more cleanup
This commit is contained in:
parent
8b0bbdda34
commit
2ec4c9d38f
@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',`
|
||||
allow $1 noxattrfs:filesystem associate;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute files on a filesystem that does
|
||||
## not support extended attributes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_exec_noxattr',`
|
||||
gen_require(`
|
||||
attribute noxattrfs;
|
||||
')
|
||||
|
||||
can_exec($1,noxattrfs)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a persistent filesystem which
|
||||
|
@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',`
|
||||
dontaudit $1 domain:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read the process
|
||||
## state (/proc/pid) of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_read_all_domains_state',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file r_file_perms;
|
||||
class process { getattr ptrace };
|
||||
')
|
||||
|
||||
dontaudit $1 domain:dir r_dir_perms;
|
||||
dontaudit $1 domain:lnk_file r_file_perms;
|
||||
dontaudit $1 domain:file r_file_perms;
|
||||
dontaudit $1 domain:process getattr;
|
||||
|
||||
# We need to suppress this denial because procps tries to access
|
||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||
# running in a privileged domain.
|
||||
dontaudit $1 domain:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Do not audit attempts to read the process state
|
||||
@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## <summary>
|
||||
## Get the session ID of all domains.
|
||||
## </desc>
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',`
|
||||
allow $1 domain:process getsession;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## session ID of all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_getsession_all_domains',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
class process getsession;
|
||||
')
|
||||
|
||||
allow $1 domain:process getsession;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all domains
|
||||
## sockets, for all socket types.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Get the attributes of all domains
|
||||
## sockets, for all socket types.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is commonly used for domains
|
||||
## that can use lsof on all domains.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_getattr_all_sockets',`
|
||||
gen_require(`
|
||||
gen_require_set(getattr,socket_class_set)
|
||||
')
|
||||
|
||||
allow $1 domain:socket_class_set getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
|
@ -1,13 +1,13 @@
|
||||
## <summary>Miscelaneous files.</summary>
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to create files and dirs in /var/cache/man
|
||||
## and /var/catman/
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Allow process to create files and dirs in /var/cache/man
|
||||
## and /var/catman/
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_rw_man_cache',`
|
||||
gen_require(`
|
||||
@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to read fonts files
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Read fonts
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_fonts',`
|
||||
gen_require(`
|
||||
@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to read localization info
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Allow process to read localization info
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_localization',`
|
||||
gen_require(`
|
||||
@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to read legacy time localization info
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Allow process to read legacy time localization info
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_legacy_read_localization',`
|
||||
gen_require(`
|
||||
@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <desc>
|
||||
## Allow process to read manpages
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## <summary>
|
||||
## Allow process to read man pages
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_man_pages',`
|
||||
gen_require(`
|
||||
@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
|
||||
allow $1 man_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read TeX data
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_read_tetex_data',`
|
||||
gen_require(`
|
||||
type tetex_data_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
class lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
|
||||
# cjp: TeX data can be in either of the above dirs
|
||||
allow $1 tetex_data_t:dir r_dir_perms;
|
||||
allow $1 tetex_data_t:file r_file_perms;
|
||||
