patch from dan Mon, 12 Jun 2006 15:32:00 -0400
This commit is contained in:
Chris PeBenito
parent
c546864b81
commit
2dbd382425
@ -2,3 +2,4 @@ sysadm_r:sysadm_t
|
||||
secadm_r:secadm_t
|
||||
staff_r:staff_t
|
||||
user_r:user_t
|
||||
auditadm_r:auditadm_t
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
|
||||
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
|
||||
|
||||
/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
||||
/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
||||
|
||||
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(prelink,1.1.2)
|
||||
policy_module(prelink,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(rpm,1.3.7)
|
||||
policy_module(rpm,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -341,9 +341,9 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`
|
||||
mono_domtrans(rpm_script_t)
|
||||
')
|
||||
',`
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
unconfined_domtrans(rpm_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -357,6 +357,10 @@ tunable_policy(`allow_execmem',`
|
||||
allow rpm_script_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(rpm_script_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(webalizer,1.2.1)
|
||||
policy_module(webalizer,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,6 +44,7 @@ allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow webalizer_t self:unix_dgram_socket sendto;
|
||||
allow webalizer_t self:unix_stream_socket connectto;
|
||||
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow webalizer_t self:udp_socket { connect connected_socket_perms };
|
||||
allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow webalizer_t webalizer_etc_t:file { getattr read };
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.3.8)
|
||||
policy_module(filesystem,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -23,7 +23,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
|
||||
# Requires that a security xattr handler exist for the filesystem.
|
||||
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
|
||||
@ -174,6 +174,7 @@ genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.10)
|
||||
policy_module(kernel,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,6 +28,7 @@ role user_r;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
role secadm_r;
|
||||
role auditadm_r;
|
||||
')
|
||||
|
||||
#
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(automount,1.2.5)
|
||||
policy_module(automount,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -30,7 +30,7 @@ files_mountpoint(automount_tmp_t)
|
||||
|
||||
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override };
|
||||
dontaudit automount_t self:capability sys_tty_config;
|
||||
allow automount_t self:process { signal_perms getpgid setpgid setsched };
|
||||
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
|
||||
allow automount_t self:fifo_file rw_file_perms;
|
||||
allow automount_t self:unix_stream_socket create_socket_perms;
|
||||
allow automount_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -58,9 +58,11 @@ allow automount_t automount_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(automount_t,automount_var_run_t,file)
|
||||
|
||||
kernel_read_kernel_sysctls(automount_t)
|
||||
kernel_read_irq_sysctls(automount_t)
|
||||
kernel_read_fs_sysctls(automount_t)
|
||||
kernel_read_proc_symlinks(automount_t)
|
||||
kernel_read_system_state(automount_t)
|
||||
kernel_read_network_state(automount_t)
|
||||
kernel_list_proc(automount_t)
|
||||
|
||||
files_search_boot(automount_t)
|
||||
@ -92,6 +94,7 @@ dev_read_sysfs(automount_t)
|
||||
dev_read_urand(automount_t)
|
||||
|
||||
domain_use_interactive_fds(automount_t)
|
||||
domain_dontaudit_read_all_domains_state(automount_t)
|
||||
|
||||
files_dontaudit_write_var_dirs(automount_t)
|
||||
files_getattr_all_dirs(automount_t)
|
||||
@ -104,11 +107,14 @@ files_getattr_isid_type_dirs(automount_t)
|
||||
files_getattr_default_dirs(automount_t)
|
||||
# because config files can be shell scripts
|
||||
files_exec_etc_files(automount_t)
|
||||
files_mounton_mnt(automount_t)
|
||||
|
||||
fs_getattr_all_fs(automount_t)
|
||||
fs_getattr_all_dirs(automount_t)
|
||||
fs_search_auto_mountpoints(automount_t)
|
||||
fs_manage_auto_mountpoints(automount_t)
|
||||
fs_unmount_autofs(automount_t)
|
||||
fs_mount_autofs(automount_t)
|
||||
|
||||
term_dontaudit_use_console(automount_t)
