add prelink.
parent
3c4d75944a
commit
2c243586e5
@ -3,7 +3,7 @@
|
||||
- Add apache relay and db connect tunables.
|
||||
- Rename texrel_shlib_t to textrel_shlib_t.
|
||||
- Add swat to samba module.
|
||||
- Miscellaneous fixes from Dan Walsh.
|
||||
- Numerous miscellaneous fixes from Dan Walsh.
|
||||
- Added modules:
|
||||
automount
|
||||
ddcprobe
|
||||
@ -12,6 +12,7 @@
|
||||
lockdev
|
||||
logwatch (Dan Walsh)
|
||||
openct
|
||||
prelink (Dan Walsh)
|
||||
readahead
|
||||
roundup
|
||||
screen
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(amanda,1.1.0)
|
||||
policy_module(amanda,1.1.1)
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -77,6 +77,10 @@ role system_r types amanda_recover_t;
|
||||
type amanda_recover_dir_t;
|
||||
files_type(amanda_recover_dir_t)
|
||||
|
||||
optional_policy(`prelink',`
|
||||
prelink_object_file(amanda_usr_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Amanda local policy
|
||||
|
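--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.fc
@@ -0,0 +1,6 @@
+
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+
+/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
+
+/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)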
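--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.if
@@ -0,0 +1,92 @@
+## <summary>Prelink ELF shared library mappings.</summary>
+
+########################################
+## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`prelink_domtrans',`
+gen_require(`
+type prelink_t, prelink_exec_t;
+')
+
+corecmd_search_sbin($1)
+domain_auto_trans($1, prelink_exec_t, prelink_t)
+
+allow $1 prelink_t:fd use;
+allow prelink_t $1:fd use;
+allow prelink_t $1:fifo_file rw_file_perms;
+allow prelink_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Make the specified file type prelinkable.
+## </summary>
+## <param name="file_type">
+## File type to be prelinked.
+## </param>
+#
+# cjp: added for misc non-entrypoint objects
+interface(`prelink_object_file',`
+gen_require(`
+attribute prelink_object;
+')
+
+typeattribute $1 prelink_object;
+')
+
+########################################
+## <summary>
+## Read the prelink cache.
+## </summary>
+## <param name="file_type">
+## Domain allowed access.
+## </param>
+#
+interface(`prelink_read_cache',`
+gen_require(`
+type prelink_cache_t;
+')
+
+files_search_etc($1)
+allow $1 prelink_cache_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Delete the prelink cache.
+## </summary>
+## <param name="file_type">
+## Domain allowed access.
+## </param>
+#
+interface(`prelink_delete_cache',`
+gen_require(`
+type prelink_cache_t;
+')
+
+allow $1 prelink_cache_t:file unlink;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## prelink log files.
+## </summary>
+## <param name="file_type">
+## Domain allowed access.
+## </param>
+#
+interface(`prelink_manage_log',`
+gen_require(`
+type prelink_log_t;
+')
+
+logging_search_logs($1)
+allow $1 prelink_log_t:dir rw_dir_perms;
+allow $1 prelink_log_t:file create_file_perms;
+')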
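Review bot: `prelink_delete_cache` grants only `allow $1 prelink_cache_t:file unlink;`, but unlinking /etc/prelink.cache also needs search and remove_name on the /etc directory, which this interface does not supply; the call site `prelink_delete_cache(system_crond_t)` in cron.te will therefore still be denied unless system_crond_t already holds write access to etc_t elsewhere, so the interface should at least add `files_search_etc($1)` as prelink_read_cache does and its summary should say the caller needs write access to the containing directory. Separately, prelink_read_cache, prelink_delete_cache and prelink_manage_log declare their argument as `<param name="file_type">` while describing it as "Domain allowed access."; the name should be `domain`, as in prelink_domtrans. The `allow $1 prelink_log_t:dir rw_dir_perms;` rule in prelink_manage_log has nothing to match, since prelink.fc in this commit labels only the file /var/log/prelink.log with prelink_log_t.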
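--- /dev/null
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -0,0 +1,79 @@
+
+policy_module(prelink,1.0.0)
+
+########################################
+#
+# Declarations
+
+attribute prelink_object;
+
+type prelink_t;
+type prelink_exec_t;
+init_system_domain(prelink_t,prelink_exec_t)
+
+type prelink_cache_t;
+files_type(prelink_cache_t)
+
+type prelink_log_t;
+logging_log_file(prelink_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow prelink_t self:capability { chown dac_override fowner fsetid };
+allow prelink_t self:process { execheap execmem execstack };
+allow prelink_t self:fifo_file rw_file_perms;
+
+allow prelink_t prelink_cache_t:file manage_file_perms;
+files_create_etc_config(prelink_t, prelink_cache_t, file)
+
+allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:file { create ra_file_perms };
+allow prelink_t prelink_log_t:lnk_file read;
+logging_create_log(prelink_t, prelink_log_t)
+
+# prelink misc objects that are not system
+# libraries or entrypoints
+allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+
+kernel_read_system_state(prelink_t)
+kernel_dontaudit_search_kernel_sysctl(prelink_t)
+kernel_dontaudit_search_sysctl(prelink_t)
+
+corecmd_manage_bin_files(prelink_t)
+corecmd_relabel_bin_files(prelink_t)
+corecmd_mmap_bin_files(prelink_t)
+corecmd_manage_sbin_files(prelink_t)
+corecmd_relabel_sbin_files(prelink_t)
+corecmd_mmap_sbin_files(prelink_t)
+
+dev_read_urand(prelink_t)
+
+domain_manage_all_entry_files(prelink_t)
+domain_relabel_all_entry_files(prelink_t)
+domain_mmap_all_entry_files(prelink_t)
+
+files_list_all(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dir(prelink_t)
+files_read_etc_runtime_files(prelink_t)
+
+fs_getattr_xattr_fs(prelink_t)
+
+libs_use_ld_so(prelink_t)
+libs_manage_ld_so(prelink_t)
+libs_relabel_ld_so(prelink_t)
+libs_use_shared_libs(prelink_t)
+libs_manage_shared_libs(prelink_t)
+libs_relabel_shared_libs(prelink_t)
+libs_use_lib(prelink_t)
+libs_manage_lib_files(prelink_t)
+libs_relabel_lib_files(prelink_t)
+
+miscfiles_read_localization(prelink_t)
+
+optional_policy(`cron',`
+cron_system_entry(prelink_t, prelink_exec_t)
+')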
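Review bot: `allow prelink_t self:process { execheap execmem execstack };` together with the manage and relabel calls over all entrypoint files, bin_t/sbin_t, ld.so and shared libraries (corecmd_manage_*, domain_manage_all_entry_files, domain_relabel_all_entry_files, libs_manage_*, libs_relabel_*) lets prelink_t rewrite and relabel every executable object on the system, yet nothing in the file says so. A comment under `# Local policy` such as `# prelink rewrites ELF executables and libraries in place and relabels them; prelink_t is as trusted as the code it modifies, so keep its entry points (init_system_domain, cron_system_entry, prelink_domtrans) minimal` would make that explicit for later reviewers, and the execheap/execmem/execstack triple deserves its own why-comment, since which of the three prelink actually needs is not evident from here. `files_write_non_security_dir(prelink_t)` is similarly broad and undocumented. Also, `allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };` and `allow prelink_t prelink_log_t:lnk_file read;` have no matching directory or symlink in prelink.fc, which labels only the file /var/log/prelink.log.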
@ -188,6 +188,57 @@ interface(`corecmd_exec_bin',`
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete bin files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_manage_bin_files',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir rw_dir_perms;
|
||||
allow $1 bin_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the bin type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_relabel_bin_files',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap a bin file as executable.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_mmap_bin_files',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
allow $1 bin_t:dir search_dir_perms;
|
||||
allow $1 bin_t:file { getattr read execute };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a file in a bin directory
|
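Review bot: `corecmd_relabel_bin_files` grants `allow $1 bin_t:file { relabelfrom relabelto };`, and relabelto bin_t lets the caller turn an arbitrary file into one executable by every domain that can execute bin_t files; the summary "Relabel to and from the bin type." does not convey that this is code-integrity authority. Suggest extending it to `## Relabel to and from the bin type. relabelto lets the caller create new system binaries; grant only to trusted domains.`, and the same wording applies to corecmd_relabel_sbin_files in the next hunk. As a point of style, the three bin_t interfaces here lack the `# cjp: added for prelink` provenance comment that their sbin_t counterparts in the next hunk carry.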
||||
@ -389,7 +440,60 @@ interface(`corecmd_exec_sbin',`
|
||||
allow $1 sbin_t:dir r_dir_perms;
|
||||
allow $1 sbin_t:lnk_file r_file_perms;
|
||||
can_exec($1,sbin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete sbin files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_manage_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir rw_dir_perms;
|
||||
allow $1 sbin_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the sbin type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_relabel_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap a sbin file as executable.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`corecmd_mmap_sbin_files',`
|
||||
gen_require(`
|
||||
type sbin_t;
|
||||
')
|
||||
|
||||
allow $1 sbin_t:dir search_dir_perms;
|
||||
allow $1 sbin_t:file { getattr read execute };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.1.0)
|
||||
policy_module(corecommands,1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1019,6 +1019,59 @@ interface(`domain_exec_all_entry_files',`
|
||||
can_exec($1,entry_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete all
|
||||
## entrypoint files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`domain_manage_all_entry_files',`
|
||||
gen_require(`
|
||||
attribute entry_type;
|
||||
')
|
||||
|
||||
allow $1 entry_type:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from all entry point
|
||||
## file types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`domain_relabel_all_entry_files',`
|
||||
gen_require(`
|
||||
attribute entry_type;
|
||||
')
|
||||
|
||||
allow $1 entry_type:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap all entry point files as executable.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`domain_mmap_all_entry_files',`
|
||||
gen_require(`
|
||||
attribute entry_type;
|
||||
')
|
||||
|
||||
allow $1 entry_type:file { getattr read execute };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to domains.
|
||||
|
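Review bot: `domain_relabel_all_entry_files` grants `allow $1 entry_type:file { relabelfrom relabelto };`, so the caller can label any file as the entrypoint of any domain and thereby gain a transition into it; the summary "Relabel to and from all entry point file types." does not say this. Suggest adding to the summary `## relabelto on entry_type allows the caller to create entrypoints for any domain; grant only to fully trusted domains.` Unlike corecmd_manage_bin_files in this commit, none of the three interfaces grants directory permissions, so callers presumably need add_name/remove_name on the directories holding entrypoint files from elsewhere — worth one sentence in the domain_manage_all_entry_files summary.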
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(domain,1.0.0)
|
||||
policy_module(domain,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.1.1)
|
||||
policy_module(apache,1.1.2)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -122,6 +122,10 @@ ifdef(`targeted_policy',`
|
||||
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
|
||||
')
|
||||
|
||||
optional_policy(`prelink',`
|
||||
prelink_object_file(httpd_modules_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Apache server local policy
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.1.3)
|
||||
policy_module(cron,1.1.4)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -397,6 +397,12 @@ ifdef(`targeted_policy',`
|
||||
nscd_use_socket(system_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`prelink',`
|
||||
prelink_read_cache(system_crond_t)
|
||||
prelink_manage_log(system_crond_t)
|
||||
prelink_delete_cache(system_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba',`
|
||||
samba_read_config(system_crond_t)
|
||||
samba_read_log(system_crond_t)
|
||||
|
@ -319,6 +319,10 @@ allow xdm_xserver_t var_lib_t:dir search;
|
||||
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
|
||||
can_exec(xdm_xserver_t, xkb_var_lib_t)
|
||||
|
||||
optional_policy(`prelink',`
|
||||
prelink_object_file(xkb_var_lib_t)
|
||||
')
|
||||
|
||||
# Insert video drivers.
|
||||
allow xdm_xserver_t self:capability mknod;
|
||||
allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
|
||||
|
@ -113,6 +113,44 @@ interface(`libs_exec_ld_so',`
|
||||
can_exec($1,ld_so_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete the
|
||||
## dynamic link/loader.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_manage_ld_so',`
|
||||
gen_require(`
|
||||
type lib_t, ld_so_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir rw_dir_perms;
|
||||
allow $1 ld_so_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the type used for
|
||||
## the dynamic link/loader.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_relabel_ld_so',`
|
||||
gen_require(`
|
||||
type lib_t, ld_so_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir search_dir_perms;
|
||||
allow $1 ld_so_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Modify the dynamic link/loader's cached listing
|
||||
@ -212,6 +250,25 @@ interface(`libs_use_lib',`
|
||||
allow $1 lib_t:file rx_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete generic
|
||||
## files in library directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_manage_lib_files',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir search_dir_perms;
|
||||
allow $1 lib_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel files to the type used in library directories.
|
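Review bot: `libs_manage_lib_files` grants `allow $1 lib_t:dir search_dir_perms;` next to `manage_file_perms` on lib_t files, but creating or unlinking a file in a lib_t directory requires add_name and remove_name, which search_dir_perms does not include. The sibling interfaces in this commit, libs_manage_ld_so (`allow $1 lib_t:dir rw_dir_perms;`) and libs_manage_shared_libs, grant rw_dir_perms, so this one should read `allow $1 lib_t:dir rw_dir_perms;` for the interface to do what its summary promises.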
||||
@ -226,9 +283,47 @@ interface(`libs_relabelto_lib_files',`
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir search_dir_perms;
|
||||
allow $1 lib_t:file relabelto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the type used
|
||||
## for generic lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_relabel_lib_files',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir search_dir_perms;
|
||||
allow $1 lib_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete shared libraries.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_manage_shared_libs',`
|
||||
gen_require(`
|
||||
type lib_t, shlib_t, textrel_shlib_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir rw_dir_perms;
|
||||
allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Load and execute functions from shared libraries.
|
||||
@ -269,3 +364,21 @@ interface(`libs_legacy_use_shared_libs',`
|
||||
allow $1 { shlib_t textrel_shlib_t }:file execmod;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to and from the type used for
|
||||
## shared libraries.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# cjp: added for prelink
|
||||
interface(`libs_relabel_shared_libs',`
|
||||
gen_require(`
|
||||
type lib_t, shlib_t, textrel_shlib_t;
|
||||
')
|
||||
|
||||
allow $1 lib_t:dir search_dir_perms;
|
||||
allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
|
||||
')
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,1.1.3)
|
||||
policy_module(libraries,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined,1.1.4)
|
||||
policy_module(unconfined,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -129,10 +129,6 @@ ifdef(`targeted_policy',`
|
||||
sendmail_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`su',`
|
||||
su_per_userdomain_template(sysadm,unconfined_t,system_r)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork',`
|
||||
sysnet_domtrans_dhcpc(unconfined_t)
|
||||
')
|
||||
|