allow $1 tetex_data_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute TeX data programs in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`miscfiles_exec_tetex_data',`
|
||||
gen_require(`
|
||||
type fonts_t;
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
files_search_var_lib($1)
|
||||
|
||||
# cjp: TeX data can be in either of the above dirs
|
||||
allow $1 tetex_data_t:dir r_dir_perms;
|
||||
can_exec($1,tetex_data_t)
|
||||
')
|
||||
|
@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',`
|
||||
allow cardmgr_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cardmgr pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`pcmcia_read_pid',`
|
||||
gen_require(`
|
||||
type cardmgr_var_run_t;
|
||||
class dir r_dir_perms;
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 cardmgr_var_run_t:dir r_dir_perms;
|
||||
allow $1 cardmgr_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
|
@ -156,6 +156,7 @@ template(`base_user_template',`
|
||||
fs_get_all_fs_quotas($1_t)
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
# for eject
|
||||
storage_getattr_fixed_disk($1_t)
|
||||
@ -171,6 +172,10 @@ template(`base_user_template',`
|
||||
|
||||
domain_exec_all_entry_files($1_t)
|
||||
domain_use_wide_inherit_fd($1_t)
|
||||
# When the user domain runs ps, there will be a number of access
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
domain_dontaudit_read_all_domains_state($1_t)
|
||||
domain_dontaudit_getsession_all_domains($1_t)
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_read_usr_src_files($1_t)
|
||||
@ -188,6 +193,9 @@ template(`base_user_template',`
|
||||
|
||||
miscfiles_read_localization($1_t)
|
||||
miscfiles_rw_man_cache($1_t)
|
||||
# for running TeX programs
|
||||
miscfiles_read_tetex_data($1_t)
|
||||
miscfiles_exec_tetex_data($1_t)
|
||||
|
||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
|
||||
@ -198,6 +206,14 @@ template(`base_user_template',`
|
||||
allow $1_t self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_t)
|
||||
files_read_default_files($1_t)
|
||||
files_read_default_symlinks($1_t)
|
||||
files_read_default_sockets($1_t)
|
||||
files_read_default_pipes($1_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs($1_t)
|
||||
fs_manage_nfs_files($1_t)
|
||||
@ -236,6 +252,11 @@ template(`base_user_template',`
|
||||
nscd_use_socket($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`pcmcia.te',`
|
||||
# to allow monitoring of pcmcia status
|
||||
pcmcia_read_pid($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`rpm.te',`
|
||||
files_getattr_var_lib_dir($1_t)
|
||||
files_search_var_lib($1_t)
|
||||
@ -248,11 +269,6 @@ template(`base_user_template',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# When the user domain runs ps, there will be a number of access
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
dontaudit $1_t domain:dir r_dir_perms;
|
||||
dontaudit $1_t domain:notdevfile_class_set r_file_perms;
|
||||
dontaudit $1_t domain:process { getattr getsession };
|
||||
#
|
||||
# Cups daemon running as user tries to write /etc/printcap
|
||||
#
|
||||
@ -271,11 +287,6 @@ template(`base_user_template',`
|
||||
# /initrd is left mounted, various programs try to look at it
|
||||
dontaudit $1_t ramfs_t:dir getattr;
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
allow $1_t default_t:dir r_dir_perms;
|
||||
allow $1_t default_t:notdevfile_class_set r_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
# Running ifconfig as a user generates the following
|
||||
#
|
||||
@ -303,11 +314,8 @@ template(`base_user_template',`
|
||||
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
|
||||
dontaudit $1_t proc_fs:dir { read search };
|
||||
|
||||
can_exec($1_t, { removable_t noexattrfile } )
|
||||
|
||||
tunable_policy(`user_rw_noexattrfile',`
|
||||
create_dir_file($1_t, noexattrfile)
|
||||
create_dir_file($1_t, removable_t)
|
||||
# Write floppies
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
@ -321,12 +329,6 @@ template(`base_user_template',`
|
||||
|
||||
allow $1_t usbtty_device_t:chr_file read;
|
||||
|
||||
can_exec($1_t, noexattrfile)
|
||||
|
||||
# for running TeX programs
|
||||
r_dir_file($1_t, tetex_data_t)
|
||||
can_exec($1_t, tetex_data_t)
|
||||
|
||||
can_resmgrd_connect($1_t)
|
||||
|
||||
# Grant permissions to access the system DBus
|
||||
@ -350,22 +352,19 @@ template(`base_user_template',`
|
||||
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
|
||||
')
|
||||
|
||||
# Connect to inetd.
|
||||
ifdef(`inetd.te', `
|
||||
# Connect to inetd.
|
||||
can_tcp_connect($1_t, inetd_t)
|
||||
can_udp_send($1_t, inetd_t)
|
||||
can_udp_send(inetd_t, $1_t)
|
||||
# Inherit and use sockets from inetd
|
||||
allow $1_t inetd_t:fd use;