|
||||
term_dontaudit_getattr_pty_dirs(automount_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cron,1.3.8)
|
||||
policy_module(cron,1.3.9)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -353,6 +353,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
tunable_policy(`cron_can_relabel',`
|
||||
seutil_domtrans_setfiles(system_crond_t)
|
||||
seutil_domtrans_restorecon(system_crond_t)
|
||||
',`
|
||||
selinux_get_fs_mount(system_crond_t)
|
||||
selinux_validate_context(system_crond_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.3.7)
|
||||
policy_module(cups,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -629,6 +629,10 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_files(hplip_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_send_nfs_client_request(hplip_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(hplip_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ftp,1.2.5)
|
||||
policy_module(ftp,1.2.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -57,8 +57,9 @@ allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
|
||||
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
|
||||
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow ftpd_t ftpd_var_run_t:file create_file_perms;
|
||||
allow ftpd_t ftpd_var_run_t:file manage_file_perms;
|
||||
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
|
||||
allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
|
||||
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.3.8)
|
||||
policy_module(hal,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -114,6 +114,8 @@ term_dontaudit_use_console(hald_t)
|
||||
term_dontaudit_use_generic_ptys(hald_t)
|
||||
term_use_unallocated_ttys(hald_t)
|
||||
|
||||
auth_use_nsswitch(hald_t)
|
||||
|
||||
init_use_fds(hald_t)
|
||||
init_use_script_ptys(hald_t)
|
||||
init_domtrans_script(hald_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kerberos,1.1.2)
|
||||
policy_module(kerberos,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -188,6 +188,7 @@ kernel_read_system_state(krb5kdc_t)
|
||||
kernel_read_kernel_sysctls(krb5kdc_t)
|
||||
kernel_list_proc(krb5kdc_t)
|
||||
kernel_read_proc_symlinks(krb5kdc_t)
|
||||
kernel_read_network_state(krb5kdc_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(krb5kdc_t)
|
||||
corenet_tcp_sendrecv_all_if(krb5kdc_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mysql,1.2.3)
|
||||
policy_module(mysql,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -34,7 +34,6 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bin
|
||||
dontaudit mysqld_t self:capability sys_tty_config;
|
||||
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
|
||||
allow mysqld_t self:fifo_file { read write };
|
||||
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
||||
allow mysqld_t self:udp_socket create_socket_perms;
|
||||
@ -91,6 +90,8 @@ files_read_etc_files(mysqld_t)
|
||||
files_read_usr_files(mysqld_t)
|
||||
files_search_var_lib(mysqld_t)
|
||||
|
||||
auth_use_nsswitch(mysqld_t)
|
||||
|
||||
init_use_fds(mysqld_t)
|
||||
init_use_script_ptys(mysqld_t)
|
||||
|
||||
@ -101,7 +102,6 @@ logging_send_syslog_msg(mysqld_t)
|
||||
|
||||
miscfiles_read_localization(mysqld_t)
|
||||
|
||||
sysnet_use_ldap(mysqld_t)
|
||||
sysnet_read_config(mysqld_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(networkmanager,1.3.3)
|
||||
policy_module(networkmanager,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -160,6 +160,10 @@ optional_policy(`
|
||||
nscd_signal(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(NetworkManager_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ntp,1.1.1)
|
||||
policy_module(ntp,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -86,6 +86,8 @@ fs_search_auto_mountpoints(ntpd_t)
|
||||
|
||||
term_dontaudit_use_console(ntpd_t)
|
||||
|
||||
auth_use_nsswitch(ntpd_t)
|
||||
|
||||
corecmd_exec_bin(ntpd_t)
|
||||
corecmd_exec_sbin(ntpd_t)
|
||||
corecmd_exec_ls(ntpd_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(procmail,1.2.2)
|
||||
policy_module(procmail,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -76,6 +76,10 @@ ifdef(`targeted_policy', `
|
||||
files_getattr_tmp_dirs(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(procmail_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pyzor,1.0.3)
|
||||
