|
||||
userdom_read_user_home_content_files($1, $1_tvtime_t)
|
||||
|
||||
|
||||
# X access, Home files
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_tvtime_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
## <summary>Policy for UML</summary>
|
||||
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per role template for the uml module.
|
||||
@ -142,7 +142,7 @@ template(`uml_per_role_template',`
|
||||
# for mconsole
|
||||
allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
|
||||
allow $1_uml_t $2:unix_dgram_socket sendto;
|
||||
|
||||
|
||||
kernel_read_system_state($1_uml_t)
|
||||
# for SKAS - need something better
|
||||
kernel_write_proc_files($1_uml_t)
|
||||
@ -161,7 +161,7 @@ template(`uml_per_role_template',`
|
||||
corenet_tcp_connect_all_ports($1_uml_t)
|
||||
corenet_sendrecv_all_client_packets($1_uml_t)
|
||||
corenet_rw_tun_tap_dev($1_uml_t)
|
||||
|
||||
|
||||
domain_use_interactive_fds($1_uml_t)
|
||||
|
||||
# for xterm
|
||||
|
||||
@ -49,7 +49,7 @@ template(`userhelper_per_role_template',`
|
||||
domain_interactive_fd($1_userhelper_t)
|
||||
domain_subj_id_change_exemption($1_userhelper_t)
|
||||
role $3 types $1_userhelper_t;
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -78,7 +78,7 @@ template(`userhelper_per_role_template',`
|
||||
can_exec($1_userhelper_t, userhelper_exec_t)
|
||||
|
||||
dontaudit $2 $1_userhelper_t:process signal;
|
||||
|
||||
|
||||
kernel_read_all_sysctls($1_userhelper_t)
|
||||
kernel_getattr_debugfs($1_userhelper_t)
|
||||
kernel_read_system_state($1_userhelper_t)
|
||||
@ -164,7 +164,7 @@ template(`userhelper_per_role_template',`
|
||||
sysadm_bin_spec_domtrans($1_userhelper_t)
|
||||
sysadm_entry_spec_domtrans($1_userhelper_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
ethereal_domtrans_user_ethereal($1, $1_userhelper_t)
|
||||
')
|
||||
|
||||
@ -114,7 +114,7 @@ template(`wireshark_per_role_template',`
|
||||
|
||||
corenet_tcp_connect_generic_port($1_wireshark_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_wireshark_t)
|
||||
|
||||
|
||||
dev_read_urand($1_wireshark_t)
|
||||
|
||||
files_read_etc_files($1_wireshark_t)
|
||||
@ -135,7 +135,7 @@ template(`wireshark_per_role_template',`
|
||||
sysnet_read_config($1_wireshark_t)
|
||||
|
||||
userdom_manage_user_home_content_files($1, $1_wireshark_t)
|
||||
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_wireshark_t)
|
||||
fs_manage_nfs_files($1_wireshark_t)
|
||||
@ -162,7 +162,7 @@ template(`wireshark_per_role_template',`
|
||||
xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t)
|
||||
xserver_create_xdm_tmp_sockets($1_wireshark_t)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Why does it write this?
|
||||
optional_policy(`
|
||||
@ -173,7 +173,7 @@ template(`wireshark_per_role_template',`
|
||||
gnome_file_dialog($1_wireshark, $1)
|
||||
# FIXME: policy is incomplete
|
||||
')
|
||||
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -204,7 +204,7 @@ template(`wireshark_admin_template',`
|
||||
allow $1_wireshark_t self:packet_socket create_socket_perms;
|
||||
allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_wireshark_t self:tcp_socket create_socket_perms;
|
||||
|
||||
|
||||
userdom_use_user_terminals($1, $1_wireshark_t)
|
||||
# wireshark tries to write to user terminal
|
||||
userdom_dontaudit_use_user_terminals($1, $1_wireshark_t)
|
||||
|
||||
@ -19,7 +19,6 @@ interface(`aide_domtrans',`
|
||||
domtrans_pattern($1, aide_exec_t, aide_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute aide programs in the AIDE domain.
|
||||
|
||||
@ -37,7 +37,6 @@ interface(`apcupsd_read_pid_files',`
|
||||
allow $1 apcupsd_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read apcupsd's log files.
|
||||
|
||||
@ -110,10 +110,10 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
apache_content_template(apcupsd_cgi)
|
||||
|
||||
|
||||
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
|
||||
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
|
||||
corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
|
||||
@ -123,6 +123,6 @@ optional_policy(`
|
||||
corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
|
||||
corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
|
||||
|
||||
|
||||
sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
|
||||
')
|
||||
|
||||
@ -14,7 +14,6 @@ type apm_exec_t;
|
||||
application_domain(apm_t, apm_exec_t)
|
||||
role system_r types apm_t;
|
||||
|
||||
|
||||
type apmd_log_t;
|
||||
logging_log_file(apmd_log_t)
|
||||
|
||||
|
||||
@ -284,9 +284,9 @@ interface(`bind_admin',`
|
||||
|
||||
allow $1 named_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, named_t)
|
||||
|
||||
|
||||
allow $1 ndc_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ndc_t)
|
||||
|
||||
|
||||
bind_run_ndc($1, $2, $3)
|
||||
')
|
||||
|
||||
@ -41,7 +41,7 @@ template(`bluetooth_per_role_template',`
|
||||
type $1_bluetooth_t, bluetooth_helper_domain;
|
||||
application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
|
||||
role $3 types $1_bluetooth_t;
|
||||
|
||||
|
||||
type $1_bluetooth_tmp_t;
|
||||
files_tmp_file($1_bluetooth_tmp_t)
|
||||
|
||||
|
||||
@ -63,7 +63,7 @@ interface(`cvs_admin',`
|
||||
|
||||
allow $1 cvs_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cvs_t)
|
||||
|
||||
|
||||
# Allow cvs_t to restart the apache service
|
||||
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -20,7 +20,6 @@ interface(`cyrus_manage_data',`
|
||||
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to Cyrus using a unix domain stream socket.