|
||||
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
# Connect to portmap.
|
||||
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
|
||||
|
||||
# Inherit and use sockets from inetd
|
||||
ifdef(`inetd.te', `
|
||||
allow $1_t inetd_t:fd use;
|
||||
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
||||
')
|
||||
|
||||
ifdef(`xserver.te', `
|
||||
# for /tmp/.ICE-unix
|
||||
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
||||
@ -398,11 +397,6 @@ template(`base_user_template',`
|
||||
create_dir_file($1_t, nfsd_rw_t)
|
||||
')
|
||||
|
||||
ifdef(`cardmgr.te', `
|
||||
# to allow monitoring of pcmcia status
|
||||
allow $1_t cardmgr_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
#
|
||||
# Allow graphical boot to check battery lifespan
|
||||
#
|
||||
@ -417,7 +411,7 @@ template(`base_user_template',`
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
')dnl end base_user_domain macro
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -496,6 +490,14 @@ template(`unpriv_user_template', `
|
||||
files_read_etc_files($1_t)
|
||||
files_list_home($1_t)
|
||||
files_read_usr_files($1_t)
|
||||
files_exec_usr_files($1_t)
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
files_list_world_readable($1_t)
|
||||
files_read_world_readable_files($1_t)
|
||||
files_read_world_readable_symlinks($1_t)
|
||||
files_read_world_readable_pipes($1_t)
|
||||
files_read_world_readable_sockets($1_t)
|
||||
|
||||
init_read_script_pid($1_t)
|
||||
# The library functions always try to open read-write first,
|
||||
@ -567,18 +569,6 @@ template(`unpriv_user_template', `
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
allow $1 default_t:dir r_dir_perms;
|
||||
allow $1 default_t:notdevfile_class_set r_file_perms;
|
||||
')
|
||||
|
||||
can_exec($1_t, usr_t)
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
allow $1_t readable_t:dir r_dir_perms;
|
||||
allow $1_t readable_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Stat lost+found.
|
||||
allow $1_t lost_found_t:dir getattr;
|
||||
|
||||
@ -644,8 +634,7 @@ template(`unpriv_user_template', `
|
||||
## rules for the user's tty, pty, home directories,
|
||||
## tmp, and tmpfs files.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <secdesc>
|
||||
## <p>
|
||||
## The privileges given to administrative users are:
|
||||
## <ul>
|
||||
## <li>Raw disk access</li>
|
||||
@ -658,7 +647,8 @@ template(`unpriv_user_template', `
|
||||
## <li>Manage source and binary format SELinux policy</li>
|
||||
## <li>Run insmod</li>
|
||||
## </ul>
|
||||
## </secdesc>
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., sysadm
|
||||
## is the prefix for sysadm_t).
|
||||
@ -724,13 +714,26 @@ template(`admin_user_template',`
|
||||
kernel_read_ring_buffer($1_t)
|
||||
kernel_get_sysvipc_info($1_t)
|
||||
kernel_rw_all_sysctl($1_t)
|
||||
|
||||
# signal unlabeled processes:
|
||||
kernel_kill_unlabeled($1_t)
|
||||
kernel_signal_unlabeled($1_t)
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
# for the administrator to run TCP servers directly
|
||||
kernel_tcp_recvfrom($1_t)
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
corenet_use_tun_tap_device($1_t)
|
||||
|
||||
dev_getattr_generic_blk_file($1_t)
|
||||
dev_getattr_generic_chr_file($1_t)
|
||||
dev_getattr_all_blk_files($1_t)
|
||||
dev_getattr_all_chr_files($1_t)
|
||||
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_set_all_quotas($1_t)
|
||||
|
||||
selinux_set_enforce_mode($1_t)
|
||||
selinux_set_boolean($1_t)
|
||||
@ -743,16 +746,6 @@ template(`admin_user_template',`
|
||||
selinux_compute_relabel_context($1_t)
|
||||
selinux_compute_user_contexts($1_t)
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
|
||||
dev_getattr_generic_blk_file($1_t)
|
||||
dev_getattr_generic_chr_file($1_t)
|
||||
dev_getattr_all_blk_files($1_t)
|
||||
dev_getattr_all_chr_files($1_t)
|
||||
|
||||
fs_getattr_all_fs($1_t)
|
||||
fs_set_all_quotas($1_t)
|
||||
|
||||
storage_raw_read_removable_device($1_t)
|
||||
storage_raw_write_removable_device($1_t)
|
||||
|
||||
@ -761,6 +754,7 @@ template(`admin_user_template',`
|
||||
term_use_all_user_ptys($1_t)
|
||||
term_use_all_user_ttys($1_t)
|
||||
|
||||
auth_getattr_shadow($1_t)
|
||||
# Manage almost all files
|
||||
auth_manage_all_files_except_shadow($1_t)
|
||||
# Relabel almost all files
|
||||
@ -775,6 +769,8 @@ template(`admin_user_template',`
|
||||
domain_sigstop_all_domains($1_t)
|
||||
domain_sigstop_all_domains($1_t)
|
||||
domain_sigchld_all_domains($1_t)
|
||||
# for lsof
|
||||
domain_getattr_all_sockets($1_t)
|
||||
|
||||
files_exec_usr_files($1_t)
|
||||
|
||||
@ -799,44 +795,45 @@ template(`admin_user_template',`
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Let admin stat the shadow file.