policy_module(pyzor,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119,6 +119,10 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
|
||||
|
||||
mta_manage_spool(pyzord_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
userdom_read_generic_user_home_content_files(pyzord_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(pyzord_t)
|
||||
')
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xfs,1.0.2)
|
||||
policy_module(xfs,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -58,6 +58,8 @@ files_read_usr_files(xfs_t)
|
||||
|
||||
term_dontaudit_use_console(xfs_t)
|
||||
|
||||
auth_use_nsswitch(xfs_t)
|
||||
|
||||
init_use_fds(xfs_t)
|
||||
init_use_script_ptys(xfs_t)
|
||||
|
||||
|
||||
@ -1284,6 +1284,8 @@ interface(`auth_use_nsswitch',`
|
||||
type var_auth_t;
|
||||
')
|
||||
|
||||
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow $1 var_auth_t:dir r_dir_perms;
|
||||
allow $1 var_auth_t:file create_file_perms;
|
||||
files_list_var_lib($1)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.3.4)
|
||||
policy_module(authlogin,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -1,8 +1,7 @@
|
||||
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0)
|
||||
/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
|
||||
|
||||
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
@ -25,7 +24,7 @@ ifdef(`distro_suse', `
|
||||
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
|
||||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.3.6)
|
||||
policy_module(logging,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -70,6 +70,7 @@ libs_use_shared_libs(auditctl_t)
|
||||
|
||||
allow auditctl_t etc_t:file { getattr read };
|
||||
|
||||
allow auditctl_t auditd_etc_t:dir r_dir_perms;
|
||||
allow auditctl_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
# Needed for adding watches
|
||||
@ -111,6 +112,7 @@ allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow auditd_t auditd_etc_t:dir r_dir_perms;
|
||||
allow auditd_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
allow auditd_t auditd_log_t:dir rw_dir_perms;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(selinuxutil,1.2.7)
|
||||
policy_module(selinuxutil,1.2.8)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
@ -115,6 +115,9 @@ files_type(semanage_store_t)
|
||||
type semanage_read_lock_t;
|
||||
files_type(semanage_read_lock_t)
|
||||
|
||||
type semanage_tmp_t;
|
||||
files_tmp_file(semanage_tmp_t)
|
||||
|
||||
type semanage_trans_lock_t;
|
||||
files_type(semanage_trans_lock_t)
|
||||
|
||||
@ -531,12 +534,17 @@ ifdef(`targeted_policy',`',`
|
||||
# semodule local policy
|
||||
#
|
||||
|
||||
allow semanage_t self:capability dac_override;
|
||||
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
|
||||
|
||||
allow semanage_t semanage_tmp_t:dir create_dir_perms;
|
||||
allow semanage_t semanage_tmp_t:file create_file_perms;
|
||||
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(semanage_t)
|
||||
kernel_read_kernel_sysctls(semanage_t)
|
||||
|
||||
|
||||
@ -473,35 +473,6 @@ template(`base_user_template',`
|
||||
# gnome-session creates socket under /tmp/.ICE-unix/
|
||||
xserver_create_xdm_tmp_sockets($1_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
#
|
||||
# Cups daemon running as user tries to write /etc/printcap
|
||||
#
|
||||
dontaudit $1_t usr_t:file setattr;
|
||||
|
||||
# /initrd is left mounted, various programs try to look at it
|
||||
dontaudit $1_t ramfs_t:dir getattr;
|
||||
|
||||
#
|
||||
# Running ifconfig as a user generates the following
|
||||
#
|
||||
dontaudit $1_t sysctl_net_t:dir search;
|
||||
|
||||
r_dir_file($1_t, usercanread)
|
||||
|
||||
# old browser_domain():
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
|
||||
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
|
||||
|
||||
allow $1_t usbtty_device_t:chr_file read;
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow $1_t xdm_var_lib_t:file r_file_perms;
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
||||
@ -1,11 +1,12 @@
|
||||
|
||||
policy_module(userdomain,1.3.27)
|
||||
policy_module(userdomain,1.3.28)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
role secadm_r;
|
||||
role auditadm_r;
|
||||
')
|
||||
')
|
||||
|
||||
@ -67,6 +68,7 @@ ifdef(`targeted_policy',`
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
unconfined_alias_domain(secadm_t)
|
||||
unconfined_alias_domain(auditadm_t)
|
||||
unconfined_alias_domain(sysadm_t)
