add fc mls policy
parent 9cc2ccc4ed
commit 31b7c0551d

mls/COPYING (Normal file, 340 lines)
@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.

c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
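Review bot: the COPYING text carries the FSF's superseded postal address ("59 Temple Place, Suite 330, Boston, MA 02111-1307 USA", repeated in the "How to Apply These Terms" notice near the end); the GPLv2 text the FSF publishes today gives 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301. The licence itself says changing it is not allowed, so do not hand-edit this file; instead confirm it is a byte-for-byte copy of the upstream policy tree's COPYING (the old address is expected for a 2005-era tree) and name that upstream origin in the commit message so a later reader does not mistake the stale address for a local edit.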

mls/ChangeLog (Normal file, 434 lines)
@ -0,0 +1,434 @@
1.27.3 2005-11-17
* Removed the seuser policy as suggested by Kevin Carr.
* Removed unnecessary allow rule concerning tmpfs_t in the squid
policy as suggested by Russell Coker.
* Merged a patch from Jonathan Kim which modified the restorecon policy
to use the secadmin attribute.
* Merged a patch from Dan Walsh. Added avahi, exim, and yppasswdd
policies. Added the unconfinedtrans attribute for domains that
can transistion to unconfined_t. Added httpd_enable_ftp_server,
allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp
booleans. Created a $1_disable_trans boolean used in the
init_service_domain macro to specify whether init should
transition to a new domain when executing. Included Chad Hanson's
patch which adds the mls* attributes to more domains and makes
other changes to support MLS. Included Russell Coker's patch
which makes many changes to the sendmail policy. Added rules to
allow initscripts to execute scripts that they generate. Added
dbus support to the named policy. Made other fixes and cleanups
to various policies including amanda, apache, bluetooth, pegasus,
postfix, pppd, and slapd. Removed sendmail policy from targeted.
1.27.2 2005-10-20
* Merged patch from Chad Hanson. Modified MLS constraints.
Provided comments for the MLS attributes.
* Merged two patches from Thomas Bleher which made some minor
fixes and cleanups.
* Merged patches from Russell Coker. Added comments to some of the
MLS attributes. Added the secure_mode_insmod boolean to determine
whether the system permits loading policy, setting enforcing mode,
and changing boolean values. Made minor fixes for the cdrecord_domain
macro, application_domain, newrole_domain, and daemon_base_domain
macros. Added rules to allow the mail server to access the user
home directories in the targeted policy and allows the postfix
showq program to do DNS lookups. Minor fixes for the MCS
policy. Made other minor fixes and cleanups.
* Merged patch from Dan Walsh. Added opencd, pegasus, readahead,
and roundup policies. Created can_access_pty macro to handle pty
output. Created nsswithch_domain macro for domains using
nsswitch. Added mcs transition rules. Removed mqueue and added
capifs genfscon entries. Added dhcpd and pegasus ports. Added
domain transitions from login domains to pam_console and alsa
domains. Added rules to allow the httpd and squid domains to
relay more protocols. For the targeted policy, removed sysadm_r
role from unconfined_t. Made other fixes and cleanups.
1.27.1 2005-09-15
* Merged small patches from Russell Coker for the apostrophe,
dhcpc, fsadm, and setfiles policy.
* Merged a patch from Russell Coker with some minor fixes to a
multitude of policy files.
* Merged patch from Dan Walsh from August 15th. Adds certwatch
policy. Adds mcs support to Makefile. Adds mcs file which
defines sensitivities and categories for the MSC policy. Creates
an authentication_domain macro in global_macros.te for domains
that use pam_authentication. Creates the anonymous_domain macro
so that the ftpd, rsync, httpd, and smbd domains can share the
ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to
start isolating individual ethernet devices. Changes vpnc from a
daemon to an application_domain. Adds audit_control capability to
crond_t. Adds dac_override and dac_read_search capabilities to
fsadm_t to allow the manipulation of removable media. Adds
read_sysctl macro to the base_passwd_domain macro. Adds rules to
allow alsa_t to communicate with userspace. Allows networkmanager
to communicate with isakmp_port and to use vpnc. For targeted
policy, removes transitions of sysadm_t to apm_t, backup_t,
bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
Makes other minor cleanups and fixes.

1.26 2005-09-06
* Updated version for release.

1.25.4 2005-08-10
* Merged small patches from Russell Coker for the restorecon,
kudzu, lvm, radvd, and spamassasin policies.
* Added fs_use_trans rule for mqueue from Mark Gebhart to support
the work he has done on providing SELinux support for mqueue.
* Merged a patch from Dan Walsh. Removes the user_can_mount
tunable. Adds disable_evolution_trans and disable_thunderbird_trans
booleans. Adds the nscd_client_domain attribute to insmod_t.
Removes the user_ping boolean from targeted policy. Adds
hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
Adds the isakmp_port for vpnc. Creates the pptp daemon domain.
Allows getty to run sbin_t for pppd. Allows initrc to write to
default_t for booting. Allows Hotplug_t sys_rawio for prism54
card at boot. Other minor fixes.

1.25.3 2005-07-18
* Merged patch from Dan Walsh. Adds auth_bool attribute to allow
domains to have read access to shadow_t. Creates pppd_can_insmod
boolean to control the loading of modem kernel modules. Allows
nfs to export noexattrfile types. Allows unix_chpwd to access
cert files and random devices for encryption purposes. Other
minor cleanups and fixes.

1.25.2 2005-07-11
* Merged patch from Dan Walsh. Added allow_ptrace boolean to
allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the
audit_control and audit_write capabilities. Stops targeted policy
from transitioning from unconfined_t to netutils. Allows cupsd to
audit messages. Gives prelink the execheap, execmem, and execstack
permissions by default. Adds can_winbind boolean and functions to
better handle samba and winbind communications. Eliminates
allow_execmod checks around texrel_shlib_t libraries. Other minor
cleanups and fixes.

1.25.1 2005-07-05
* Moved role_tty_type_change, reach_sysadm, and priv_user macros
from user.te to user_macros.te as suggested by Steve.
* Modified admin_domain macro so autrace would work and removed
privuser attribute for dhcpc as suggested by Russell Coker.
* Merged rather large patch from Dan Walsh. Moves
targeted/strict/mls policies closer together. Adds local.te for
users to customize. Includes minor fixes to auditd, cups,
cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch
that defines all ports in network.te. Ports are always defined
now, no ifdefs are used in network.te. Also includes Ivan
Gyurdiev's user home directory policy patches. These patches add
alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
iceauth, orbit, and thunderbird policy. They create read_content,
write_trusted, and write_untrusted macros in content.te. They
create network_home, write_network_home, read_network_home,
base_domain_ro_access, home_domain_access, home_domain, and
home_domain_ro macros in home_macros.te. They also create
$3_read_content, $3_write_content, and write_untrusted booleans.

1.24 2005-06-20
* Updated version for release.

1.23.18 2005-05-31
* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
* Removed devfsd policy as suggested by Russell Coker.
* Merged patch from Dan Walsh. Includes beginnings of Ivan
Gyurdiev's Font Config policy. Don't transition to fsadm_t from
unconfined_t (sysadm_t) in targeted policy. Add support for
debugfs in modutil. Allow automount to create and delete
directories in /root and /home dirs. Move can_ypbind to
chkpwd_macro.te. Allow useradd to create additional files and
types via the skell mechanism. Other minor cleanups and fixes.

1.23.17 2005-05-23
* Merged minor fixes by Petre Rodan to the daemontools, dante,
gpg, kerberos, and ucspi-tcp policies.
* Merged minor fixes by Russell Coker to the bluetooth, crond,
initrc, postfix, and udev policies. Modifies constraints so that
newaliases can be run. Modifies types.fc so that objects in
lost+found directories will not be relabled.
* Modified fc rules for nvidia.
* Added Chad Sellers policy for polyinstantiation support, which
creates the polydir, polyparent, and polymember attributes. Also
added the support_polyinstantiation tunable.
* Merged patch from Dan Walsh. Includes mount_point attribute,
read_font macros and some other policy fixes from Ivan Gyurdiev.
Adds privkmsg and secadmfile attributes and ddcprobe policy.
Removes the use_syslogng boolean. Many other minor fixes.

1.23.16 2005-05-13
* Added rdisc policy from Russell Coker.
* Merged minor fix to named policy by Petre Rodan.
* Merged minor fixes to policy from Russell Coker for kudzu,
named, screen, setfiles, telnet, and xdm.
* Merged minor fix to Makefile from Russell Coker.

1.23.15 2005-05-06
* Added tripwire and yam policy from David Hampton.
* Merged minor fixes to amavid and a clarification to the
httpdcontent attribute comments from David Hampton.
* Merged patch from Dan Walsh. Includes fixes for restorecon,
games, and postfix from Russell Coker. Adds support for debugfs.
Restores support for reiserfs. Allows udev to work with tmpfs_t
before /dev is labled. Removes transition from sysadm_t
(unconfined_t) to ifconfig_t for the targeted policy. Other minor
cleanups and fixes.

1.23.14 2005-04-29
* Added afs policy from Andrew Reisse.
* Merged patch from Lorenzo Hernández García-Hierro which defines
execstack and execheap permissions. The patch excludes these
permissions from general_domain_access and updates the macros for
X, legacy binaries, users, and unconfined domains.
* Added nlmsg_relay permisison where netlink_audit_socket class is
used. Added nlmsg_readpriv permission to auditd_t and auditctl_t.
* Merged some minor cleanups from Russell Coker and David Hampton.
* Merged patch from Dan Walsh. Many changes made to allow
targeted policy to run closer to strict and now almost all of
non-userspace is protected via SELinux. Kernel is now in
unconfined_domain for targeted and runs as root:system_r:kernel_t.
Added transitionbool to daemon_sub_domain, mainly to turn off
httpd_suexec transitioning. Implemented web_client_domain
name_connect rules. Added yp support for cups. Now the real
hotplug, udev, initial_sid_contexts are used for the targeted
policy. Other minor cleanups and fixes. Auditd fixes by Paul
Moore.

1.23.13 2005-04-22
* Merged more changes from Dan Walsh to initrc_t for removal of
unconfined_domain.
* Merged Dan Walsh's split of auditd policy into auditd_t for the
audit daemon and auditctl_t for the autoctl program.
* Added use of name_connect to uncond_can_ypbind macro by Dan
Walsh.
* Merged other cleanup and fixes by Dan Walsh.

1.23.12 2005-04-20
* Merged Dan Walsh's Netlink changes to handle new auditing pam
modules.
* Merged Dan Walsh's patch removing the sysadmfile attribute from
policy files to separate sysadm_t from secadm_t.
* Added CVS and uucpd policy from Dan Walsh.
* Cleanup by Dan Walsh to handle turning off unlimitedRC.
* Merged Russell Coker's fixes to ntpd, postgrey, and named
policy.
* Cleanup of chkpwd_domain and added permissions to su_domain
macro due to pam changes to support audit.
* Added nlmsg_relay and nlmsg_readpriv permissions to the
netlink_audit_socket class.

1.23.11 2005-04-14
* Merged Dan Walsh's separation of the security manager and system
administrator.
* Removed screensaver.te as suggested by Thomas Bleher
* Cleanup of typealiases that are no longer used by Thomas Bleher.
* Cleanup of fc files and additional rules for SuSE by Thomas
Bleher.
* Merged changes to auditd and named policy by Russell Coker.
* Merged MLS change from Darrel Goeddel to support the policy
hierarchy patch.

1.23.10 2005-04-08
* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te

1.23.9 2005-04-07
* Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
of x_client apps.
* Added dmidecode policy from Ivan Gyurdiev.

1.23.8 2005-04-05
* Added netlink_kobject_uevent_socket class.
* Removed empty files pump.te and pump.fc.
* Added NetworkManager policy from Dan Walsh.
* Merged Dan Walsh's major restructuring of Apache's policy.

1.23.7 2005-04-04
* Merged David Hampton's amavis and clamav cleanups.
* Added David Hampton's dcc, pyzor, and razor policy.

1.23.6 2005-04-01
* Merged cleanup of the Makefile and other stuff from Dan Walsh.
Dan's patch includes some desktop changes from Ivan Gyurdiev.
* Merged Thomas Bleher's patches which increase the usage of
lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
|
||||
possible.
|
||||
* Merged Greg Norris's cleanup of fetchmail.
|
||||
|
||||
1.23.5 2005-03-23
|
||||
* Added name_connect support from Dan Walsh.
|
||||
* Added httpd_unconfined_t from Dan Walsh.
|
||||
* Merged cleanup of assert.te to allow unresticted full access
|
||||
from Dan Walsh.
|
||||
|
||||
1.23.4 2005-03-21
|
||||
* Merged diffs from Dan Walsh:
|
||||
* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
|
||||
Gyurdiev.
|
||||
* Added syslogng support to syslog.te.
|
||||
|
||||
1.23.3 2005-03-15
|
||||
* Added policy for nx_server from Thomas Bleher.
|
||||
* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
|
||||
publicfile from Petre Rodan.
|
||||
|
||||
1.23.2 2005-03-14
|
||||
* Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
|
||||
gift policy.
|
||||
* Made sysadm_r the first role for root, so root's home will be labled
|
||||
as sysadm_home_dir_t instead of staff_home_dir_t.
|
||||
* Modified fs_use and Makefile to reflect jfs now supporting security
|
||||
xattrs.
|
||||
|
||||
1.23.1 2005-03-10
|
||||
* Merged diffs from Dan Walsh. Dan's patch includes Ivan
|
||||
Gyurdiev's cleanup of homedir macros and more extensive use of
|
||||
read_sysctl()
|
||||
|
||||
1.22 2005-03-09
|
||||
* Updated version for release.
|
||||
|
||||
1.21 2005-02-24
|
||||
* Added secure_file_type attribute from Dan Walsh
|
||||
* Added access_terminal() macro from Ivan Gyurdiev
|
||||
* Updated capability access vector for audit capabilities.
|
||||
* Added mlsconvert Makefile target to help generate MLS policies
|
||||
(see selinux-doc/README.MLS for instructions).
|
||||
* Changed policy Makefile to still generate policy.18 as well,
|
||||
and use it for make load if the kernel doesn't support 19.
|
||||
* Merged enhanced MLS support from Darrel Goeddel (TCS).
|
||||
* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
|
||||
* Merged man pages from Dan Walsh.
|
||||
|
||||
1.20 2005-01-04
|
||||
* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
|
||||
Petre Rodan.
|
||||
* Merged can_create() macro used for file_type_{,auto_}trans()
|
||||
from Thomas Bleher.
|
||||
* Merged dante and stunnel policy by Petre Rodan.
|
||||
* Merged $1_file_type attribute from Thomas Bleher.
|
||||
* Merged network_macros from Dan Walsh.
|
||||
|
||||
1.18 2004-10-25
|
||||
* Merged diffs from Russell Coker and Dan Walsh.
|
||||
* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
|
||||
* Added reserved_port_t type and portcon entries to map all other
|
||||
reserved ports to this type.
|
||||
* Added distro_ prefix to distro tunables to avoid conflicts.
|
||||
* Merged diffs from Russell Coker.
|
||||
|
||||
1.16 2004-08-16
|
||||
* Added nscd definitions.
|
||||
* Converted many tunables to policy booleans.
|
||||
* Added crontab permission.
|
||||
* Merged diffs from Dan Walsh.
|
||||
This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
|
||||
* Merged diffs from Russell Coker.
|
||||
* Adjusted constraints for crond restart.
|
||||
* Merged dbus/userspace object manager policy from Colin Walters.
|
||||
* Merged dbus definitions from Matthew Rickard.
|
||||
* Merged dnsmasq policy from Greg Norris.
|
||||
* Merged gpg-agent policy from Thomas Bleher.
|
||||
|
||||
1.14 2004-06-28
|
||||
* Removed vmware-config.pl from vmware.fc.
|
||||
* Added crond entry to root_default_contexts.
|
||||
* Merged patch from Dan Walsh.
|
||||
* Merged mdadm and postfix changes from Colin Walters.
|
||||
* Merged reiserfs and rpm changes from Russell Coker.
|
||||
* Merged runaway .* glob fix from Valdis Kletnieks.
|
||||
* Merged diff from Dan Walsh.
|
||||
* Merged fine-grained netlink classes and permissions.
|
||||
* Merged changes for new /etc/selinux layout.
|
||||
* Changed mkaccess_vector.sh to provide stable order.
|
||||
* Merged diff from Dan Walsh.
|
||||
* Fix restorecon path in restorecon.fc.
|
||||
* Merged pax class and access vector definition from Joshua Brindle.
|
||||
|
||||
1.12 2004-05-12
|
||||
* Added targeted policy.
|
||||
* Merged atd/at into crond/crontab domains.
|
||||
* Exclude bind mounts from relabeling to avoid aliasing.
|
||||
* Removed some obsolete types and remapped their initial SIDs to unlabeled.
|
||||
* Added SE-X related security classes and policy framework.
|
||||
* Added devnull initial SID and context.
|
||||
* Merged diffs from Fedora policy.
|
||||
|
||||
1.10 2004-04-07
|
||||
* Merged ipv6 support from James Morris of RedHat.
|
||||
* Merged policy diffs from Dan Walsh.
|
||||
* Updated call to genhomedircon to reflect new usage.
|
||||
* Merged policy diffs from Dan Walsh and Russell Coker.
|
||||
* Removed config-users and config-services per Dan's request.
|
||||
|
||||
1.8 2004-03-09
|
||||
* Merged genhomedircon patch from Karl MacMillan of Tresys.
|
||||
* Added restorecon domain.
|
||||
* Added unconfined_domain macro.
|
||||
* Added default_t for /.* file_contexts entry and replaced some
|
||||
uses of file_t with default_t in the policy.
|
||||
* Added su_restricted_domain() macro and use it for initrc_t.
|
||||
* Merged policy diffs from Dan Walsh and Russell Coker.
|
||||
These included a merge of an earlier patch by Chris PeBenito
|
||||
to rename the etc types to be consistent with other types.
|
||||
|
||||
1.6 2004-02-18
|
||||
* Merged xfs support from Chris PeBenito.
|
||||
* Merged conditional rules for ping.te.
|
||||
* Defined setbool permission, added can_setbool macro.
|
||||
* Partial network policy cleanup.
|
||||
* Merged with Russell Coker's policy.
|
||||
* Renamed netscape macro and domain to mozilla and renamed
|
||||
ipchains domain to iptables for consistency with Russell.
|
||||
* Merged rhgb macro and domain from Russell Coker.
|
||||
* Merged tunable.te from Russell Coker.
|
||||
Only define direct_sysadm_daemon by default in our copy.
|
||||
* Added rootok permission to passwd class.
|
||||
* Merged Makefile change from Dan Walsh to generate /home
|
||||
file_contexts entries for staff users.
|
||||
* Added automatic role and domain transitions for init scripts and
|
||||
daemons. Added an optional third argument (nosysadm) to
|
||||
daemon_domain to omit the direct transition from sysadm_r when
|
||||
the same executable is also used as an application, in which
|
||||
case the daemon must be restarted via the init script to obtain
|
||||
the proper security context. Added system_r to the authorized roles
|
||||
for admin users at least until support for automatic user identity
|
||||
transitions exist so that a transition to system_u can be provided
|
||||
transparently.
|
||||
* Added support to su domain for using pam_selinux.
|
||||
Added entries to default_contexts for the su domains to
|
||||
provide reasonable defaults. Removed user_su_t.
|
||||
* Tighten restriction on user identity and role transitions in constraints.
|
||||
* Merged macro for newrole-like domains from Russell Coker.
|
||||
* Merged stub dbusd domain from Russell Coker.
|
||||
* Merged stub prelink domain from Dan Walsh.
|
||||
* Merged updated userhelper and config tool domains from Dan Walsh.
|
||||
* Added send_msg/recv_msg permissions to can_network macro.
|
||||
* Merged patch by Chris PeBenito for sshd subsystems.
|
||||
* Merged patch by Chris PeBenito for passing class to var_run_domain.
|
||||
* Merged patch by Yuichi Nakamura for append_log_domain macros.
|
||||
* Merged patch by Chris PeBenito for rpc_pipefs labeling.
|
||||
* Merged patch by Colin Walters to apply m4 once so that
|
||||
source file info is preserved for checkpolicy.
|
||||
|
||||
1.4 2003-12-01
|
||||
* Merged patches from Russell Coker.
|
||||
* Revised networking permissions.
|
||||
* Added new node_bind permission.
|
||||
* Added new siginh, rlimitinh, and setrlimit permissions.
|
||||
* Added proc_t:file read permission for new is_selinux_enabled logic.
|
||||
* Added failsafe_context configuration file to appconfig.
|
||||
* Moved newrules.pl to policycoreutils, renamed to audit2allow.
|
||||
* Merged newrules.pl patch from Yuichi Nakamura.
|
||||
|
||||
1.2 2003-09-30
|
||||
* More policy merging with Russell Coker.
|
||||
* Transferred newrules.pl script from the old SELinux.
|
||||
* Merged MLS configuration patch from Karl MacMillan of Tresys.
|
||||
* Limit staff_t to reading /proc entries for unpriv_userdomain.
|
||||
* Updated Makefile and spec file to allow non-root builds,
|
||||
based on patch by Paul Nasrat.
|
||||
|
||||
1.1 2003-08-13
|
||||
* Merged Makefile check-all and te-includes patches from Colin Walters.
|
||||
* Merged x-debian-packages.patch from Colin Walters.
|
||||
* Folded read permission into domain_trans.
|
||||
|
||||
1.0 2003-07-11
|
||||
* Initial public release.
|
||||
|
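Review bot: spelling in several ChangeLog entries should be fixed before this copy is carried into yet another policy tree: "permisison" (1.23.14, nlmsg_relay), "autoctl" (1.23.13, meant auditctl), "unresticted" (1.23.5) and "labled" (1.23.2 and the partial entry at the top) should read "permission", "auditctl", "unrestricted" and "labeled".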
356
mls/Makefile
Normal file
@ -0,0 +1,356 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'install'.
#

# Set to y if MLS is enabled in the policy.
MLS=y

# Set to y if MCS is enabled in the policy
MCS=n

FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
SBINDIR = $(PREFIX)/sbin
LOADPOLICY = $(SBINDIR)/load_policy
CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
PREVERS := 20
KERNVERS := $(shell cat /selinux/policyvers)
MLSENABLED := $(shell cat /selinux/mls)
POLICYVER := policy.$(VERS)
TOPDIR = $(DESTDIR)/etc/selinux
TYPE=mls

INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template

ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
ALL_TYPES := $(wildcard types/*.te)
ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
USER_FILES := users
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
ifeq ($(MCS), y)
POLICYFILES += mcs
CHECKPOLMLS += -M
endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
CONTEXTFILES = $(DEFCONTEXTFILES)
POLICY_DIRS = domains domains/program domains/misc macros macros/program

UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)

FC = file_contexts/file_contexts
HOMEDIR_TEMPLATE = file_contexts/homedir_template
FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
CONTEXTFILES += $(FCFILES)

APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media

ROOTFILES = $(addprefix $(APPDIR)/users/,root)

all: policy

tmp/valid_fc: $(LOADPATH) $(FC)
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(LOADPATH) $(FC)
@touch tmp/valid_fc

install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users

$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@echo "# " > tmp/system.users
@echo "# Do not edit this file. " >> tmp/system.users
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@

$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
install -b -m 644 $< $@

$(CONTEXTPATH)/files/media: appconfig/media
@mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@

$(APPDIR)/default_contexts: appconfig/default_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/removable_context: appconfig/removable_context
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/customizable_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@

$(APPDIR)/port_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
install -m 644 tmp/port_types $@

$(APPDIR)/default_type: appconfig/default_type
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/userhelper_context: appconfig/userhelper_context
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/initrc_context: appconfig/initrc_context
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/failsafe_context: appconfig/failsafe_context
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
@mkdir -p $(APPDIR)
install -m 644 $< $@

$(APPDIR)/users/root: appconfig/root_default_contexts
@mkdir -p $(APPDIR)/users
install -m 644 $< $@

$(LOADPATH): policy.conf $(CHECKPOLICY)
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(VERS),$(PREVERS))
$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
endif

# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.

policy: $(POLICYVER)

$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)

reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
$(LOADPOLICY)
touch tmp/load

load: tmp/load $(FCPATH)

enableaudit: policy.conf
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf

policy.conf: $(POLICYFILES) $(POLICY_DIRS)
@echo "Building policy.conf ..."
@mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
@mv $@.tmp $@

install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
@mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy

tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
@mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@

FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`

checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)

restorelabels: $(SETFILES)
$(SETFILES) -v $(FC) $(FILESYSTEMS)

relabel: $(FC) $(SETFILES)
$(SETFILES) $(FC) $(FILESYSTEMS)

file_contexts/misc:
@mkdir -p file_contexts/misc

$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types
@echo "Installing file contexts files..."
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
install -m 644 $(FC) $(FCPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)

$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file contexts files..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
@grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE)
@-rm $@.tmp

# Create a tags-file for the policy:
# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
ifeq ($(strip $(CTAGS)),)
CTAGS := $(call pathsearch,ctags) # suse naming scheme
endif

tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
--regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^

clean:
rm -f policy.conf $(POLICYVER)
rm -f tags
rm -f tmp/*
rm -f $(FC)
rm -f flask/*.h
# for the policy regression tester
find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \

# Policy regression tester.
# Written by Colin Walters <walters@debian.org>
cur_te = $(filter-out %/,$(subst /,/ ,$@))

TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))

define compute_depends
export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
endef


ifeq ($(TE_DEPENDS_DEFINED),)
ifeq ($(MAKECMDGOALS),check-all)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
else
# Handle the case where checkunused/blah.te is run directly.
ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
GENRULES := $(TESTED_TE_FILES)
export TE_DEPENDS_DEFINED := yes
endif
endif
endif

# Test for a new enough version of GNU Make.
$(eval have_eval := yes)
ifneq ($(GENRULES),)
ifeq ($(have_eval),)
$(error Need GNU Make 3.80 or better!)
Need GNU Make 3.80 or better
endif
endif
$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))

PHONIES :=

define compute_presymlinks
PHONIES += presymlink/$(1)
presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
@if ! test -L domains/program/$(1); then \
cd domains/program && ln -s unused/$(1) .; \
fi
endef

# Compute dependencies.
$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))

PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
@$(MAKE) -s clean

$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
fi
@echo "Testing $(cur_te)...";
@if ! make -s policy 1>/dev/null; then \
echo "Testing $(cur_te)...FAILED"; \
exit 1; \
fi;
@echo "Testing $(cur_te)...success."; \

check-all:
@for goal in $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
$(MAKE) --no-print-directory $$goal; \
done

.PHONY: clean $(PHONIES)

mlsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
mv $$file.new $$file; \
done
@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
@echo "Enabling MLS in the Makefile"
@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"

mcsconvert:
@for file in $(CONTEXTFILES); do \
echo "Converting $$file"; \
sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
mv $$file.new $$file; \
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -r -e 's/\;/ level s0 range s0;/' $$file | \
sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
mv $$file.new $$file; \
done
@echo "Enabling MCS in the Makefile"
@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
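Review bot: the `mlsconvert` target's `@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new` is a no-op: this tree already ships with `MLS=y`, so the "Enabling MLS in the Makefile" step rewrites the file without changing anything, while the sibling `mcsconvert` really does flip `MCS=n` to `MCS=y`. Either drop the Makefile-rewriting step from `mlsconvert` (the context-file conversion above it still has a use on an unconverted tree) or make the substitution match an `n` value the way the MCS one does. Also, `KERNVERS := $(shell cat /selinux/policyvers)` and `MLSENABLED := $(shell cat /selinux/mls)` are assigned but never referenced anywhere in the file, and because they are `:=` assignments they run `cat` on every make invocation, which fails noisily on a build host without selinuxfs mounted; drop them or guard them. Minor: with both `MLS=y` and `MCS=y`, `CHECKPOLMLS` accumulates `-M -M`.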
125
mls/README
Normal file
@ -0,0 +1,125 @@
The Makefile targets are:
policy - compile the policy configuration.
install - compile and install the policy configuration.
load - compile, install, and load the policy configuration.
relabel - relabel the filesystem.
check-all - check individual additional policy files in domains/program/unused.
checkunused/FILE.te - check individual file FILE from domains/program/unused.

If you have configured MLS into your module, then set MLS=y in the
Makefile prior to building the policy. Of course, you must have also
built checkpolicy with MLS enabled.

Three of the configuration files are independent of the particular
security policy:
1) flask/security_classes -
This file has a simple declaration for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.

2) flask/initial_sids -
This file has a simple declaration for each initial SID.
The corresponding symbol definitions are in the automatically
generated header file <selinux/flask.h>.

3) access_vectors -
This file defines the access vectors. Common prefixes for
access vectors may be defined at the beginning of the file.
After the common prefixes are defined, an access vector
may be defined for each security class.
The corresponding symbol definitions are in the automatically
generated header file <selinux/av_permissions.h>.

In addition to being read by the security server, these configuration
files are used during the kernel build to automatically generate
symbol definitions used by the kernel for security classes, initial
SIDs and permissions. Since the symbol definitions generated from
these files are used during the kernel build, the values of existing
security classes and permissions may not be modified by load_policy.
However, new classes may be appended to the list of classes and new
permissions may be appended to the list of permissions associated with
each access vector definition.

The policy-dependent configuration files are:
1) tmp/all.te -
This file defines the Type Enforcement (TE) configuration.
This file is automatically generated from a collection of files.

The macros subdirectory contains a collection of m4 macro definitions
used by the TE configuration. The global_macros.te file contains global
macros used throughout the configuration for common groupings of classes
and permissions and for common sets of rules. The user_macros.te file
contains macros used in defining user domains. The admin_macros.te file
contains macros used in defining admin domains. The macros/program
subdirectory contains macros that are used to instantiate derived domains
for certain programs that encode information about both the calling user
domain and the program, permitting the policy to maintain separation
between different instances of the program.

The types subdirectory contains several files with declarations for
general types (types not associated with a particular domain) and
some rules defining relationships among those types. Related types
are grouped together into each file in this directory, e.g. all
device type declarations are in the device.te file.

The domains subdirectory contains several files and directories
with declarations and rules for each domain. User domains are defined in
user.te. Administrator domains are defined in admin.te. Domains for
specific programs, including both system daemons and other programs, are
in the .te files within the domains/program subdirectory. The domains/misc
subdirectory is for miscellaneous domains such as the kernel domain and
the kernel module loader domain.

The assert.te file contains assertions that are checked after evaluating
the entire TE configuration.

2) rbac -
This file defines the Role-Based Access Control (RBAC) configuration.

3) mls -
This file defines the Multi-Level Security (MLS) configuration.

4) users -
This file defines the users recognized by the security policy.

5) constraints -
This file defines additional constraints on permissions
in the form of boolean expressions that must be satisfied in order
for specified permissions to be granted. These constraints
are used to further refine the type enforcement tables and
the role allow rules. Typically, these constraints are used
to restrict changes in user identity or role to certain domains.

6) initial_sid_contexts -
This file defines the security context for each initial SID.
A security context consists of a user identity, a role, a type and
optionally a MLS range if the MLS policy is enabled. If left unspecified,
the high MLS level defaults to the low MLS level. The syntax of a valid
security context is:

user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]

7) fs_use -
This file defines the labeling behavior for inodes in particular
filesystem types.

8) genfs_contexts -
This file defines security contexts for files in filesystems that
cannot support persistent label mappings or use one of the fixed
labeling schemes specified in fs_use.

8) net_contexts -
This file defines the security contexts of network objects
such as ports, interfaces, and nodes.

9) file_contexts/{types.fc,program/*.fc}
These files define the security contexts for persistent files.

It is possible to test the security server functions on a given policy
configuration by running the checkpolicy program with the -d option.
This program is built from the same sources as the security server
component of the kernel, so it may be used both to verify that a
policy configuration will load successfully and to determine how the
security server would respond if it were using that policy
configuration. A menu-based interface is provided for calling any of
the security server functions after the policy is loaded.
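Review bot: the list of policy-dependent files numbers two items "8)" (genfs_contexts and net_contexts), so file_contexts comes out as 9); renumber net_contexts to 9) and file_contexts to 10). The README is also out of step with the Makefile in this same commit: item 1) calls the generated TE configuration "tmp/all.te", but the Makefile feeds the .te files straight into m4 to produce `policy.conf` and never writes tmp/all.te; item 3) names "access_vectors" where the Makefile reads `flask/access_vectors`, next to flask/security_classes and flask/initial_sids; and the target list omits `reload`, `enableaudit`, `checklabels`, `restorelabels`, `mlsconvert` and `mcsconvert`. Since this tree already has `MLS=y` set, the paragraph telling the reader to set MLS=y before building could say so instead.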
1
mls/VERSION
Normal file
@ -0,0 +1 @@
1.27.3
6
mls/appconfig/dbus_contexts
Normal file
@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>
12
mls/appconfig/default_contexts
Normal file
@ -0,0 +1,12 @@
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
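Review bot: the candidate lists are inconsistent across the login paths. `system_r:sshd_t:s0` and `system_r:xdm_t:s0` both end with `sysadm_r:sysadm_t:s0` as a last-resort default, while `system_r:remote_login_t:s0` lists only user_r and staff_r; an account whose only role is sysadm_r therefore gets a preferred context over ssh and xdm but not over remote_login_t. Either add the same trailing sysadm_r entry to the remote_login_t line or drop it from sshd_t and xdm_t so that sysadm_r is never reached by a remote path without an explicit opt-in, and record which of the two is the intended stance in a leading comment.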
4
mls/appconfig/default_type
Normal file
@ -0,0 +1,4 @@
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t
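Review bot: default_type declares `secadm_r:secadm_t`, but secadm_r does not appear in any candidate list in default_contexts or root_default_contexts, so a login that should land in the security administrator role gets no preferred ordering from those files and only reaches secadm_t by newrole or by the unordered fallback. If secadm_r is meant to be a first-class login role in this MLS policy, add it to the relevant default_contexts lines (at the position that reflects its intended priority); if it is meant to be reachable only via newrole, say so in a comment here.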
1
mls/appconfig/failsafe_context
Normal file
@ -0,0 +1 @@
sysadm_r:sysadm_t:s0
1
mls/appconfig/initrc_context
Normal file
@ -0,0 +1 @@
system_u:system_r:initrc_t:s0
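Review bot: initrc_context pins scripts started through run_init to `system_u:system_r:initrc_t:s0`, a single level with no clearance range. The attrib.te hunk in this same commit introduces `no_daemon_range_trans` with a comment that daemons normally get a range transition down to "s0" from the daemon_base_domain macro, which only has an effect when the caller runs above s0. Confirm that the boot-time initrc_t context is also plain s0; if it carries a low-high range, a service restarted by hand via run_init will come up with a narrower MLS range than it had at boot, and this file should carry the same range.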
3
mls/appconfig/media
Normal file
@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0
1
mls/appconfig/removable_context
Normal file
@ -0,0 +1 @@
system_u:object_r:removable_t:s0
9
mls/appconfig/root_default_contexts
Normal file
@ -0,0 +1,9 @@
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
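Review bot: keeping the sshd_t line commented out is the right default, but this file has no entries at all for remote_login_t, xdm_t or the three sudo domains, so root logins by those paths are ordered by default_contexts instead, where remote_login_t and xdm_t place user_r and staff_r ahead of sysadm_r. If the intent of the commented line (root never lands in sysadm_r over a remote path unless explicitly enabled) is meant to hold generally, add matching lines here with the same ordering rather than relying on the fallback file, and extend the comment to say which paths it covers.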
1
mls/appconfig/userhelper_context
Normal file
@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t:s0
156
mls/assert.te
Normal file
@ -0,0 +1,156 @@
##############################
#
# Assertions for the type enforcement (TE) configuration.
#

#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

##################################
#
# Access vector assertions.
#
# An access vector assertion specifies permissions that should not be in
# an access vector based on a source type, a target type, and a class.
# If any of the specified permissions are in the corresponding access
# vector, then the policy compiler will reject the policy configuration.
# Currently, there is only one kind of access vector assertion, neverallow,
# but support for the other kinds of vectors could be easily added. Access
# vector assertions use the same syntax as access vector rules.
#

#
# Verify that every type that can be entered by
# a domain is also tagged as a domain.
#
neverallow domain ~domain:process { transition dyntransition };

#
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;

#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;

#
# Verify that only appropriate domains can access /etc/shadow
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;

#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };

#
# Verify that other system software can only be modified by administrators.
#
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };

#
# Verify that only certain domains have access to the raw disk devices.
#
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };

#
# Verify that only the X server and klogd have access to memory devices.
#
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };

#
# Verify that only domains with the privlog attribute can actually syslog
#
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };

#
# Verify that /proc/kmsg is only accessible to klogd.
#
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;

#
# Verify that /proc/kcore is inaccessible.
#

neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;

#
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };

#
# Verify that certain domains are limited to only being
# entered by their entrypoint types and to only executing
# the dynamic loader without a transition to another domain.
#

define(`assert_execute', `
ifelse($#, 0, ,
$#, 1,
``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
`assert_execute($1) assert_execute(shift($@))')')

ifdef(`getty.te', `assert_execute(getty)')
ifdef(`klogd.te', `assert_execute(klogd)')
ifdef(`tcpd.te', `assert_execute(tcpd)')
ifdef(`portmap.te', `assert_execute(portmap)')
ifdef(`syslogd.te', `assert_execute(syslogd)')
ifdef(`rpcd.te', `assert_execute(rpcd)')
ifdef(`rlogind.te', `assert_execute(rlogind)')
ifdef(`ypbind.te', `assert_execute(ypbind)')
ifdef(`xfs.te', `assert_execute(xfs)')
ifdef(`gpm.te', `assert_execute(gpm)')
ifdef(`ifconfig.te', `assert_execute(ifconfig)')
ifdef(`iptables.te', `assert_execute(iptables)')

ifdef(`login.te', `
neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
')

#
# Verify that the passwd domain can only be entered by its
# entrypoint type and can only execute the dynamic loader
# and the ordinary passwd program without a transition to another domain.
#
ifdef(`passwd.te', `
neverallow passwd_t ~passwd_exec_t:file entrypoint;
neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
')

#
# Verify that only the admin domains and initrc_t have setenforce.
#
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;

#
# Verify that only the kernel and load_policy_t have load_policy.
#

neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;

#
# for gross mistakes in policy
neverallow * domain:dir ~r_dir_perms;
neverallow * domain:file_class_set ~rw_file_perms;
neverallow { domain unlabeled_t } file_type:process *;
neverallow ~{ domain unlabeled_t } *:process *;
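Review bot: every assertion in this file carves out `-unrestricted`, so any domain carrying that attribute is exempt from all of them at once, including the shadow_t, load_policy and setenforce checks; since attrib.te in this commit documents `unrestricted` with a single line, either list here which domains are expected to carry it or add an assertion that bounds what an unrestricted domain may still not do, so that the exemption is reviewable. Several comments also no longer describe the rule beneath them: the sys_module comment names insmod_t and kernel_t but the rule keys on `-privsysmod`, the memory-device comment names the X server and klogd but the rule uses `-privmem`, and the /proc/kmsg comment names klogd while the rule uses `-privkmsg`; reword them in terms of the attribute so they stay true when another domain is given it. Cosmetic: the /etc/shadow and /etc blocks lack the closing `#` line that every other block has.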
562
mls/attrib.te
Normal file
@ -0,0 +1,562 @@
#
# Declarations for type attributes.
#

# A type attribute can be used to identify a set of types with a similar
# property. Each type can have any number of attributes, and each
# attribute can be associated with any number of types. Attributes are
# explicitly declared here, and can then be associated with particular
# types in type declarations. Attribute names can then be used throughout
# the configuration to express the set of types that are associated with
# the attribute. Attributes have no implicit meaning to SELinux. The
# meaning of all attributes are completely defined through their
# usage within the configuration, but should be documented here as
# comments preceding the attribute declaration.

#####################
# Attributes for MLS:
#

# Common Terminology
# MLS Range: low-high
# low referred to as "Effective Sensitivity Label (SL)"
# high referred to as "Clearance SL"


#
# File System MLS attributes/privileges
#
# Grant MLS read access to files not dominated by the process Effective SL
attribute mlsfileread;
# Grant MLS read access to files dominated by the process Clearance SL
attribute mlsfilereadtoclr;
# Grant MLS write access to files not equal to the Effective SL
attribute mlsfilewrite;
# Grant MLS write access to files which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsfilewritetoclr;
# Grant MLS ability to change file label to a new label which dominates
# the old label
attribute mlsfileupgrade;
# Grant MLS ability to change file label to a new label which is
# dominated by or incomparable to the old label
attribute mlsfiledowngrade;

#
# Network MLS attributes/privileges
#
# Grant MLS read access to packets not dominated by the process Effective SL
attribute mlsnetread;
# Grant MLS read access to packets dominated by the process Clearance SL
attribute mlsnetreadtoclr;
# Grant MLS write access to packets not equal to the Effective SL
attribute mlsnetwrite;
# Grant MLS write access to packets which dominate the Effective SL
# and are dominated by the process Clearance SL
attribute mlsnetwritetoclr;
# Grant MLS read access to packets from hosts or interfaces which dominate
# or incomparable to the process Effective SL
attribute mlsnetrecvall;
# Grant MLS ability to change socket label to a new label which dominates
# the old label
attribute mlsnetupgrade;
# Grant MLS ability to change socket label to a new label which is
# dominated by or incomparable to the old label
attribute mlsnetdowngrade;

#
# IPC MLS attributes/privileges
#
# Grant MLS read access to IPC objects not dominated by the process Effective SL
attribute mlsipcread;
# Grant MLS read access to IPC objects dominated by the process Clearance SL
attribute mlsipcreadtoclr;
# Grant MLS write access to IPC objects not equal to the process Effective SL
attribute mlsipcwrite;
# Grant MLS write access to IPC objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsipcwritetoclr;

#
# Process MLS attributes/privileges
#
# Grant MLS read access to processes not dominated by the process Effective SL
attribute mlsprocread;
# Grant MLS read access to processes dominated by the process Clearance SL
attribute mlsprocreadtoclr;
# Grant MLS write access to processes not equal to the Effective SL
attribute mlsprocwrite;
# Grant MLS write access to processes which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsprocwritetoclr;
# Grant MLS ability to change Effective SL or Clearance SL of process to a
# label dominated by the Clearance SL
attribute mlsprocsetsl;

#
# X Window MLS attributes/privileges
#
# Grant MLS read access to X objects not dominated by the process Effective SL
attribute mlsxwinread;
# Grant MLS read access to X objects dominated by the process Clearance SL
attribute mlsxwinreadtoclr;
# Grant MLS write access to X objects not equal to the process Effective SL
attribute mlsxwinwrite;
# Grant MLS write access to X objects which dominate the process Effective SL
# and are dominated by the process Clearance SL
attribute mlsxwinwritetoclr;
# Grant MLS read access to X properties not dominated by
# the process Effective SL
attribute mlsxwinreadproperty;
# Grant MLS write access to X properties not equal to the process Effective SL
attribute mlsxwinwriteproperty;
# Grant MLS read access to X colormaps not dominated by
# the process Effective SL
attribute mlsxwinreadcolormap;
# Grant MLS write access to X colormaps not equal to the process Effective SL
attribute mlsxwinwritecolormap;
# Grant MLS write access to X xinputs not equal to the process Effective SL
attribute mlsxwinwritexinput;

# Grant MLS read/write access to objects which internally arbitrate MLS
attribute mlstrustedobject;

#
# Both of the following attributes are needed for a range transition to succeed
#
# Grant ability for the current domain to change SL upon process transition
attribute privrangetrans;
# Grant ability for the new process domain to change SL upon process transition
attribute mlsrangetrans;

#########################
# Attributes for domains:
#

# The domain attribute identifies every type that can be
# assigned to a process. This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes.
attribute domain;

# The daemon attribute identifies domains for system processes created via
# the daemon_domain, daemon_base_domain, and init_service_domain macros.
attribute daemon;

# The privuser attribute identifies every domain that can
# change its SELinux user identity. This attribute is used
# in the constraints configuration. NOTE: This attribute
# is not required for domains that merely change the Linux
# uid attributes, only for domains that must change the
# SELinux user identity. Also note that this attribute makes
# no sense without the privrole attribute.
attribute privuser;

# The privrole attribute identifies every domain that can
# change its SELinux role. This attribute is used in the
# constraints configuration.
attribute privrole;

# The userspace_objmgr attribute identifies every domain
# which enforces its own policy.
attribute userspace_objmgr;

# The priv_system_role attribute identifies every domain that can
# change role from a user role to system_r role, and identity from a user
# identity to system_u. It is used in the constraints configuration.
attribute priv_system_role;

# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;

# The privlog attribute identifies every domain that can
# communicate with syslogd through its Unix domain socket.
# There is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privlog;

# The privmodule attribute identifies every domain that can run
# modprobe, there is an assertion that other domains can not do it,
# and an allow rule to permit it
attribute privmodule;

# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;

# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privmem;

# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;

# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# The auth attribute identifies every domain that needs
# to read /etc/shadow, and grants the permission.
attribute auth;

# The auth_bool attribute identifies every domain that can
# read /etc/shadow if its boolean is set;
attribute auth_bool;

# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;

# The auth_chkpwd attribute identifies every system domain that can
# authenticate users by running unix_chkpwd
attribute auth_chkpwd;

# The change_context attribute identifies setfiles_t, restorecon_t, and other
# system domains that change the context of most/all files on the system
attribute change_context;

# The etc_writer attribute identifies every domain that can write to etc_t
attribute etc_writer;

# The sysctl_kernel_writer attribute identifies domains that can write to
# sysctl_kernel_t, in addition the admin attribute is permitted write access
attribute sysctl_kernel_writer;

# the sysctl_net_writer attribute identifies domains that can write to
# sysctl_net_t files.
attribute sysctl_net_writer;

# The sysctl_type attribute identifies every type that is assigned
# to a sysctl entry. This can be used in allow rules to grant
# permissions to all sysctl entries without enumerating each individual
# type, but should be used with care.
attribute sysctl_type;

# The admin attribute identifies every administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and
# certain administrator utility domains.
# XXX The use of this attribute should be reviewed for consistency.
# XXX Might want to partition into several finer-grained attributes
# XXX used in different assertions within assert.te.
attribute admin;

# The secadmin attribute identifies every security administrator domain.
# It is used in TE assertions when verifying that only administrator
# domains have certain permissions.
# This attribute is presently associated with sysadm_t and secadm_t
attribute secadmin;

# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
attribute userdomain;

# for a small domain that can only be used for newrole
attribute user_mini_domain;

# pty for the mini domain
attribute mini_pty_type;

# pty created by a server such as sshd
attribute server_pty;

# attribute for all non-administrative devpts types
attribute userpty_type;

# The user_tty_type identifies every type for a tty or pty owned by an
# unpriviledged user
attribute user_tty_type;

# The admin_tty_type identifies every type for a tty or pty owned by a
# priviledged user
attribute admin_tty_type;

# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
attribute user_crond_domain;

# The unpriv_userdomain identifies non-administrative users (default user_t)
attribute unpriv_userdomain;

# This attribute is for the main user home directory for unpriv users
attribute user_home_dir_type;

# The gphdomain attribute identifies every gnome-pty-helper derived
# domain. It is used in TE rules to permit inheritance and use of
# descriptors created by these domains.
attribute gphdomain;

# The fs_domain identifies every domain that may directly access a fixed disk
attribute fs_domain;

# This attribute is for all domains for the userhelper program.
attribute userhelperdomain;

|
||||
############################
|
||||
# Attributes for file types:
|
||||
#
|
||||
|
||||
# The file_type attribute identifies all types assigned to files
|
||||
# in persistent filesystems. It is used in TE rules to permit
|
||||
# the association of all such file types with persistent filesystem
|
||||
# types, and to permit certain domains to access all such types as
|
||||
# appropriate.
|
||||
attribute file_type;
|
||||
|
||||
# The secure_file_type attribute identifies files
|
||||
# which will be treated with a higer level of security.
|
||||
# Most domains will be prevented from manipulating files in this domain
|
||||
attribute secure_file_type;
|
||||
|
||||
# The device_type attribute identifies all types assigned to device nodes
|
||||
attribute device_type;
|
||||
|
||||
# The proc_fs attribute identifies all types that may be assigned to
|
||||
# files under /proc.
|
||||
attribute proc_fs;
|
||||
|
||||
# The dev_fs attribute identifies all types that may be assigned to
|
||||
# files, sockets, or pipes under /dev.
|
||||
attribute dev_fs;
|
||||
|
||||
# The sysadmfile attribute identifies all types assigned to files
|
||||
# that should be completely accessible to administrators. It is used
|
||||
# in TE rules to grant such access for administrator domains.
|
||||
attribute sysadmfile;
|
||||
|
||||
# The secadmfile attribute identifies all types assigned to files
|
||||
# that should be only accessible to security administrators. It is used
|
||||
# in TE rules to grant such access for security administrator domains.
|
||||
attribute secadmfile;
|
||||
|
||||
# The fs_type attribute identifies all types assigned to filesystems
|
||||
# (not limited to persistent filesystems).
|
||||
# It is used in TE rules to permit certain domains to mount
|
||||
# any filesystem and to permit most domains to obtain the
|
||||
# overall filesystem statistics.
|
||||
attribute fs_type;
|
||||
|
||||
# The mount_point attribute identifies all types that can serve
|
||||
# as a mount point (for the mount binary). It is used in the mount
|
||||
# policy to grant mounton permission, and in other domains to grant
|
||||
# getattr permission over all the mount points.
|
||||
attribute mount_point;
|
||||
|
||||
# The exec_type attribute identifies all types assigned
|
||||
# to entrypoint executables for domains. This attribute is
|
||||
# used in TE rules and assertions that should be applied to all
|
||||
# such executables.
|
||||
attribute exec_type;
|
||||
|
||||
# The tmpfile attribute identifies all types assigned to temporary
|
||||
# files. This attribute is used in TE rules to grant certain
|
||||
# domains the ability to remove all such files (e.g. init, crond).
|
||||
attribute tmpfile;
|
||||
|
||||
# The user_tmpfile attribute identifies all types associated with temporary
|
||||
# files for unpriv_userdomain domains.
|
||||
attribute user_tmpfile;
|
||||
|
||||
# for the user_xserver_tmp_t etc
|
||||
attribute xserver_tmpfile;
|
||||
|
||||
# The tmpfsfile attribute identifies all types defined for tmpfs
|
||||
# type transitions.
|
||||
# It is used in TE rules to grant certain domains the ability to
|
||||
# access all such files.
|
||||
attribute tmpfsfile;
|
||||
|
||||
# The home_type attribute identifies all types assigned to home
|
||||
# directories. This attribute is used in TE rules to grant certain
|
||||
# domains the ability to access all home directory types.
|
||||
attribute home_type;
|
||||
|
||||
# This attribute is for the main user home directory /home/user, to
|
||||
# distinguish it from sub-dirs. Often you want a process to be able to
|
||||
# read the user home directory but not read the regular directories under it.
|
||||
attribute home_dir_type;
|
||||
|
||||
# The ttyfile attribute identifies all types assigned to ttys.
|
||||
# It is used in TE rules to grant certain domains the ability to
|
||||
# access all ttys.
|
||||
attribute ttyfile;
|
||||
|
||||
# The ptyfile attribute identifies all types assigned to ptys.
|
||||
# It is used in TE rules to grant certain domains the ability to
|
||||
# access all ptys.
|
||||
attribute ptyfile;
|
||||
|
||||
# The pidfile attribute identifies all types assigned to pid files.
|
||||
# It is used in TE rules to grant certain domains the ability to
|
||||
# access all such files.
|
||||
attribute pidfile;
|
||||
|
||||
|
||||
############################
|
||||
# Attributes for network types:
|
||||
#
|
||||
|
||||
# The socket_type attribute identifies all types assigned to
|
||||
# kernel-created sockets. Ordinary sockets are assigned the
|
||||
# domain of the creating process.
|
||||
# XXX This attribute is unused. Remove?
|
||||
attribute socket_type;
|
||||
|
||||
# Identifies all types assigned to port numbers to control binding.
|
||||
attribute port_type;
|
||||
|
||||
# Identifies all types assigned to reserved port (<1024) numbers to control binding.
|
||||
attribute reserved_port_type;
|
||||
|
||||
# Identifies all types assigned to network interfaces to control
|
||||
# operations on the interface (XXX obsolete, not supported via LSM)
|
||||
# and to control traffic sent or received on the interface.
|
||||
attribute netif_type;
|
||||
|
||||
# Identifies all default types assigned to packets received
|
||||
# on network interfaces.
|
||||
attribute netmsg_type;
|
||||
|
||||
# Identifies all types assigned to network nodes/hosts to control
|
||||
# traffic sent to or received from the node.
|
||||
attribute node_type;
|
||||
|
||||
# Identifier for log files or directories that only exist for log files.
|
||||
attribute logfile;
|
||||
|
||||
# Identifier for lock files (/var/lock/*) or directories that only exist for
|
||||
# lock files.
|
||||
attribute lockfile;
|
||||
|
||||
|
||||
|
||||
##############################
|
||||
# Attributes for security policy types:
#

# The login_contexts attribute idenitifies the files used
# to define default contexts for login types (e.g., login, cron).
attribute login_contexts;

# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
# sysadm_mail_t, etc)
attribute user_mail_domain;

# Identifies domains that can transition to system_mail_t
attribute privmail;

# Type for non-sysadm home directory
attribute user_home_type;

# For domains that are part of a mail server and need to read user files and
# fifos, and inherit file handles to enable user email to get to the mail
# spool
attribute mta_user_agent;

# For domains that are part of a mail server for delivering messages to the
# user
attribute mta_delivery_agent;

# For domains that make outbound TCP port 25 connections to send mail from the
# mail server.
attribute mail_server_sender;

# For a mail server process that takes TCP connections on port 25
attribute mail_server_domain;

# For web clients such as netscape and squid
attribute web_client_domain;

# For X Window System server domains
attribute xserver;

# For X Window System client domains
attribute xclient;

# For X Window System protocol extensions
attribute xextension;

# For X Window System property types
attribute xproperty;

#
# For file systems that do not have extended attributes but need to be
# r/w by users
#
attribute noexattrfile;

#
# For filetypes that the usercan read
#
attribute usercanread;

#
# For serial devices
#
attribute serial_device;

# Attribute to designate unrestricted access
attribute unrestricted;

# Attribute to designate can transition to unconfined_t
attribute unconfinedtrans;

# For clients of nscd.
attribute nscd_client_domain;

# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;

# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;

# For labeling of domains whos transition can be disabled
attribute transitionbool;

# For labelling daemons that should not have a range transition to "s0"
# included in the daemon_base_domain macro
attribute no_daemon_range_trans;

# For labeling of file_context domains which users can change files to rather
# then the default file context. These file_context can survive a relabeling
# of the file system.
attribute customizable;

##############################
# Attributes for polyinstatiation support:
#

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;

# And labeling for the member directories
attribute polymember;

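Review bot: several of the new attribute comments carry typos that will propagate into every copy of this policy: "idenitifies" (login_contexts), "usercan read" (usercanread), "whos" (transitionbool), "rather then" (customizable) and "polyinstatiation" in the section banner; please fix them here. The customizable comment also describes "file_context domains which users can change files to", but the attribute is applied to file types, not domains, so "types" is the accurate word. Separately, `unrestricted` and `unconfinedtrans` are the two attributes that switch confinement off; a comment naming the macro that grants each of them, and stating that they are not meant for network-facing daemon types, would help reviewers of later .te files spot misuse.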
83
mls/constraints
Normal file
@ -0,0 +1,83 @@
#
# Define m4 macros for the constraints
#

#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# validatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for validatetrans)
# | r3 op names (NOTE: this is only available for validatetrans)
# | t3 op names (NOTE: this is only available for validatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#

#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#

constrain process transition
( u1 == u2 or ( t1 == privuser and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
);

constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
);

constrain process dyntransition
( u1 == u2 and r1 == r2);

#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#

constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );

constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
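Review bot: the header comment "Define m4 macros for the constraints" describes nothing in this file, which contains only plain `constrain` statements, and the grammar line `name_list : name | name_list name#` has a stray `#`; please drop the first and fix the second. On the rules themselves: the role constraint admits `t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r` under `direct_sysadm_daemon`, so sysadm mail can switch into the system role; that exception deserves a comment explaining why the generic `priv_system_role` path is not enough. Also, although the file lives under mls/, no `mlsconstrain` or level-based (`l1 dom l2`) rules appear in this hunk; if the MLS constraints live elsewhere, a comment pointing there stops a reader from concluding that the MLS policy has no level checks.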
43
mls/domains/admin.te
Normal file
@ -0,0 +1,43 @@
#DESC Admin - Domains for administrators.
#
#################################

# sysadm_t is the system administrator domain.
type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
; dnl end of sysadm_t type declaration

allow privhome home_root_t:dir { getattr search };

# system_r is authorized for sysadm_t for single-user mode.
role system_r types sysadm_t;

general_proc_read_access(sysadm_t)

# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)

# for su
allow sysadm_t userdomain:fd use;

ifdef(`separate_secadm', `', `
security_manager_domain(sysadm_t)
')

# Add/remove user home directories
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)

limited_user_role(secadm)
typeattribute secadm_t admin;
role secadm_r types secadm_t;
security_manager_domain(secadm_t)
r_dir_file(secadm_t, { var_t var_log_t })

typeattribute secadm_tty_device_t admin_tty_type;
typeattribute secadm_devpts_t admin_tty_type;

bool allow_ptrace false;

if (allow_ptrace) {
can_ptrace(sysadm_t, domain)
}
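Review bot: the secadm_t block starting at `limited_user_role(secadm)` is unconditional, while `security_manager_domain(sysadm_t)` is only granted when `separate_secadm` is not defined; with the tunable off, both sysadm_t and secadm_t end up as security managers, which defeats the separation the name promises. Either guard the secadm_t declarations with the same `ifdef(`separate_secadm', ...)` or add a comment that a secadm role is always present and only sysadm_t's manager rights are toggled. Minor: `allow privhome home_root_t:dir { getattr search };` is a rule about the privhome attribute, not sysadm_t, and reads better next to the attribute's other rules.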
3
mls/domains/misc/auth-net.te
Normal file
@ -0,0 +1,3 @@
#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)

can_network(auth)
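Review bot: `can_network(auth)` grants every domain that carries the auth attribute unrestricted network access, well beyond what a PAM-LDAP lookup needs. If the intent really is any network for any authenticating domain, say so in the #DESC line; otherwise narrow the rule to the directory server's port type so that a compromised auth-bearing domain cannot reach arbitrary hosts.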
30
mls/domains/misc/fcron.te
Normal file
@ -0,0 +1,30 @@
#DESC fcron - additions to cron policy for a more powerful cron program
#
# Domain for fcron, a more powerful cron program.
#
# Needs cron.te installed.
#
# Author: Russell Coker <russell@coker.com.au>

# Use capabilities.
allow crond_t self:capability { dac_override dac_read_search };

# differences between r_dir_perms and rw_dir_perms
allow crond_t cron_spool_t:dir { add_name remove_name write };

ifdef(`mta.te', `
# not sure why we need write access, but Postfix does not work without it
# I will have to change fcron to avoid the need for this
allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
')

ifdef(`distro_debian', `
can_exec(dpkg_t, crontab_exec_t)
file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
')

rw_dir_create_file(crond_t, cron_spool_t)
can_setfscreate(crond_t)

# for /var/run/fcron.fifo
file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
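Review bot: the `allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };` rule gives the mail agents write access to the cron spool, and the comment above it admits the need is unexplained; a write path from the MTA into cron job files is exactly the kind of cross-domain widening that should not ship with a TODO. Suggest confirming the exact denial Postfix hits and keeping only what it needs, or turning the `write` into a `dontaudit` until fcron is changed as the comment promises. Also worth a comment: `can_setfscreate(crond_t)` together with `rw_dir_create_file(crond_t, cron_spool_t)` lets crond choose the label of the files it creates in the spool.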
75
mls/domains/misc/kernel.te
Normal file
@ -0,0 +1,75 @@
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

#################################
#
# Rules for the kernel_t domain.
#

#
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
base_file_read_access(kernel_t)
uses_shlib(kernel_t)
can_exec(kernel_t, shell_exec_t)

# Use capabilities.
allow kernel_t self:capability *;

r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;

# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)

ifdef(`mls_policy', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
')

# Share state with the init process.
allow kernel_t init_t:process share;

# Mount and unmount file systems.
allow kernel_t fs_type:filesystem mount_fs_perms;

# Send signal to any process.
allow kernel_t domain:process signal;
allow kernel_t domain:dir search;

# Access the console.
allow kernel_t device_t:dir search;
allow kernel_t console_device_t:chr_file rw_file_perms;

# Access the initrd filesystem.
allow kernel_t file_t:chr_file rw_file_perms;
can_exec(kernel_t, file_t)
ifdef(`chroot.te', `
can_exec(kernel_t, chroot_exec_t)
')
allow kernel_t self:capability sys_chroot;

allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
allow kernel_t unlabeled_t:fifo_file rw_file_perms;
allow kernel_t file_t:dir rw_dir_perms;
allow kernel_t file_t:blk_file create_file_perms;
allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };

# Lookup the policy.
allow kernel_t policy_config_t:dir r_dir_perms;

# Load the policy configuration.
can_loadpol(kernel_t)

# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)

ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')
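Review bot: `range_transition kernel_t init_exec_t s0 - s15:c0.c255;` hard-codes the system-high level; if the file that declares the MLS sensitivities and categories ever uses a different count, the two will drift silently and init will start with a range narrower than system high. Define the high level once (an m4 symbol shared by both files) rather than spelling it out here. Otherwise the hunk is the standard kernel_t domain; the `ifdef(`targeted_policy', unconfined_domain(kernel_t))` tail can never be live in an mls/ copy and could be dropped so the MLS tree does not carry targeted-only branches.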
5
mls/domains/misc/local.te
Normal file
@ -0,0 +1,5 @@
# Local customization of existing policy should be done in this file.
# If you are creating brand new policy for a new "target" domain, you
# need to create a type enforcement (.te) file in domains/program
# and a file context (.fc) file in file_context/program.

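Review bot: the guidance paths `domains/program` and `file_context/program` are relative to a policy tree root, but this copy lives under mls/; adding that prefix (or saying "this policy tree") keeps a local customization from landing in the base tree by mistake. Nothing else to review, the file is comments only.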
7
mls/domains/misc/startx.te
Normal file
@ -0,0 +1,7 @@
#DESC startx - policy for running an X server from a user domain
#
# Author: Russell Coker <russell@coker.com.au>
#

# Everything is in the macro files

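Review bot: the file contains no rules and exists so that `ifdef(`startx.te', ...)` guards elsewhere evaluate true; the comment "Everything is in the macro files" should say that explicitly and name the guard, otherwise the next reader will delete the apparently empty file and silently disable the startx policy.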
13
mls/domains/misc/userspace_objmgr.te
Normal file
@ -0,0 +1,13 @@
#DESC Userspace Object Managers
#
#################################

# Get our own security context.
can_getcon(userspace_objmgr)
# Get security decisions via selinuxfs.
can_getsecurity(userspace_objmgr)
# Read /etc/selinux
r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
# Receive notifications of policy reloads and enforcing status changes.
allow userspace_objmgr self:netlink_selinux_socket { create bind read };

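Review bot: every rule here is written against the `userspace_objmgr` attribute, yet the attribute is not declared in this hunk, and unlike the other new files there is no author or dependency header; add a header saying where the attribute is declared and that a type becomes an object manager by being given the attribute. The `netlink_selinux_socket { create bind read }` rule deserves a sentence of its own: a manager that cannot receive these notifications keeps serving decisions from its pre-reload cache, so this rule is a correctness requirement, not a convenience.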
14
mls/domains/misc/xclient.te
Normal file
@ -0,0 +1,14 @@
#
# Authors: Eamon Walsh <ewalsh@epoch.ncsc.mil>
#

#######################################
#
# Domains for the SELinux-enabled X Window System
#

#
# Domain for all non-local X clients
#
type remote_xclient_t, domain;
in_user_role(remote_xclient_t)
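Review bot: `type remote_xclient_t, domain;` is declared without the `xclient` attribute that the attribute file introduces "For X Window System client domains", so any X server rule written against `xclient` will not apply to remote clients; either add the attribute or document why remote clients are deliberately excluded. `in_user_role(remote_xclient_t)` also places the type in every user role without any transition rule in this hunk, so it is not clear which process ever enters it; a comment naming the entry path would help.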
122
mls/domains/program/NetworkManager.te
Normal file
@ -0,0 +1,122 @@
#DESC NetworkManager -
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#

#################################
#
# Rules for the NetworkManager_t domain.
#
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
#
daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )

can_network(NetworkManager_t)
allow NetworkManager_t port_type:tcp_socket name_connect;
allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
allow NetworkManager_t dhcpc_t:process signal;

can_ypbind(NetworkManager_t)
uses_shlib(NetworkManager_t)
allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};

allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };

allow NetworkManager_t self:process { setcap getsched };
allow NetworkManager_t self:fifo_file rw_file_perms;
allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
allow NetworkManager_t self:file { getattr read };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;


#
# Communicate with Caching Name Server
#
ifdef(`named.te', `
allow NetworkManager_t named_zone_t:dir search;
rw_dir_create_file(NetworkManager_t, named_cache_t)
domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
allow named_t NetworkManager_t:udp_socket { read write };
allow named_t NetworkManager_t:netlink_route_socket { read write };
allow NetworkManager_t named_t:process signal;
allow named_t NetworkManager_t:packet_socket { read write };
')

allow NetworkManager_t selinux_config_t:dir search;
allow NetworkManager_t selinux_config_t:file { getattr read };

ifdef(`dbusd.te', `
dbusd_client(system, NetworkManager)
allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
allow NetworkManager_t self:dbus send_msg;
ifdef(`hald.te', `
allow NetworkManager_t hald_t:dbus send_msg;
allow hald_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t initrc_t:dbus send_msg;
allow initrc_t NetworkManager_t:dbus send_msg;
ifdef(`targeted_policy', `
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
')
allow NetworkManager_t userdomain:dbus send_msg;
allow userdomain NetworkManager_t:dbus send_msg;
')

allow NetworkManager_t usr_t:file { getattr read };

ifdef(`ifconfig.te', `
domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig

allow NetworkManager_t { sbin_t bin_t }:dir search;
allow NetworkManager_t bin_t:lnk_file read;
can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })

# in /etc created by NetworkManager will be labelled net_conf_t.
file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)

allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
allow NetworkManager_t proc_t:file { getattr read };
r_dir_file(NetworkManager_t, proc_net_t)

allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
dontaudit NetworkManager_t unrestricted:dir search;
dontaudit NetworkManager_t unrestricted:file { getattr read };

allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };

ifdef(`modutil.te', `
if (!secure_mode_insmod) {
domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
}
')

allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
# allow vpnc connections
allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;

domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
ifdef(`vpnc.te', `
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')

ifdef(`dhcpc.te', `
allow NetworkManager_t dhcp_state_t:dir search;
allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
')
allow NetworkManager_t var_lib_t:dir search;
dontaudit NetworkManager_t user_tty_type:chr_file { read write };
dontaudit NetworkManager_t security_t:dir search;

ifdef(`consoletype.te', `
can_exec(NetworkManager_t, consoletype_exec_t)
')

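Review bot: `sys_module` in `allow NetworkManager_t self:capability { ... sys_module ipc_lock};` lets the daemon load kernel modules directly, which undercuts the `if (!secure_mode_insmod)` gate further down that is supposed to route module loading through insmod_t; drop `sys_module` (or guard it with the same boolean) so the tunable actually controls module loading. `allow NetworkManager_t port_type:tcp_socket name_connect;` likewise permits outbound connections to every port type; if every port is really needed, a comment should say why. Minor: the #DESC line is empty after the dash, and the comment "# in /etc created by NetworkManager will be labelled net_conf_t." is missing its subject ("Files").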
66
mls/domains/program/acct.te
Normal file
@ -0,0 +1,66 @@
#DESC Acct - BSD process accounting
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: acct
#

#################################
#
# Rules for the acct_t domain.
#
# acct_exec_t is the type of the acct executable.
#
daemon_base_domain(acct)
ifdef(`crond.te', `
system_crond_entry(acct_exec_t, acct_t)

# for monthly cron job
file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
')

# for SSP
allow acct_t urandom_device_t:chr_file read;

type acct_data_t, file_type, logfile, sysadmfile;

# not sure why we need this, the command "last" is reported as using it
dontaudit acct_t self:capability kill;

# gzip needs chown capability for some reason
allow acct_t self:capability { chown fsetid sys_pacct };

allow acct_t var_t:dir { getattr search };
rw_dir_create_file(acct_t, acct_data_t)

can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
allow acct_t { bin_t sbin_t }:dir search;
allow acct_t bin_t:lnk_file read;

read_locale(acct_t)

allow acct_t fs_t:filesystem getattr;

allow acct_t self:unix_stream_socket create_socket_perms;

allow acct_t self:fifo_file { read write getattr };

allow acct_t { self proc_t }:file { read getattr };

read_sysctl(acct_t)

dontaudit acct_t sysadm_home_dir_t:dir { getattr search };

# for nscd
dontaudit acct_t var_run_t:dir search;


allow acct_t devtty_t:chr_file { read write };

allow acct_t { etc_t etc_runtime_t }:file { read getattr };

ifdef(`logrotate.te', `
domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
rw_dir_create_file(logrotate_t, acct_data_t)
can_exec(logrotate_t, acct_data_t)
')

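Review bot: `can_exec(logrotate_t, acct_data_t)` grants logrotate execute permission on the accounting data files, which this hunk labels with the `logfile` attribute; executing log data is almost certainly not intended, and the acct binary is already covered by `domain_auto_trans(logrotate_t, acct_exec_t, acct_t)`, so please remove the rule or comment on which file under acct_data_t is actually executed. The two "not sure why" comments are honest, but the `chown` grant should be tied to a reproduced denial before it ships; `dontaudit acct_t self:capability kill;` is fine as a dontaudit.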
24
mls/domains/program/alsa.te
Normal file
@ -0,0 +1,24 @@
#DESC ainit - configuration tool for ALSA
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#
type alsa_t, domain, privlog, daemon;
type alsa_exec_t, file_type, sysadmfile, exec_type;
uses_shlib(alsa_t)
allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };

type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
rw_dir_create_file(alsa_t,alsa_etc_rw_t)
allow alsa_t self:capability { setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t devpts_t:chr_file { read write };
allow alsa_t etc_t:file { getattr read };
domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
role system_r types alsa_t;
read_locale(alsa_t)
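Review bot: `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` gives every unprivileged user domain the full shm permission set on segments owned by alsa_t, while alsa_t itself holds `ipc_owner`, which overrides IPC ownership checks; between them a user can destroy or resize shared segments that other users' sound sessions depend on. If user domains only need to attach, limit them to attach/read/write style permissions and keep create and destroy with alsa_t (this assumes the usual expansion of create_shm_perms, which is not shown on this page). The matching sem rule already uses the narrower `{ unix_read unix_write associate read write }`, so the asymmetry looks accidental.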
284
mls/domains/program/amanda.te
Normal file
@ -0,0 +1,284 @@
#DESC Amanda - Automated backup program
#
# This policy file sets the rigths for amanda client started by inetd_t
# and amrecover
#
# X-Debian-Packages: amanda-common amanda-server
# Depends: inetd.te
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
#
# License : GPL
#
# last change: 27. August 2002
#
# state : complete and tested
#
# Hints :
# - amanda.fc is the appendant file context file
# - If you use amrecover please extract the files and directories to the
# directory speficified in amanda.fc as type amanda_recover_dir_t.
# - The type amanda_user_exec_t is defined to label the files but not used.
# This configuration works only as an client and a amanda client does not need
# this programs.
#
# Enhancements/Corrections:
# - set tighter permissions to /bin/tar instead bin_t

##############################################################################
# AMANDA CLIENT DECLARATIONS
##############################################################################

# General declarations
######################

type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
role system_r types amanda_t;

# type for the amanda executables
type amanda_exec_t, file_type, sysadmfile, exec_type;

# type for the amanda executables started by inetd
type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;

# type for amanda configurations files
type amanda_config_t, file_type, sysadmfile;

# type for files in /usr/lib/amanda
type amanda_usr_lib_t, file_type, sysadmfile;

# type for all files in /var/lib/amanda
type amanda_var_lib_t, file_type, sysadmfile;

# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t, file_type, sysadmfile;

# type for user startable files
type amanda_user_exec_t, file_type, sysadmfile, exec_type;

# type for same awk and other scripts
type amanda_script_exec_t, file_type, sysadmfile, exec_type;

# type for the shell configuration files
type amanda_shellconfig_t, file_type, sysadmfile;

tmp_domain(amanda)

# type for /etc/amandates
type amanda_amandates_t, file_type, sysadmfile;

# type for /etc/dumpdates
type amanda_dumpdates_t, file_type, sysadmfile;

# type for amanda data
type amanda_data_t, file_type, sysadmfile;

# Domain transitions
####################

domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)


##################
# File permissions
##################

# configuration files -> read only
allow amanda_t amanda_config_t:file { getattr read };

# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };

# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };

# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
allow amanda_t amanda_data_t:file { read write };

# access to proc_t
allow amanda_t proc_t:file { getattr read };

# access to etc_t and similar
allow amanda_t etc_t:file { getattr read };
allow amanda_t etc_runtime_t:file { getattr read };

# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
rw_dir_create_file(amanda_t, amanda_gnutarlists_t)

# access to device_t and similar
allow amanda_t devtty_t:chr_file { read write };

# access to fs_t
allow amanda_t fs_t:filesystem getattr;

# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl(amanda_t)

#####################
# process permissions
#####################

# Allow to use shared libs
uses_shlib(amanda_t)

# Allow to execute a amanda executable file
allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };

# Allow to run a shell
allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };

# access to bin_t (tar)
allow amanda_t bin_t:file { execute execute_no_trans };

allow amanda_t self:capability { chown dac_override setuid };
allow amanda_t self:process { fork sigchld setpgid signal };
allow amanda_t self:dir search;
allow amanda_t self:file { getattr read };


###################################
# Network and process communication
###################################

can_network_server(amanda_t);
can_ypbind(amanda_t);
can_exec(amanda_t, sbin_t);

allow amanda_t self:fifo_file { getattr read write ioctl lock };
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;


##########################
# Communication with inetd
##########################

allow amanda_t inetd_t:udp_socket { read write };


###################
# inetd permissions
###################

allow inetd_t amanda_usr_lib_t:dir search;


########################
# Access to to save data
########################

# access to user_home_t
allow amanda_t user_home_type:file { getattr read };

##############################################################################
# AMANDA RECOVER DECLARATIONS
##############################################################################


# General declarations
######################

# type for amrecover
type amanda_recover_t, domain;
role sysadm_r types amanda_recover_t;
role system_r types amanda_recover_t;

# exec types for amrecover
type amanda_recover_exec_t, file_type, sysadmfile, exec_type;

# type for recover files ( restored data )
type amanda_recover_dir_t, file_type, sysadmfile;
file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)

# domain transsition
domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)

# file type auto trans to write debug messages
file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)


# amanda recover process permissions
####################################

uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
can_exec(amanda_recover_t, shell_exec_t)
allow amanda_recover_t privfd:fd use;


# amrecover network and process communication
#############################################

can_network(amanda_recover_t);
allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
can_ypbind(amanda_recover_t);
read_locale(amanda_recover_t);

allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t var_log_t:dir search;
rw_dir_create_file(amanda_recover_t, amanda_log_t)

# amrecover file permissions
############################

# access to etc_t and similar
allow amanda_recover_t etc_t:dir search;
allow amanda_recover_t etc_t:file { getattr read };
allow amanda_recover_t etc_runtime_t:file { getattr read };

# access to amanda_recover_dir_t
allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };

# access to var_t and var_run_t
allow amanda_recover_t var_t:dir search;
allow amanda_recover_t var_run_t:dir search;

# access to proc_t
allow amanda_recover_t proc_t:dir search;
allow amanda_recover_t proc_t:file { getattr read };

# access to sysctl_kernel_t
read_sysctl(amanda_recover_t)

# access to dev_t and similar
allow amanda_recover_t device_t:dir search;
allow amanda_recover_t devtty_t:chr_file { read write };
allow amanda_recover_t null_device_t:chr_file { getattr write };

# access to bin_t
allow amanda_recover_t bin_t:file { execute execute_no_trans };

# access to sysadm_home_t and sysadm_home_dir_t to start amrecover
# in the sysadm home directory
allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };

# access to use sysadm_tty_device_t (/dev/tty?)
allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };

# access to amanda_tmp_t and tmp_t
allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
allow amanda_recover_t tmp_t:dir search;

#
# Rules to allow amanda to be run as a service in xinetd
#
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;

#amanda needs to look at fs_type directories to decide whether it should backup
allow amanda_t { fs_type file_type }:dir {getattr read search };
allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
allow amanda_t device_type:{ blk_file chr_file } getattr;
allow amanda_t fixed_disk_device_t:blk_file read;
domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)

allow amanda_t file_type:sock_file getattr;
logdir_domain(amanda)

dontaudit amanda_t proc_t:lnk_file read;
dontaudit amanda_t unlabeled_t:file getattr;
#amanda wants to check attributes on fifo_files
allow amanda_t file_type:fifo_file getattr;
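Review bot: amanda_t is entered from inetd_t, so it is a network-reachable domain, and the rules appended after "Rules to allow amanda to be run as a service in xinetd" give it `getattr read` on every `file_type` (lnk_file, file, chr_file, blk_file) plus `fixed_disk_device_t:blk_file read` and a transition to fsadm_t; that is read access to the whole system, including whatever the file_type attribute covers, from a domain spawned for inbound connections. A backup client needs broad read, but the raw-disk read should be justified or gated behind a boolean, and the header ("state : complete and tested", "last change: 27. August 2002") no longer describes a file whose most privileged rules sit after the amrecover section, outside its own structure; refresh it. Style: `can_network_server(amanda_t);`, `can_ypbind(amanda_t);`, `can_exec(amanda_t, sbin_t);` and the amrecover group carry trailing semicolons on macro calls that the rest of the file omits; make them consistent. Comment typos: "rigths", "speficified", "an client", "a amanda", "this programs", "same awk" (some), "transsition", "to to save".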
48
mls/domains/program/anaconda.te
Normal file
@ -0,0 +1,48 @@
#DESC Anaconda - Red Hat Installation program
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#

#################################
#
# Rules for the anaconda_t domain.
#
# anaconda_t is the domain of the installation program
#
type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
role system_r types anaconda_t;
unconfined_domain(anaconda_t)

role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)

# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)

ifdef(`dmesg.te', `
domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
')

ifdef(`distro_redhat', `
file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
')

ifdef(`rpm.te', `
# Access /var/lib/rpm.
domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
')

file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)

ifdef(`udev.te', `
domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
')

ifdef(`ssh-agent.te', `
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
ifdef(`passwd.te', `
domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
')
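Review bot: the attribute list on type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer; followed two lines later by unconfined_domain(anaconda_t) is unexplained: unconfined_domain already provides the access most of those attributes exist to grant, so either trim the list to the attributes that other domains' rules key on (privlog, for instance) or add a comment saying why each one is needed. Minor: domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t) has a stray space before the first comma, and the ifdef(`passwd.te' block is missing the blank-line separator every other ifdef block in the file uses.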
415
mls/domains/program/apache.te
Normal file
@ -0,0 +1,415 @@
#DESC Apache - Web server
#
# X-Debian-Packages: apache2-common apache
#
###############################################################################
#
# Policy file for running the Apache web server
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
# of the creating user.
#
# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
# type, and the directory containing the scripts should also be labeled
# with these types. This policy allows user_r role to perform that
# relabeling. If it is desired that only sysadm_r should be able to relabel
# the user CGI scripts, then relabel rule for user_r should be removed.
#
###############################################################################

define(`httpd_home_dirs', `
r_dir_file(httpd_t, $1)
r_dir_file(httpd_suexec_t, $1)
can_exec(httpd_suexec_t, $1)
')

bool httpd_unified false;

# Allow httpd to use built in scripting (usually php)
bool httpd_builtin_scripting false;

# Allow httpd cgi support
bool httpd_enable_cgi false;

# Allow httpd to read home directories
bool httpd_enable_homedirs false;

# Run SSI execs in system CGI script domain.
bool httpd_ssi_exec false;

# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;

# Allow http daemon to tcp connect
bool httpd_can_network_connect false;

#########################################################
# Apache types
#########################################################
# httpd_config_t is the type given to the configuration
# files for apache /etc/httpd/conf
#
type httpd_config_t, file_type, sysadmfile;

# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
#
type httpd_modules_t, file_type, sysadmfile;

# httpd_cache_t is the type given to the /var/cache/httpd
# directory and the files under that directory
#
type httpd_cache_t, file_type, sysadmfile;

# httpd_exec_t is the type give to the httpd executable.
#
daemon_domain(httpd, `, privmail, nscd_client_domain')

append_logdir_domain(httpd)
#can read /etc/httpd/logs
allow httpd_t httpd_log_t:lnk_file read;

# For /etc/init.d/apache2 reload
can_tcp_connect(httpd_t, httpd_t)

can_tcp_connect(web_client_domain, httpd_t)

can_exec(httpd_t, httpd_exec_t)
file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)

general_domain_access(httpd_t)

allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };

read_sysctl(httpd_t)

allow httpd_t crypt_device_t:chr_file rw_file_perms;

# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };

uses_shlib(httpd_t)
allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_t usr_t:lnk_file { getattr read };

# for apache2 memory mapped files
var_lib_domain(httpd)

# for tomcat
r_dir_file(httpd_t, var_lib_t)

# execute perl
allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(httpd_t, { bin_t sbin_t })
allow httpd_t bin_t:lnk_file read;

########################################
# Set up networking
########################################

can_network_server(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
nsswitch_domain(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
# allow httpd to connect to mysql/posgresql
allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
# allow httpd to work as a relay
allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;

if (httpd_can_network_connect) {
can_network_client(httpd_t)
allow httpd_t port_type:tcp_socket name_connect;
}

##########################################
# Legacy: remove when it's fixed #
# Allow libphp5.so with text relocations #
##########################################
allow httpd_t texrel_shlib_t:file execmod;

#########################################
# Allow httpd to search users directories
#########################################
allow httpd_t home_root_t:dir { getattr search };
dontaudit httpd_t sysadm_home_dir_t:dir getattr;

############################################################################
# Allow the httpd_t the capability to bind to a port and various other stuff
############################################################################
allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
dontaudit httpd_t self:capability net_admin;

#################################################
# Allow the httpd_t to read the web servers config files
###################################################
r_dir_file(httpd_t, httpd_config_t)
# allow logrotate to read the config files for restart
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, httpd_config_t)
domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
allow logrotate_t httpd_t:process signull;
')
r_dir_file(initrc_t, httpd_config_t)
##################################################

###############################
# Allow httpd_t to put files in /var/cache/httpd etc
##############################
create_dir_file(httpd_t, httpd_cache_t)

###############################
# Allow httpd_t to access the tmpfs file system
##############################
tmpfs_domain(httpd)

#####################
# Allow httpd_t to access
# libraries for its modules
###############################
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
allow httpd_t httpd_modules_t:lnk_file r_file_perms;

######################################################################
# Allow initrc_t to access the Apache modules directory.
######################################################################
allow initrc_t httpd_modules_t:dir r_dir_perms;

##############################################
# Allow httpd_t to have access to files
# such as nisswitch.conf
# need ioctl for php
###############################################
allow httpd_t etc_t:file { read getattr ioctl };
allow httpd_t etc_t:lnk_file { getattr read };

# setup the system domain for system CGI scripts
apache_domain(sys)
dontaudit httpd_sys_script_t httpd_config_t:dir search;

# Run SSI execs in system CGI script domain.
if (httpd_ssi_exec) {
domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
}
allow httpd_sys_script_t httpd_t:tcp_socket { read write };

##################################################
#
# PHP Directives
##################################################

type httpd_php_exec_t, file_type, sysadmfile, exec_type;
type httpd_php_t, domain;

# Transition from the user domain to this domain.
domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)

# The system role is authorized for this domain.
role system_r types httpd_php_t;

general_domain_access(httpd_php_t)
uses_shlib(httpd_php_t)
can_exec(httpd_php_t, lib_t)

# allow php to read and append to apache logfiles
allow httpd_php_t httpd_log_t:file ra_file_perms;

# access to /tmp
tmp_domain(httpd)
tmp_domain(httpd_php)

# Creation of lock files for apache2
lock_domain(httpd)

# Allow apache to used public_content_t
anonymous_domain(httpd)

# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
can_unix_connect(httpd_t, mysqld_t)
can_unix_connect(httpd_sys_script_t, mysqld_t)
allow httpd_php_t mysqld_var_run_t:dir search;
allow httpd_php_t mysqld_var_run_t:sock_file write;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
')
allow httpd_t bin_t:dir search;
allow httpd_t sbin_t:dir search;
allow httpd_t httpd_log_t:dir remove_name;

read_fonts(httpd_t)

allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

allow httpd_t autofs_t:dir { search getattr };

if (use_nfs_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(nfs_t)
}
if (use_samba_home_dirs && httpd_enable_homedirs) {
httpd_home_dirs(cifs_t)
}

#
# Allow users to mount additional directories as http_source
#
allow httpd_t mnt_t:dir r_dir_perms;

ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
typealias httpd_sys_content_t alias httpd_user_content_t;
typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;

if (httpd_enable_homedirs) {
allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
}
') dnl targeted policy

# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
typealias httpd_sys_content_t alias httpd_sysadm_content_t;

ifdef(`distro_redhat', `
#
# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
# This is a bug but it still exists in FC2
#
typealias httpd_log_t alias httpd_runtime_t;
allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
dontaudit httpd_t httpd_runtime_t:file ioctl;
') dnl distro_redhat
#
# Customer reported the following
#
ifdef(`snmpd.te', `
dontaudit httpd_t snmpd_var_lib_t:dir search;
dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
', `
dontaudit httpd_t usr_t:dir write;
')

application_domain(httpd_helper)
role system_r types httpd_helper_t;
domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
allow httpd_helper_t httpd_log_t:file { append };

########################################
# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
##################################################

if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
')
allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
} else {
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}

read_sysctl(httpd_sys_script_t)
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)

#
# unconfined domain for apache scripts. Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
unconfined_domain(httpd_unconfined_script_t)

# The following are types for SUEXEC,which runs user scripts as their
# own user ID
#
daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
allow httpd_t httpd_suexec_exec_t:file { getattr read };

#########################################################
# Permissions for running child processes and scripts
##########################################################

allow httpd_suexec_t self:capability { setuid setgid };

dontaudit httpd_suexec_t var_run_t:dir search;
allow httpd_suexec_t { var_t var_log_t }:dir search;
allow httpd_suexec_t home_root_t:dir search;

allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;

allow httpd_suexec_t etc_t:file { getattr read };
read_locale(httpd_suexec_t)
read_sysctl(httpd_suexec_t)
allow httpd_suexec_t urandom_device_t:chr_file { getattr read };

# for shell scripts
allow httpd_suexec_t bin_t:dir search;
allow httpd_suexec_t bin_t:lnk_file read;
can_exec(httpd_suexec_t, { bin_t shell_exec_t })

if (httpd_can_network_connect) {
can_network(httpd_suexec_t)
allow httpd_suexec_t port_type:tcp_socket name_connect;
}

can_ypbind(httpd_suexec_t)
allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };

allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)

if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
')
}
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
}

#
# Types for squirrelmail
#
type httpd_squirrelmail_t, file_type, sysadmfile;
create_dir_file(httpd_t, httpd_squirrelmail_t)
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
# File Type of squirrelmail attachments
type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
create_dir_file(httpd_t, squirrelmail_spool_t)
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)

ifdef(`mta.te', `
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
dontaudit system_mail_t httpd_log_t:file { append getattr };
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
bool httpd_enable_ftp_server false;
if (httpd_enable_ftp_server) {
allow httpd_t ftp_port_t:tcp_socket name_bind;
}

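Review bot: the rule allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect; (commented "allow httpd to work as a relay") grants outbound connections unconditionally, two lines above the if (httpd_can_network_connect) block whose whole purpose is to make outbound access from the web server opt-in; move it under that boolean, or a dedicated relay boolean, so a default install cannot reach other hosts on those ports until the administrator enables it. Also allow httpd_t crypt_device_t:chr_file rw_file_perms; carries no comment saying which module needs it, and bool httpd_enable_ftp_server false; is declared at the very end of the file instead of with the other booleans at the top.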
157
mls/domains/program/apmd.te
Normal file
@ -0,0 +1,157 @@
#DESC Apmd - Automatic Power Management daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: apmd
#

#################################
#
# Rules for the apmd_t domain.
#
daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')

# for SSP
allow apmd_t urandom_device_t:chr_file read;

type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
allow apm_t proc_t:file r_file_perms;
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
role system_r types apm_t;

allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read write };
can_sysctl(apmd_t)
allow apmd_t sysfs_t:file write;

allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t self:fifo_file rw_file_perms;
allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
allow apmd_t etc_t:lnk_file read;

# acpid wants a socket
file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)

# acpid also has a logfile
log_domain(apmd)
tmp_domain(apmd)

ifdef(`distro_suse', `
var_lib_domain(apmd)
')

allow apmd_t self:file { getattr read ioctl };
allow apmd_t self:process getsession;

# Use capabilities.
allow apmd_t self:capability { sys_admin sys_nice sys_time kill };

# controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
allow apmd_t self:capability mknod;

# Access /dev/apm_bios.
allow apmd_t apm_bios_t:chr_file rw_file_perms;

# Run helper programs.
can_exec_any(apmd_t)

# apmd calls hwclock.sh on suspend and resume
allow apmd_t clock_device_t:chr_file r_file_perms;
ifdef(`hwclock.te', `
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
allow apmd_t adjtime_t:file rw_file_perms;
allow hwclock_t apmd_log_t:file append;
allow hwclock_t apmd_t:unix_stream_socket { read write };
')


# to quiet fuser and ps
# setuid for fuser, dac* for ps
dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
dontaudit apmd_t domain:socket_class_set getattr;
dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
dontaudit apmd_t device_type:devfile_class_set getattr;
dontaudit apmd_t home_type:dir { search getattr };
dontaudit apmd_t domain:key_socket getattr;
dontaudit apmd_t domain:dir search;

ifdef(`distro_redhat', `
can_exec(apmd_t, apmd_var_run_t)
# for /var/lock/subsys/network
lock_domain(apmd)

# ifconfig_exec_t needs to be run in its own domain for Red Hat
ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
', `
# for ifconfig which is run all the time
dontaudit apmd_t sysctl_t:dir search;
')

ifdef(`udev.te', `
allow apmd_t udev_t:file { getattr read };
allow apmd_t udev_t:lnk_file { getattr read };
')
#
# apmd tells the machine to shutdown requires the following
#
allow apmd_t initctl_t:fifo_file write;
allow apmd_t initrc_var_run_t:file { read write lock };

#
# Allow it to run killof5 and pidof
#
typeattribute apmd_t unrestricted;
r_dir_file(apmd_t, domain)

# Same for apm/acpid scripts
domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
ifdef(`consoletype.te', `
allow consoletype_t apmd_t:fd use;
allow consoletype_t apmd_t:fifo_file write;
')
ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
ifdef(`crond.te', `
domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')

# for a find /dev operation that gets /dev/shm
dontaudit apmd_t tmpfs_t:dir r_dir_perms;
dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };

ifdef(`logrotate.te', `
allow apmd_t logrotate_t:fd use;
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
allow apmd_t security_t:dir search;
allow apmd_t usr_t:dir search;
r_dir_file(apmd_t, hwdata_t)
ifdef(`targeted_policy', `
unconfined_domain(apmd_t)
')

ifdef(`NetworkManager.te', `
ifdef(`dbusd.te', `
allow apmd_t NetworkManager_t:dbus send_msg;
allow NetworkManager_t apmd_t:dbus send_msg;
')
')
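Review bot: typeattribute apmd_t unrestricted; under the comment "Allow it to run killof5 and pidof" is a policy-wide attribute and far broader than that purpose; reading other domains' /proc entries is already covered by r_dir_file(apmd_t, domain) on the next line, so either drop unrestricted or document what else requires it (the comment also misspells killall5). Together with can_exec_any(apmd_t) and domain_auto_trans(apmd_t, initrc_exec_t, initrc_t), this domain can already run arbitrary binaries, which makes the careful dontaudit list above it largely cosmetic; a comment acknowledging that apmd_t is effectively trusted would help the next reader.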
48
mls/domains/program/arpwatch.te
Normal file
@ -0,0 +1,48 @@
#DESC arpwatch - keep track of ethernet/ip address pairings
#
# Author: Dan Walsh <dwalsh@redhat.com>
#

#################################
#
# Rules for the arpwatch_t domain.
#
# arpwatch_exec_t is the type of the arpwatch executable.
#
daemon_domain(arpwatch, `, privmail')

# for files created by arpwatch
type arpwatch_data_t, file_type, sysadmfile;
create_dir_file(arpwatch_t,arpwatch_data_t)
tmp_domain(arpwatch)

allow arpwatch_t self:capability { net_admin net_raw setgid setuid };

can_network_server(arpwatch_t)
allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:unix_dgram_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;

allow arpwatch_t { sbin_t var_lib_t }:dir search;
allow arpwatch_t sbin_t:lnk_file read;
r_dir_file(arpwatch_t, etc_t)
r_dir_file(arpwatch_t, usr_t)
can_ypbind(arpwatch_t)

ifdef(`qmail.te', `
allow arpwatch_t bin_t:dir search;
')

ifdef(`distro_gentoo', `
allow initrc_t arpwatch_data_t:dir { add_name write };
allow initrc_t arpwatch_data_t:file create;
')dnl end distro_gentoo

# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
')
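Review bot: the comment "# why is mail delivered to a directory of type arpwatch_data_t?" leaves an open question in shipped policy; the two rules that follow it (mta_delivery_agent searching arpwatch_data_t, and system_mail_t / mta_user_agent getting rw_file_perms on arpwatch_tmp_t files, presumably the report file arpwatch hands to the mailer) should be justified in the comment or narrowed, and the question resolved before merge. allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; would also benefit from a comment: net_raw covers the packet socket and setuid/setgid the privilege drop, but net_admin is only needed if the daemon puts the interface into promiscuous mode, which is worth stating so it can be dropped if not. Style: create_dir_file(arpwatch_t,arpwatch_data_t) is missing the space after the comma used everywhere else in the tree.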
76
mls/domains/program/auditd.te
Normal file
@ -0,0 +1,76 @@
#DESC auditd - System auditing daemon
#
# Authors: Colin Walters <walters@verbum.org>
#
# Some fixes by Paul Moore <paul.moore@hp.com>
#
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
domain_auto_trans($1, auditctl_exec_t, auditctl_t)
')

daemon_domain(auditd)

ifdef(`mls_policy', `
# run at the highest MLS level
typeattribute auditd_t mlsrangetrans;
range_transition initrc_t auditd_exec_t s15:c0.c255;
')

allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
allow auditd_t self:process setsched;
allow auditd_t self:file { getattr read write };
allow auditd_t etc_t:file { getattr read };

# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
allow auditd_t var_log_t:dir search;
rw_dir_create_file(auditd_t, auditd_log_t)

can_exec(auditd_t, init_exec_t)
allow auditd_t initctl_t:fifo_file write;

ifdef(`targeted_policy', `
dontaudit auditd_t unconfined_t:fifo_file read;
')

type auditctl_t, domain, privlog;
type auditctl_exec_t, file_type, exec_type, sysadmfile;
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t etc_t:file { getattr read };
allow auditctl_t admin_tty_type:chr_file rw_file_perms;

type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
allow initrc_t auditd_etc_t:file r_file_perms;

role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)

ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
')
')

role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)

dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
dontaudit auditctl_t init_t:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;


allow auditd_t sbin_t:dir search;
can_exec(auditd_t, sbin_t)
allow auditd_t self:fifo_file rw_file_perms;
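Review bot: can_exec(auditd_t, sbin_t) at the end of the file lets the audit daemon execute any binary under /sbin; if this exists for one specific helper (a dispatcher or notification program), give that program its own type and allow only it, or at least add a comment naming it. can_exec(auditd_t, init_exec_t) together with allow auditd_t initctl_t:fifo_file write; gives auditd the ability to drive init (presumably the halt or single-user action taken when the log cannot be written) and deserves the same comment. On the MLS side, range_transition initrc_t auditd_exec_t s15:c0.c255; with typeattribute auditd_t mlsrangetrans; is the right shape for a daemon that must receive events from every level, but note that the audit_manager_domain macro grants rw_file_perms on auditd_etc_t and create_dir_file on auditd_log_t to secadm_t, and to sysadm_t as well unless separate_secadm is defined, so the integrity of the audit trail in MLS builds depends on that ifdef being set.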
79
mls/domains/program/automount.te
Normal file
@ -0,0 +1,79 @@
#DESC Automount - Automount daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>
# Modified by Russell Coker <russell@coker.com.au>
# X-Debian-Packages: amd am-utils autofs
#

#################################
#
# Rules for the automount_t domain.
#
daemon_domain(automount)

etc_domain(automount)

# for SSP
allow automount_t urandom_device_t:chr_file read;

# for if the mount point is not labelled
allow automount_t file_t:dir getattr;
allow automount_t default_t:dir getattr;

allow automount_t autofs_t:dir { create_dir_perms ioctl };
allow automount_t fs_type:dir getattr;

allow automount_t { etc_t etc_runtime_t }:file { getattr read };
allow automount_t proc_t:file { getattr read };
allow automount_t self:process { getpgid setpgid setsched };
allow automount_t self:capability { sys_nice dac_override };
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;

# because config files can be shell scripts
can_exec(automount_t, { etc_t automount_etc_t })

can_network_server(automount_t)
can_resolve(automount_t)
can_ypbind(automount_t)
can_ldap(automount_t)

ifdef(`fsadm.te', `
domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
')

lock_domain(automount)

tmp_domain(automount)
allow automount_t self:fifo_file rw_file_perms;

# Run mount in the mount_t domain.
domain_auto_trans(automount_t, mount_exec_t, mount_t)
allow mount_t autofs_t:dir { search mounton read };
allow mount_t automount_tmp_t:dir mounton;

ifdef(`apmd.te',
`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
can_exec(automount_t, bin_t)')

allow automount_t { bin_t sbin_t }:dir search;
can_exec(automount_t, mount_exec_t)
can_exec(automount_t, shell_exec_t)

allow mount_t autofs_t:dir getattr;
dontaudit automount_t var_t:dir write;

allow userdomain autofs_t:dir r_dir_perms;
allow kernel_t autofs_t:dir { getattr ioctl read search };

allow automount_t { boot_t home_root_t }:dir getattr;
allow automount_t mnt_t:dir { getattr search };

can_exec(initrc_t, automount_etc_t)

# Allow automount to create and delete directories in / and /home
file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)

allow automount_t var_lib_t:dir search;
allow automount_t var_lib_nfs_t:dir search;

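Review bot: inside ifdef(`apmd.te', `domain_auto_trans(apmd_t, automount_exec_t, automount_t) can_exec(automount_t, bin_t)') the can_exec(automount_t, bin_t) has nothing to do with apmd yet only takes effect when apmd.te is present, which looks accidental; move it out of the ifdef next to can_exec(automount_t, shell_exec_t), or drop it if mount_exec_t and shell_exec_t already cover what the maps actually run. Also can_exec(automount_t, { etc_t automount_etc_t }) ("because config files can be shell scripts") lets the daemon execute anything labeled etc_t; since etc_domain(automount) already provides automount_etc_t, labeling the executable maps with that type and removing etc_t from the can_exec would be the tighter fix.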
31
mls/domains/program/avahi.te
Normal file
@ -0,0 +1,31 @@
|
||||
#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
|
||||
#
|
||||
# Author: Dan Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
|
||||
daemon_domain(avahi, `, privsysmod')
|
||||
r_dir_file(avahi_t, proc_net_t)
|
||||
can_network_server(avahi_t)
|
||||
can_ypbind(avahi_t)
|
||||
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow avahi_t self:unix_dgram_socket create_socket_perms;
|
||||
allow avahi_t self:capability { dac_override setgid chown kill setuid };
|
||||
allow avahi_t urandom_device_t:chr_file r_file_perms;
|
||||
allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
|
||||
allow avahi_t self:fifo_file { read write };
|
||||
allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow avahi_t self:process setrlimit;
|
||||
allow avahi_t etc_t:file { getattr read };
|
||||
allow avahi_t initrc_t:process { signal signull };
|
||||
allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
|
||||
allow avahi_t avahi_var_run_t:dir setattr;
|
||||
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, avahi)
|
||||
ifdef(`targeted_policy', `
|
||||
allow avahi_t unconfined_t:dbus send_msg;
|
||||
allow unconfined_t avahi_t:dbus send_msg;
|
||||
')
|
||||
')
|
||||
|
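Review bot: the capability line allow avahi_t self:capability { dac_override setgid chown kill setuid }; carries no comment, unlike the other daemon files in this commit which at least mark their capability rules with "# Use capabilities."; dac_override bypasses file permission checks and kill lets the daemon signal arbitrary processes, so each of the five should be justified or dropped. The privsysmod attribute passed to daemon_domain(avahi, ...) is likewise unexplained; a one-line comment saying which operation of the mDNS responder needs it would let a later reader remove it when that need goes away.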
116
mls/domains/program/bluetooth.te
Normal file
@ -0,0 +1,116 @@
#DESC Bluetooth
#
# Authors: Dan Walsh
# RH-Packages: Bluetooth
#

#################################
#
# Rules for the bluetooth_t domain.
#
daemon_domain(bluetooth)

file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)

tmp_domain(bluetooth)
var_lib_domain(bluetooth)

# Use capabilities.
allow bluetooth_t self:file read;
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
allow bluetooth_t self:process getsched;
allow bluetooth_t proc_t:file { getattr read };

allow bluetooth_t self:shm create_shm_perms;

lock_domain(bluetooth)

# Use the network.
can_network(bluetooth_t)
can_ypbind(bluetooth_t)
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')
allow bluetooth_t self:socket create_stream_socket_perms;

allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;

dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };

# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
type bluetooth_conf_rw_t, file_type, sysadmfile;

# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
#/usr/sbin/hid2hci causes the following
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
allow bluetooth_t bin_t:dir search;
can_exec(bluetooth_t, { bin_t shell_exec_t })
allow bluetooth_t bin_t:lnk_file read;

#Handle bluetooth serial devices
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_t, fonts_t)
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
allow bluetooth_t usr_t:file { getattr read };

application_domain(bluetooth_helper, `, nscd_client_domain')
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
role system_r types bluetooth_helper_t;
read_locale(bluetooth_helper_t)
typeattribute bluetooth_helper_t unrestricted;
r_dir_file(bluetooth_helper_t, domain)
allow bluetooth_helper_t bin_t:dir { getattr search };
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
allow bluetooth_helper_t bin_t:lnk_file read;
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:process { fork getsched sigchld };
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_helper_t, fonts_t)
r_dir_file(bluetooth_helper_t, proc_t)
read_sysctl(bluetooth_helper_t)
allow bluetooth_helper_t tmp_t:dir search;
allow bluetooth_helper_t usr_t:file { getattr read };
allow bluetooth_helper_t home_dir_type:dir search;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
ifdef(`targeted_policy', `
allow bluetooth_helper_t tmp_t:sock_file { read write };
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
allow bluetooth_t unpriv_userdomain:dbus send_msg;
allow unpriv_userdomain bluetooth_t:dbus send_msg;
')
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_helper_t self:unix_stream_socket connectto;
tmp_domain(bluetooth_helper)
allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;

dontaudit bluetooth_helper_t default_t:dir { read search };
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
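Review bot: typeattribute bluetooth_helper_t unrestricted; needs a justification comment: the helper is spawned from the daemon by domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t), is given can_exec(bluetooth_helper_t, { bin_t shell_exec_t }) and search on every home_dir_type directory, and "unrestricted" is the attribute that other files in this same commit deliberately carve out of process inspection (can_ps(cardmgr_t, domain -unrestricted) in cardmgr.te), so marking a Bluetooth helper with it widens what a compromised helper can reach and hides it from those views. Please say which helper program needs this, or keep it as a normal application_domain without the attribute. Also, the ifdef(`xserver.te', ...) block granting xserver_log_t dir search and file getattr/read to bluetooth_helper_t appears twice (once right after the home_dir_type search rule, again as the final block of the file); one copy should go.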
9
mls/domains/program/bonobo.te
Normal file
@ -0,0 +1,9 @@
# DESC - Bonobo Activation Server
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#

# Type for executable
type bonobo_exec_t, file_type, exec_type, sysadmfile;

# Everything else is in macros/bonobo_macros.te
167
mls/domains/program/bootloader.te
Normal file
@ -0,0 +1,167 @@
#DESC Bootloader - Lilo boot loader/manager
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: lilo
#

#################################
#
# Rules for the bootloader_t domain.
#
# bootloader_exec_t is the type of the bootloader executable.
#
type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
type bootloader_exec_t, file_type, sysadmfile, exec_type;
etc_domain(bootloader)

role sysadm_r types bootloader_t;
role system_r types bootloader_t;

allow bootloader_t var_t:dir search;
create_append_log_file(bootloader_t, var_log_t)
allow bootloader_t var_log_t:file write;

# for nscd
dontaudit bootloader_t var_run_t:dir search;

ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
')
allow bootloader_t { initrc_t privfd }:fd use;

tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })

read_locale(bootloader_t)

# for tune2fs
file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)

# for /vmlinuz sym link
allow bootloader_t root_t:lnk_file read;

# lilo would need read access to get BIOS data
allow bootloader_t proc_kcore_t:file getattr;

allow bootloader_t { etc_t device_t }:dir r_dir_perms;
allow bootloader_t etc_t:file r_file_perms;
allow bootloader_t etc_t:lnk_file read;
allow bootloader_t initctl_t:fifo_file getattr;
uses_shlib(bootloader_t)

ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
allow bootloader_t usr_t:lnk_file read;
allow bootloader_t tmpfs_t:dir r_dir_perms;
allow bootloader_t initrc_var_run_t:dir r_dir_perms;
allow bootloader_t var_lib_t:dir search;
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
# for /usr/share/initrd-tools/scripts
can_exec(bootloader_t, usr_t)
')

allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
allow bootloader_t device_t:lnk_file { getattr read };

# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
ifdef(`lvm.te', `
allow bootloader_t lvm_control_t:chr_file rw_file_perms;
domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
allow lvm_t bootloader_tmp_t:file rw_file_perms;
r_dir_file(bootloader_t, lvm_etc_t)
')

# uncomment the following line if you use "lilo -p"
#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);

can_exec_any(bootloader_t)
allow bootloader_t shell_exec_t:lnk_file read;
allow bootloader_t { bin_t sbin_t }:dir search;
allow bootloader_t { bin_t sbin_t }:lnk_file read;

allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
allow bootloader_t modules_object_t:dir r_dir_perms;
ifdef(`distro_redhat', `
allow bootloader_t modules_object_t:lnk_file { getattr read };
')

# for ldd
ifdef(`fsadm.te', `
allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
')
ifdef(`modutil.te', `
allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
')

dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;

allow bootloader_t boot_t:dir { create rw_dir_perms };
allow bootloader_t boot_t:file create_file_perms;
allow bootloader_t boot_t:lnk_file create_lnk_perms;

allow bootloader_t load_policy_exec_t:file { getattr read };

allow bootloader_t random_device_t:chr_file { getattr read };

ifdef(`distro_redhat', `
# for mke2fs
domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
allow mount_t bootloader_tmp_t:dir mounton;

# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t file_t:dir create_dir_perms;
allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
allow bootloader_t file_t:lnk_file create_lnk_perms;
allow bootloader_t self:unix_stream_socket create_socket_perms;
allow bootloader_t boot_runtime_t:file { read getattr unlink };

# for memlock
allow bootloader_t zero_device_t:chr_file { getattr read };
allow bootloader_t self:capability ipc_lock;
')

allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
# allow bootloader to get attributes of any device node
allow bootloader_t { device_type ttyfile }:chr_file getattr;
allow bootloader_t device_type:blk_file getattr;
dontaudit bootloader_t devpts_t:dir create_dir_perms;

allow bootloader_t self:process { fork signal_perms };
allow bootloader_t self:lnk_file read;
allow bootloader_t self:dir search;
allow bootloader_t self:file { getattr read };
allow bootloader_t self:fifo_file rw_file_perms;

allow bootloader_t fs_t:filesystem getattr;

allow bootloader_t proc_t:dir { getattr search };
allow bootloader_t proc_t:file r_file_perms;
allow bootloader_t proc_t:lnk_file { getattr read };
allow bootloader_t proc_mdstat_t:file r_file_perms;
allow bootloader_t self:dir { getattr search read };
read_sysctl(bootloader_t)
allow bootloader_t etc_runtime_t:file r_file_perms;

allow bootloader_t devtty_t:chr_file rw_file_perms;
allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
allow bootloader_t initrc_t:fifo_file { read write };

# for reading BIOS data
allow bootloader_t memory_device_t:chr_file r_file_perms;

allow bootloader_t policy_config_t:dir { search read };
allow bootloader_t policy_config_t:file { getattr read };

allow bootloader_t lib_t:file { getattr read };
allow bootloader_t sysfs_t:dir getattr;
allow bootloader_t urandom_device_t:chr_file read;
allow bootloader_t { usr_t var_t }:file { getattr read };
r_dir_file(bootloader_t, src_t)
dontaudit bootloader_t selinux_config_t:dir search;
dontaudit bootloader_t sysctl_t:dir search;
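Review bot: in the ifdef(`distro_redhat', ...) block, the file_t rules (allow bootloader_t file_t:dir create_dir_perms; and the file/blk_file/chr_file/lnk_file create rules after it) are introduced by the comment "new file system defaults to file_t, granting file_t access is still bad." and then left as they are; file_t is the default type for unlabeled content, so granting a domain with sys_rawio, sys_admin and raw block-device write (fixed_disk_device_t / removable_device_t rw_file_perms) create rights over it means the initrd image it builds is indistinguishable by label from any other unlabeled file. The same file already uses file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file) to give temporary output its own type; the mke2fs output deserves the same treatment rather than a comment that acknowledges the gap. Two smaller points: domain_auto_trans(bootloader_t, mount_exec_t, mount_t); is the only active macro call in the file terminated with a semicolon (all the others omit it), and allow bootloader_t self:dir search; is made redundant by allow bootloader_t self:dir { getattr search read }; further down.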
46
mls/domains/program/canna.te
Normal file
@ -0,0 +1,46 @@
#DESC canna - A Japanese character set input system.
#
# Authors: Dan Walsh <dwalsh@redhat.com>
#
#

#################################
#
# Rules for the canna_t domain.
#
daemon_domain(canna)

file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)

logdir_domain(canna)
var_lib_domain(canna)

allow canna_t self:capability { setgid setuid net_bind_service };
allow canna_t tmp_t:dir { search };
allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t etc_t:file { getattr read };
allow canna_t usr_t:file { getattr read };

allow canna_t proc_t:file r_file_perms;
allow canna_t etc_runtime_t:file r_file_perms;
allow canna_t canna_var_lib_t:dir create;

rw_dir_create_file(canna_t, canna_var_lib_t)

can_network_tcp(canna_t)
allow canna_t port_type:tcp_socket name_connect;
can_ypbind(canna_t)

allow userdomain canna_var_run_t:dir search;
allow userdomain canna_var_run_t:sock_file write;
can_unix_connect(userdomain, canna_t)

ifdef(`i18n_input.te', `
allow i18n_input_t canna_var_run_t:dir search;
allow i18n_input_t canna_var_run_t:sock_file write;
can_unix_connect(i18n_input_t, canna_t)
')

dontaudit canna_t kernel_t:fd use;
dontaudit canna_t root_t:file read;
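Review bot: allow canna_t self:unix_dgram_socket create_stream_socket_perms; applies the stream permission set to a datagram socket; the listen/accept permissions it includes have no meaning for a dgram socket, and every other file in this commit uses create_socket_perms for unix_dgram_socket (avahi.te, bluetooth.te, cardmgr.te), so this looks like a copy of the unix_stream_socket line directly above it. Separately, allow canna_t port_type:tcp_socket name_connect; lets the input server connect to any labeled TCP port on the system; if canna only talks to its own service port, naming that port type keeps the rule narrow and makes unexpected outbound connections from canna_t show up as denials instead of succeeding silently.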
90
mls/domains/program/cardmgr.te
Normal file
@ -0,0 +1,90 @@
#DESC Cardmgr - PCMCIA control programs
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pcmcia-cs
#

#################################
#
# Rules for the cardmgr_t domain.
#
daemon_domain(cardmgr, `, privmodule')

# for SSP
allow cardmgr_t urandom_device_t:chr_file read;

type cardctl_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
')
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };

allow cardmgr_t sysfs_t:dir search;
allow cardmgr_t home_root_t:dir search;

# Use capabilities (net_admin for route), setuid for cardctl
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };

# for /etc/resolv.conf
file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)

allow cardmgr_t etc_runtime_t:file { getattr read };

allow cardmgr_t modules_object_t:dir search;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t self:fifo_file rw_file_perms;

# Create stab file
var_lib_domain(cardmgr)

# for /var/lib/misc/pcmcia-scheme
# would be better to have it in a different type if I knew how it was created..
allow cardmgr_t var_lib_t:file { getattr read };

# Create device files in /tmp.
type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })

# Create symbolic links in /dev.
type cardmgr_lnk_t, file_type, sysadmfile;
file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)

# Run a shell, normal commands, /etc/pcmcia scripts.
can_exec_any(cardmgr_t)
allow cardmgr_t etc_t:lnk_file read;

# Run ifconfig.
domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
allow ifconfig_t cardmgr_t:fd use;

allow cardmgr_t proc_t:file { getattr read ioctl };

# Read /proc/PID directories for all domains (for fuser).
can_ps(cardmgr_t, domain -unrestricted)
dontaudit cardmgr_t unrestricted:dir search;

allow cardmgr_t device_type:{ chr_file blk_file } getattr;
allow cardmgr_t ttyfile:chr_file getattr;
dontaudit cardmgr_t ptyfile:chr_file getattr;
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
dontaudit cardmgr_t proc_kmsg_t:file getattr;

allow cardmgr_t tty_device_t:chr_file rw_file_perms;

ifdef(`apmd.te', `
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
')

ifdef(`hide_broken_symptoms', `
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
')
ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
allow cardmgr_t device_t:lnk_file { getattr read };
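Review bot: the ifdef(`hide_broken_symptoms', ...) block dontaudits read and write on cardmgr_dev_t:chr_file for insmod_t and ifconfig_t, which hides whether those domains genuinely need the device nodes cardmgr creates (cardmgr_dev_t is declared with tmpfile and device_type and can be created under /tmp as well as /dev); either grant the access explicitly with a comment naming the program that opens the node, or fix the labeling, but do not leave the denial invisible to the audit log, since that is exactly the signal that would reveal a device node being placed somewhere unexpected. On the "# for /var/lib/misc/pcmcia-scheme" rule, the author's own comment says the generic var_lib_t read wants a dedicated type; var_lib_domain(cardmgr) a few lines above it already gives cardmgr its own var_lib type, so adding a file context entry for pcmcia-scheme would close that gap and let the var_lib_t:file rule go.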
10
mls/domains/program/cdrecord.te
Normal file
@ -0,0 +1,10 @@
# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>

# Type for the cdrecord excutable.
type cdrecord_exec_t, file_type, sysadmfile, exec_type;

# everything else is in the cdrecord_domain macros in
# macros/program/cdrecord_macros.te.

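Review bot: typo in the comment "# Type for the cdrecord excutable." (should read "executable"); trivial, but it is the only thing in this file and will otherwise be copied into the next new .te file.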
11
mls/domains/program/certwatch.te
Normal file
@ -0,0 +1,11 @@
#DESC certwatch - generate SSL certificate expiry warnings
#
# Domains for the certwatch process
# Authors: Dan Walsh <dwalsh@redhat.com>,
#
application_domain(certwatch)
role system_r types certwatch_t;
r_dir_file(certwatch_t, cert_t)
can_exec(certwatch_t, httpd_modules_t)
system_crond_entry(certwatch_exec_t, certwatch_t)
read_locale(certwatch_t)
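Review bot: can_exec(certwatch_t, httpd_modules_t) executes httpd modules inside certwatch_t without a domain transition and with no comment on why an expiry checker needs to run httpd code at all; combined with r_dir_file(certwatch_t, cert_t), which grants read on everything labeled cert_t, and system_crond_entry, this is an unattended cron job with read access to the whole cert_t tree and an unexplained exec path. Please document which module load certwatch depends on (or drop the rule), and confirm that cert_t only covers public certificates, since any private key labeled the same way becomes readable to this domain.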
64
mls/domains/program/checkpolicy.te
Normal file
@ -0,0 +1,64 @@
#DESC Checkpolicy - SELinux policy compliler
#
# Authors: Frank Mayer, mayerf@tresys.com
# X-Debian-Packages: checkpolicy
#

###########################
#
# checkpolicy_t is the domain type for checkpolicy
# checkpolicy_exec_t if file type for the executable

type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
role system_r types checkpolicy_t;
role secadm_r types checkpolicy_t;

type checkpolicy_exec_t, file_type, exec_type, sysadmfile;

##########################
#
# Rules

domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)

# able to create and modify binary policy files
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
allow checkpolicy_t policy_config_t:file create_file_perms;

###########################
# constrain what checkpolicy can use as source files
#

# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir r_dir_perms;
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;

# allow test policies to be created in src directories
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)

# directory search permissions for path to source and binary policy files
allow checkpolicy_t root_t:dir search;
allow checkpolicy_t etc_t:dir search;

# Read the devpts root directory.
allow checkpolicy_t devpts_t:dir r_dir_perms;
ifdef(`sshd.te',
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')

# Other access
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(checkpolicy_t)
allow checkpolicy_t self:capability dac_override;

##########################
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)

allow checkpolicy_t { userdomain privfd }:fd use;

allow checkpolicy_t fs_t:filesystem getattr;
allow checkpolicy_t console_device_t:chr_file { read write };
allow checkpolicy_t init_t:fd use;
allow checkpolicy_t selinux_config_t:dir search;
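Review bot: file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file) labels test policies written into the source directory with policy_config_t, the same type the real binary policy carries (the "# able to create and modify binary policy files" rules above grant create_file_perms on exactly that type), so a test build in the source tree is indistinguishable by label from the live policy store; a separate type for test output would keep that distinction and is the point the "constrain what checkpolicy can use" section is trying to make. Two smaller things: allow checkpolicy_t self:capability dac_override; has no comment explaining which DAC check the compiler needs to bypass, and the header has two typos ("compliler" and "checkpolicy_exec_t if file type", which should read "is the file type").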
18
mls/domains/program/chkpwd.te
Normal file
@ -0,0 +1,18 @@
#DESC Chkpwd - PAM password checking programs
# X-Debian-Packages: libpam-modules
#
# Domains for the /sbin/.*_chkpwd utilities.
#

#
# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
#
type chkpwd_exec_t, file_type, sysadmfile, exec_type;

chkpwd_domain(system)
dontaudit system_chkpwd_t privfd:fd use;
role sysadm_r types system_chkpwd_t;
in_user_role(system_chkpwd_t)

# Everything else is in the chkpwd_domain macro in
# macros/program/chkpwd_macros.te.
21
mls/domains/program/chroot.te
Normal file
@ -0,0 +1,21 @@
#DESC Chroot - Establish chroot environments
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#
type chroot_exec_t, file_type, sysadmfile, exec_type;

# For a chroot environment named potato that can be entered from user_t (so
# the user can run an old version of Debian in a chroot), with the possibility
# of user_devpts_t or user_tty_device_t being the controlling tty type for
# administration. This also defines a mount_domain for the user (so they can
# mount file systems).
#chroot(user, potato)
# For a chroot environment named apache that can be entered from initrc_t for
# running a different version of apache.
# initrc is a special case, uses the system_r role (usually appends "_r" to
# the base name of the parent domain), and has sysadm_devpts_t and
# sysadm_tty_device_t for the controlling terminal
#chroot(initrc, apache)

# the main code is in macros/program/chroot_macros.te
20
mls/domains/program/comsat.te
Normal file
@ -0,0 +1,20 @@
#DESC comsat - biff server
#
# Author: Dan Walsh <dwalsh@redhat.com>
# Depends: inetd.te
#

#################################
#
# Rules for the comsat_t domain.
#
# comsat_exec_t is the type of the comsat executable.
#

inetd_child_domain(comsat, udp)
allow comsat_t initrc_var_run_t:file r_file_perms;
dontaudit comsat_t initrc_var_run_t:file write;
allow comsat_t mail_spool_t:dir r_dir_perms;
allow comsat_t mail_spool_t:lnk_file read;
allow comsat_t var_spool_t:dir search;
dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
65
mls/domains/program/consoletype.te
Normal file
@ -0,0 +1,65 @@
#DESC consoletype - determine the type of a console device
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages:
#

#################################
#
# Rules for the consoletype_t domain.
#
# consoletype_t is the domain for the consoletype program.
# consoletype_exec_t is the type of the corresponding program.
#
type consoletype_t, domain, mlsfileread, mlsfilewrite;
type consoletype_exec_t, file_type, sysadmfile, exec_type;

role system_r types consoletype_t;

uses_shlib(consoletype_t)
general_domain_access(consoletype_t)

ifdef(`targeted_policy', `', `
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)

ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')

ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
')

allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;

allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;

# Use capabilities.
allow consoletype_t self:capability sys_admin;

allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;

ifdef(`lpd.te', `
allow consoletype_t printconf_t:file { getattr read };
')

ifdef(`pam.te', `
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
allow consoletype_t tmpfs_t:chr_file rw_file_perms;
')
ifdef(`firstboot.te', `
allow consoletype_t firstboot_t:fifo_file write;
')
dontaudit consoletype_t proc_t:dir search;
dontaudit consoletype_t proc_t:file read;
dontaudit consoletype_t root_t:file read;
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
allow consoletype_t system_crond_t:fd use;
allow consoletype_t fs_t:filesystem getattr;
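Review bot: type consoletype_t, domain, mlsfileread, mlsfilewrite; gives a program whose only job is to report the console type both MLS file-read and file-write override attributes, and since this commit is the MLS policy those two words exempt the domain from the level checks the rest of the policy enforces on file access; the file has no comment saying which file at which sensitivity level forces this. If it is the tty handed down from initrc_t or xdm_t, say so next to the type line, otherwise drop the attributes. In the same spirit, allow consoletype_t nfs_t:file write; and allow consoletype_t self:capability sys_admin; are broad for this program and should each carry the reason they were added.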
17
mls/domains/program/cpucontrol.te
Normal file
@ -0,0 +1,17 @@
#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
#
# Author: Russell Coker <russell@coker.com.au>
#

type cpucontrol_conf_t, file_type, sysadmfile;

daemon_base_domain(cpucontrol)

# Access cpu devices.
allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
allow cpucontrol_t device_t:lnk_file { getattr read };
allow initrc_t cpu_device_t:chr_file getattr;

allow cpucontrol_t self:capability sys_rawio;

r_dir_file(cpucontrol_t, cpucontrol_conf_t)
17
mls/domains/program/cpuspeed.te
Normal file
@ -0,0 +1,17 @@
#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
#
# Authors: Russell Coker <russell@coker.com.au>
# Thomas Bleher <ThomasBleher@gmx.de>
#

daemon_base_domain(cpuspeed)
read_locale(cpuspeed_t)

allow cpuspeed_t sysfs_t:dir search;
allow cpuspeed_t sysfs_t:file rw_file_perms;
allow cpuspeed_t proc_t:dir r_dir_perms;
allow cpuspeed_t proc_t:file { getattr read };
allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };

allow cpuspeed_t self:process setsched;
allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
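Review bot: allow cpuspeed_t sysfs_t:file rw_file_perms; grants write to every file under sysfs, not only the frequency-scaling nodes a cpuspeed daemon adjusts, and sysfs writes are how a lot of kernel state is changed; if the policy cannot label those nodes with their own type, a comment stating that the broad rule is deliberate (and what it is for) would stop the next reader from tightening it blindly, and if it can, the cpucontrol.te file in this same commit shows the pattern with cpu_device_t.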
48
mls/domains/program/crack.te
Normal file
@ -0,0 +1,48 @@
#DESC Crack - Password cracking application
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: crack
#

#################################
#
# Rules for the crack_t domain.
#
# crack_exec_t is the type of the crack executable.
#
system_domain(crack)
ifdef(`crond.te', `
system_crond_entry(crack_exec_t, crack_t)
')

# for SSP
allow crack_t urandom_device_t:chr_file read;

type crack_db_t, file_type, sysadmfile, usercanread;
allow crack_t var_t:dir search;
rw_dir_create_file(crack_t, crack_db_t)

allow crack_t device_t:dir search;
allow crack_t devtty_t:chr_file rw_file_perms;
allow crack_t self:fifo_file { read write getattr };

tmp_domain(crack)

# for dictionaries
allow crack_t usr_t:file { getattr read };

can_exec(crack_t, bin_t)
allow crack_t { bin_t sbin_t }:dir search;

allow crack_t self:process { fork signal_perms };

allow crack_t proc_t:dir { read search };
allow crack_t proc_t:file { read getattr };

# read config files
allow crack_t { etc_t etc_runtime_t }:file { getattr read };
allow crack_t etc_t:dir r_dir_perms;

allow crack_t fs_t:filesystem getattr;

dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
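Review bot: type crack_db_t, file_type, sysadmfile, usercanread; marks the password cracker's database as readable by ordinary user domains through the usercanread attribute; that database is the output of a job that runs from system cron (system_crond_entry) against the system's own password hashes, so its contents are exactly what an unprivileged user should not be able to browse. Either add a comment explaining why user access to crack_db_t is needed, or drop usercanread so the database stays sysadm-only, and consider whether the tmp_domain(crack) scratch files need the same care.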
214
mls/domains/program/crond.te
Normal file
@ -0,0 +1,214 @@
#DESC Crond - Crond daemon
#
# Domains for the top-level crond daemon process and
# for system cron jobs. The domains for user cron jobs
# are in macros/program/crond_macros.te.
#
# X-Debian-Packages: cron
# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...

# Domain for crond. It needs auth_chkpwd to check for locked accounts.
daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')

# This domain is granted permissions common to most domains (including can_net)
general_domain_access(crond_t)

# Type for the anacron executable.
type anacron_exec_t, file_type, sysadmfile, exec_type;

# Type for temporary files.
tmp_domain(crond)

crond_domain(system)

allow system_crond_t proc_mdstat_t:file { getattr read };
allow system_crond_t proc_t:lnk_file read;
allow system_crond_t proc_t:filesystem getattr;
allow system_crond_t usbdevfs_t:filesystem getattr;

ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
')

# read files in /etc
allow system_crond_t etc_t:file r_file_perms;
allow system_crond_t etc_runtime_t:file { getattr read };

allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;

read_locale(crond_t)

# Use capabilities.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;

# Get security policy decisions.
can_getsecurity(crond_t)

# for finding binaries and /bin/sh
allow crond_t { bin_t sbin_t }:dir search;
allow crond_t { bin_t sbin_t }:lnk_file read;

# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;

# Read /etc/security/default_contexts.
r_dir_file(crond_t, default_context_t)

allow crond_t etc_t:file { getattr read };
allow crond_t etc_t:lnk_file read;

allow crond_t default_t:dir search;

# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;

# to search /home
allow crond_t home_root_t:dir { getattr search };
allow crond_t user_home_dir_type:dir r_dir_perms;
|
||||
|
||||
# Run a shell.
|
||||
can_exec(crond_t, shell_exec_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
ifdef(`rpm.te', `
|
||||
allow crond_t rpm_log_t: file create_file_perms;
|
||||
|
||||
system_crond_entry(rpm_exec_t, rpm_t)
|
||||
allow system_crond_t rpm_log_t:file create_file_perms;
|
||||
#read ahead wants to read this
|
||||
allow initrc_t system_cron_spool_t:file { getattr read };
|
||||
')
|
||||
')
|
||||
|
||||
allow system_crond_t var_log_t:file r_file_perms;
|
||||
|
||||
|
||||
# Set exec context.
|
||||
can_setexec(crond_t)
|
||||
|
||||
# Transition to this domain for anacron as well.
|
||||
# Still need to study anacron.
|
||||
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
|
||||
|
||||
# Inherit and use descriptors from init for anacron.
|
||||
allow system_crond_t init_t:fd use;
|
||||
|
||||
# Inherit and use descriptors from initrc for anacron.
|
||||
allow system_crond_t initrc_t:fd use;
|
||||
can_access_pty(system_crond_t, initrc)
|
||||
|
||||
# Use capabilities.
|
||||
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
|
||||
|
||||
allow crond_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
# Read the system crontabs.
|
||||
allow system_crond_t system_cron_spool_t:file r_file_perms;
|
||||
|
||||
allow crond_t system_cron_spool_t:dir r_dir_perms;
|
||||
allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
|
||||
# Read from /var/spool/cron.
|
||||
allow system_crond_t cron_spool_t:dir r_dir_perms;
|
||||
allow system_crond_t cron_spool_t:file r_file_perms;
|
||||
|
||||
# Write to /var/lib/slocate.db.
|
||||
allow system_crond_t var_lib_t:dir rw_dir_perms;
|
||||
allow system_crond_t var_lib_t:file create_file_perms;
|
||||
|
||||
# Update whatis files.
|
||||
allow system_crond_t man_t:dir create_dir_perms;
|
||||
allow system_crond_t man_t:file create_file_perms;
|
||||
allow system_crond_t man_t:lnk_file read;
|
||||
|
||||
# Write /var/lock/makewhatis.lock.
|
||||
lock_domain(system_crond)
|
||||
|
||||
# for if /var/mail is a symlink
|
||||
allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
|
||||
allow crond_t mail_spool_t:dir search;
|
||||
|
||||
ifdef(`mta.te', `
|
||||
r_dir_file(system_mail_t, crond_tmp_t)
|
||||
')
|
||||
|
||||
# Stat any file and search any directory for find.
|
||||
allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
|
||||
allow system_crond_t device_type:{ chr_file blk_file } getattr;
|
||||
allow system_crond_t file_type:dir { read search getattr };
|
||||
|
||||
# Create temporary files.
|
||||
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
|
||||
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
|
||||
|
||||
# /sbin/runlevel ask for w access to utmp, but will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
# /sbin/runlevel needs lock access however
|
||||
dontaudit system_crond_t initrc_var_run_t:file write;
|
||||
allow system_crond_t initrc_var_run_t:file { getattr read lock };
|
||||
|
||||
# Access other spool directories like
|
||||
# /var/spool/anacron and /var/spool/slrnpull.
|
||||
allow system_crond_t var_spool_t:file create_file_perms;
|
||||
allow system_crond_t var_spool_t:dir rw_dir_perms;
|
||||
|
||||
# Do not audit attempts to search unlabeled directories (e.g. slocate).
|
||||
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
|
||||
dontaudit system_crond_t unlabeled_t:file r_file_perms;
|
||||
|
||||
#
|
||||
# reading /var/spool/cron/mailman
|
||||
#
|
||||
allow crond_t var_spool_t:file { getattr read };
|
||||
allow system_crond_t devpts_t:filesystem getattr;
|
||||
allow system_crond_t sysfs_t:filesystem getattr;
|
||||
allow system_crond_t tmpfs_t:filesystem getattr;
|
||||
allow system_crond_t rpc_pipefs_t:filesystem getattr;
|
||||
|
||||
#
|
||||
# These rules are here to allow system cron jobs to su
|
||||
#
|
||||
ifdef(`su.te', `
|
||||
su_restricted_domain(system_crond,system)
|
||||
role system_r types system_crond_su_t;
|
||||
allow system_crond_su_t crond_t:fifo_file ioctl;
|
||||
')
|
||||
allow system_crond_t self:passwd rootok;
|
||||
#
|
||||
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||||
#
|
||||
allow system_crond_t initctl_t:fifo_file write;
|
||||
dontaudit userdomain system_crond_t:fd use;
|
||||
|
||||
r_dir_file(crond_t, selinux_config_t)
|
||||
|
||||
# Allow system cron jobs to relabel filesystem for restoring file contexts.
|
||||
bool cron_can_relabel false;
|
||||
if (cron_can_relabel) {
|
||||
domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
|
||||
} else {
|
||||
r_dir_file(system_crond_t, file_context_t)
|
||||
can_getsecurity(system_crond_t)
|
||||
}
|
||||
dontaudit system_crond_t removable_t:filesystem getattr;
|
||||
#
|
||||
# Required for webalizer
|
||||
#
|
||||
dontaudit crond_t self:capability sys_tty_config;
|
||||
ifdef(`apache.te', `
|
||||
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
|
||||
allow system_crond_t httpd_modules_t:lnk_file read;
|
||||
# Needed for certwatch
|
||||
can_exec(system_crond_t, httpd_modules_t)
|
||||
')
|
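Review bot: `allow system_crond_t initctl_t:fifo_file write;` near the end of the hunk settles the undecided comment above it (`we either need to allow or dontaudit`) in favour of the permissive option; write access to the init control fifo lets any system cron job send init arbitrary requests such as a runlevel change, not just the re-exec prelink wants, so prefer dontaudit unless the re-exec is really required, and if it is, record that in the comment. Two smaller points in the same hunk: `allow system_crond_t self:passwd rootok;` carries no comment at all, and under `# crond tries to search /root. Not sure why.` the rule grants r_dir_perms on sysadm_home_dir_t although the comment only describes a search; either narrow the rule to search or explain the wider access.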
12
mls/domains/program/crontab.te
Normal file
@ -0,0 +1,12 @@
|
||||
#DESC Crontab - Crontab manipulation programs
|
||||
#
|
||||
# Domains for the crontab program.
|
||||
#
|
||||
# X-Debian-Packages: cron
|
||||
#
|
||||
|
||||
# Type for the crontab executable.
|
||||
type crontab_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
# Everything else is in the crontab_domain macro in
|
||||
# macros/program/crontab_macros.te.
|
321
mls/domains/program/cups.te
Normal file
@ -0,0 +1,321 @@
|
||||
#DESC Cups - Common Unix Printing System
|
||||
#
|
||||
# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
|
||||
# Depends: lpd.te lpr.te
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the cupsd_t domain.
|
||||
#
|
||||
# cupsd_t is the domain of cupsd.
|
||||
# cupsd_exec_t is the type of the cupsd executable.
|
||||
#
|
||||
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
|
||||
etcdir_domain(cupsd)
|
||||
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
|
||||
|
||||
can_network(cupsd_t)
|
||||
allow cupsd_t port_type:tcp_socket name_connect;
|
||||
logdir_domain(cupsd)
|
||||
|
||||
tmp_domain(cupsd, `', { file dir fifo_file })
|
||||
|
||||
allow cupsd_t devpts_t:dir search;
|
||||
|
||||
allow cupsd_t device_t:lnk_file read;
|
||||
allow cupsd_t printer_device_t:chr_file rw_file_perms;
|
||||
allow cupsd_t urandom_device_t:chr_file { getattr read };
|
||||
dontaudit cupsd_t random_device_t:chr_file ioctl;
|
||||
|
||||
# temporary solution, we need something better
|
||||
allow cupsd_t serial_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(cupsd_t, usbdevfs_t)
|
||||
r_dir_file(cupsd_t, usbfs_t)
|
||||
|
||||
ifdef(`logrotate.te', `
|
||||
domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
|
||||
')
|
||||
|
||||
ifdef(`inetd.te', `
|
||||
allow inetd_t printer_port_t:tcp_socket name_bind;
|
||||
domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
|
||||
')
|
||||
|
||||
# write to spool
|
||||
allow cupsd_t var_spool_t:dir search;
|
||||
|
||||
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
|
||||
file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
|
||||
file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
|
||||
allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
|
||||
allow cupsd_t cupsd_etc_t:file setattr;
|
||||
allow cupsd_t cupsd_etc_t:dir setattr;
|
||||
|
||||
allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
|
||||
can_exec(cupsd_t, initrc_exec_t)
|
||||
allow cupsd_t proc_t:file r_file_perms;
|
||||
allow cupsd_t proc_t:dir r_dir_perms;
|
||||
allow cupsd_t self:file { getattr read };
|
||||
read_sysctl(cupsd_t)
|
||||
allow cupsd_t sysctl_dev_t:dir search;
|
||||
allow cupsd_t sysctl_dev_t:file { getattr read };
|
||||
|
||||
# for /etc/printcap
|
||||
dontaudit cupsd_t etc_t:file write;
|
||||
|
||||
# allow cups to execute its backend scripts
|
||||
can_exec(cupsd_t, cupsd_exec_t)
|
||||
allow cupsd_t cupsd_exec_t:dir search;
|
||||
allow cupsd_t cupsd_exec_t:lnk_file read;
|
||||
allow cupsd_t reserved_port_t:tcp_socket name_bind;
|
||||
dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
|
||||
|
||||
allow cupsd_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow cupsd_t self:fifo_file rw_file_perms;
|
||||
|
||||
# Use capabilities.
|
||||
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
|
||||
dontaudit cupsd_t self:capability net_admin;
|
||||
|
||||
#
|
||||
# /usr/lib/cups/backend/serial needs sys_admin
|
||||
# Need new context to run under???
|
||||
allow cupsd_t self:capability sys_admin;
|
||||
|
||||
allow cupsd_t self:process setsched;
|
||||
|
||||
# for /var/lib/defoma
|
||||
allow cupsd_t var_lib_t:dir search;
|
||||
r_dir_file(cupsd_t, readable_t)
|
||||
|
||||
# Bind to the cups/ipp port (631).
|
||||
allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
|
||||
|
||||
can_tcp_connect(web_client_domain, cupsd_t)
|
||||
can_tcp_connect(cupsd_t, cupsd_t)
|
||||
|
||||
# Send to portmap.
|
||||
ifdef(`portmap.te', `
|
||||
can_udp_send(cupsd_t, portmap_t)
|
||||
can_udp_send(portmap_t, cupsd_t)
|
||||
')
|
||||
|
||||
# Write to /var/spool/cups.
|
||||
allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
|
||||
allow cupsd_t print_spool_t:file create_file_perms;
|
||||
allow cupsd_t print_spool_t:file rw_file_perms;
|
||||
|
||||
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
|
||||
allow cupsd_t { bin_t sbin_t }:dir { search getattr };
|
||||
allow cupsd_t bin_t:lnk_file read;
|
||||
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
|
||||
|
||||
# They will also invoke ghostscript, which needs to read fonts
|
||||
read_fonts(cupsd_t)
|
||||
|
||||
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
|
||||
allow cupsd_t lib_t:file { read getattr };
|
||||
|
||||
# read python modules
|
||||
allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
|
||||
|
||||
#
|
||||
# lots of errors generated requiring the following
|
||||
#
|
||||
allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
|
||||
|
||||
#
|
||||
# Satisfy readahead
|
||||
#
|
||||
allow initrc_t cupsd_log_t:file { getattr read };
|
||||
r_dir_file(cupsd_t, var_t)
|
||||
|
||||
r_dir_file(cupsd_t, usercanread)
|
||||
ifdef(`samba.te', `
|
||||
rw_dir_file(cupsd_t, samba_var_t)
|
||||
allow smbd_t cupsd_etc_t:dir search;
|
||||
')
|
||||
|
||||
ifdef(`pam.te', `
|
||||
dontaudit cupsd_t pam_var_run_t:file { getattr read };
|
||||
')
|
||||
dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
|
||||
# PTAL
|
||||
daemon_domain(ptal)
|
||||
etcdir_domain(ptal)
|
||||
|
||||
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
|
||||
allow ptal_t self:capability { chown sys_rawio };
|
||||
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
|
||||
allow ptal_t self:unix_stream_socket { listen accept };
|
||||
can_network_server_tcp(ptal_t)
|
||||
allow ptal_t ptal_port_t:tcp_socket name_bind;
|
||||
allow userdomain ptal_t:unix_stream_socket connectto;
|
||||
allow userdomain ptal_var_run_t:sock_file write;
|
||||
allow userdomain ptal_var_run_t:dir search;
|
||||
allow ptal_t self:fifo_file rw_file_perms;
|
||||
allow ptal_t device_t:dir read;
|
||||
allow ptal_t printer_device_t:chr_file rw_file_perms;
|
||||
allow initrc_t printer_device_t:chr_file getattr;
|
||||
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
r_dir_file(ptal_t, usbdevfs_t)
|
||||
rw_dir_file(ptal_t, usbfs_t)
|
||||
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
|
||||
allow cupsd_t ptal_t:unix_stream_socket connectto;
|
||||
allow cupsd_t ptal_var_run_t:dir search;
|
||||
dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
|
||||
|
||||
allow initrc_t ptal_var_run_t:dir rmdir;
|
||||
allow initrc_t ptal_var_run_t:fifo_file unlink;
|
||||
|
||||
|
||||
# HPLIP
|
||||
daemon_domain(hplip)
|
||||
etcdir_domain(hplip)
|
||||
allow hplip_t etc_t:file r_file_perms;
|
||||
allow hplip_t etc_runtime_t:file { read getattr };
|
||||
allow hplip_t printer_device_t:chr_file rw_file_perms;
|
||||
allow cupsd_t hplip_var_run_t:file { read getattr };
|
||||
allow hplip_t cupsd_etc_t:dir search;
|
||||
can_network(hplip_t)
|
||||
allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
|
||||
allow hplip_t hplip_port_t:tcp_socket name_bind;
|
||||
|
||||
# Uses networking to talk to the daemons
|
||||
allow hplip_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hplip_t self:unix_stream_socket create_socket_perms;
|
||||
allow hplip_t self:rawip_socket create_socket_perms;
|
||||
|
||||
# for python
|
||||
can_exec(hplip_t, bin_t)
|
||||
allow hplip_t { sbin_t bin_t }:dir search;
|
||||
allow hplip_t self:file { getattr read };
|
||||
allow hplip_t proc_t:file r_file_perms;
|
||||
allow hplip_t urandom_device_t:chr_file { getattr read };
|
||||
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
|
||||
allow hplip_t devpts_t:dir search;
|
||||
allow hplip_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
|
||||
dontaudit cupsd_t selinux_config_t:dir search;
|
||||
dontaudit cupsd_t selinux_config_t:file { getattr read };
|
||||
|
||||
allow cupsd_t printconf_t:file { getattr read };
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, cupsd)
|
||||
allow cupsd_t system_dbusd_t:dbus send_msg;
|
||||
allow cupsd_t userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
# CUPS configuration daemon
|
||||
daemon_domain(cupsd_config, `, nscd_client_domain')
|
||||
|
||||
allow cupsd_config_t devpts_t:dir search;
|
||||
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
ifdef(`rpm.te', `
|
||||
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
|
||||
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
|
||||
')
|
||||
allow cupsd_config_t initrc_exec_t:file getattr;
|
||||
')dnl end distro_redhat
|
||||
|
||||
allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
|
||||
allow cupsd_config_t self:file { getattr read };
|
||||
|
||||
allow cupsd_config_t proc_t:file { getattr read };
|
||||
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
|
||||
allow cupsd_config_t cupsd_t:process { signal };
|
||||
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
|
||||
can_ps(cupsd_config_t, cupsd_t)
|
||||
|
||||
allow cupsd_config_t self:capability { chown sys_tty_config };
|
||||
|
||||
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
|
||||
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
|
||||
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
|
||||
file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
|
||||
allow cupsd_config_t var_t:lnk_file read;
|
||||
|
||||
can_network_tcp(cupsd_config_t)
|
||||
can_ypbind(cupsd_config_t)
|
||||
allow cupsd_config_t port_type:tcp_socket name_connect;
|
||||
can_tcp_connect(cupsd_config_t, cupsd_t)
|
||||
allow cupsd_config_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
|
||||
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
|
||||
ifdef(`dbusd.te', `
|
||||
dbusd_client(system, cupsd_config)
|
||||
allow cupsd_config_t userdomain:dbus send_msg;
|
||||
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
allow userdomain cupsd_config_t:dbus send_msg;
|
||||
')dnl end if dbusd.te
|
||||
|
||||
ifdef(`hald.te', `
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
|
||||
allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
|
||||
')dnl end if dbusd.te
|
||||
|
||||
allow hald_t cupsd_config_t:process signal;
|
||||
domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
|
||||
|
||||
') dnl end if hald.te
|
||||
|
||||
|
||||
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
|
||||
ifdef(`hostname.te', `
|
||||
can_exec(cupsd_t, hostname_exec_t)
|
||||
can_exec(cupsd_config_t, hostname_exec_t)
|
||||
')
|
||||
allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
|
||||
allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
|
||||
# killall causes the following
|
||||
dontaudit cupsd_config_t domain:dir { getattr search };
|
||||
dontaudit cupsd_config_t selinux_config_t:dir search;
|
||||
|
||||
can_exec(cupsd_config_t, cupsd_config_exec_t)
|
||||
|
||||
allow cupsd_config_t usr_t:file { getattr read };
|
||||
allow cupsd_config_t var_lib_t:dir { getattr search };
|
||||
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
|
||||
allow cupsd_config_t printconf_t:file { getattr read };
|
||||
|
||||
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
ifdef(`logrotate.te', `
|
||||
allow cupsd_config_t logrotate_t:fd use;
|
||||
')dnl end if logrotate.te
|
||||
allow cupsd_config_t system_crond_t:fd use;
|
||||
allow cupsd_config_t crond_t:fifo_file r_file_perms;
|
||||
allow cupsd_t crond_t:fifo_file read;
|
||||
allow cupsd_t crond_t:fd use;
|
||||
|
||||
# Alternatives asks for this
|
||||
allow cupsd_config_t initrc_exec_t:file getattr;
|
||||
ifdef(`targeted_policy', `
|
||||
can_unix_connect(cupsd_t, initrc_t)
|
||||
allow cupsd_t initrc_t:dbus send_msg;
|
||||
allow initrc_t cupsd_t:dbus send_msg;
|
||||
allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
|
||||
allow unconfined_t cupsd_config_t:dbus send_msg;
|
||||
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
|
||||
')
|
||||
typealias printer_port_t alias cupsd_lpd_port_t;
|
||||
inetd_child_domain(cupsd_lpd)
|
||||
allow inetd_t printer_port_t:tcp_socket name_bind;
|
||||
r_dir_file(cupsd_lpd_t, cupsd_etc_t)
|
||||
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
|
||||
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
|
||||
ifdef(`use_mcs', `
|
||||
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
|
||||
')
|
||||
|
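Review bot: `allow cupsd_t self:capability sys_admin;` (under the `/usr/lib/cups/backend/serial needs sys_admin` comment) hands the whole cupsd_t domain a capability that only the serial backend needs, and the `Need new context to run under???` comment already names the proper fix; either give the serial backend its own domain entered by a domain_auto_trans from cupsd_t, or document which sys_admin operation the backend performs so the grant can be revisited later. Near the end of the hunk, `inetd_child_domain(cupsd_lpd)` and `allow inetd_t printer_port_t:tcp_socket name_bind;` reference inetd_t unconditionally while the earlier inetd rules are wrapped in `ifdef(`inetd.te', ...)`; wrap these the same way or add inetd.te to the `Depends:` header.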
30
mls/domains/program/cvs.te
Normal file
@ -0,0 +1,30 @@
|
||||
#DESC cvs - Concurrent Versions System
|
||||
#
|
||||
# Author: Dan Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
# Depends: inetd.te
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the cvs_t domain.
|
||||
#
|
||||
# cvs_exec_t is the type of the cvs executable.
|
||||
#
|
||||
|
||||
inetd_child_domain(cvs, tcp)
|
||||
typeattribute cvs_t privmail;
|
||||
typeattribute cvs_t auth_chkpwd;
|
||||
|
||||
type cvs_data_t, file_type, sysadmfile, customizable;
|
||||
create_dir_file(cvs_t, cvs_data_t)
|
||||
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
|
||||
allow cvs_t bin_t:dir search;
|
||||
allow cvs_t { bin_t sbin_t }:lnk_file read;
|
||||
allow cvs_t etc_runtime_t:file { getattr read };
|
||||
allow system_mail_t cvs_data_t:file { getattr read };
|
||||
dontaudit cvs_t devtty_t:chr_file { read write };
|
||||
ifdef(`kerberos.te', `
|
||||
# Allow kerberos to work
|
||||
allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
|
||||
dontaudit cvs_t krb5_conf_t:file write;
|
||||
')
|
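Review bot: `can_exec(cvs_t, { bin_t sbin_t shell_exec_t })` lets cvs_t, which inetd_child_domain(cvs, tcp) makes a network-facing service domain, run any bin_t or sbin_t binary and any shell in its own domain; if this exists for repository hook scripts, narrow it to the types those scripts actually need and say so in a comment. The `Rules for the cvs_t domain` header also documents cvs_exec_t but not cvs_data_t, which is declared `customizable` and made writable through create_dir_file(cvs_t, cvs_data_t); a line naming the repository paths it labels would help.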
60
mls/domains/program/cyrus.te
Normal file
@ -0,0 +1,60 @@
|
||||
#DESC cyrus-imapd
|
||||
#
|
||||
# Authors: Dan Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
|
||||
# cyrusd_exec_t is the type of the cyrusd executable.
|
||||
# cyrusd_key_t is the type of the cyrus private key files
|
||||
daemon_domain(cyrus)
|
||||
|
||||
general_domain_access(cyrus_t)
|
||||
file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
|
||||
|
||||
type cyrus_var_lib_t, file_type, sysadmfile;
|
||||
|
||||
allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
|
||||
allow cyrus_t self:process setrlimit;
|
||||
|
||||
can_network(cyrus_t)
|
||||
allow cyrus_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(cyrus_t)
|
||||
can_exec(cyrus_t, bin_t)
|
||||
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
|
||||
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
|
||||
allow cyrus_t etc_t:file { getattr read };
|
||||
allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
|
||||
read_locale(cyrus_t)
|
||||
read_sysctl(cyrus_t)
|
||||
tmp_domain(cyrus)
|
||||
allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
|
||||
allow cyrus_t proc_t:dir search;
|
||||
allow cyrus_t proc_t:file { getattr read };
|
||||
allow cyrus_t sysadm_devpts_t:chr_file { read write };
|
||||
|
||||
allow cyrus_t var_lib_t:dir search;
|
||||
|
||||
allow cyrus_t etc_runtime_t:file { read getattr };
|
||||
ifdef(`crond.te', `
|
||||
system_crond_entry(cyrus_exec_t, cyrus_t)
|
||||
allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
|
||||
allow system_crond_t cyrus_var_lib_t:file create_file_perms;
|
||||
')
|
||||
create_dir_file(cyrus_t, mail_spool_t)
|
||||
allow cyrus_t var_spool_t:dir search;
|
||||
|
||||
ifdef(`saslauthd.te', `
|
||||
allow cyrus_t saslauthd_var_run_t:dir search;
|
||||
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
|
||||
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
|
||||
')
|
||||
|
||||
r_dir_file(cyrus_t, cert_t)
|
||||
allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
|
||||
|
||||
ifdef(`postfix.te', `
|
||||
allow postfix_master_t cyrus_t:unix_stream_socket connectto;
|
||||
allow postfix_master_t var_lib_t:dir search;
|
||||
allow postfix_master_t cyrus_var_lib_t:dir search;
|
||||
allow postfix_master_t cyrus_var_lib_t:sock_file write;
|
||||
')
|
||||
|
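Review bot: the header comment documents `cyrusd_exec_t` and `cyrusd_key_t`, but daemon_domain(cyrus) declares cyrus_exec_t and no key type is declared anywhere in the hunk; the private keys are reached only through `r_dir_file(cyrus_t, cert_t)`, which also exposes every other cert_t file to the daemon. Either declare the key type the comment promises and grant cyrus_t read on that alone, or correct the comment. Also `allow cyrus_t sysadm_devpts_t:chr_file { read write };` lets the daemon write to the administrator's terminal; if it is only needed for messages when the daemon is started from an interactive shell, a dontaudit would be the tighter choice.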
14
mls/domains/program/dbskkd.te
Normal file
@ -0,0 +1,14 @@
|
||||
#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
|
||||
#
|
||||
# Author: Dan Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the dbskkd_t domain.
|
||||
#
|
||||
# dbskkd_exec_t is the type of the dbskkd executable.
|
||||
#
|
||||
# Depends: inetd.te
|
||||
|
||||
inetd_child_domain(dbskkd)
|
27
mls/domains/program/dbusd.te
Normal file
@ -0,0 +1,27 @@
|
||||
#DESC dbus-daemon-1 server for dbus desktop bus protocol
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
|
||||
dbusd_domain(system)
|
||||
|
||||
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
|
||||
|
||||
ifdef(`pamconsole.te', `
|
||||
r_dir_file(system_dbusd_t, pam_var_console_t)
|
||||
')
|
||||
|
||||
# dac_override: /var/run/dbus is owned by messagebus on Debian
|
||||
allow system_dbusd_t self:capability { dac_override setgid setuid };
|
||||
nsswitch_domain(system_dbusd_t)
|
||||
|
||||
# I expect we need more than this
|
||||
|
||||
allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
|
||||
allow initrc_t system_dbusd_t:unix_stream_socket connectto;
|
||||
allow initrc_t system_dbusd_var_run_t:sock_file write;
|
||||
|
||||
can_exec(system_dbusd_t, sbin_t)
|
||||
allow system_dbusd_t self:fifo_file { read write };
|
||||
allow system_dbusd_t self:unix_stream_socket connectto;
|
||||
allow system_dbusd_t self:unix_stream_socket connectto;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
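Review bot: `allow system_dbusd_t self:unix_stream_socket connectto;` appears twice in a row at the end of the hunk; drop the duplicate. The `# I expect we need more than this` comment does not say what is thought to be missing, and `can_exec(system_dbusd_t, sbin_t)` lets the system bus run any sbin_t program without a domain transition; name the binary the bus actually executes, and if these are service helpers give them their own domain rather than running them as system_dbusd_t.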
42
mls/domains/program/ddcprobe.te
Normal file
@ -0,0 +1,42 @@
|
||||
#DESC ddcprobe - output ddcprobe results from kudzu
|
||||
#
|
||||
# Author: dan walsh <dwalsh@redhat.com>
|
||||
#
|
||||
|
||||
type ddcprobe_t, domain, privmem;
|
||||
type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
|
||||
|
||||
# Allow execution by the sysadm
|
||||
role sysadm_r types ddcprobe_t;
|
||||
role system_r types ddcprobe_t;
|
||||
domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
|
||||
|
||||
uses_shlib(ddcprobe_t)
|
||||
|
||||
# Allow terminal access
|
||||
access_terminal(ddcprobe_t, sysadm)
|
||||
|
||||
# Allow ddcprobe to read /dev/mem
|
||||
allow ddcprobe_t memory_device_t:chr_file read;
|
||||
allow ddcprobe_t memory_device_t:chr_file { execute write };
|
||||
allow ddcprobe_t self:process execmem;
|
||||
allow ddcprobe_t zero_device_t:chr_file { execute read };
|
||||
|
||||
allow ddcprobe_t proc_t:dir search;
|
||||
allow ddcprobe_t proc_t:file { getattr read };
|
||||
can_exec(ddcprobe_t, sbin_t)
|
||||
allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
|
||||
allow ddcprobe_t userdomain:fd use;
|
||||
read_sysctl(ddcprobe_t)
|
||||
allow ddcprobe_t urandom_device_t:chr_file { getattr read };
|
||||
allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
|
||||
allow ddcprobe_t self:capability { sys_rawio sys_admin };
|
||||
|
||||
allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
allow ddcprobe_t kudzu_exec_t:file getattr;
|
||||
allow ddcprobe_t lib_t:file { getattr read };
|
||||
read_locale(ddcprobe_t)
|
||||
allow ddcprobe_t modules_object_t:dir search;
|
||||
allow ddcprobe_t modules_dep_t:file { getattr read };
|
||||
allow ddcprobe_t usr_t:file { getattr read };
|
||||
allow ddcprobe_t kernel_t:system syslog_console;
|
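Review bot: the comment `# Allow ddcprobe to read /dev/mem` is followed by `allow ddcprobe_t memory_device_t:chr_file { execute write };`, so the domain gets write and execute on memory_device_t (on top of execmem and `sys_rawio sys_admin`), which the comment does not reflect; write access to /dev/mem amounts to full control of the running kernel, so the comment should state why writable and executable mappings are needed (real-mode BIOS call emulation, if that is the reason) rather than describing the grant as a read. `role system_r types ddcprobe_t;` is also declared while the only transition in the hunk is from sysadm_t; document which system_r domain enters ddcprobe_t or drop the role line.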
169
mls/domains/program/dhcpc.te
Normal file
@ -0,0 +1,169 @@
|
||||
#DESC DHCPC - DHCP client
|
||||
#
|
||||
# Authors: Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
|
||||
# Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: pump dhcp-client udhcpc
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the dhcpc_t domain.
|
||||
#
|
||||
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
|
||||
# network configurator daemon started by /etc/sysconfig/network-scripts
|
||||
# rc scripts, runs in this domain.
|
||||
# dhcpc_exec_t is the type of the dhcpcd executable.
|
||||
# The dhcpc_t can be used for other DHCPC related files as well.
|
||||
#
|
||||
daemon_domain(dhcpc)
|
||||
|
||||
# for SSP
|
||||
allow dhcpc_t urandom_device_t:chr_file read;
|
||||
|
||||
can_network(dhcpc_t)
|
||||
allow dhcpc_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(dhcpc_t)
|
||||
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
|
||||
allow dhcpc_t self:unix_stream_socket create_socket_perms;
|
||||
allow dhcpc_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow dhcpc_t devpts_t:dir search;
|
||||
|
||||
# for localization
|
||||
allow dhcpc_t lib_t:file { getattr read };
|
||||
|
||||
ifdef(`consoletype.te', `
|
||||
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
|
||||
')
|
||||
ifdef(`nscd.te', `
|
||||
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
|
||||
allow dhcpc_t nscd_var_run_t:file { getattr read };
|
||||
')
|
||||
ifdef(`cardmgr.te', `
|
||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
||||
allow cardmgr_t dhcpc_t:process signal_perms;
|
||||
allow cardmgr_t dhcpc_var_run_t:file unlink;
|
||||
allow dhcpc_t cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
ifdef(`hotplug.te', `
|
||||
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
')
')dnl end hotplug.te

# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
ifdef(`hotplug.te', `
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
', `
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
') dnl end if ping

ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
')
type dhcpc_state_t, file_type, sysadmfile;

allow dhcpc_t etc_t:lnk_file read;
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
allow dhcpc_t proc_net_t:dir search;
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
allow dhcpc_t self:file { getattr read };
read_sysctl(dhcpc_t)
allow dhcpc_t userdomain:fd use;
ifdef(`run_init.te', `
allow dhcpc_t run_init_t:fd use;
')

# Use capabilities
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };

# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };

# for udp port 68
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;

# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)

# Allow access to the dhcpc file types
r_dir_file(dhcpc_t, dhcp_etc_t)
allow dhcpc_t sbin_t:dir search;
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
ifdef(`distro_redhat', `
can_exec(dhcpc_t, etc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
ifdef(`ifconfig.te', `
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig


tmp_domain(dhcpc)

# Allow dhcpc_t to use packet sockets
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
rw_dir_create_file(dhcpc_t, dhcpc_state_t)
allow dhcpc_t dhcp_state_t:file { getattr read };

allow dhcpc_t bin_t:dir { getattr search };
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })

ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
allow dhcpc_t { userdomain kernel_t }:fd use;

allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
#
# dhclient sometimes starts ypbind and ntdp
#
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
allow dhcpc_t ypbind_t:process signal;
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')
role sysadm_r types dhcpc_t;
domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
ifdef(`dbusd.te', `
dbusd_client(system, dhcpc)
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')dnl end ifdef unconfined.te
')
ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
allow dhcpc_t locale_t:file write;
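Review bot: the last line of this hunk, `allow dhcpc_t locale_t:file write;`, gives a network-facing DHCP client write access to locale data with no comment saying why; nothing a DHCP client does should modify locale files, so this reads like an audit2allow leftover and should become a `dontaudit` (or be dropped) unless a real need is documented. In the same hunk, `can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })` makes files labelled `dhcp_etc_t` executable by the client although `dhcp_etc_t` is declared as `usercanread` configuration; a comment should say these are the dhclient hook scripts, and the hook directory would be better served by its own exec type so that whoever can edit the config cannot also change what the client executes. Minor: the comment `# dhclient sometimes starts ypbind and ntdp` should read `ntpd`.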
79
mls/domains/program/dhcpd.te
Normal file
@ -0,0 +1,79 @@
#DESC DHCPD - DHCP server
#
# Author: Russell Coker <russell@coker.com.au>
# based on the dhcpc_t policy from:
# Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# X-Debian-Packages: dhcp dhcp3-server
#

#################################
#
# Rules for the dhcpd_t domain.
#
# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP
# server daemon rc scripts, runs in this domain.
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
#
daemon_domain(dhcpd, `, nscd_client_domain')

# for UDP port 4011
allow dhcpd_t pxe_port_t:udp_socket name_bind;

type dhcp_etc_t, file_type, sysadmfile, usercanread;

# Use the network.
can_network(dhcpd_t)
allow dhcpd_t port_type:tcp_socket name_connect;
allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;

allow dhcpd_t var_lib_t:dir search;

allow dhcpd_t devtty_t:chr_file { read write };

# Use capabilities
allow dhcpd_t self:capability { net_raw net_bind_service };
dontaudit dhcpd_t self:capability net_admin;

# Allow access to the dhcpd file types
type dhcp_state_t, file_type, sysadmfile;
type dhcpd_state_t, file_type, sysadmfile;
allow dhcpd_t dhcp_etc_t:file { read getattr };
allow dhcpd_t dhcp_etc_t:dir search;
file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
rw_dir_create_file(dhcpd_t, dhcpd_state_t)

allow dhcpd_t etc_t:lnk_file read;
allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;

# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
can_exec(dhcpd_t, { dhcpd_exec_t bin_t })

# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;

# allow to run utilities and scripts
allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
allow dhcpd_t self:fifo_file { read write getattr };

# allow reading /proc
allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
tmp_domain(dhcpd)

ifdef(`distro_gentoo', `
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
allow initrc_t dhcpd_state_t:file setattr;
')
r_dir_file(dhcpd_t, usr_t)
allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;

ifdef(`named.te', `
allow dhcpd_t { named_conf_t named_zone_t }:dir search;
allow dhcpd_t dnssec_t:file { getattr read };
')
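Review bot: `allow dhcpd_t port_type:tcp_socket name_connect;` lets the DHCP server open a TCP connection to every labelled port, which is far wider than the DDNS updates to named that the `ifdef(`named.te'` block at the end of the hunk suggests are the reason; name the specific port type(s) needed instead of `port_type`. Two comment fixes in the header block: `dhcpdd executable` should be `dhcpd executable`, and `other DHCPC related files` should read `DHCPD`, since this is the server domain, not the client.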
48
mls/domains/program/dictd.te
Normal file
@ -0,0 +1,48 @@
#DESC Dictd - Dictionary daemon
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dictd
#

#################################
#
# Rules for the dictd_t domain.
#
# dictd_exec_t is the type of the dictd executable.
#
daemon_base_domain(dictd)
type dictd_var_lib_t, file_type, sysadmfile;
typealias dictd_var_lib_t alias var_lib_dictd_t;
etc_domain(dictd)

# for checking for nscd
dontaudit dictd_t var_run_t:dir search;

# read config files
allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;

read_locale(dictd_t)

allow dictd_t { var_t var_lib_t }:dir search;
allow dictd_t dictd_var_lib_t:dir r_dir_perms;
allow dictd_t dictd_var_lib_t:file r_file_perms;

allow dictd_t self:capability { setuid setgid };

allow dictd_t usr_t:file r_file_perms;

allow dictd_t self:process { setpgid fork sigchld };

allow dictd_t proc_t:file r_file_perms;

allow dictd_t dict_port_t:tcp_socket name_bind;

allow dictd_t devtty_t:chr_file rw_file_perms;

allow dictd_t self:unix_stream_socket create_stream_socket_perms;

can_network_server(dictd_t)
can_ypbind(dictd_t)
can_tcp_connect(userdomain, dictd_t)

allow dictd_t fs_t:filesystem getattr;
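Review bot: `typealias dictd_var_lib_t alias var_lib_dictd_t;` carries no comment; a one-line note that `var_lib_dictd_t` is a compatibility alias for existing file contexts would stop it being removed later as dead code. Also, this file uses `daemon_base_domain(dictd)` where the other daemons in this commit use `daemon_domain`, so dictd gets no pid-file type of its own; if that is deliberate (dictd writes no pid file) say so next to the macro, otherwise the `# for checking for nscd` dontaudit on `var_run_t:dir search` may be masking a real access.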
29
mls/domains/program/dmesg.te
Normal file
@ -0,0 +1,29 @@
#DESC dmesg - control kernel ring buffer
#
# Author: Dan Walsh dwalsh@redhat.com
#
# X-Debian-Packages: util-linux

#################################
#
# Rules for the dmesg_t domain.
#
# dmesg_exec_t is the type of the dmesg executable.
#
# while sysadm_t has the sys_admin capability there is no point in using
# dmesg_t when run from sysadm_t, so we use nosysadm.
#
daemon_base_domain(dmesg, , `nosysadm')

#
# Rules used for dmesg
#
allow dmesg_t self:capability sys_admin;
allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
allow dmesg_t admin_tty_type:chr_file { getattr read write };
allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
allow dmesg_t var_log_t:file { getattr write };
read_locale(dmesg_t)

# for when /usr is not mounted
dontaudit dmesg_t file_t:dir search;
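Review bot: `allow dmesg_t var_log_t:file { getattr write };` allows writing to any file of type `var_log_t`, not just the boot-time `dmesg > /var/log/dmesg` redirect this is presumably for; the rule needs a comment stating that purpose, and a dedicated log type (or `append` rather than `write`) would limit what a compromised dmesg could overwrite. The `syslog_mod` permission on `kernel_t:system` is what lets `dmesg -c` clear the ring buffer and `dmesg -n` change the console log level; since `nosysadm` keeps sysadm_t out of this domain, the callers that do reach it (init scripts) get that clearing ability, which is worth a comment as well.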
22
mls/domains/program/dmidecode.te
Normal file
@ -0,0 +1,22 @@
#DESC dmidecode - decodes DMI data for x86/ia64 bioses
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#

type dmidecode_t, domain, privmem;
type dmidecode_exec_t, file_type, exec_type, sysadmfile;

# Allow execution by the sysadm
role sysadm_r types dmidecode_t;
role system_r types dmidecode_t;
domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)

uses_shlib(dmidecode_t)

# Allow terminal access
access_terminal(dmidecode_t, sysadm)

# Allow dmidecode to read /dev/mem
allow dmidecode_t memory_device_t:chr_file read;

allow dmidecode_t self:capability sys_rawio;
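Review bot: `role system_r types dmidecode_t;` is declared but the hunk defines no transition from any system_r domain (the only one is `domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)`), so either the role line is dead or a transition from initrc_t (or whichever system service calls dmidecode) is missing; whichever is intended should be stated. Note also that the `privmem` attribute together with `memory_device_t:chr_file read` and `sys_rawio` gives this domain read access to physical memory; the DESC line should make that explicit so nobody later makes the domain reachable from an ordinary user role.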
75
mls/domains/program/dovecot.te
Normal file
@ -0,0 +1,75 @@
#DESC Dovecot POP and IMAP servers
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dovecot-imapd, dovecot-pop3d

#
# Main dovecot daemon
#
daemon_domain(dovecot, `, privhome')
etc_domain(dovecot);

allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;

can_exec(dovecot_t, dovecot_exec_t)

type dovecot_cert_t, file_type, sysadmfile;
type dovecot_passwd_t, file_type, sysadmfile;
type dovecot_spool_t, file_type, sysadmfile;

allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
can_network_tcp(dovecot_t)
allow dovecot_t port_type:tcp_socket name_connect;
can_ypbind(dovecot_t)
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(dovecot_t, self)

allow dovecot_t etc_t:file { getattr read };
allow dovecot_t initrc_var_run_t:file getattr;
allow dovecot_t bin_t:dir { getattr search };
can_exec(dovecot_t, bin_t)

allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file { getattr read };
allow dovecot_t cert_t:dir search;
r_dir_file(dovecot_t, dovecot_cert_t)
r_dir_file(dovecot_t, cert_t)

allow dovecot_t { self proc_t }:file { getattr read };
allow dovecot_t self:fifo_file rw_file_perms;

can_kerberos(dovecot_t)

allow dovecot_t tmp_t:dir search;
rw_dir_create_file(dovecot_t, mail_spool_t)


create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
allow dovecot_t var_spool_t:dir { search };

#
# Dovecot auth daemon
#
daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
can_ldap(dovecot_auth_t)
can_ypbind(dovecot_auth_t)
can_kerberos(dovecot_auth_t)
can_resolve(dovecot_auth_t)
allow dovecot_auth_t self:process { fork signal_perms };
allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
allow dovecot_auth_t self:fifo_file rw_file_perms;
allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
allow dovecot_auth_t etc_t:file { getattr read };
allow dovecot_auth_t { self proc_t }:file { getattr read };
read_locale(dovecot_auth_t)
read_sysctl(dovecot_auth_t)
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
dontaudit dovecot_auth_t selinux_config_t:dir search;
allow dovecot_auth_t etc_runtime_t:file { getattr read };
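Review bot: `allow dovecot_t port_type:tcp_socket name_connect;` gives the main, network-facing daemon, which also holds `dac_override dac_read_search ... sys_chroot`, outbound connect to every port type, while the work that actually needs outbound connections (LDAP, Kerberos, DNS) is already split into `dovecot_auth_t` via `can_ldap`, `can_kerberos` and `can_resolve`; narrow the main daemon to the port types it needs or move the rule to the auth sub-domain. The split of `dovecot_passwd_t` so that only `dovecot_auth_t` can read it is the right shape and should be kept. Style: `etc_domain(dovecot);` has a trailing semicolon that the other macro calls in this file do not; m4 passes it through into the compiled policy and it should be dropped for consistency.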
32
mls/domains/program/fetchmail.te
Normal file
@ -0,0 +1,32 @@
#DESC fetchmail - remote-mail retrieval utility
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: fetchmail
# Depends: mta.te
#
# Note: This policy is only required when running fetchmail in daemon mode.

#################################
#
# Rules for the fetchmail_t domain.
#
daemon_domain(fetchmail);
type fetchmail_etc_t, file_type, sysadmfile;
type fetchmail_uidl_cache_t, file_type, sysadmfile;

# misc. requirements
allow fetchmail_t self:process setrlimit;

# network-related goodies
can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
can_network_udp(fetchmail_t, dns_port_t)
allow fetchmail_t port_type:tcp_socket name_connect;

allow fetchmail_t self:unix_dgram_socket create_socket_perms;
allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;

# file access
allow fetchmail_t etc_t:file r_file_perms;
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
allow fetchmail_t mail_spool_t:dir search;
file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
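Review bot: `allow fetchmail_t port_type:tcp_socket name_connect;` cancels the restriction set up one line earlier by `can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })`; it should be `allow fetchmail_t { dns_port_t pop_port_t smtp_port_t }:tcp_socket name_connect;` (plus whatever IMAP or submission port a given setup actually uses) so that a compromised fetchmail cannot reach arbitrary services. Style: `daemon_domain(fetchmail);` has a stray trailing semicolon; the other `daemon_domain` calls in this commit have none.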
80
mls/domains/program/fingerd.te
Normal file
@ -0,0 +1,80 @@
#DESC Fingerd - Finger daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#

#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)

etcdir_domain(fingerd)

allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };

log_domain(fingerd)
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')

allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')

allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;

# cfingerd runs shell scripts
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };

allow fingerd_t { ttyfile ptyfile }:chr_file getattr;

# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)

allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };

# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)

# for .finger, .plan. etc
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;

# for mail
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;

# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
allow fingerd_t ptyfile:chr_file getattr;

allow fingerd_t proc_t:file { read getattr };

# for date command
read_sysctl(fingerd_t)
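Review bot: `allow fingerd_t user_home_type:file { getattr read };` lets an unauthenticated network service read every regular file directly under every user's home directory, not only `.plan`, `.project` and `.forward`; the `# should really have a different type for .plan etc` comment acknowledges this, but until that type exists the exposure should be stated in the DESC header so that deployers know what finger can disclose. In the same hunk, `can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })` is justified only by `# cfingerd runs shell scripts`, so it should be wrapped in a conditional (a boolean or an `ifdef`) rather than granting shell execution to the plain fingerd, efingerd and ffingerd packages listed in X-Debian-Packages as well.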
131
mls/domains/program/firstboot.te
Normal file
@ -0,0 +1,131 @@
#DESC firstboot
#
# Author: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: firstboot
#

#################################
#
# Rules for the firstboot_t domain.
#
# firstboot_exec_t is the type of the firstboot executable.
#
application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;

ifdef(`xserver.te', `
domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
')

etc_domain(firstboot)

allow firstboot_t proc_t:file r_file_perms;

allow firstboot_t urandom_device_t:chr_file { getattr read };
allow firstboot_t proc_t:file { getattr read write };

domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)

can_exec_any(firstboot_t)
ifdef(`useradd.te',`
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
')
allow firstboot_t etc_runtime_t:file { getattr read };

r_dir_file(firstboot_t, etc_t)

allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
allow firstboot_t self:fifo_file { getattr read write };
allow firstboot_t self:process { fork sigchld };
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t initrc_exec_t:file { getattr read };
allow firstboot_t initrc_var_run_t:file r_file_perms;
allow firstboot_t lib_t:file { getattr read };
allow firstboot_t local_login_t:fd use;
read_locale(firstboot_t)

allow firstboot_t proc_t:dir search;
allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
allow firstboot_t usr_t:file r_file_perms;

allow firstboot_t etc_t:file write;

# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;

ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')

dontaudit firstboot_t shadow_t:file getattr;

role system_r types initrc_t;
#role_transition firstboot_r initrc_exec_t system_r;
domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)

allow firstboot_t self:passwd rootok;

ifdef(`userhelper.te', `
role system_r types sysadm_userhelper_t;
domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
')

ifdef(`consoletype.te', `
allow consoletype_t devtty_t:chr_file { read write };
allow consoletype_t etc_t:file { getattr read };
allow consoletype_t firstboot_t:fd use;
')

allow firstboot_t etc_t:{ file lnk_file } create_file_perms;

allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:dir search;
allow firstboot_t self:file { read write };
allow firstboot_t self:lnk_file read;
can_setfscreate(firstboot_t)
allow firstboot_t krb5_conf_t:file rw_file_perms;

allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;

can_getsecurity(firstboot_t)

dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
read_sysctl(firstboot_t)

allow firstboot_t var_run_t:dir getattr;
allow firstboot_t var_t:dir getattr;
ifdef(`hostname.te', `
allow hostname_t devtty_t:chr_file { read write };
allow hostname_t firstboot_t:fd use;
')
ifdef(`iptables.te', `
allow iptables_t devtty_t:chr_file { read write };
allow iptables_t firstboot_t:fd use;
allow iptables_t firstboot_t:fifo_file write;
')
can_network_server(firstboot_t)
can_ypbind(firstboot_t)
ifdef(`printconf.te', `
can_exec(firstboot_t, printconf_t)
')
create_dir_file(firstboot_t, var_t)
# Add/remove user home directories
file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)

#
# The big hammer
#
unconfined_domain(firstboot_t)
ifdef(`targeted_policy', `
allow firstboot_t unconfined_t:process transition;
')

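Review bot: `unconfined_domain(firstboot_t)` at the end of the hunk makes every preceding rule in the file redundant, including `dontaudit firstboot_t shadow_t:file getattr;` and the careful `file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)` labelling; the `# The big hammer` comment should say whether the fine-grained rules are being kept so that the unconfined line can be removed once firstboot is fully characterised, otherwise they are dead weight that will drift out of date. Two smaller points: `allow firstboot_t proc_t:file { getattr read write };` repeats the earlier `allow firstboot_t proc_t:file r_file_perms;` and the two can be merged, and `role system_r types initrc_t;` is a global role declaration that does not belong in a per-program file.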
28
mls/domains/program/fs_daemon.te
Normal file
@ -0,0 +1,28 @@
#DESC file system daemons
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: smartmontools

daemon_domain(fsdaemon, `, fs_domain, privmail')
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;

# for config
allow fsdaemon_t etc_t:file { getattr read };

allow fsdaemon_t device_t:dir read;
allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
allow fsdaemon_t etc_runtime_t:file { getattr read };

allow fsdaemon_t proc_mdstat_t:file { getattr read };

can_exec_any(fsdaemon_t)
allow fsdaemon_t self:fifo_file rw_file_perms;
can_network_udp(fsdaemon_t)
tmp_domain(fsdaemon)
allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };

dontaudit fsdaemon_t devpts_t:dir search;
allow fsdaemon_t proc_t:file { getattr read };
dontaudit system_mail_t fixed_disk_device_t:blk_file read;
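Review bot: `dontaudit system_mail_t fixed_disk_device_t:blk_file read;` on the last line is hiding a descriptor leak rather than fixing one: the mailer that smartd spawns for alerts only trips this check because it inherits the open disk device descriptor from `fsdaemon_t`. The right fix is for the daemon to close the device (or mark it close-on-exec) before running its mail hook, after which the dontaudit can go; at minimum the line needs a comment saying that is what it is covering. Separately, `allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;` together with `sys_rawio` and `can_exec_any(fsdaemon_t)` is a lot for a monitoring daemon; a comment on why write on the raw disk is required would help the next reviewer.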
123
mls/domains/program/fsadm.te
Normal file
@ -0,0 +1,123 @@
#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#

#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;

general_domain_access(fsadm_t)

# for swapon
r_dir_file(fsadm_t, sysfs_t)

# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)

# Read system variables in /proc/sys
read_sysctl(fsadm_t)

# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };

base_file_read_access(fsadm_t)

# Read /etc.
r_dir_file(fsadm_t, etc_t)

# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;

# Read /dev directories and any symbolic links.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;

uses_shlib(fsadm_t)

type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
tmp_domain(fsadm)

# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;

allow fsadm_t fs_t:filesystem getattr;

# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;

# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };

# Use capabilities. ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };

# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)

# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;

# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)

# Access disk devices.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;

# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;

allow fsadm_t file_t:dir { search read getattr rmdir create };

# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };

# Recreate /dev/cdrom.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };

# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };

# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;

# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;

read_locale(fsadm_t)

# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)

# Access to /initrd devices
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
allow fsadm_t device_type:chr_file getattr;

# for tune2fs
allow fsadm_t file_type:dir { getattr search };
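Review bot: `allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;` and `allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;` under `# Access to /initrd devices` grant write access to unlabeled and default-labelled objects; in an MLS policy `unlabeled_t` is also where objects whose contexts have become invalid end up, and this domain already carries `mlsfileread, mlsfilewrite` plus raw disk write through `fixed_disk_device_t:devfile_class_set rw_file_perms`, so the combination makes `fsadm_t` a trusted subject in all but name. That is probably unavoidable for fsck and mkfs, but the header comment should say so, and the initrd case should be stated as the only justification for the `unlabeled_t` part. Minor: the `rw_dir_perms` on `file_t:dir` here overlaps the earlier `allow fsadm_t file_t:dir { search read getattr rmdir create };`, and `allow fsadm_t file_type:dir { getattr search };` `# for tune2fs` reaches every directory type in the policy; both deserve a word on why.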
116
mls/domains/program/ftpd.te
Normal file
116
mls/domains/program/ftpd.te
Normal file
@ -0,0 +1,116 @@
|
||||
#DESC Ftpd - Ftp daemon
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the ftpd_t domain
|
||||
#
|
||||
daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
|
||||
etc_domain(ftpd)
|
||||
|
||||
can_network(ftpd_t)
|
||||
allow ftpd_t port_type:tcp_socket name_connect;
|
||||
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow ftpd_t self:unix_stream_socket create_socket_perms;
|
||||
allow ftpd_t self:process { getcap setcap setsched setrlimit };
|
||||
allow ftpd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow ftpd_t bin_t:dir search;
|
||||
can_exec(ftpd_t, bin_t)
|
||||
allow ftpd_t bin_t:lnk_file read;
|
||||
read_sysctl(ftpd_t)
|
||||
|
||||
allow ftpd_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
ifdef(`crond.te', `
|
||||
system_crond_entry(ftpd_exec_t, ftpd_t)
|
||||
allow system_crond_t xferlog_t:file r_file_perms;
|
||||
can_exec(ftpd_t, { sbin_t shell_exec_t })
|
||||
allow ftpd_t usr_t:file { getattr read };
|
||||
ifdef(`logrotate.te', `
|
||||
can_exec(ftpd_t, logrotate_exec_t)
|
||||
')dnl end if logrotate.te
|
||||
')dnl end if crond.te
|
||||
|
||||
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
|
||||
allow ftpd_t port_t:tcp_socket name_bind;
|
||||
|
||||
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
|
||||
type ftpd_lock_t, file_type, sysadmfile, lockfile;
|
||||
|
||||
# Allow ftpd to run directly without inetd.
|
||||
bool ftpd_is_daemon false;
|
||||
if (ftpd_is_daemon) {
|
||||
file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
|
||||
allow ftpd_t ftp_port_t:tcp_socket name_bind;
|
||||
can_tcp_connect(userdomain, ftpd_t)
|
||||
# Allows it to check exec privs on daemon
|
||||
allow inetd_t ftpd_exec_t:file x_file_perms;
|
||||
}
|
||||
ifdef(`inetd.te', `
|
||||
if (!ftpd_is_daemon) {
|
||||
ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
|
||||
domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
|
||||
|
||||
# Use sockets inherited from inetd.
|
||||
allow ftpd_t inetd_t:fd use;
|
||||
allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
|
||||
|
||||
# Send SIGCHLD to inetd on death.
|
||||
allow ftpd_t inetd_t:process sigchld;
|
||||
}
|
||||
') dnl end inetd.te
|
||||
|
||||
# Access shared memory tmpfs instance.
|
||||
tmpfs_domain(ftpd)
|
||||
|
||||
# Use capabilities.
|
||||
allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
|
||||
|
||||
# Append to /var/log/wtmp.
|
||||
allow ftpd_t wtmp_t:file { getattr append };
|
||||
#kerberized ftp requires the following
|
||||
allow ftpd_t wtmp_t:file { write lock };
|
||||
|
||||
# Create and modify /var/log/xferlog.
|
||||
type xferlog_t, file_type, sysadmfile, logfile;
|
||||
file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
|
||||
|
||||
# Execute /bin/ls (can comment this out for proftpd)
|
||||
# also may need rules to allow tar etc...
|
||||
can_exec(ftpd_t, ls_exec_t)
|
||||
|
||||
allow initrc_t ftpd_etc_t:file { getattr read };
|
||||
allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
allow ftpd_t proc_t:file { getattr read };
|
||||
|
||||
dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
|
||||
dontaudit ftpd_t selinux_config_t:dir search;
|
||||
allow ftpd_t autofs_t:dir search;
|
||||
allow ftpd_t self:file { getattr read };
|
||||
tmp_domain(ftpd)
|
||||
|
||||
# Allow ftp to read/write files in the user home directories.
|
||||
bool ftp_home_dir false;
|
||||
|
||||
if (ftp_home_dir) {
|
||||
# allow access to /home
|
||||
allow ftpd_t home_root_t:dir r_dir_perms;
|
||||
create_dir_file(ftpd_t, home_type)
|
||||
ifdef(`targeted_policy', `
|
||||
file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
|
||||
')
|
||||
}
|
||||
if (use_nfs_home_dirs && ftp_home_dir) {
|
||||
r_dir_file(ftpd_t, nfs_t)
|
||||
}
|
||||
if (use_samba_home_dirs && ftp_home_dir) {
|
||||
r_dir_file(ftpd_t, cifs_t)
|
||||
}
|
||||
dontaudit ftpd_t selinux_config_t:dir search;
|
||||
anonymous_domain(ftpd)
|
||||
|
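Review bot: `dontaudit ftpd_t selinux_config_t:dir search;` appears twice in this hunk (once after the proc_t read rule, again just before `anonymous_domain(ftpd)`); drop the second copy. Separately, the `ftp_home_dir` block's comment says "allow access to /home", but `create_dir_file(ftpd_t, home_type)` grants create and write on every home_type, not just read, and applies in both targeted and strict builds while the `file_type_auto_trans` beneath it only applies under targeted_policy; the comment should state the write scope so an administrator knows what enabling the boolean permits.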
61
mls/domains/program/getty.te
Normal file
@ -0,0 +1,61 @@
|
||||
#DESC Getty - Manage ttys
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the getty_t domain.
|
||||
#
|
||||
init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')
|
||||
|
||||
etcdir_domain(getty)
|
||||
|
||||
allow getty_t console_device_t:chr_file setattr;
|
||||
|
||||
tmp_domain(getty)
|
||||
log_domain(getty)
|
||||
|
||||
allow getty_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
allow getty_t etc_t:lnk_file read;
|
||||
allow getty_t self:process { getpgid getsession };
|
||||
allow getty_t self:unix_dgram_socket create_socket_perms;
|
||||
allow getty_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
|
||||
|
||||
read_locale(getty_t)
|
||||
|
||||
# Run login in local_login_t domain.
|
||||
allow getty_t { sbin_t bin_t }:dir search;
|
||||
domain_auto_trans(getty_t, login_exec_t, local_login_t)
|
||||
|
||||
# Write to /var/run/utmp.
|
||||
allow getty_t { var_t var_run_t }:dir search;
|
||||
allow getty_t initrc_var_run_t:file rw_file_perms;
|
||||
|
||||
# Write to /var/log/wtmp.
|
||||
allow getty_t wtmp_t:file rw_file_perms;
|
||||
|
||||
# Chown, chmod, read and write ttys.
|
||||
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
|
||||
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
|
||||
dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
|
||||
|
||||
# for error condition handling
|
||||
allow getty_t fs_t:filesystem getattr;
|
||||
|
||||
lock_domain(getty)
|
||||
r_dir_file(getty_t, sysfs_t)
|
||||
# for mgetty
|
||||
var_run_domain(getty)
|
||||
allow getty_t self:capability { fowner fsetid };
|
||||
|
||||
#
|
||||
# getty needs to be able to run pppd
|
||||
#
|
||||
ifdef(`pppd.te', `
|
||||
domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
|
||||
')
|
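Review bot: `init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')` gives getty the mlsfileread and mlsfilewrite override attributes without a comment saying why a tty manager must read and write files across sensitivity levels; since this is the MLS policy, add a comment naming the files involved (the utmp/wtmp rules further down are the likely reason) or drop the attributes if the ranged types suffice. Minor: the `{ fowner fsetid }` capability grant under `# for mgetty` sits apart from the `# Use capabilities.` block above; either merge it or keep the per-package comment beside it.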
13
mls/domains/program/gpg-agent.te
Normal file
@ -0,0 +1,13 @@
|
||||
#DESC gpg-agent - agent to securely store gpg-keys
|
||||
#
|
||||
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
||||
#
|
||||
|
||||
# Type for the gpg-agent executable.
|
||||
type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
|
||||
|
||||
# type for the pinentry executable
|
||||
type pinentry_exec_t, file_type, exec_type, sysadmfile;
|
||||
|
||||
# Everything else is in the gpg_agent_domain macro in
|
||||
# macros/program/gpg_agent_macros.te.
|
15
mls/domains/program/gpg.te
Normal file
@ -0,0 +1,15 @@
|
||||
#DESC GPG - Gnu Privacy Guard (PGP replacement)
|
||||
#
|
||||
# Authors: Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: gnupg
|
||||
#
|
||||
|
||||
# Type for gpg or pgp executables.
|
||||
type gpg_exec_t, file_type, sysadmfile, exec_type;
|
||||
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
|
||||
allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
|
||||
|
||||
# Everything else is in the gpg_domain macro in
|
||||
# macros/program/gpg_macros.te.
|
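Review bot: the two `allow sysadm_gpg_t ...` rules reference `sysadm_gpg_t`, which is not declared in this file; the closing comment says the domain comes from the gpg_domain macro in macros/program/gpg_macros.te, so this file only compiles if that macro has been instantiated for sysadm before these rules are reached. Either move the home_root_t/user_home_dir_type search and ptyfile read-write rules into the macro (parameterised on the user) so every gpg domain gets them consistently, or document the ordering dependency here.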
45
mls/domains/program/gpm.te
Normal file
@ -0,0 +1,45 @@
|
||||
#DESC Gpm - General Purpose Mouse driver
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# X-Debian-Packages: gpm
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the gpm_t domain.
|
||||
#
|
||||
# gpm_t is the domain of the console mouse server.
|
||||
# gpm_exec_t is the type of the console mouse server program.
|
||||
# gpmctl_t is the type of the Unix domain socket or pipe created
|
||||
# by the console mouse server.
|
||||
#
|
||||
daemon_domain(gpm)
|
||||
|
||||
type gpmctl_t, file_type, sysadmfile, dev_fs;
|
||||
|
||||
tmp_domain(gpm)
|
||||
|
||||
# Allow to read the /etc/gpm/ conf files
|
||||
type gpm_conf_t, file_type, sysadmfile;
|
||||
r_dir_file(gpm_t, gpm_conf_t)
|
||||
|
||||
# Use capabilities.
|
||||
allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
|
||||
|
||||
# Create and bind to /dev/gpmctl.
|
||||
file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
|
||||
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
|
||||
allow gpm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# Read and write ttys.
|
||||
allow gpm_t tty_device_t:chr_file rw_file_perms;
|
||||
|
||||
# Access the mouse.
|
||||
allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
|
||||
allow gpm_t device_t:lnk_file { getattr read };
|
||||
|
||||
read_locale(gpm_t)
|
||||
|
||||
allow initrc_t gpmctl_t:sock_file setattr;
|
||||
|
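Review bot: `allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };` grants sys_admin with no comment; the rest of the hunk only needs tty, mouse device and /dev/gpmctl access, none of which requires sys_admin, so either justify it in a comment (which operation fails without it) or test with it removed or dontaudited. Also `allow initrc_t gpmctl_t:sock_file setattr;` at the end is an initrc_t rule with no comment; state why the init scripts change attributes on the socket.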
104
mls/domains/program/hald.te
Normal file
@ -0,0 +1,104 @@
|
||||
#DESC hald - server for device info
|
||||
#
|
||||
# Author: Russell Coker <rcoker@redhat.com>
|
||||
# X-Debian-Packages:
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the hald_t domain.
|
||||
#
|
||||
# hald_exec_t is the type of the hald executable.
|
||||
#
|
||||
daemon_domain(hald, `, fs_domain, nscd_client_domain')
|
||||
|
||||
can_exec_any(hald_t)
|
||||
|
||||
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
|
||||
allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow hald_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
ifdef(`dbusd.te', `
|
||||
allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
|
||||
dbusd_client(system, hald)
|
||||
allow hald_t self:dbus send_msg;
|
||||
')
|
||||
|
||||
allow hald_t self:file { getattr read };
|
||||
allow hald_t proc_t:file rw_file_perms;
|
||||
|
||||
allow hald_t { bin_t sbin_t }:dir search;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
allow hald_t usr_t:file { getattr read };
|
||||
allow hald_t bin_t:file getattr;
|
||||
|
||||
# For backwards compatibility with older kernels
|
||||
allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
|
||||
can_network_server(hald_t)
|
||||
can_ypbind(hald_t)
|
||||
|
||||
allow hald_t device_t:lnk_file read;
|
||||
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
|
||||
allow hald_t removable_device_t:blk_file write;
|
||||
allow hald_t event_device_t:chr_file { getattr read ioctl };
|
||||
allow hald_t printer_device_t:chr_file rw_file_perms;
|
||||
allow hald_t urandom_device_t:chr_file read;
|
||||
allow hald_t mouse_device_t:chr_file r_file_perms;
|
||||
allow hald_t device_type:chr_file getattr;
|
||||
|
||||
can_getsecurity(hald_t)
|
||||
|
||||
ifdef(`updfstab.te', `
|
||||
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
|
||||
allow updfstab_t hald_t:dbus send_msg;
|
||||
allow hald_t updfstab_t:dbus send_msg;
|
||||
')
|
||||
ifdef(`udev.te', `
|
||||
domain_auto_trans(hald_t, udev_exec_t, udev_t)
|
||||
allow udev_t hald_t:unix_dgram_socket sendto;
|
||||
allow hald_t udev_tbl_t:file { getattr read };
|
||||
')
|
||||
|
||||
ifdef(`hotplug.te', `
|
||||
r_dir_file(hald_t, hotplug_etc_t)
|
||||
')
|
||||
allow hald_t fs_type:dir { search getattr };
|
||||
allow hald_t usbfs_t:dir r_dir_perms;
|
||||
allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
|
||||
allow hald_t bin_t:lnk_file read;
|
||||
r_dir_file(hald_t, { selinux_config_t default_context_t } )
|
||||
allow hald_t initrc_t:dbus send_msg;
|
||||
allow initrc_t hald_t:dbus send_msg;
|
||||
allow hald_t etc_runtime_t:file rw_file_perms;
|
||||
allow hald_t var_lib_t:dir search;
|
||||
allow hald_t device_t:dir create_dir_perms;
|
||||
allow hald_t device_t:chr_file create_file_perms;
|
||||
tmp_domain(hald)
|
||||
allow hald_t mnt_t:dir search;
|
||||
r_dir_file(hald_t, proc_net_t)
|
||||
|
||||
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
|
||||
ifdef(`apmd.te', `
|
||||
allow hald_t apmd_var_run_t:sock_file write;
|
||||
allow hald_t apmd_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
# For /usr/libexec/hald-probe-smbios
|
||||
domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
|
||||
|
||||
# ??
|
||||
ifdef(`lvm.te', `
|
||||
allow hald_t lvm_control_t:chr_file r_file_perms;
|
||||
')
|
||||
ifdef(`targeted_policy', `
|
||||
allow unconfined_t hald_t:dbus send_msg;
|
||||
allow hald_t unconfined_t:dbus send_msg;
|
||||
')
|
||||
ifdef(`mount.te', `
|
||||
domain_auto_trans(hald_t, mount_exec_t, mount_t)
|
||||
')
|
||||
r_dir_file(hald_t, hwdata_t)
|
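Review bot: `domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)` is unconditional while every other cross-domain transition in this hunk (updfstab, udev, mount, lvm) is wrapped in `ifdef(`<file>.te', ...)`; a build without dmidecode.te fails on the undefined types, so guard it the same way. The `# ??` comment above the lvm block should be replaced with the actual reason or the rule dropped. More broadly, `can_exec_any(hald_t)`, the `{ net_admin sys_admin dac_override dac_read_search mknod sys_rawio }` capability set, `allow hald_t proc_t:file rw_file_perms;` and `allow hald_t device_t:chr_file create_file_perms;` together leave hald_t close to unconfined; each deserves a comment naming the hald helper that needs it, as already done for hald-addon-acpi and hald-probe-smbios. The `# X-Debian-Packages:` header line is empty.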
28
mls/domains/program/hostname.te
Normal file
@ -0,0 +1,28 @@
|
||||
#DESC hostname - show or set the system host name
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: hostname
|
||||
|
||||
# for setting the hostname
|
||||
daemon_core_rules(hostname, , nosysadm)
|
||||
allow hostname_t self:capability sys_admin;
|
||||
allow hostname_t etc_t:file { getattr read };
|
||||
|
||||
allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
read_locale(hostname_t)
|
||||
can_resolve(hostname_t)
|
||||
allow hostname_t userdomain:fd use;
|
||||
dontaudit hostname_t kernel_t:fd use;
|
||||
allow hostname_t net_conf_t:file { getattr read };
|
||||
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit hostname_t var_t:dir search;
|
||||
allow hostname_t fs_t:filesystem getattr;
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit hostname_t file_t:dir search;
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
allow hostname_t tmpfs_t:chr_file rw_file_perms;
|
||||
')
|
||||
can_access_pty(hostname_t, initrc)
|
||||
allow hostname_t initrc_t:fd use;
|
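Review bot: `daemon_core_rules(hostname, , nosysadm)` passes an empty second argument; a comment stating what that argument controls and why it is deliberately empty would help, as this is the only file in the set that invokes the macro this way. The header also lacks the closing `#` line the other files use. Style only: `dontaudit hostname_t kernel_t:fd use;`, `allow hostname_t userdomain:fd use;` and `allow hostname_t initrc_t:fd use;` are scattered through the file; grouping the descriptor-inheritance rules makes the fd flow easier to audit.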
160
mls/domains/program/hotplug.te
Normal file
@ -0,0 +1,160 @@
|
||||
#DESC Hotplug - Hardware event manager
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: hotplug
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the hotplug_t domain.
|
||||
#
|
||||
# hotplug_exec_t is the type of the hotplug executable.
|
||||
#
|
||||
ifdef(`unlimitedUtils', `
|
||||
daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
|
||||
', `
|
||||
daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
|
||||
')
|
||||
|
||||
etcdir_domain(hotplug)
|
||||
|
||||
allow hotplug_t self:fifo_file { read write getattr ioctl };
|
||||
allow hotplug_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hotplug_t self:unix_stream_socket create_socket_perms;
|
||||
allow hotplug_t self:udp_socket create_socket_perms;
|
||||
|
||||
read_sysctl(hotplug_t)
|
||||
allow hotplug_t sysctl_net_t:dir r_dir_perms;
|
||||
allow hotplug_t sysctl_net_t:file { getattr read };
|
||||
|
||||
# get info from /proc
|
||||
r_dir_file(hotplug_t, proc_t)
|
||||
allow hotplug_t self:file { getattr read ioctl };
|
||||
|
||||
allow hotplug_t devtty_t:chr_file rw_file_perms;
|
||||
|
||||
allow hotplug_t device_t:dir r_dir_perms;
|
||||
|
||||
# for SSP
|
||||
allow hotplug_t urandom_device_t:chr_file read;
|
||||
|
||||
allow hotplug_t { bin_t sbin_t }:dir search;
|
||||
allow hotplug_t { bin_t sbin_t }:lnk_file read;
|
||||
can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
|
||||
ifdef(`hostname.te', `
|
||||
can_exec(hotplug_t, hostname_exec_t)
|
||||
dontaudit hostname_t hotplug_t:fd use;
|
||||
')
|
||||
ifdef(`netutils.te', `
|
||||
ifdef(`distro_redhat', `
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
|
||||
|
||||
allow hotplug_t tmpfs_t:dir search;
|
||||
allow hotplug_t tmpfs_t:chr_file rw_file_perms;
|
||||
')dnl end if distro_redhat
|
||||
')dnl end if netutils.te
|
||||
|
||||
allow initrc_t usbdevfs_t:file { getattr read ioctl };
|
||||
allow initrc_t modules_dep_t:file { getattr read ioctl };
|
||||
r_dir_file(hotplug_t, usbdevfs_t)
|
||||
allow hotplug_t usbfs_t:dir r_dir_perms;
|
||||
allow hotplug_t usbfs_t:file { getattr read };
|
||||
|
||||
# read config files
|
||||
allow hotplug_t etc_t:dir r_dir_perms;
|
||||
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
|
||||
|
||||
allow hotplug_t kernel_t:process { sigchld setpgid };
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
allow hotplug_t var_lock_t:dir search;
|
||||
allow hotplug_t var_lock_t:file getattr;
|
||||
')
|
||||
|
||||
ifdef(`hald.te', `
|
||||
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
||||
allow hald_t hotplug_etc_t:dir search;
|
||||
allow hald_t hotplug_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
# for killall
|
||||
allow hotplug_t self:process { getsession getattr };
|
||||
allow hotplug_t self:file getattr;
|
||||
|
||||
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
|
||||
ifdef(`mount.te', `
|
||||
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
|
||||
')
|
||||
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
|
||||
ifdef(`updfstab.te', `
|
||||
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
|
||||
')
|
||||
|
||||
# init scripts run /etc/hotplug/usb.rc
|
||||
domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
|
||||
allow initrc_t hotplug_etc_t:dir r_dir_perms;
|
||||
|
||||
ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
|
||||
|
||||
r_dir_file(hotplug_t, modules_object_t)
|
||||
allow hotplug_t modules_dep_t:file { getattr read ioctl };
|
||||
|
||||
# for lsmod
|
||||
dontaudit hotplug_t self:capability { sys_module sys_admin };
|
||||
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
||||
|
||||
ifdef(`fsadm.te', `
|
||||
domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
|
||||
')
|
||||
|
||||
allow hotplug_t var_log_t:dir search;
|
||||
|
||||
# for ps
|
||||
dontaudit hotplug_t domain:dir { getattr search };
|
||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||
ifdef(`initrc.te', `
|
||||
can_ps(hotplug_t, initrc_t)
|
||||
')
|
||||
|
||||
# for when filesystems are not mounted early in the boot
|
||||
dontaudit hotplug_t file_t:dir { search getattr };
|
||||
|
||||
# kernel threads inherit from shared descriptor table used by init
|
||||
dontaudit hotplug_t initctl_t:fifo_file { read write };
|
||||
|
||||
# Read /usr/lib/gconv/.*
|
||||
allow hotplug_t lib_t:file { getattr read };
|
||||
|
||||
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
||||
allow hotplug_t sysfs_t:dir { getattr read search write };
|
||||
allow hotplug_t sysfs_t:file rw_file_perms;
|
||||
allow hotplug_t sysfs_t:lnk_file { getattr read };
|
||||
r_dir_file(hotplug_t, hwdata_t)
|
||||
allow hotplug_t udev_runtime_t:file rw_file_perms;
|
||||
ifdef(`lpd.te', `
|
||||
allow hotplug_t printer_device_t:chr_file setattr;
|
||||
')
|
||||
allow hotplug_t fixed_disk_device_t:blk_file setattr;
|
||||
allow hotplug_t removable_device_t:blk_file setattr;
|
||||
allow hotplug_t sound_device_t:chr_file setattr;
|
||||
|
||||
ifdef(`udev.te', `
|
||||
domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
|
||||
')
|
||||
|
||||
file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
|
||||
|
||||
can_network_server(hotplug_t)
|
||||
can_ypbind(hotplug_t)
|
||||
dbusd_client(system, hotplug)
|
||||
|
||||
# Allow hotplug (including /sbin/ifup-local) to start/stop services
|
||||
domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
|
||||
|
||||
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
|
||||
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
dontaudit hotplug_t selinux_config_t:dir search;
|
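Review bot: `can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })` lets hotplug_t execute any file labeled etc_t, i.e. arbitrary configuration files, while `file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)` later lets it create files in etc_t directories; restricting execution to hotplug_etc_t (and labeling whichever /etc scripts hotplug really runs with that type) keeps the domain from executing files in directories it can also write to. `domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)` is unconditional while the mount, updfstab, iptables, fsadm and udev transitions are wrapped in ifdef. The two `allow initrc_t ...` rules for usbdevfs_t and modules_dep_t are initrc_t rules living in hotplug.te; they belong in initrc.te or need a comment tying them to /etc/hotplug/usb.rc.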
21
mls/domains/program/howl.te
Normal file
@ -0,0 +1,21 @@
|
||||
#DESC howl - port of Apple Rendezvous multicast DNS
|
||||
#
|
||||
# Author: Russell Coker <rcoker@redhat.com>
|
||||
#
|
||||
|
||||
daemon_domain(howl, `, privsysmod')
|
||||
r_dir_file(howl_t, proc_net_t)
|
||||
can_network_server(howl_t)
|
||||
can_ypbind(howl_t)
|
||||
allow howl_t self:unix_dgram_socket create_socket_perms;
|
||||
allow howl_t self:capability { kill net_admin sys_module };
|
||||
|
||||
allow howl_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
|
||||
|
||||
allow howl_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow howl_t etc_t:file { getattr read };
|
||||
allow howl_t initrc_var_run_t:file rw_file_perms;
|
||||
|
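Review bot: `allow howl_t self:unix_dgram_socket create_socket_perms;` appears twice in this hunk (after `can_ypbind(howl_t)` and again after the name_bind rule); drop one. `allow howl_t self:capability { kill net_admin sys_module };` together with privsysmod gives an mDNS responder module-loading rights; a comment stating which howl operation needs sys_module would let a reviewer confirm this was investigated rather than allowed straight from a denial.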
50
mls/domains/program/hwclock.te
Normal file
@ -0,0 +1,50 @@
|
||||
#DESC Hwclock - Hardware clock manager
|
||||
#
|
||||
# Author: David A. Wheeler <dwheeler@ida.org>
|
||||
# Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: util-linux
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the hwclock_t domain.
|
||||
# This domain moves time information between the "hardware clock"
|
||||
# (which runs when the system is off) and the "system clock",
|
||||
# and it stores adjustment values in /etc/adjtime so that errors in the
|
||||
# hardware clock are corrected.
|
||||
# Note that any errors from this domain are NOT recorded by the system logger,
|
||||
# because the system logger isnt running when this domain is active.
|
||||
#
|
||||
daemon_base_domain(hwclock)
|
||||
role sysadm_r types hwclock_t;
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
|
||||
')
|
||||
type adjtime_t, file_type, sysadmfile;
|
||||
|
||||
allow hwclock_t fs_t:filesystem getattr;
|
||||
|
||||
read_locale(hwclock_t)
|
||||
|
||||
# Give hwclock the capabilities it requires. dac_override is a surprise,
|
||||
# but hwclock does require it.
|
||||
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
|
||||
|
||||
# Allow hwclock to set the hardware clock.
|
||||
allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
|
||||
|
||||
# Allow hwclock to store & retrieve correction factors.
|
||||
allow hwclock_t adjtime_t:file { setattr rw_file_perms };
|
||||
|
||||
# Read and write console and ttys.
|
||||
allow hwclock_t tty_device_t:chr_file rw_file_perms;
|
||||
allow hwclock_t ttyfile:chr_file rw_file_perms;
|
||||
allow hwclock_t ptyfile:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
|
||||
|
||||
read_locale(hwclock_t)
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit hwclock_t file_t:dir search;
|
||||
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
r_dir_file(hwclock_t, etc_t)
|
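Review bot: `read_locale(hwclock_t)` is invoked twice in this hunk (once after the fs_t getattr rule, again after the gnome-pty-helper ifdef); drop one. `allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` has no comment, unlike the other rules in the file; nlmsg_relay lets the domain submit audit records, so say which hwclock code path needs it. Comment typo: "isnt" should be "isn't".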
33
mls/domains/program/i18n_input.te
Normal file
@ -0,0 +1,33 @@
|
||||
# i18n_input.te
|
||||
# Security Policy for IIIMF htt server
|
||||
# Date: 2004, 12th April (Monday)
|
||||
|
||||
# Establish i18n_input as a daemon
|
||||
daemon_domain(i18n_input)
|
||||
|
||||
can_exec(i18n_input_t, i18n_input_exec_t)
|
||||
can_network(i18n_input_t)
|
||||
allow i18n_input_t port_type:tcp_socket name_connect;
|
||||
can_ypbind(i18n_input_t)
|
||||
|
||||
can_tcp_connect(userdomain, i18n_input_t)
|
||||
can_unix_connect(i18n_input_t, initrc_t)
|
||||
|
||||
allow i18n_input_t self:fifo_file rw_file_perms;
|
||||
allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
|
||||
|
||||
allow i18n_input_t self:capability { kill setgid setuid };
|
||||
allow i18n_input_t self:process { setsched setpgid };
|
||||
|
||||
allow i18n_input_t { bin_t sbin_t }:dir search;
|
||||
can_exec(i18n_input_t, bin_t)
|
||||
|
||||
allow i18n_input_t etc_t:file r_file_perms;
|
||||
allow i18n_input_t self:unix_dgram_socket create_socket_perms;
|
||||
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
|
||||
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
|
||||
allow i18n_input_t usr_t:file { getattr read };
|
||||
allow i18n_input_t home_root_t:dir search;
|
||||
allow i18n_input_t etc_runtime_t:file { getattr read };
|
||||
allow i18n_input_t proc_t:file { getattr read };
|
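Review bot: the file header does not follow the `#DESC` / `# Author:` / `# X-Debian-Packages:` convention used by every other domain file in this commit, so anything that extracts descriptions from #DESC lines will miss it. `allow i18n_input_t port_type:tcp_socket name_connect;` lets the htt server connect to any labeled port; if it only needs its own i18n_input_port_t, narrow it, otherwise add a comment naming the peer services. `can_exec(i18n_input_t, bin_t)` likewise lacks a comment naming the helper binaries it runs.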
74
mls/domains/program/ifconfig.te
Normal file
@ -0,0 +1,74 @@
|
||||
#DESC Ifconfig - Configure network interfaces
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# X-Debian-Packages: net-tools
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the ifconfig_t domain.
|
||||
#
|
||||
# ifconfig_t is the domain for the ifconfig program.
|
||||
# ifconfig_exec_t is the type of the corresponding program.
|
||||
#
|
||||
type ifconfig_t, domain, privlog, privmodule;
|
||||
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
role system_r types ifconfig_t;
|
||||
role sysadm_r types ifconfig_t;
|
||||
|
||||
uses_shlib(ifconfig_t)
|
||||
general_domain_access(ifconfig_t)
|
||||
|
||||
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
|
||||
')
|
||||
|
||||
# for /sbin/ip
|
||||
allow ifconfig_t self:packet_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
allow ifconfig_t etc_t:file { getattr read };
|
||||
|
||||
allow ifconfig_t self:socket create_socket_perms;
|
||||
|
||||
# Use capabilities.
|
||||
allow ifconfig_t self:capability { net_raw net_admin };
|
||||
dontaudit ifconfig_t self:capability sys_module;
|
||||
allow ifconfig_t self:capability sys_tty_config;
|
||||
|
||||
# Inherit and use descriptors from init.
|
||||
allow ifconfig_t { kernel_t init_t }:fd use;
|
||||
|
||||
# Access /proc
|
||||
r_dir_file(ifconfig_t, proc_t)
|
||||
r_dir_file(ifconfig_t, proc_net_t)
|
||||
|
||||
allow ifconfig_t privfd:fd use;
|
||||
allow ifconfig_t run_init_t:fd use;
|
||||
|
||||
# Create UDP sockets, necessary when called from dhcpc
|
||||
allow ifconfig_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Access terminals.
|
||||
can_access_pty(ifconfig_t, initrc)
|
||||
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
|
||||
# ifconfig attempts to search some sysctl entries.
|
||||
# Do not audit those attempts; comment out these rules if it is desired to
|
||||
# see the denials.
|
||||
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
|
||||
|
||||
allow ifconfig_t fs_t:filesystem getattr;
|
||||
|
||||
read_locale(ifconfig_t)
|
||||
allow ifconfig_t lib_t:file { getattr read };
|
||||
|
||||
rhgb_domain(ifconfig_t)
|
||||
allow ifconfig_t userdomain:fd use;
|
||||
dontaudit ifconfig_t root_t:file read;
|
||||
r_dir_file(ifconfig_t, sysfs_t)
|
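Review bot: the comment before `allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;` says these sysctl searches should not be audited and that the rule can be commented out to see the denials, but the rule is an `allow`, not a `dontaudit`; either change it to `dontaudit` as the comment describes or reword the comment to say the search is permitted. Style: `dontaudit ifconfig_t self:capability sys_module;` and `allow ifconfig_t self:capability sys_tty_config;` should sit with the `{ net_raw net_admin }` capability rule so all capability grants are in one place.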
64
mls/domains/program/inetd.te
Normal file
@ -0,0 +1,64 @@
|
||||
#DESC Inetd - Internet services daemon
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the inetd_t domain and
|
||||
# the inetd_child_t domain.
|
||||
#
|
||||
|
||||
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
|
||||
|
||||
can_network(inetd_t)
|
||||
allow inetd_t port_type:tcp_socket name_connect;
|
||||
allow inetd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow inetd_t self:unix_stream_socket create_socket_perms;
|
||||
allow inetd_t self:fifo_file rw_file_perms;
|
||||
allow inetd_t etc_t:file { getattr read ioctl };
|
||||
allow inetd_t self:process setsched;
|
||||
|
||||
log_domain(inetd)
|
||||
tmp_domain(inetd)
|
||||
|
||||
# Use capabilities.
|
||||
allow inetd_t self:capability { setuid setgid net_bind_service };
|
||||
|
||||
# allow any domain to connect to inetd
|
||||
can_tcp_connect(userdomain, inetd_t)
|
||||
|
||||
# Run each daemon with a defined domain in its own domain.
|
||||
# These rules have been moved to the individual target domain .te files.
|
||||
|
||||
# Run other daemons in the inetd_child_t domain.
|
||||
allow inetd_t { bin_t sbin_t }:dir search;
|
||||
allow inetd_t sbin_t:lnk_file read;
|
||||
|
||||
# Bind to the telnet, ftp, rlogin and rsh ports.
|
||||
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
|
||||
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
|
||||
ifdef(`talk.te', `
|
||||
allow inetd_t talk_port_t:tcp_socket name_bind;
|
||||
allow inetd_t ntalk_port_t:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
allow inetd_t auth_port_t:tcp_socket name_bind;
|
||||
# Communicate with the portmapper.
|
||||
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
|
||||
|
||||
|
||||
inetd_child_domain(inetd_child)
|
||||
allow inetd_child_t proc_net_t:dir search;
|
||||
allow inetd_child_t proc_net_t:file { getattr read };
|
||||
|
||||
ifdef(`unconfined.te', `
|
||||
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
ifdef(`unlimitedInetd', `
|
||||
unconfined_domain(inetd_t)
|
||||
')
|
||||
|
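Review bot: the comment `# Bind to the telnet, ftp, rlogin and rsh ports.` does not match the rules beneath it, which bind the ftp, rsh, talk/ntalk and auth ports only; update the comment. `allow inetd_t port_type:tcp_socket name_connect;` lets inetd initiate connections to any port although a super-server only needs to accept; if it is for ident lookups, comment that and narrow to the specific port type. The `unlimitedInetd` attribute list passed into `daemon_domain(...)` is redundant with the later `unconfined_domain(inetd_t)` under the same ifdef; keep one mechanism.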
147
mls/domains/program/init.te
Normal file
@ -0,0 +1,147 @@
|
||||
#DESC Init - Process initialization
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# X-Debian-Packages: sysvinit
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the init_t domain.
|
||||
#
|
||||
# init_t is the domain of the init process.
|
||||
# init_exec_t is the type of the init program.
|
||||
# initctl_t is the type of the named pipe created
|
||||
# by init during initialization. This pipe is used
|
||||
# to communicate with init.
|
||||
#
|
||||
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
|
||||
role system_r types init_t;
|
||||
uses_shlib(init_t);
|
||||
type init_exec_t, file_type, sysadmfile, exec_type;
|
||||
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
|
||||
|
||||
# for init to determine whether SE Linux is active so it can know whether to
|
||||
# activate it
|
||||
allow init_t security_t:dir search;
|
||||
allow init_t security_t:file { getattr read };
|
||||
|
||||
# for mount points
|
||||
allow init_t file_t:dir search;
|
||||
|
||||
# Use capabilities.
|
||||
allow init_t self:capability ~sys_module;
|
||||
|
||||
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
|
||||
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
|
||||
|
||||
# Run the shell in the sysadm_t domain for single-user mode.
|
||||
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
|
||||
|
||||
# Run /sbin/update in the init_t domain.
|
||||
can_exec(init_t, sbin_t)
|
||||
|
||||
# Run init.
|
||||
can_exec(init_t, init_exec_t)
|
||||
|
||||
# Run chroot from initrd scripts.
|
||||
ifdef(`chroot.te', `
|
||||
can_exec(init_t, chroot_exec_t)
|
||||
')
|
||||
|
||||
# Create /dev/initctl.
|
||||
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
|
||||
ifdef(`distro_redhat', `
|
||||
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
|
||||
')
|
||||
|
||||
# Create ioctl.save.
|
||||
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
|
||||
|
||||
# Update /etc/ld.so.cache
|
||||
allow init_t ld_so_cache_t:file rw_file_perms;
|
||||
|
||||
# Allow access to log files
|
||||
allow init_t var_t:dir search;
|
||||
allow init_t var_log_t:dir search;
|
||||
allow init_t var_log_t:file rw_file_perms;
|
||||
|
||||
read_locale(init_t)
|
||||
|
||||
# Create unix sockets
|
||||
allow init_t self:unix_dgram_socket create_socket_perms;
|
||||
allow init_t self:unix_stream_socket create_socket_perms;
|
||||
allow init_t self:fifo_file rw_file_perms;
|
||||
|
||||
# Permissions required for system startup
|
||||
allow init_t { bin_t sbin_t }:dir r_dir_perms;
|
||||
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
|
||||
|
||||
# allow init to fork
|
||||
allow init_t self:process { fork sigchld };

# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
can_unix_connect(init_t, initrc_t)

# For /var/run/shutdown.pid.
var_run_domain(init)

# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;

# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;

# Kill all processes.
allow init_t domain:process signal_perms;

# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };

# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;

# for loading policy
allow init_t policy_config_t:file r_file_perms;

# Set booleans.
can_setbool(init_t)

# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;

# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')

# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)

allow init_t lib_t:file { getattr read };

allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)

r_dir_file(init_t, selinux_config_t)

# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
unconfined_domain(init_t)
')
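Review bot: `can_exec(init_t,etc_t)` under "# Run /etc/X11/prefdm." lets init execute any file labelled etc_t in its own domain, far wider than the single script the comment names; give prefdm its own exec type, or run it from initrc_t, which already carries `can_exec(initrc_t, etc_t)` in this commit, and state why init itself must run it. The trailing `ifdef(`targeted_policy', unconfined_domain(init_t))` also wants a one-line comment, since on targeted builds it makes every rule above it moot and a reader auditing init_t's permissions should see that up front.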
346
mls/domains/program/initrc.te
Normal file
@ -0,0 +1,346 @@
#DESC Initrc - System initialization scripts
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit policycoreutils
#

#################################
#
# Rules for the initrc_t domain.
#
# initrc_t is the domain of the init rc scripts.
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;

role system_r types initrc_t;
uses_shlib(initrc_t);
can_network(initrc_t)
allow initrc_t port_type:tcp_socket name_connect;
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;

# for halt to down interfaces
allow initrc_t self:udp_socket create_socket_perms;

# read files in /etc/init.d
allow initrc_t etc_t:lnk_file r_file_perms;

read_locale(initrc_t)

r_dir_file(initrc_t, usr_t)

# Read system information files in /proc.
r_dir_file(initrc_t, { proc_t proc_net_t })
allow initrc_t proc_mdstat_t:file { getattr read };

# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;

# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files. Permit stating of the
# device nodes, but nothing else.
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
allow initrc_t usbfs_t:dir r_dir_perms;
allow initrc_t usbfs_t:file getattr;

# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };

# Can create ptys for open_init_pty
can_create_pty(initrc)

tmp_domain(initrc)
#
# Some initscripts generate scripts that they need to execute (ldap)
#
can_exec(initrc_t, initrc_tmp_t)

var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
allow initrc_t var_run_t:dir { create rmdir };

ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;

# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')

allow initrc_t framebuf_device_t:chr_file r_file_perms;

# Use capabilities.
allow initrc_t self:capability ~{ sys_admin sys_module };

# Use system operations.
allow initrc_t kernel_t:system *;

# Set values in /proc/sys.
can_sysctl(initrc_t)

# Run helper programs in the initrc_t domain.
allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
allow initrc_t {bin_t sbin_t }:lnk_file read;
can_exec(initrc_t, etc_t)
can_exec(initrc_t, lib_t)
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
#
# These rules are here to allow init scripts to su
#
ifdef(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
allow initrc_t self:passwd rootok;

# read /lib/modules
allow initrc_t modules_object_t:dir { search read };

# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;

# Run other rc scripts in the initrc_t domain.
can_exec(initrc_t, initrc_exec_t)

# Run init (telinit) in the initrc_t domain.
can_exec(initrc_t, init_exec_t)

# Communicate with the init process.
allow initrc_t initctl_t:fifo_file rw_file_perms;

# Read /proc/PID directories for all domains.
r_dir_file(initrc_t, domain)
allow initrc_t domain:process { getattr getsession };

# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t file_t:dir { read search getattr mounton };

# during boot up initrc needs to do the following
allow initrc_t default_t:dir { write read search getattr mounton };

# rhgb-console writes to ramfs
allow initrc_t ramfs_t:fifo_file write;

# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)

# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;

# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
allow initrc_t var_log_t:file create_file_perms;
allow initrc_t lastlog_t:file { setattr rw_file_perms };
allow initrc_t logfile:file { read append };

# remove old locks
allow initrc_t lockfile:dir rw_dir_perms;
allow initrc_t lockfile:file { getattr unlink };

# Access /var/lib/random-seed.
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;

# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;

# Set the clock.
allow initrc_t clock_device_t:devfile_class_set rw_file_perms;

# Kill all processes.
allow initrc_t domain:process signal_perms;

# Write to /dev/urandom.
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;

# for cryptsetup
allow initrc_t fixed_disk_device_t:blk_file getattr;

# Set device ownerships/modes.
allow initrc_t framebuf_device_t:chr_file setattr;
allow initrc_t misc_device_t:devfile_class_set setattr;
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
allow initrc_t device_t:lnk_file read;
allow initrc_t xconsole_device_t:fifo_file setattr;

# Stat any file.
allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };

# Read and write console and ttys.
allow initrc_t devtty_t:chr_file rw_file_perms;
allow initrc_t console_device_t:chr_file rw_file_perms;
allow initrc_t tty_device_t:chr_file rw_file_perms;
allow initrc_t ttyfile:chr_file rw_file_perms;
allow initrc_t ptyfile:chr_file rw_file_perms;

# Reset tty labels.
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;

ifdef(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)

allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;

# Allow initrc domain to set the enforcing flag.
can_setenforce(initrc_t)

#
# readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };

# for /halt /.autofsck and other flag files
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)

file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
# wants to delete /poweroff and other files
allow initrc_t root_t:file unlink;
# wants to read /.fonts directory
allow initrc_t default_t:file { getattr read };
ifdef(`xserver.te', `
# wants to cleanup xserver log dir
allow initrc_t xserver_log_t:dir rw_dir_perms;
allow initrc_t xserver_log_t:file unlink;
')
')dnl end distro_redhat

allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
allow initrc_t var_spool_t:file rw_file_perms;

# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;

# Access sound device and files.
allow initrc_t sound_device_t:chr_file { setattr ioctl read write };

# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;

# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };

# for system start scripts
allow initrc_t pidfile:dir { rmdir rw_dir_perms };
allow initrc_t pidfile:sock_file unlink;

rw_dir_create_file(initrc_t, var_lib_t)

# allow start scripts to clean /tmp
allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };

# for lsof which is used by alsa shutdown
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
dontaudit initrc_t proc_kmsg_t:file getattr;

#################################
#
# Rules for the run_init_t domain.
#
ifdef(`targeted_policy', `
type run_init_exec_t, file_type, sysadmfile, exec_type;
type run_init_t, domain;
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
typeattribute initrc_t privuser;
domain_trans(initrc_t, shell_exec_t, unconfined_t)
allow initrc_t unconfined_t:system syslog_mod;
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
allow initrc_t privfd:fd use;

# Transition to system_r:initrc_t upon executing init scripts.
ifdef(`direct_sysadm_daemon', `
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
ifdef(`mls_policy', `
typeattribute initrc_t mlsrangetrans;
range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
')
')

#
# Shutting down xinet causes these
#
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;

allow initrc_t sysfs_t:dir { getattr read search };
allow initrc_t sysfs_t:file { getattr read write };
allow initrc_t sysfs_t:lnk_file { getattr read };
allow initrc_t udev_runtime_t:file rw_file_perms;
allow initrc_t device_type:chr_file setattr;
allow initrc_t binfmt_misc_fs_t:dir { getattr search };
allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };

# for lsof in shutdown scripts
can_kerberos(initrc_t)

#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;

r_dir_file(initrc_t,selinux_config_t)

ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
#
# initrc script does a cat /selinux/enforce
#
allow initrc_t security_t:dir { getattr search };
allow initrc_t security_t:file { getattr read };

# init script state
type initrc_state_t, file_type, sysadmfile;
create_dir_file(initrc_t,initrc_state_t)

ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')

# Slapd needs to read cert files from its initscript
r_dir_file(initrc_t, cert_t)
ifdef(`use_mcs', `
range_transition sysadm_t initrc_exec_t s0;
')
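Review bot: `allow initrc_t self:capability ~{ sys_admin sys_module };` under "# Use capabilities." grants every capability except two, and the distro_redhat block below adds `allow initrc_t self:capability sys_admin;` back, so on Red Hat builds only sys_module is withheld; together with `can_exec(initrc_t, exec_type)` (run any executable type with no domain transition) and the mlsfileread, mlsfilewrite, mlsprocread and mlsprocwrite attributes on the `type initrc_t` declaration, any service started without its own domain runs MLS-exempt with near-root capability, which is the very caveat the "# Allow access to the sysadm TTYs" comment raises. Suggest enumerating the capabilities the init scripts actually need and commenting why the Red Hat sys_admin override exists. One more: the `ifdef(`mls_policy'` block and the `ifdef(`use_mcs'` block each emit a `range_transition sysadm_t initrc_exec_t` with a different range; if both macros can be defined in one build the two rules conflict at compile time, so guard them against each other.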
81
mls/domains/program/innd.te
Normal file
@ -0,0 +1,81 @@
#DESC INN - InterNetNews server
#
# Author: Faye Coker <faye@lurking-grue.org>
# X-Debian-Packages: inn
#
################################

# Types for the server port and news spool.
#
type news_spool_t, file_type, sysadmfile;


# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')

# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)

# allow user domains to read files and directories these types
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })

can_exec(initrc_t, innd_etc_t)
can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')

allow innd_t var_spool_t:dir { getattr search };

can_network(innd_t)
allow innd_t port_type:tcp_socket name_connect;
can_ypbind(innd_t)

can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)

allow innd_t self:fifo_file rw_file_perms;
allow innd_t innd_port_t:tcp_socket name_bind;

allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;

allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;

allow innd_t innd_var_run_t:sock_file create_file_perms;

# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
etcdir_domain(innd)

# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)

# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)

ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
allow system_crond_t innd_etc_t:file { getattr read };
rw_dir_create_file(system_crond_t, innd_log_t)
rw_dir_create_file(system_crond_t, innd_var_run_t)
')

ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file create_file_perms;
')

allow innd_t self:file { getattr read };
dontaudit innd_t selinux_config_t:dir { search };
allow system_crond_t innd_etc_t:file { getattr read };
allow innd_t bin_t:lnk_file { read };
allow innd_t sbin_t:lnk_file { read };
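Review bot: the unguarded `allow system_crond_t innd_etc_t:file { getattr read };` near the end of the file duplicates the identical rule inside the `ifdef(`crond.te'` block above, and because this copy sits outside the ifdef it names system_crond_t even in a build without crond.te, where that type is undefined and the policy will not compile; drop the trailing copy. While here, `can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })` lets the daemon run any program under bin_t and any shell in its own domain, so a comment naming the INN helpers that need it would help the next reader judge the scope.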
229
mls/domains/program/ipsec.te
Normal file
@ -0,0 +1,229 @@
#DESC ipsec - TCP/IP encryption
#
# Authors: Mark Westerman mark.westerman@westcam.com
# massively butchered by paul krumviede <pwk@acm.org>
# further massaged by Chris Vance <cvance@tislabs.com>
# X-Debian-Packages: freeswan
#
########################################
#
# Rules for the ipsec_t domain.
#
# a domain for things that need access to the PF_KEY socket
daemon_base_domain(ipsec, `, privlog')

# type for ipsec configuration file(s) - not for keys
type ipsec_conf_file_t, file_type, sysadmfile;

# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t, file_type, sysadmfile;

# type for runtime files, including pluto.ctl
# lots of strange stuff for the ipsec_var_run_t - need to check it
var_run_domain(ipsec)

type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)

allow ipsec_mgmt_t modules_object_t:dir search;
allow ipsec_mgmt_t modules_object_t:file getattr;

allow ipsec_t self:capability { net_admin net_bind_service };
allow ipsec_t self:process signal;
allow ipsec_t etc_t:lnk_file read;

domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)

# Inherit and use descriptors from init.
# allow access (for, e.g., klipsdebug) to console
allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;

# I do not know where this pesky pipe is...
allow ipsec_t initrc_t:fifo_file write;

r_dir_file(ipsec_t, ipsec_conf_file_t)
r_dir_file(ipsec_t, ipsec_key_file_t)
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)

allow ipsec_t self:key_socket { create write read setopt };

# for lsof
allow sysadm_t ipsec_t:key_socket getattr;

# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
can_exec(ipsec_mgmt_t, bin_t)
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;

# also need to run things like whack and shell scripts
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
can_exec(ipsec_mgmt_t, shell_exec_t)
can_exec(ipsec_t, shell_exec_t)
can_exec(ipsec_t, bin_t)
can_exec(ipsec_t, ipsec_mgmt_exec_t)
# now for a icky part...
# pluto runs an updown script (by calling popen()!); as this is by default
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;

# the default updown script wants to run route
can_exec(ipsec_mgmt_t, sbin_t)
allow ipsec_mgmt_t sbin_t:lnk_file read;
allow ipsec_mgmt_t self:capability { net_admin dac_override };

# need access to /proc/sys/net/ipsec/icmp
allow ipsec_mgmt_t sysctl_t:file write;
allow ipsec_mgmt_t sysctl_net_t:dir search;
allow ipsec_mgmt_t sysctl_net_t:file { write setattr };

# whack needs to be able to read/write pluto.ctl
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
# and it wants to connect to a socket...
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };

# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
can_exec(sysadm_t, ipsec_mgmt_exec_t)
allow sysadm_t ipsec_t:unix_stream_socket connectto;

# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;

allow ipsec_mgmt_t boot_t:dir search;
allow ipsec_mgmt_t system_map_t:file { read getattr };

# denials when ps tries to search /proc. Do not audit these denials.
dontaudit ipsec_mgmt_t domain:dir r_dir_perms;

# suppress audit messages about unnecessary socket access
dontaudit ipsec_mgmt_t domain:key_socket { read write };
dontaudit ipsec_mgmt_t domain:udp_socket { read write };

# from rbac
role system_r types { ipsec_t ipsec_mgmt_t };

# from initrc.te
domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)


########## The following rules were added by cvance@tislabs.com ##########

# allow pluto and startup scripts to access /dev/urandom
allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;

# allow pluto to access /proc/net/ipsec_eroute;
general_proc_read_access(ipsec_t)
general_proc_read_access(ipsec_mgmt_t)

# allow pluto to search the root directory (not sure why, but mostly harmless)
# Are these all really necessary?
allow ipsec_t var_t:dir search;
allow ipsec_t bin_t:dir search;
allow ipsec_t device_t:dir { getattr search };
allow ipsec_mgmt_t device_t:dir { getattr search read };
dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
dontaudit ipsec_mgmt_t devpts_t:dir getattr;
allow ipsec_mgmt_t etc_t:lnk_file read;
allow ipsec_mgmt_t var_t:dir search;
allow ipsec_mgmt_t sbin_t:dir search;
allow ipsec_mgmt_t bin_t:dir search;
allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };

# Startup scripts
# use libraries
uses_shlib({ ipsec_t ipsec_mgmt_t })
# Read and write /dev/tty
allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
# fork
allow ipsec_mgmt_t self:process fork;
# startup script runs /bin/gawk with a pipe
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
# read /etc/mtab Why?
allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
# read link for /bin/sh
allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;

#
allow ipsec_mgmt_t self:process { sigchld signal setrlimit };

# Allow read/write access to /var/run/pluto.ctl
allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };

# Pluto needs network access
can_network_server(ipsec_t)
can_ypbind(ipsec_t)
allow ipsec_t self:unix_dgram_socket create_socket_perms;

# for sleep
allow ipsec_mgmt_t fs_t:filesystem getattr;

# for the start script
can_exec(ipsec_mgmt_t, etc_t)

# allow access to /etc/localtime
allow ipsec_mgmt_t etc_t:file { read getattr };
allow ipsec_t etc_t:file { read getattr };

# allow access to /dev/null
allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
allow ipsec_t null_device_t:chr_file rw_file_perms;

# Allow scripts to use /var/lock/subsys/ipsec
lock_domain(ipsec_mgmt)

# allow tncfg to create sockets
allow ipsec_mgmt_t self:udp_socket { create ioctl };

#When running ipsec auto --up <conname>
allow ipsec_t self:process { fork sigchld };
allow ipsec_t self:fifo_file { read getattr };

# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)

allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
allow ipsec_mgmt_t self:lnk_file read;

allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
read_locale(ipsec_mgmt_t)
var_run_domain(ipsec_mgmt)
dontaudit ipsec_mgmt_t default_t:dir getattr;
dontaudit ipsec_mgmt_t default_t:file getattr;
allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t self:key_socket { create setopt };
can_exec(ipsec_mgmt_t, initrc_exec_t)
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
read_locale(ipsec_t)
ifdef(`consoletype.te', `
can_exec(ipsec_mgmt_t, consoletype_exec_t )
')
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
allow ipsec_t self:capability { dac_override dac_read_search };
allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
dontaudit ipsec_mgmt_t device_t:lnk_file read;
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
rw_dir_create_file(initrc_t, ipsec_var_run_t)
allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
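Review bot: `domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)` (the popen'd updown script) moves every shell pluto spawns into ipsec_mgmt_t, a domain declared with `admin` and `privmodule` that can exec bin_t, sbin_t, etc_t and initrc_exec_t and holds `rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)`, so the worry in the comment about "letting all sorts of stuff possibly be run" is not bounded by the flip, only relabelled; a dedicated updown-script domain with just the route, ifconfig and sysctl_net_t access the script needs would actually contain it. Separately, `file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)` labels every file ipsec_mgmt_t creates in an etc_t directory as key material, which will mislabel non-secret config that should be ipsec_conf_file_t; narrow the transition or comment which directory it is meant to cover.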
63
mls/domains/program/iptables.te
Normal file
@ -0,0 +1,63 @@
#DESC Ipchains - IP packet filter administration
#
# Authors: Justin Smith <jsmith@mcs.drexel.edu>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: ipchains iptables
#

#
# Rules for the iptables_t domain.
#
daemon_base_domain(iptables, `, privmodule')
role sysadm_r types iptables_t;
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)

ifdef(`modutil.te', `
# for modprobe
allow iptables_t sbin_t:dir search;
allow iptables_t sbin_t:lnk_file read;
')

read_locale(iptables_t)

# to allow rules to be saved on reboot
allow iptables_t initrc_tmp_t:file rw_file_perms;

domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
allow iptables_t var_t:dir search;
var_run_domain(iptables)

allow iptables_t self:process { fork signal_perms };

allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
allow iptables_t sysctl_modprobe_t:file { getattr read };

tmp_domain(iptables)

# for iptables -L
allow iptables_t self:unix_stream_socket create_socket_perms;
can_resolve(iptables_t)
can_ypbind(iptables_t)

allow iptables_t iptables_exec_t:file execute_no_trans;
allow iptables_t self:capability { net_admin net_raw };
allow iptables_t self:rawip_socket create_socket_perms;

allow iptables_t etc_t:file { getattr read };

allow iptables_t fs_t:filesystem getattr;
allow iptables_t { userdomain kernel_t }:fd use;

# Access terminals.
allow iptables_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')

allow iptables_t proc_t:file { getattr read };
allow iptables_t proc_net_t:dir search;
allow iptables_t proc_net_t:file { read getattr };

# system-config-network appends to /var/log
allow iptables_t var_log_t:file append;
ifdef(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write;
')
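Review bot: the `#DESC Ipchains - IP packet filter administration` header still describes ipchains while the file is iptables.te and the domain is iptables_t; update the description so policy listings name the right tool. Also, `allow iptables_t initrc_tmp_t:file rw_file_perms;` ("to allow rules to be saved on reboot") gives the domain read and write on every temporary file the init scripts create, not only the one the save step hands it; if the save goes through a descriptor inherited from the script, `{ userdomain kernel_t }:fd use` plus write on that file is sufficient, so either narrow the rule or comment which file it actually touches.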
12
mls/domains/program/irc.te
Normal file
@ -0,0 +1,12 @@
#DESC Irc - IRC client
#
# Domains for the irc program.
# X-Debian-Packages: tinyirc ircii

#
# irc_exec_t is the type of the irc executable.
#
type irc_exec_t, file_type, sysadmfile, exec_type;

# Everything else is in the irc_domain macro in
# macros/program/irc_macros.te.
15
mls/domains/program/irqbalance.te
Normal file
@ -0,0 +1,15 @@
#DESC IRQBALANCE - IRQ balance daemon
#
# Author: Ulrich Drepper <drepper@redhat.com>
#

#################################
#
# Rules for the irqbalance_t domain.
#
daemon_domain(irqbalance)

# irqbalance needs access to /proc.
allow irqbalance_t proc_t:file { read getattr };
allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
allow irqbalance_t sysctl_irq_t:file rw_file_perms;
14
mls/domains/program/java.te
Normal file
@ -0,0 +1,14 @@
#DESC Java VM
#
# Authors: Dan Walsh <dwalsh@redhat.com>
# X-Debian-Packages: java
#

# Type for the netscape, java or other browser executables.
type java_exec_t, file_type, sysadmfile, exec_type;

# Allow java executable stack
bool allow_java_execstack false;

# Everything else is in the java_domain macro in
# macros/program/java_macros.te.
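Review bot: the comment above `type java_exec_t` ("Type for the netscape, java or other browser executables.") reads as carried over from a browser policy; java_exec_t labels the JVM binary in this file, so reword it. `bool allow_java_execstack false;` is declared here but nothing in this file tests it, and the closing comment only says the rest lives in java_macros.te; a pointer to the rule that the boolean gates (and a note that execstack is off by default) would let a reader verify the default without opening the macro file.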
91
mls/domains/program/kerberos.te
Normal file
@ -0,0 +1,91 @@
#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author: Kerry Thompson <kerry@crypt.gen.nz>
# Modified by Colin Walters <walters@redhat.com>
#

#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
daemon_domain(krb5kdc)
daemon_domain(kadmind)

can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)

# types for general configuration files in /etc
type krb5_keytab_t, file_type, sysadmfile, secure_file_type;

# types for KDC configs and principal file(s)
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;

# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };

# krb5kdc and kadmind can use network
can_network_server( { krb5kdc_t kadmind_t } )
can_ypbind( { krb5kdc_t kadmind_t } )

# allow UDP transfer to/from any program
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)

# Bind to the kerberos, kerberos-adm ports.
allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
allow kadmind_t reserved_port_t:tcp_socket name_bind;
dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;

#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
allow krb5kdc_t self:unix_stream_socket create_socket_perms;
allow kadmind_t self:unix_stream_socket create_socket_perms;
allow krb5kdc_t krb5kdc_conf_t:dir search;
allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t locale_t:file { getattr read };
|
||||
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
||||
allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
|
||||
allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
|
||||
allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
|
||||
dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
|
||||
tmp_domain(krb5kdc)
|
||||
log_domain(krb5kdc)
|
||||
allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
|
||||
allow kadmind_t random_device_t:chr_file { getattr read };
|
||||
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow krb5kdc_t proc_t:dir r_dir_perms;
|
||||
allow krb5kdc_t proc_t:file { getattr read };
|
||||
|
||||
#
|
||||
# Rules for Kerberos5 Kadmin daemon
|
||||
allow kadmind_t self:unix_dgram_socket { connect create write };
|
||||
allow kadmind_t krb5kdc_conf_t:dir search;
|
||||
allow kadmind_t krb5kdc_conf_t:file r_file_perms;
|
||||
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
|
||||
read_locale(kadmind_t)
|
||||
dontaudit kadmind_t krb5kdc_conf_t:file write;
|
||||
tmp_domain(kadmind)
|
||||
log_domain(kadmind)
|
||||
|
||||
#
|
||||
# Allow user programs to talk to KDC
|
||||
allow krb5kdc_t userdomain:udp_socket recvfrom;
|
||||
allow userdomain krb5kdc_t:udp_socket recvfrom;
|
||||
allow initrc_t krb5_conf_t:file ioctl;
|
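Review bot: the capability rules contradict their own comment. "# Use capabilities. Surplus capabilities may be allowed." is followed by "allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };", which leaves net_admin and dac_override on the KDC with no justification; trim the set to what krb5kdc exercises, or document each capability. Three more points in the same hunk: the header claims the file "includes rules for OpenSSH daemon compiled with both kerberos5 and SELinux support", but no sshd rule appears below, so either the comment goes or the rules come back; "can_udp_send(kerberos_port_t, krb5kdc_t)" and "can_tcp_connect(kerberos_port_t, krb5kdc_t)" pass a port type as the first argument, so confirm those macros are meant to take a port type there rather than a domain; and the closing "allow initrc_t krb5_conf_t:file ioctl;" is a rule for an unrelated domain with no comment, placed under "# Allow user programs to talk to KDC". Move it next to a comment that explains it.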
48
mls/domains/program/klogd.te
Normal file
@ -0,0 +1,48 @@
|
||||
#DESC Klogd - Kernel log daemon
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# X-Debian-Packages: klogd
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the klogd_t domain.
|
||||
#
|
||||
daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
|
||||
|
||||
tmp_domain(klogd)
|
||||
allow klogd_t proc_t:dir r_dir_perms;
|
||||
allow klogd_t proc_t:lnk_file r_file_perms;
|
||||
allow klogd_t proc_t:file { getattr read };
|
||||
allow klogd_t self:dir r_dir_perms;
|
||||
allow klogd_t self:lnk_file r_file_perms;
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
allow klogd_t etc_t:lnk_file read;
|
||||
allow klogd_t etc_t:file r_file_perms;
|
||||
|
||||
read_locale(klogd_t)
|
||||
|
||||
allow klogd_t etc_runtime_t:file { getattr read };
|
||||
|
||||
# Create unix sockets
|
||||
allow klogd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
# Use the sys_admin and sys_rawio capabilities.
|
||||
allow klogd_t self:capability { sys_admin sys_rawio };
|
||||
dontaudit klogd_t self:capability sys_resource;
|
||||
|
||||
|
||||
# Read /proc/kmsg and /dev/mem.
|
||||
allow klogd_t proc_kmsg_t:file r_file_perms;
|
||||
allow klogd_t memory_device_t:chr_file r_file_perms;
|
||||
|
||||
# Control syslog and console logging
|
||||
allow klogd_t kernel_t:system { syslog_mod syslog_console };
|
||||
|
||||
# Read /boot/System.map*
|
||||
allow klogd_t system_map_t:file r_file_perms;
|
||||
allow klogd_t boot_t:dir r_dir_perms;
|
||||
ifdef(`targeted_policy', `
|
||||
allow klogd_t unconfined_t:system syslog_mod;
|
||||
')
|
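Review bot: the /dev/mem access needs a justification, not just a description. "allow klogd_t memory_device_t:chr_file r_file_perms;" together with "allow klogd_t self:capability { sys_admin sys_rawio };" and the privmem attribute in the daemon_domain call lets the kernel log daemon read all physical memory; the comment "# Read /proc/kmsg and /dev/mem." says what is granted but not why. Is this for symbol lookup during oops decoding? If so, say so, and check whether the system_map_t read granted a few lines later already covers it so the memory_device_t rule and sys_rawio can be dropped. The mlsfileread attribute also deserves a comment: in an MLS policy it lets klogd_t read files at every level, while the only files this file reads are under /proc, /etc and /boot.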
14
mls/domains/program/ktalkd.te
Normal file
@ -0,0 +1,14 @@
|
||||
#DESC ktalkd - KDE version of the talk server
|
||||
#
|
||||
# Author: Dan Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
# Depends: inetd.te
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the ktalkd_t domain.
|
||||
#
|
||||
# ktalkd_exec_t is the type of the ktalkd executable.
|
||||
#
|
||||
|
||||
inetd_child_domain(ktalkd, udp)
|
117
mls/domains/program/kudzu.te
Normal file
@ -0,0 +1,117 @@
|
||||
#DESC kudzu - Red Hat utility to recognise new hardware
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
#
|
||||
|
||||
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
|
||||
|
||||
read_locale(kudzu_t)
|
||||
|
||||
# for /etc/sysconfig/hwconf - probably need a new type
|
||||
allow kudzu_t etc_runtime_t:file rw_file_perms;
|
||||
|
||||
# for kmodule
|
||||
if (allow_execmem) {
|
||||
allow kudzu_t self:process execmem;
|
||||
}
|
||||
allow kudzu_t zero_device_t:chr_file rx_file_perms;
|
||||
allow kudzu_t memory_device_t:chr_file { read write execute };
|
||||
|
||||
allow kudzu_t ramfs_t:dir search;
|
||||
allow kudzu_t ramfs_t:sock_file write;
|
||||
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
|
||||
allow kudzu_t modules_conf_t:file { getattr read unlink rename };
|
||||
allow kudzu_t modules_object_t:dir r_dir_perms;
|
||||
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
|
||||
allow kudzu_t mouse_device_t:chr_file { read write };
|
||||
allow kudzu_t proc_net_t:dir r_dir_perms;
|
||||
allow kudzu_t { proc_net_t proc_t }:file { getattr read };
|
||||
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
|
||||
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
|
||||
allow kudzu_t { bin_t sbin_t }:dir { getattr search };
|
||||
allow kudzu_t { bin_t sbin_t }:lnk_file read;
|
||||
read_sysctl(kudzu_t)
|
||||
allow kudzu_t sysctl_dev_t:dir { getattr search read };
|
||||
allow kudzu_t sysctl_dev_t:file { getattr read };
|
||||
allow kudzu_t sysctl_kernel_t:file write;
|
||||
allow kudzu_t usbdevfs_t:dir search;
|
||||
allow kudzu_t usbdevfs_t:file { getattr read };
|
||||
allow kudzu_t usbfs_t:dir search;
|
||||
allow kudzu_t usbfs_t:file { getattr read };
|
||||
var_run_domain(kudzu)
|
||||
allow kudzu_t kernel_t:system syslog_console;
|
||||
allow kudzu_t self:udp_socket { create ioctl };
|
||||
allow kudzu_t var_lock_t:dir search;
|
||||
allow kudzu_t devpts_t:dir search;
|
||||
|
||||
# so it can write messages to the console
|
||||
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
|
||||
|
||||
role sysadm_r types kudzu_t;
|
||||
ifdef(`targeted_policy', `', `
|
||||
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
|
||||
')
|
||||
ifdef(`anaconda.te', `
|
||||
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
|
||||
')
|
||||
|
||||
allow kudzu_t sysadm_home_dir_t:dir search;
|
||||
rw_dir_create_file(kudzu_t, etc_t)
|
||||
|
||||
rw_dir_create_file(kudzu_t, mnt_t)
|
||||
can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
|
||||
# Read /usr/lib/gconv/gconv-modules.*
|
||||
allow kudzu_t lib_t:file { read getattr };
|
||||
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
|
||||
allow kudzu_t usr_t:file { read getattr };
|
||||
r_dir_file(kudzu_t, hwdata_t)
|
||||
|
||||
# Communicate with rhgb-client.
|
||||
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow kudzu_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
ifdef(`rhgb.te', `
|
||||
allow kudzu_t rhgb_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
allow kudzu_t self:file { getattr read };
|
||||
allow kudzu_t self:fifo_file rw_file_perms;
|
||||
ifdef(`gpm.te', `
|
||||
allow kudzu_t gpmctl_t:sock_file getattr;
|
||||
')
|
||||
|
||||
can_exec(kudzu_t, shell_exec_t)
|
||||
|
||||
# Write to /proc/sys/kernel/hotplug. Why?
|
||||
allow kudzu_t sysctl_hotplug_t:file { read write };
|
||||
|
||||
allow kudzu_t sysfs_t:dir { getattr read search };
|
||||
allow kudzu_t sysfs_t:file { getattr read };
|
||||
allow kudzu_t sysfs_t:lnk_file read;
|
||||
file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
|
||||
allow kudzu_t tape_device_t:chr_file r_file_perms;
|
||||
tmp_domain(kudzu, `', `{ file dir chr_file }')
|
||||
|
||||
# for file systems that are not yet mounted
|
||||
dontaudit kudzu_t file_t:dir search;
|
||||
ifdef(`lpd.te', `
|
||||
allow kudzu_t printconf_t:file { getattr read };
|
||||
')
|
||||
ifdef(`cups.te', `
|
||||
allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
|
||||
')
|
||||
dontaudit kudzu_t src_t:dir search;
|
||||
ifdef(`xserver.te', `
|
||||
allow kudzu_t xserver_exec_t:file getattr;
|
||||
')
|
||||
|
||||
ifdef(`userhelper.te', `
|
||||
role system_r types sysadm_userhelper_t;
|
||||
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
|
||||
', `
|
||||
unconfined_domain(kudzu_t)
|
||||
')
|
||||
|
||||
allow kudzu_t initrc_t:unix_stream_socket connectto;
|
||||
allow kudzu_t net_conf_t:file { getattr read };
|
||||
|
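Review bot: the else branch of the userhelper ifdef undoes the rest of the file. When userhelper.te is not in the build, "unconfined_domain(kudzu_t)" makes kudzu_t unconfined, so none of the fine-grained rules above it apply in that configuration. If kudzu cannot run confined without userhelper, say so in a comment and fail the build rather than silently unconfining; if it can, drop the else branch. Smaller points in the same hunk: "allow kudzu_t memory_device_t:chr_file { read write execute };" grants write and execute on /dev/mem with no comment (the "# for kmodule" note above covers only the execmem rule); "# Write to /proc/sys/kernel/hotplug. Why?" ships an open question that should be answered before merge, or the rule turned into a dontaudit if the write is not needed; and "role system_r types sysadm_userhelper_t;" declares a role authorization for a domain owned by another file, which belongs in userhelper.te.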
52
mls/domains/program/ldconfig.te
Normal file
@ -0,0 +1,52 @@
|
||||
#DESC Ldconfig - Configure dynamic linker bindings
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: libc6
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the ldconfig_t domain.
|
||||
#
|
||||
type ldconfig_t, domain, privlog, etc_writer;
|
||||
type ldconfig_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
role sysadm_r types ldconfig_t;
|
||||
role system_r types ldconfig_t;
|
||||
|
||||
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
|
||||
dontaudit ldconfig_t device_t:dir search;
|
||||
can_access_pty(ldconfig_t, initrc)
|
||||
allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
|
||||
allow ldconfig_t privfd:fd use;
|
||||
|
||||
uses_shlib(ldconfig_t)
|
||||
|
||||
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
|
||||
allow ldconfig_t lib_t:dir rw_dir_perms;
|
||||
allow ldconfig_t lib_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow ldconfig_t userdomain:fd use;
|
||||
# unlink for when /etc/ld.so.cache is mislabeled
|
||||
allow ldconfig_t etc_t:file { getattr read unlink };
|
||||
allow ldconfig_t etc_t:lnk_file read;
|
||||
|
||||
allow ldconfig_t fs_t:filesystem getattr;
|
||||
allow ldconfig_t tmp_t:dir search;
|
||||
|
||||
ifdef(`apache.te', `
|
||||
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
|
||||
dontaudit ldconfig_t httpd_modules_t:dir search;
|
||||
')
|
||||
|
||||
allow ldconfig_t { var_t var_lib_t }:dir search;
|
||||
allow ldconfig_t proc_t:file { getattr read };
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
ifdef(`unconfined.te',`
|
||||
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
|
||||
');
|
||||
')dnl end hide_broken_symptoms
|
||||
ifdef(`targeted_policy', `
|
||||
allow ldconfig_t lib_t:file r_file_perms;
|
||||
unconfined_domain(ldconfig_t)
|
||||
')
|
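Review bot: stray semicolon in the hide_broken_symptoms block. The inner ifdef for unconfined.te closes with "');", and that ";" sits outside the m4 quotes, so it is emitted into policy.conf as a bare ";" on a line of its own; change it to "')". Secondary point: "allow ldconfig_t userdomain:fd use;" lets any user domain's descriptors be used, but the only transitions into the domain are "domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)"; narrow the fd rule to sysadm_t or add a comment naming the other caller that needs it.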
65
mls/domains/program/load_policy.te
Normal file
@ -0,0 +1,65 @@
|
||||
#DESC LoadPolicy - SELinux policy loading utilities
|
||||
#
|
||||
# Authors: Frank Mayer, mayerf@tresys.com
|
||||
# X-Debian-Packages: policycoreutils
|
||||
#
|
||||
|
||||
###########################
|
||||
# load_policy_t is the domain type for load_policy
|
||||
# load_policy_exec_t is the file type for the executable
|
||||
|
||||
# boolean to determine whether the system permits loading policy, setting
|
||||
# enforcing mode, and changing boolean values. Set this to true and you
|
||||
# have to reboot to set it back
|
||||
bool secure_mode_policyload false;
|
||||
|
||||
type load_policy_t, domain;
|
||||
role sysadm_r types load_policy_t;
|
||||
role secadm_r types load_policy_t;
|
||||
role system_r types load_policy_t;
|
||||
|
||||
type load_policy_exec_t, file_type, exec_type, sysadmfile;
|
||||
|
||||
##########################
|
||||
#
|
||||
# Rules
|
||||
|
||||
domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
|
||||
|
||||
allow load_policy_t console_device_t:chr_file { read write };
|
||||
|
||||
# Reload the policy configuration (sysadm_t no longer has this ability)
|
||||
can_loadpol(load_policy_t)
|
||||
|
||||
# Reset policy boolean values.
|
||||
can_setbool(load_policy_t)
|
||||
|
||||
|
||||
###########################
|
||||
# constrain from where load_policy can load a policy, specifically
|
||||
# policy_config_t files
|
||||
#
|
||||
|
||||
# only allow read of policy config files
|
||||
allow load_policy_t policy_src_t:dir search;
|
||||
r_dir_file(load_policy_t, policy_config_t)
|
||||
r_dir_file(load_policy_t, selinux_config_t)
|
||||
|
||||
# directory search permissions for path to binary policy files
|
||||
allow load_policy_t root_t:dir search;
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
# for mcs.conf
|
||||
allow load_policy_t etc_t:file { getattr read };
|
||||
|
||||
# Other access
|
||||
can_access_pty(load_policy_t, initrc)
|
||||
allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
|
||||
uses_shlib(load_policy_t)
|
||||
allow load_policy_t self:capability dac_override;
|
||||
|
||||
allow load_policy_t { userdomain privfd initrc_t }:fd use;
|
||||
|
||||
allow load_policy_t fs_t:filesystem getattr;
|
||||
|
||||
read_locale(load_policy_t)
|
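Review bot: "bool secure_mode_policyload false;" is declared with a comment describing what it gates (loading policy, setting enforcing mode, changing booleans), but nothing in this file tests it: "can_loadpol(load_policy_t)" and "can_setbool(load_policy_t)" are unconditional. Either wrap them in "if (!secure_mode_policyload) { ... }" here, or add a comment naming the macro that does, so the "Set this to true and you have to reboot to set it back" promise is visibly backed by a rule. Also, "# Reload the policy configuration (sysadm_t no longer has this ability)" sits a few lines below "role sysadm_r types load_policy_t;" while the only transition is "domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)"; a sentence saying why sysadm_r is still authorized for the domain (the secadmin attribute membership, presumably) would save the next reader the question.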
45
mls/domains/program/loadkeys.te
Normal file
@ -0,0 +1,45 @@
|
||||
#DESC loadkeys - for changing to unicode at login time
|
||||
#
|
||||
# Author: Russell Coker <russell@coker.com.au>
|
||||
#
|
||||
# X-Debian-Packages: console-tools
|
||||
|
||||
#
|
||||
# loadkeys_exec_t is the type of the wrapper
|
||||
#
|
||||
type loadkeys_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
can_exec(initrc_t, loadkeys_exec_t)
|
||||
|
||||
# Derived domain based on the calling user domain and the program.
|
||||
type loadkeys_t, domain;
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
|
||||
|
||||
uses_shlib(loadkeys_t)
|
||||
dontaudit loadkeys_t proc_t:dir search;
|
||||
allow loadkeys_t proc_t:file { getattr read };
|
||||
allow loadkeys_t self:process { fork sigchld };
|
||||
|
||||
allow loadkeys_t self:fifo_file rw_file_perms;
|
||||
allow loadkeys_t bin_t:dir search;
|
||||
allow loadkeys_t bin_t:lnk_file read;
|
||||
can_exec(loadkeys_t, { shell_exec_t bin_t })
|
||||
|
||||
read_locale(loadkeys_t)
|
||||
|
||||
dontaudit loadkeys_t etc_runtime_t:file { getattr read };
|
||||
|
||||
# Use capabilities.
|
||||
allow loadkeys_t self:capability { setuid sys_tty_config };
|
||||
|
||||
allow loadkeys_t local_login_t:fd use;
|
||||
allow loadkeys_t devtty_t:chr_file rw_file_perms;
|
||||
|
||||
# The user role is authorized for this domain.
|
||||
in_user_role(loadkeys_t)
|
||||
|
||||
# Write to the user domain tty.
|
||||
allow loadkeys_t ttyfile:chr_file rw_file_perms;
|
||||
|
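Review bot: the combination of "domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)", "allow loadkeys_t self:capability { setuid sys_tty_config };" and "can_exec(loadkeys_t, { shell_exec_t bin_t })" means any unprivileged user can enter a domain that runs a shell and anything under bin_t with setuid and sys_tty_config. That is only acceptable if the wrapper ("loadkeys_exec_t is the type of the wrapper") is a fixed, root-owned script whose behaviour the user cannot steer through arguments or environment; say so in a comment and narrow can_exec to the executable types the wrapper actually invokes rather than all of bin_t. Minor: initrc_t is given "can_exec(initrc_t, loadkeys_exec_t)" and so runs the wrapper in its own domain while users transition; a one-line comment noting that the two paths differ on purpose would help.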
11
mls/domains/program/lockdev.te
Normal file
@ -0,0 +1,11 @@
|
||||
#DESC Lockdev - libblockdev helper application
|
||||
#
|
||||
# Authors: Daniel Walsh <dwalsh@redhat.com>
|
||||
#
|
||||
|
||||
|
||||
# Type for the lockdev
|
||||
type lockdev_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
# Everything else is in the lockdev_domain macro in
|
||||
# macros/program/lockdev_macros.te.
|
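Review bot: the description line names the wrong library. "#DESC Lockdev - libblockdev helper application" should read liblockdev, the device lock-file library that the lockdev helper belongs to; libblockdev is unrelated. Fix the DESC and, as java.te and klogd.te do, add an "X-Debian-Packages:" header line.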
234
mls/domains/program/login.te
Normal file
@ -0,0 +1,234 @@
|
||||
#DESC Login - Local/remote login utilities
|
||||
#
|
||||
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||||
# Macroised by Russell Coker <russell@coker.com.au>
|
||||
# X-Debian-Packages: login
|
||||
#
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the local_login_t domain
|
||||
# and the remote_login_t domain.
|
||||
#
|
||||
|
||||
# $1 is the name of the domain (local or remote)
|
||||
define(`login_domain', `
|
||||
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
|
||||
role system_r types $1_login_t;
|
||||
|
||||
dontaudit $1_login_t shadow_t:file { getattr read };
|
||||
|
||||
general_domain_access($1_login_t);
|
||||
|
||||
# Read system information files in /proc.
|
||||
r_dir_file($1_login_t, proc_t)
|
||||
|
||||
base_file_read_access($1_login_t)
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
allow $1_login_t readable_t:dir r_dir_perms;
|
||||
allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
|
||||
|
||||
# Read /var, /var/spool
|
||||
allow $1_login_t { var_t var_spool_t }:dir search;
|
||||
|
||||
# for when /var/mail is a sym-link
|
||||
allow $1_login_t var_t:lnk_file read;
|
||||
|
||||
# Read /etc.
|
||||
r_dir_file($1_login_t, etc_t)
|
||||
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
||||
|
||||
read_locale($1_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
allow $1_login_t urandom_device_t:chr_file { getattr read };
|
||||
|
||||
# Read executable types.
|
||||
allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
|
||||
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow $1_login_t device_t:dir r_dir_perms;
|
||||
allow $1_login_t device_t:lnk_file r_file_perms;
|
||||
|
||||
uses_shlib($1_login_t);
|
||||
|
||||
tmp_domain($1_login)
|
||||
|
||||
ifdef(`pam.te', `
|
||||
can_exec($1_login_t, pam_exec_t)
|
||||
')
|
||||
|
||||
ifdef(`pamconsole.te', `
|
||||
rw_dir_create_file($1_login_t, pam_var_console_t)
|
||||
domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
|
||||
')
|
||||
|
||||
ifdef(`alsa.te', `
|
||||
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
||||
')
|
||||
|
||||
# Use capabilities
|
||||
allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
||||
allow $1_login_t self:process setrlimit;
|
||||
dontaudit $1_login_t sysfs_t:dir search;
|
||||
|
||||
# Set exec context.
|
||||
can_setexec($1_login_t)
|
||||
|
||||
allow $1_login_t autofs_t:dir { search read getattr };
|
||||
allow $1_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
if (use_nfs_home_dirs) {
|
||||
r_dir_file($1_login_t, nfs_t)
|
||||
}
|
||||
|
||||
if (use_samba_home_dirs) {
|
||||
r_dir_file($1_login_t, cifs_t)
|
||||
}
|
||||
|
||||
# Login can polyinstantiate
|
||||
polyinstantiater($1_login_t)
|
||||
|
||||
# FIXME: what is this for?
|
||||
ifdef(`xdm.te', `
|
||||
allow xdm_t $1_login_t:process signull;
|
||||
')
|
||||
|
||||
ifdef(`crack.te', `
|
||||
allow $1_login_t crack_db_t:file r_file_perms;
|
||||
')
|
||||
|
||||
# Permit login to search the user home directories.
|
||||
allow $1_login_t home_root_t:dir search;
|
||||
allow $1_login_t home_dir_type:dir search;
|
||||
|
||||
# Write to /var/run/utmp.
|
||||
allow $1_login_t var_run_t:dir search;
|
||||
allow $1_login_t initrc_var_run_t:file rw_file_perms;
|
||||
|
||||
# Write to /var/log/wtmp.
|
||||
allow $1_login_t var_log_t:dir search;
|
||||
allow $1_login_t wtmp_t:file rw_file_perms;
|
||||
|
||||
# Write to /var/log/lastlog.
|
||||
allow $1_login_t lastlog_t:file rw_file_perms;
|
||||
|
||||
# Write to /var/log/btmp
|
||||
allow $1_login_t faillog_t:file { lock append read write };
|
||||
|
||||
# Search for mail spool file.
|
||||
allow $1_login_t mail_spool_t:dir r_dir_perms;
|
||||
allow $1_login_t mail_spool_t:file getattr;
|
||||
allow $1_login_t mail_spool_t:lnk_file read;
|
||||
|
||||
# Get security policy decisions.
|
||||
can_getsecurity($1_login_t)
|
||||
|
||||
# allow read access to default_contexts in /etc/security
|
||||
allow $1_login_t default_context_t:file r_file_perms;
|
||||
allow $1_login_t default_context_t:dir search;
|
||||
r_dir_file($1_login_t, selinux_config_t)
|
||||
|
||||
allow $1_login_t mouse_device_t:chr_file { getattr setattr };
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
unconfined_domain($1_login_t)
|
||||
domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
|
||||
')
|
||||
|
||||
')dnl end login_domain macro
|
||||
#################################
|
||||
#
|
||||
# Rules for the local_login_t domain.
|
||||
#
|
||||
# local_login_t is the domain of a login process
|
||||
# spawned by getty.
|
||||
#
|
||||
# remote_login_t is the domain of a login process
|
||||
# spawned by rlogind.
|
||||
#
|
||||
# login_exec_t is the type of the login program
|
||||
#
|
||||
type login_exec_t, file_type, sysadmfile, exec_type;
|
||||
|
||||
login_domain(local)
|
||||
|
||||
# But also permit other user domains to be entered by login.
|
||||
login_spawn_domain(local_login, userdomain)
|
||||
|
||||
# Do not audit denied attempts to access devices.
|
||||
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
|
||||
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
|
||||
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
|
||||
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
|
||||
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
|
||||
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
|
||||
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Do not audit denied attempts to access /mnt.
|
||||
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
||||
|
||||
|
||||
# Create lock file.
|
||||
lock_domain(local_login)
|
||||
|
||||
# Read and write ttys.
|
||||
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
|
||||
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
|
||||
|
||||
# Relabel ttys.
|
||||
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
|
||||
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
|
||||
|
||||
ifdef(`gpm.te',
|
||||
`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
|
||||
|
||||
# Allow setting of attributes on sound devices.
|
||||
allow local_login_t sound_device_t:chr_file { getattr setattr };
|
||||
|
||||
# Allow setting of attributes on power management devices.
|
||||
allow local_login_t power_device_t:chr_file { getattr setattr };
|
||||
dontaudit local_login_t init_t:fd use;
|
||||
|
||||
#################################
|
||||
#
|
||||
# Rules for the remote_login_t domain.
|
||||
#
|
||||
|
||||
login_domain(remote)
|
||||
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
# since very weak authentication is used.
|
||||
login_spawn_domain(remote_login, unpriv_userdomain)
|
||||
|
||||
allow remote_login_t userpty_type:chr_file { setattr write };
|
||||
|
||||
# Use the pty created by rlogind.
|
||||
ifdef(`rlogind.te', `
|
||||
can_access_pty(remote_login_t, rlogind)
|
||||
# Relabel ptys created by rlogind.
|
||||
allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
# Use the pty created by telnetd.
|
||||
ifdef(`telnetd.te', `
|
||||
can_access_pty(remote_login_t, telnetd)
|
||||
# Relabel ptys created by telnetd.
|
||||
allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
|
||||
')
|
||||
|
||||
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
|
||||
allow remote_login_t fs_t:filesystem { getattr };
|
||||
|
||||
# Allow remote login to resolve host names (passed in via the -h switch)
|
||||
can_resolve(remote_login_t)
|
||||
|
||||
ifdef(`use_mcs', `
|
||||
ifdef(`getty.te', `
|
||||
range_transition getty_t login_exec_t s0 - s0:c0.c127;
|
||||
')
|
||||
')
|
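Review bot: the login_domain macro hands every login domain the full MLS override set: "type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;". The file then instantiates it for remote_login_t and restricts that domain to unpriv_userdomain because "very weak authentication is used", but the MLS attributes are not restricted the same way, so the rlogin-spawned login can still read, write, upgrade and downgrade files across levels. Pass the MLS attributes as a macro argument and give remote only what it needs. Smaller points in the same hunk: "# Write to /var/log/btmp" sits above a rule on faillog_t, so either the comment or the type is wrong; "# FIXME: what is this for?" above the xdm_t signull rule should be resolved before merge; and the capability line "allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };" would benefit from per-capability comments, since net_bind_service and sys_resource on a login program are not obviously needed.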
Some files were not shown because too many files have changed in this diff.