|
||||
allow $1_t shadow_t:file getattr;
|
||||
|
||||
# for lsof
|
||||
allow $1_t mtrr_device_t:file getattr;
|
||||
|
||||
# for lsof
|
||||
allow $1_t eventpollfs_t:file getattr;
|
||||
|
||||
allow $1_t serial_device:chr_file setattr;
|
||||
|
||||
# allow setting up tunnels
|
||||
allow $1_t tun_tap_device_t:chr_file rw_file_perms;
|
||||
|
||||
allow $1_t ptyfile:chr_file getattr;
|
||||
|
||||
# Run programs from staff home directories.
|
||||
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
|
||||
can_exec($1_t, staff_home_t)
|
||||
|
||||
# Run admin programs that require different permissions in their own domain.
|
||||
# These rules were moved into the appropriate program domain file.
|
||||
|
||||
ifdef(`startx.te', `
|
||||
ifdef(`xserver.te', `
|
||||
# Create files in /tmp/.X11-unix with our X servers derived
|
||||
# tmp type rather than user_xserver_tmp_t.
|
||||
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
|
||||
')
|
||||
ifdef(`xserver.te', `
|
||||
# Create files in /tmp/.X11-unix with our X servers derived
|
||||
# tmp type rather than user_xserver_tmp_t.
|
||||
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
|
||||
')
|
||||
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
ifdef(`xauth.te', `
|
||||
tunable_policy(`xdm_sysadm_login',`
|
||||
allow xdm_t $1_home_t:lnk_file read;
|
||||
allow xdm_t $1_home_t:dir search;
|
||||
')
|
||||
allow $1_t xdm_t:fifo_file rw_file_perms;
|
||||
tunable_policy(`xdm_sysadm_login',`
|
||||
allow xdm_t $1_home_t:lnk_file read;
|
||||
allow xdm_t $1_home_t:dir search;
|
||||
')
|
||||
allow $1_t xdm_t:fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
# Connect data port to ftpd.
|
||||
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
|
||||
|
||||
# Connect second port to rshd.
|
||||
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
|
||||
|
||||
# Allow MAKEDEV to work
|
||||
allow $1_t device_t:dir rw_dir_perms;
|
||||
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
|
||||
allow $1_t device_t:lnk_file { create read };
|
||||
|
||||
#
|
||||
# A user who is authorized for sysadm_t may nonetheless have
|
||||
# a home directory labeled with user_home_t if the user is expected
|
||||
@ -850,23 +847,9 @@ template(`admin_user_template',`
|
||||
allow $1_gph_t user_home_type:file create_file_perms;
|
||||
')
|
||||
|
||||
# for the administrator to run TCP servers directly
|
||||
allow $1_t kernel_t:tcp_socket recvfrom;
|
||||
|
||||
# Connect data port to ftpd.
|
||||
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
|
||||
|
||||
# Connect second port to rshd.
|
||||
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
|
||||
|
||||
# Allow MAKEDEV to work
|
||||
allow $1_t device_t:dir rw_dir_perms;
|
||||
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
|
||||
allow $1_t device_t:lnk_file { create read };
|
||||
|
||||
# for lsof
|
||||
allow $1_t domain:socket_class_set getattr;
|
||||
allow $1_t eventpollfs_t:file getattr;
|
||||
# Run programs from staff home directories.
|
||||
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
|
||||
can_exec($1_t, staff_home_t)
|
||||
') dnl endif TODO
|
||||
')
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user