|
||||
@ -81,4 +80,3 @@ interface(`cyrus_admin',`
|
||||
admin_pattern($1, cyrus_var_run_t)
|
||||
')
|
||||
|
||||
|
||||
|
||||
@ -34,6 +34,3 @@ ifdef(`distro_redhat', `
|
||||
|
||||
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -283,7 +283,6 @@ interface(`hal_read_pid_files',`
|
||||
allow $1 hald_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/Write hald PID files.
|
||||
|
||||
@ -156,7 +156,6 @@ interface(`inn_dgram_send',`
|
||||
allow $1 innd_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute inn in the inn domain.
|
||||
|
||||
@ -53,7 +53,6 @@ interface(`ldap_use',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to slapd over an unix stream socket.
|
||||
|
||||
@ -62,7 +62,7 @@ template(`lpd_per_role_template',`
|
||||
allow $1_lpr_t self:tcp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:udp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
|
||||
can_exec($1_lpr_t,lpr_exec_t)
|
||||
|
||||
tunable_policy(`use_lpd_server',`
|
||||
@ -133,7 +133,7 @@ template(`lpd_per_role_template',`
|
||||
# Access the terminal.
|
||||
term_use_controlling_term($1_lpr_t)
|
||||
term_use_generic_ptys($1_lpr_t)
|
||||
|
||||
|
||||
libs_use_ld_so($1_lpr_t)
|
||||
libs_use_shared_libs($1_lpr_t)
|
||||
|
||||
|
||||
@ -7,4 +7,3 @@ HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
|
||||
|
||||
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
|
||||
|
||||
|
||||
|
||||
@ -331,7 +331,7 @@ interface(`ppp_admin',`
|
||||
|
||||
allow $1 pppd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, pppd_t)
|
||||
|
||||
|
||||
files_list_tmp($1)
|
||||
manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t)
|
||||
|
||||
|
||||
@ -37,7 +37,6 @@ interface(`rpcbind_read_pid_files',`
|
||||
allow $1 rpcbind_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search rpcbind lib directories.
|
||||
@ -121,7 +120,7 @@ interface(`rpcbind_admin',`
|
||||
|
||||
allow $1 rpcbind_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, rpcbind_t)
|
||||
|
||||
|
||||
init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 rpcbind_initrc_exec_t system_r;
|
||||
|
||||
@ -57,7 +57,6 @@ interface(`rwho_read_log_files',`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search rwho spool directories.
|
||||
|
||||
@ -491,7 +491,7 @@ interface(`samba_stream_connect_winbind',`
|
||||
files_search_pids($1)
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
||||
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
gen_require(`
|
||||
type winbind_tmp_t;
|
||||
|
||||
@ -650,7 +650,6 @@ optional_policy(`
|
||||
# Winbind local policy
|
||||
#
|
||||
|
||||
|
||||
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
allow winbind_t self:process signal_perms;
|
||||
|
||||
@ -105,7 +105,7 @@ interface(`snmp_admin',`
|
||||
|
||||
allow $1 snmpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, snmpd_t)
|
||||
|
||||
|
||||
logging_list_logs($1)
|
||||
manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
|
||||
|
||||
|
||||
@ -195,7 +195,7 @@ interface(`squid_admin',`
|
||||
|
||||
allow $1 squid_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, squid_t)
|
||||
|
||||
|
||||
init_labeled_script_domtrans($1, squid_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 squid_initrc_exec_t system_r;
|
||||
|
||||
@ -19,7 +19,7 @@ interface(`tftp_admin',`
|
||||
|
||||
allow $1 tftpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, tftpd_t)
|
||||
|
||||
|
||||
admin_pattern($1, tftpdir_rw_t)
|
||||
|
||||
admin_pattern($1, tftpdir_t)
|
||||
|
||||
@ -82,7 +82,7 @@ interface(`uucp_admin',`
|
||||
|
||||
allow $1 uucpd_t:process { ptrace signal_perms getattr };
|
||||
ps_process_pattern($1, uucpd_t)
|
||||
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, uucpd_log_t)
|
||||
|
||||
|
||||
@ -102,12 +102,12 @@ interface(`zabbix_admin',`
|
||||
|
||||
allow $1 zabbix_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, zabbix_t)
|
||||
|
||||
|
||||
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 zabbix_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, zabbix_log_t)
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ interface(`zebra_admin',`
|
||||
|
||||
allow $1 zebra_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, zebra_t)
|
||||
|
||||
|
||||
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 zebra_initrc_exec_t system_r;
|
||||
@ -56,7 +56,7 @@ interface(`zebra_admin',`
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, zebra_conf_t)
|
||||
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, zebra_log_t)
|
||||
|
||||
|
||||
@ -307,7 +307,7 @@ ifdef(`distro_ubuntu',`
|
||||
unconfined_domain(ifconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
|
||||
@ -1272,7 +1272,7 @@ template(`userdom_admin_user_template',`
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
domain_system_change_exemption($1_t)
|
||||
')
|
||||
|
||||
|
||||
typeattribute $1_devpts_t admin_terminal;
|
||||
|
||||
typeattribute $1_tty_device_t admin_terminal;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user