|
||||
|
||||
# User home directory type.
|
||||
@ -82,6 +84,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
# compatibility for switching from strict
|
||||
# dominance { role secadm_r { role system_r; }}
|
||||
# dominance { role auditadm_r { role system_r; }}
|
||||
# dominance { role sysadm_r { role system_r; }}
|
||||
# dominance { role user_r { role system_r; }}
|
||||
# dominance { role staff_r { role system_r; }}
|
||||
@ -105,8 +108,10 @@ ifdef(`targeted_policy',`
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
allow secadm_r system_r;
|
||||
allow auditadm_r system_r;
|
||||
allow secadm_r user_r;
|
||||
allow staff_r secadm_r;
|
||||
allow staff_r auditadm_r;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -126,9 +131,19 @@ ifdef(`targeted_policy',`
|
||||
role_change(staff, sysadm)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
admin_user_template(secadm)
|
||||
unpriv_user_template(secadm)
|
||||
unpriv_user_template(auditadm)
|
||||
|
||||
role_change(staff,auditadm)
|
||||
role_change(staff,secadm)
|
||||
|
||||
role_change(sysadm,secadm)
|
||||
role_change(sysadm,auditadm)
|
||||
|
||||
role_change(auditadm,secadm)
|
||||
role_change(auditadm,sysadm)
|
||||
|
||||
role_change(secadm,auditadm)
|
||||
role_change(secadm,sysadm)
|
||||
')
|
||||
|
||||
@ -172,19 +187,33 @@ ifdef(`targeted_policy',`
|
||||
')
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||
domain_kill_all_domains(auditadm_t)
|
||||
seutil_read_bin_policy(auditadm_t)
|
||||
corecmd_exec_shell(auditadm_t)
|
||||
logging_read_generic_logs(auditadm_t)
|
||||
logging_manage_audit_log(auditadm_t)
|
||||
logging_manage_audit_config(auditadm_t)
|
||||
logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
|
||||
logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
|
||||
|
||||
allow secadm_t self:capability dac_override;
|
||||
corecmd_exec_shell(secadm_t)
|
||||
domain_obj_id_change_exemption(secadm_t)
|
||||
mls_process_read_up(secadm_t)
|
||||
mls_file_read_up(secadm_t)
|
||||
mls_file_write_down(secadm_t)
|
||||
mls_file_upgrade(secadm_t)
|
||||
mls_file_downgrade(secadm_t)
|
||||
auth_relabel_all_files_except_shadow(secadm_t)
|
||||
auth_relabel_shadow(secadm_t)
|
||||
init_exec(secadm_t)
|
||||
logging_read_audit_log(secadm_t)
|
||||
logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
|
||||
logging_read_generic_logs(secadm_t)
|
||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||
files_relabel_all_files(secadm_t)
|
||||
auth_relabel_shadow(secadm_t)
|
||||
', `
|
||||
logging_read_audit_log(sysadm_t)
|
||||
logging_manage_audit_log(sysadm_t)
|
||||
logging_manage_audit_config(sysadm_t)
|
||||
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
@ -252,6 +281,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
consoletype_exec(secadm_t)
|
||||
consoletype_exec(auditadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
@ -270,6 +300,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
dmesg_exec(secadm_t)
|
||||
dmesg_exec(auditadm_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -15,5 +15,6 @@ ifdef(`strict_policy',`
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
secadm_r secadm secadm_t
|
||||
auditadm_r auditadm auditadm_t
|
||||
')
|
||||
')
|
||||
|
||||
@ -29,7 +29,7 @@ ifdef(`targeted_policy',`
|
||||
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
')
|
||||
|
||||
@ -44,8 +44,8 @@ ifdef(`targeted_policy',`
|
||||
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
')
|
||||
')
|
||||
|
||||
Loading…
Reference in New Issue
Block a user