more cleanup
This commit is contained in:
parent
8b0bbdda34
commit
2ec4c9d38f
@ -80,6 +80,23 @@ interface(`fs_associate_noxattr',`
|
|||||||
allow $1 noxattrfs:filesystem associate;
|
allow $1 noxattrfs:filesystem associate;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute files on a filesystem that does
|
||||||
|
## not support extended attributes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_exec_noxattr',`
|
||||||
|
gen_require(`
|
||||||
|
attribute noxattrfs;
|
||||||
|
')
|
||||||
|
|
||||||
|
can_exec($1,noxattrfs)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a persistent filesystem which
|
## Mount a persistent filesystem which
|
||||||
|
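Review bot: `fs_exec_noxattr` (L60-L83) grants execute on every filesystem carrying the `noxattrfs` attribute, and because such filesystems cannot store per-file labels there is no way to narrow which binaries on them the caller may run; the `<summary>` at L32-L36 should state that consequence so callers do not treat it like an ordinary per-type exec interface. Suggested `<desc>` text: `## Filesystems without extended attributes carry no per-file labels, so this permits executing any file present on them; callers should consider gating this on a tunable.` Unlike the other interfaces added in this commit (e.g. L212-L228), the `gen_require` here declares only the attribute and no classes; if `can_exec` does not itself require the `file` permissions it emits, a `class file` require line is missing — I cannot tell from this hunk.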
@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Read the process state (/proc/pid) of all domains.
|
## Read the process state (/proc/pid) of all domains.
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
@ -331,6 +331,36 @@ interface(`domain_read_all_domains_state',`
|
|||||||
dontaudit $1 domain:process ptrace;
|
dontaudit $1 domain:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read the process
|
||||||
|
## state (/proc/pid) of all domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_dontaudit_read_all_domains_state',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
class process { getattr ptrace };
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 domain:dir r_dir_perms;
|
||||||
|
dontaudit $1 domain:lnk_file r_file_perms;
|
||||||
|
dontaudit $1 domain:file r_file_perms;
|
||||||
|
dontaudit $1 domain:process getattr;
|
||||||
|
|
||||||
|
# We need to suppress this denial because procps tries to access
|
||||||
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
||||||
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
||||||
|
# running in a privileged domain.
|
||||||
|
dontaudit $1 domain:process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <desc>
|
||||||
## Do not audit attempts to read the process state
|
## Do not audit attempts to read the process state
|
||||||
@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Get the session ID of all domains.
|
## Get the session ID of all domains.
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
@ -366,6 +396,51 @@ interface(`domain_getsession_all_domains',`
|
|||||||
allow $1 domain:process getsession;
|
allow $1 domain:process getsession;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to get the
|
||||||
|
## session ID of all domains.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_dontaudit_getsession_all_domains',`
|
||||||
|
gen_require(`
|
||||||
|
attribute domain;
|
||||||
|
class process getsession;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 domain:process getsession;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of all domains
|
||||||
|
## sockets, for all socket types.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Get the attributes of all domains
|
||||||
|
## sockets, for all socket types.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is commonly used for domains
|
||||||
|
## that can use lsof on all domains.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`domain_getattr_all_sockets',`
|
||||||
|
gen_require(`
|
||||||
|
gen_require_set(getattr,socket_class_set)
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 domain:socket_class_set getattr;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to get the attributes
|
## Do not audit attempts to get the attributes
|
||||||
|
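Review bot: `domain_dontaudit_getsession_all_domains` (L398-L425) is documented as "Do not audit attempts to get the session ID of all domains", but its body at L421 is `allow $1 domain:process getsession;` — identical to `domain_getsession_all_domains` just above it — so every caller, including the user template this commit wires it into, is granted getsession on every domain rather than having the denial silenced. The rule should read `dontaudit $1 domain:process getsession;`. An interface whose name says dontaudit but which emits an allow is an easy way to leak permissions into unprivileged domains, so this is worth fixing before the caller lands.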
@ -1,13 +1,13 @@
|
|||||||
## <summary>Miscelaneous files.</summary>
|
## <summary>Miscelaneous files.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow process to create files and dirs in /var/cache/man
|
## Allow process to create files and dirs in /var/cache/man
|
||||||
## and /var/catman/
|
## and /var/catman/
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`miscfiles_rw_man_cache',`
|
interface(`miscfiles_rw_man_cache',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow process to read fonts files
|
## Read fonts
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`miscfiles_read_fonts',`
|
interface(`miscfiles_read_fonts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow process to read localization info
|
## Allow process to read localization info
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`miscfiles_read_localization',`
|
interface(`miscfiles_read_localization',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow process to read legacy time localization info
|
## Allow process to read legacy time localization info
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`miscfiles_legacy_read_localization',`
|
interface(`miscfiles_legacy_read_localization',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <desc>
|
## <summary>
|
||||||
## Allow process to read manpages
|
## Allow process to read man pages
|
||||||
## </desc>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## Type type of the process performing this action.
|
## Type type of the process performing this action.
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`miscfiles_read_man_pages',`
|
interface(`miscfiles_read_man_pages',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
|
|||||||
allow $1 man_t:lnk_file r_file_perms;
|
allow $1 man_t:lnk_file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read TeX data
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_read_tetex_data',`
|
||||||
|
gen_require(`
|
||||||
|
type tetex_data_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
class lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
files_search_var_lib($1)
|
||||||
|
|
||||||
|
# cjp: TeX data can be in either of the above dirs
|
||||||
|
allow $1 tetex_data_t:dir r_dir_perms;
|
||||||
|
allow $1 tetex_data_t:file r_file_perms;
|
||||||
|
allow $1 tetex_data_t:lnk_file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute TeX data programs in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`miscfiles_exec_tetex_data',`
|
||||||
|
gen_require(`
|
||||||
|
type fonts_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var($1)
|
||||||
|
files_search_var_lib($1)
|
||||||
|
|
||||||
|
# cjp: TeX data can be in either of the above dirs
|
||||||
|
allow $1 tetex_data_t:dir r_dir_perms;
|
||||||
|
can_exec($1,tetex_data_t)
|
||||||
|
')
|
||||||
|
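Review bot: `miscfiles_exec_tetex_data` (L1009-L1055) requires `type fonts_t;` at L1017 but never uses it, while the rules it emits (L1047, L1051) reference `tetex_data_t`, which is absent from its `gen_require`; the interface will only build when the calling module happens to require `tetex_data_t` through some other path, such as `miscfiles_read_tetex_data`. Change the require line to `type tetex_data_t;` and, if `can_exec` does not supply them, add the `class file` permissions it needs. The new `<param>` blocks at L900 and L997 also carry the pre-existing typo `## Type type of the process performing this action.`; the new text should read `## The type of the process performing this action.`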
@ -74,6 +74,26 @@ interface(`pcmcia_run_cardctl',`
|
|||||||
allow cardmgr_t $3:chr_file rw_term_perms;
|
allow cardmgr_t $3:chr_file rw_term_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read cardmgr pid files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`pcmcia_read_pid',`
|
||||||
|
gen_require(`
|
||||||
|
type cardmgr_var_run_t;
|
||||||
|
class dir r_dir_perms;
|
||||||
|
class file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
allow $1 cardmgr_var_run_t:dir r_dir_perms;
|
||||||
|
allow $1 cardmgr_var_run_t:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete
|
## Create, read, write, and delete
|
||||||
|
@ -156,6 +156,7 @@ template(`base_user_template',`
|
|||||||
fs_get_all_fs_quotas($1_t)
|
fs_get_all_fs_quotas($1_t)
|
||||||
fs_getattr_all_fs($1_t)
|
fs_getattr_all_fs($1_t)
|
||||||
fs_search_auto_mountpoints($1_t)
|
fs_search_auto_mountpoints($1_t)
|
||||||
|
fs_exec_noxattr($1_t)
|
||||||
|
|
||||||
# for eject
|
# for eject
|
||||||
storage_getattr_fixed_disk($1_t)
|
storage_getattr_fixed_disk($1_t)
|
||||||
@ -171,6 +172,10 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
domain_exec_all_entry_files($1_t)
|
domain_exec_all_entry_files($1_t)
|
||||||
domain_use_wide_inherit_fd($1_t)
|
domain_use_wide_inherit_fd($1_t)
|
||||||
|
# When the user domain runs ps, there will be a number of access
|
||||||
|
# denials when ps tries to search /proc. Do not audit these denials.
|
||||||
|
domain_dontaudit_read_all_domains_state($1_t)
|
||||||
|
domain_dontaudit_getsession_all_domains($1_t)
|
||||||
|
|
||||||
files_exec_etc_files($1_t)
|
files_exec_etc_files($1_t)
|
||||||
files_read_usr_src_files($1_t)
|
files_read_usr_src_files($1_t)
|
||||||
@ -188,6 +193,9 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
miscfiles_read_localization($1_t)
|
miscfiles_read_localization($1_t)
|
||||||
miscfiles_rw_man_cache($1_t)
|
miscfiles_rw_man_cache($1_t)
|
||||||
|
# for running TeX programs
|
||||||
|
miscfiles_read_tetex_data($1_t)
|
||||||
|
miscfiles_exec_tetex_data($1_t)
|
||||||
|
|
||||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
|
|
||||||
@ -198,6 +206,14 @@ template(`base_user_template',`
|
|||||||
allow $1_t self:process execmem;
|
allow $1_t self:process execmem;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`read_default_t',`
|
||||||
|
files_list_default($1_t)
|
||||||
|
files_read_default_files($1_t)
|
||||||
|
files_read_default_symlinks($1_t)
|
||||||
|
files_read_default_sockets($1_t)
|
||||||
|
files_read_default_pipes($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs($1_t)
|
fs_manage_nfs_dirs($1_t)
|
||||||
fs_manage_nfs_files($1_t)
|
fs_manage_nfs_files($1_t)
|
||||||
@ -236,6 +252,11 @@ template(`base_user_template',`
|
|||||||
nscd_use_socket($1_t)
|
nscd_use_socket($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`pcmcia.te',`
|
||||||
|
# to allow monitoring of pcmcia status
|
||||||
|
pcmcia_read_pid($1_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`rpm.te',`
|
optional_policy(`rpm.te',`
|
||||||
files_getattr_var_lib_dir($1_t)
|
files_getattr_var_lib_dir($1_t)
|
||||||
files_search_var_lib($1_t)
|
files_search_var_lib($1_t)
|
||||||
@ -248,11 +269,6 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
# When the user domain runs ps, there will be a number of access
|
|
||||||
# denials when ps tries to search /proc. Do not audit these denials.
|
|
||||||
dontaudit $1_t domain:dir r_dir_perms;
|
|
||||||
dontaudit $1_t domain:notdevfile_class_set r_file_perms;
|
|
||||||
dontaudit $1_t domain:process { getattr getsession };
|
|
||||||
#
|
#
|
||||||
# Cups daemon running as user tries to write /etc/printcap
|
# Cups daemon running as user tries to write /etc/printcap
|
||||||
#
|
#
|
||||||
@ -271,11 +287,6 @@ template(`base_user_template',`
|
|||||||
# /initrd is left mounted, various programs try to look at it
|
# /initrd is left mounted, various programs try to look at it
|
||||||
dontaudit $1_t ramfs_t:dir getattr;
|
dontaudit $1_t ramfs_t:dir getattr;
|
||||||
|
|
||||||
tunable_policy(`read_default_t',`
|
|
||||||
allow $1_t default_t:dir r_dir_perms;
|
|
||||||
allow $1_t default_t:notdevfile_class_set r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Running ifconfig as a user generates the following
|
# Running ifconfig as a user generates the following
|
||||||
#
|
#
|
||||||
@ -303,11 +314,8 @@ template(`base_user_template',`
|
|||||||
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
|
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
|
||||||
dontaudit $1_t proc_fs:dir { read search };
|
dontaudit $1_t proc_fs:dir { read search };
|
||||||
|
|
||||||
can_exec($1_t, { removable_t noexattrfile } )
|
|
||||||
|
|
||||||
tunable_policy(`user_rw_noexattrfile',`
|
tunable_policy(`user_rw_noexattrfile',`
|
||||||
create_dir_file($1_t, noexattrfile)
|
create_dir_file($1_t, noexattrfile)
|
||||||
create_dir_file($1_t, removable_t)
|
|
||||||
# Write floppies
|
# Write floppies
|
||||||
storage_raw_read_removable_device($1_t)
|
storage_raw_read_removable_device($1_t)
|
||||||
storage_raw_write_removable_device($1_t)
|
storage_raw_write_removable_device($1_t)
|
||||||
@ -321,12 +329,6 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
allow $1_t usbtty_device_t:chr_file read;
|
allow $1_t usbtty_device_t:chr_file read;
|
||||||
|
|
||||||
can_exec($1_t, noexattrfile)
|
|
||||||
|
|
||||||
# for running TeX programs
|
|
||||||
r_dir_file($1_t, tetex_data_t)
|
|
||||||
can_exec($1_t, tetex_data_t)
|
|
||||||
|
|
||||||
can_resmgrd_connect($1_t)
|
can_resmgrd_connect($1_t)
|
||||||
|
|
||||||
# Grant permissions to access the system DBus
|
# Grant permissions to access the system DBus
|
||||||
@ -350,22 +352,19 @@ template(`base_user_template',`
|
|||||||
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
|
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Connect to inetd.
|
|
||||||
ifdef(`inetd.te', `
|
ifdef(`inetd.te', `
|
||||||
|
# Connect to inetd.
|
||||||
can_tcp_connect($1_t, inetd_t)
|
can_tcp_connect($1_t, inetd_t)
|
||||||
can_udp_send($1_t, inetd_t)
|
can_udp_send($1_t, inetd_t)
|
||||||
can_udp_send(inetd_t, $1_t)
|
can_udp_send(inetd_t, $1_t)
|
||||||
|
# Inherit and use sockets from inetd
|
||||||
|
allow $1_t inetd_t:fd use;
|
||||||
|
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Connect to portmap.
|
# Connect to portmap.
|
||||||
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
|
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
|
||||||
|
|
||||||
# Inherit and use sockets from inetd
|
|
||||||
ifdef(`inetd.te', `
|
|
||||||
allow $1_t inetd_t:fd use;
|
|
||||||
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`xserver.te', `
|
ifdef(`xserver.te', `
|
||||||
# for /tmp/.ICE-unix
|
# for /tmp/.ICE-unix
|
||||||
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
|
||||||
@ -398,11 +397,6 @@ template(`base_user_template',`
|
|||||||
create_dir_file($1_t, nfsd_rw_t)
|
create_dir_file($1_t, nfsd_rw_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`cardmgr.te', `
|
|
||||||
# to allow monitoring of pcmcia status
|
|
||||||
allow $1_t cardmgr_var_run_t:file r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Allow graphical boot to check battery lifespan
|
# Allow graphical boot to check battery lifespan
|
||||||
#
|
#
|
||||||
@ -417,7 +411,7 @@ template(`base_user_template',`
|
|||||||
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
')dnl end base_user_domain macro
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -496,6 +490,14 @@ template(`unpriv_user_template', `
|
|||||||
files_read_etc_files($1_t)
|
files_read_etc_files($1_t)
|
||||||
files_list_home($1_t)
|
files_list_home($1_t)
|
||||||
files_read_usr_files($1_t)
|
files_read_usr_files($1_t)
|
||||||
|
files_exec_usr_files($1_t)
|
||||||
|
# Read directories and files with the readable_t type.
|
||||||
|
# This type is a general type for "world"-readable files.
|
||||||
|
files_list_world_readable($1_t)
|
||||||
|
files_read_world_readable_files($1_t)
|
||||||
|
files_read_world_readable_symlinks($1_t)
|
||||||
|
files_read_world_readable_pipes($1_t)
|
||||||
|
files_read_world_readable_sockets($1_t)
|
||||||
|
|
||||||
init_read_script_pid($1_t)
|
init_read_script_pid($1_t)
|
||||||
# The library functions always try to open read-write first,
|
# The library functions always try to open read-write first,
|
||||||
@ -567,18 +569,6 @@ template(`unpriv_user_template', `
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`read_default_t',`
|
|
||||||
allow $1 default_t:dir r_dir_perms;
|
|
||||||
allow $1 default_t:notdevfile_class_set r_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
can_exec($1_t, usr_t)
|
|
||||||
|
|
||||||
# Read directories and files with the readable_t type.
|
|
||||||
# This type is a general type for "world"-readable files.
|
|
||||||
allow $1_t readable_t:dir r_dir_perms;
|
|
||||||
allow $1_t readable_t:notdevfile_class_set r_file_perms;
|
|
||||||
|
|
||||||
# Stat lost+found.
|
# Stat lost+found.
|
||||||
allow $1_t lost_found_t:dir getattr;
|
allow $1_t lost_found_t:dir getattr;
|
||||||
|
|
||||||
@ -644,8 +634,7 @@ template(`unpriv_user_template', `
|
|||||||
## rules for the user's tty, pty, home directories,
|
## rules for the user's tty, pty, home directories,
|
||||||
## tmp, and tmpfs files.
|
## tmp, and tmpfs files.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## <p>
|
||||||
## <secdesc>
|
|
||||||
## The privileges given to administrative users are:
|
## The privileges given to administrative users are:
|
||||||
## <ul>
|
## <ul>
|
||||||
## <li>Raw disk access</li>
|
## <li>Raw disk access</li>
|
||||||
@ -658,7 +647,8 @@ template(`unpriv_user_template', `
|
|||||||
## <li>Manage source and binary format SELinux policy</li>
|
## <li>Manage source and binary format SELinux policy</li>
|
||||||
## <li>Run insmod</li>
|
## <li>Run insmod</li>
|
||||||
## </ul>
|
## </ul>
|
||||||
## </secdesc>
|
## </p>
|
||||||
|
## </desc>
|
||||||
## <param name="userdomain_prefix">
|
## <param name="userdomain_prefix">
|
||||||
## The prefix of the user domain (e.g., sysadm
|
## The prefix of the user domain (e.g., sysadm
|
||||||
## is the prefix for sysadm_t).
|
## is the prefix for sysadm_t).
|
||||||
@ -724,13 +714,26 @@ template(`admin_user_template',`
|
|||||||
kernel_read_ring_buffer($1_t)
|
kernel_read_ring_buffer($1_t)
|
||||||
kernel_get_sysvipc_info($1_t)
|
kernel_get_sysvipc_info($1_t)
|
||||||
kernel_rw_all_sysctl($1_t)
|
kernel_rw_all_sysctl($1_t)
|
||||||
|
|
||||||
# signal unlabeled processes:
|
# signal unlabeled processes:
|
||||||
kernel_kill_unlabeled($1_t)
|
kernel_kill_unlabeled($1_t)
|
||||||
kernel_signal_unlabeled($1_t)
|
kernel_signal_unlabeled($1_t)
|
||||||
kernel_sigstop_unlabeled($1_t)
|
kernel_sigstop_unlabeled($1_t)
|
||||||
kernel_signull_unlabeled($1_t)
|
kernel_signull_unlabeled($1_t)
|
||||||
kernel_sigchld_unlabeled($1_t)
|
kernel_sigchld_unlabeled($1_t)
|
||||||
|
# for the administrator to run TCP servers directly
|
||||||
|
kernel_tcp_recvfrom($1_t)
|
||||||
|
|
||||||
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
|
# allow setting up tunnels
|
||||||
|
corenet_use_tun_tap_device($1_t)
|
||||||
|
|
||||||
|
dev_getattr_generic_blk_file($1_t)
|
||||||
|
dev_getattr_generic_chr_file($1_t)
|
||||||
|
dev_getattr_all_blk_files($1_t)
|
||||||
|
dev_getattr_all_chr_files($1_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs($1_t)
|
||||||
|
fs_set_all_quotas($1_t)
|
||||||
|
|
||||||
selinux_set_enforce_mode($1_t)
|
selinux_set_enforce_mode($1_t)
|
||||||
selinux_set_boolean($1_t)
|
selinux_set_boolean($1_t)
|
||||||
@ -743,16 +746,6 @@ template(`admin_user_template',`
|
|||||||
selinux_compute_relabel_context($1_t)
|
selinux_compute_relabel_context($1_t)
|
||||||
selinux_compute_user_contexts($1_t)
|
selinux_compute_user_contexts($1_t)
|
||||||
|
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
|
||||||
|
|
||||||
dev_getattr_generic_blk_file($1_t)
|
|
||||||
dev_getattr_generic_chr_file($1_t)
|
|
||||||
dev_getattr_all_blk_files($1_t)
|
|
||||||
dev_getattr_all_chr_files($1_t)
|
|
||||||
|
|
||||||
fs_getattr_all_fs($1_t)
|
|
||||||
fs_set_all_quotas($1_t)
|
|
||||||
|
|
||||||
storage_raw_read_removable_device($1_t)
|
storage_raw_read_removable_device($1_t)
|
||||||
storage_raw_write_removable_device($1_t)
|
storage_raw_write_removable_device($1_t)
|
||||||
|
|
||||||
@ -761,6 +754,7 @@ template(`admin_user_template',`
|
|||||||
term_use_all_user_ptys($1_t)
|
term_use_all_user_ptys($1_t)
|
||||||
term_use_all_user_ttys($1_t)
|
term_use_all_user_ttys($1_t)
|
||||||
|
|
||||||
|
auth_getattr_shadow($1_t)
|
||||||
# Manage almost all files
|
# Manage almost all files
|
||||||
auth_manage_all_files_except_shadow($1_t)
|
auth_manage_all_files_except_shadow($1_t)
|
||||||
# Relabel almost all files
|
# Relabel almost all files
|
||||||
@ -775,6 +769,8 @@ template(`admin_user_template',`
|
|||||||
domain_sigstop_all_domains($1_t)
|
domain_sigstop_all_domains($1_t)
|
||||||
domain_sigstop_all_domains($1_t)
|
domain_sigstop_all_domains($1_t)
|
||||||
domain_sigchld_all_domains($1_t)
|
domain_sigchld_all_domains($1_t)
|
||||||
|
# for lsof
|
||||||
|
domain_getattr_all_sockets($1_t)
|
||||||
|
|
||||||
files_exec_usr_files($1_t)
|
files_exec_usr_files($1_t)
|
||||||
|
|
||||||
@ -799,44 +795,45 @@ template(`admin_user_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
# Let admin stat the shadow file.
|
|
||||||
allow $1_t shadow_t:file getattr;
|
|
||||||
|
|
||||||
# for lsof
|
# for lsof
|
||||||
allow $1_t mtrr_device_t:file getattr;
|
allow $1_t mtrr_device_t:file getattr;
|
||||||
|
|
||||||
|
# for lsof
|
||||||
|
allow $1_t eventpollfs_t:file getattr;
|
||||||
|
|
||||||
allow $1_t serial_device:chr_file setattr;
|
allow $1_t serial_device:chr_file setattr;
|
||||||
|
|
||||||
# allow setting up tunnels
|
|
||||||
allow $1_t tun_tap_device_t:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
allow $1_t ptyfile:chr_file getattr;
|
allow $1_t ptyfile:chr_file getattr;
|
||||||
|
|
||||||
# Run programs from staff home directories.
|
|
||||||
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
|
|
||||||
can_exec($1_t, staff_home_t)
|
|
||||||
|
|
||||||
# Run admin programs that require different permissions in their own domain.
|
# Run admin programs that require different permissions in their own domain.
|
||||||
# These rules were moved into the appropriate program domain file.
|
# These rules were moved into the appropriate program domain file.
|
||||||
|
|
||||||
ifdef(`startx.te', `
|
ifdef(`xserver.te', `
|
||||||
ifdef(`xserver.te', `
|
# Create files in /tmp/.X11-unix with our X servers derived
|
||||||
# Create files in /tmp/.X11-unix with our X servers derived
|
# tmp type rather than user_xserver_tmp_t.
|
||||||
# tmp type rather than user_xserver_tmp_t.
|
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
|
||||||
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
|
|
||||||
')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te', `
|
||||||
ifdef(`xauth.te', `
|
tunable_policy(`xdm_sysadm_login',`
|
||||||
tunable_policy(`xdm_sysadm_login',`
|
allow xdm_t $1_home_t:lnk_file read;
|
||||||
allow xdm_t $1_home_t:lnk_file read;
|
allow xdm_t $1_home_t:dir search;
|
||||||
allow xdm_t $1_home_t:dir search;
|
|
||||||
')
|
|
||||||
allow $1_t xdm_t:fifo_file rw_file_perms;
|
|
||||||
')
|
')
|
||||||
|
allow $1_t xdm_t:fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
# Connect data port to ftpd.
|
||||||
|
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
|
||||||
|
|
||||||
|
# Connect second port to rshd.
|
||||||
|
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
|
||||||
|
|
||||||
|
# Allow MAKEDEV to work
|
||||||
|
allow $1_t device_t:dir rw_dir_perms;
|
||||||
|
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
|
||||||
|
allow $1_t device_t:lnk_file { create read };
|
||||||
|
|
||||||
#
|
#
|
||||||
# A user who is authorized for sysadm_t may nonetheless have
|
# A user who is authorized for sysadm_t may nonetheless have
|
||||||
# a home directory labeled with user_home_t if the user is expected
|
# a home directory labeled with user_home_t if the user is expected
|
||||||
@ -850,23 +847,9 @@ template(`admin_user_template',`
|
|||||||
allow $1_gph_t user_home_type:file create_file_perms;
|
allow $1_gph_t user_home_type:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
# for the administrator to run TCP servers directly
|
# Run programs from staff home directories.
|
||||||
allow $1_t kernel_t:tcp_socket recvfrom;
|
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
|
||||||
|
can_exec($1_t, staff_home_t)
|
||||||
# Connect data port to ftpd.
|
|
||||||
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
|
|
||||||
|
|
||||||
# Connect second port to rshd.
|
|
||||||
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
|
|
||||||
|
|
||||||
# Allow MAKEDEV to work
|
|
||||||
allow $1_t device_t:dir rw_dir_perms;
|
|
||||||
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
|
|
||||||
allow $1_t device_t:lnk_file { create read };
|
|
||||||
|
|
||||||
# for lsof
|
|
||||||
allow $1_t domain:socket_class_set getattr;
|
|
||||||
allow $1_t eventpollfs_t:file getattr;
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
|
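Review bot: `fs_exec_noxattr($1_t)` at L1188 is added to `base_user_template` unconditionally, so every user domain built from it — unprivileged ones included — may execute any binary on a filesystem that lacks extended attributes (typically removable vfat media), with no per-file label available to restrict it. The write side in the same template is already gated on `tunable_policy(`user_rw_noexattrfile',` (L1522); the execute side deserves the same treatment, e.g. wrapping the call in `tunable_policy(`user_exec_noexattrfile',` ... `')`, or at minimum a comment recording that unrestricted execution from unlabeled media is intended. The TODO rule this replaces, `can_exec($1_t, { removable_t noexattrfile })` (L1515), also covered `removable_t`; if that type does not carry the `noxattrfs` attribute, that permission is silently dropped — worth confirming. `base_user_template` begins before this hunk.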