cleanup inspired by sediff
This commit is contained in:
parent
16e9b0cb6b
commit
32e53ac1b8
@ -254,6 +254,12 @@ kernel_compute_selinux_relabel_context(rpm_script_t)
|
|||||||
kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
|
kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
|
||||||
kernel_read_system_state(rpm_script_t)
|
kernel_read_system_state(rpm_script_t)
|
||||||
|
|
||||||
|
# ideally we would not need this
|
||||||
|
devices_manage_generic_block_devices(rpm_script_t)
|
||||||
|
devices_manage_generic_character_devices(rpm_script_t)
|
||||||
|
devices_manage_all_block_devices(rpm_script_t)
|
||||||
|
devices_manage_all_character_devices(rpm_script_t)
|
||||||
|
|
||||||
filesystem_manage_nfs_files(rpm_script_t)
|
filesystem_manage_nfs_files(rpm_script_t)
|
||||||
filesystem_get_nfs_filesystem_attributes(rpm_script_t)
|
filesystem_get_nfs_filesystem_attributes(rpm_script_t)
|
||||||
# why is this not using mount?
|
# why is this not using mount?
|
||||||
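Review bot: The four `devices_manage_*` calls added under `# ideally we would not need this` give rpm_script_t considerably more than device-node management: as defined in this same commit, `devices_manage_all_character_devices` attaches the `memory_raw_read`/`memory_raw_write` attributes to the caller and `devices_manage_all_block_devices` pulls in `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` and the SCSI generic interfaces, so the scriptlet domain ends up with raw-memory and raw-disk access by attribute membership. The comment should name which scriptlets need this so it can be revisited, e.g. `# device node creation by MAKEDEV/udev-style scriptlets; note this also confers raw memory (memory_raw_*) and raw disk (storage_raw_*) access — revisit`. Calling both the generic and the all variants is only redundant if device_t itself carries the device_node attribute, which is not visible in this diff.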
@ -274,6 +280,7 @@ authlogin_manage_all_files_except_shadow(rpm_script_t)
|
|||||||
corecommands_execute_general_programs(rpm_script_t)
|
corecommands_execute_general_programs(rpm_script_t)
|
||||||
corecommands_execute_system_programs(rpm_script_t)
|
corecommands_execute_system_programs(rpm_script_t)
|
||||||
|
|
||||||
|
domain_read_all_domains_process_state(rpm_script_t)
|
||||||
domain_use_widely_inheritable_file_descriptors(rpm_script_t)
|
domain_use_widely_inheritable_file_descriptors(rpm_script_t)
|
||||||
domain_execute_all_entrypoint_programs(rpm_script_t)
|
domain_execute_all_entrypoint_programs(rpm_script_t)
|
||||||
domain_signal_all_domains(rpm_script_t)
|
domain_signal_all_domains(rpm_script_t)
|
||||||
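Review bot: `domain_read_all_domains_process_state(rpm_script_t)` replaces the per-rule /proc reads from the old TODO block, but the `dontaudit rpm_script_t domain:process ptrace;` that sat beside them (with its procps /proc/pid/environ rationale) is deleted in a later hunk and nothing here re-adds it. Unless that interface dontaudits ptrace itself — its definition is not in this diff — scriptlets that run ps will now log one ptrace denial per process. Add a rule equivalent to `dontaudit rpm_script_t domain:process ptrace;` next to this call and carry over the procps comment, so the noise is not mistaken for an attack.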
@ -310,24 +317,12 @@ ifdef(`TODO',`
|
|||||||
|
|
||||||
allow rpm_script_t sysfs_t:dir r_dir_perms;
|
allow rpm_script_t sysfs_t:dir r_dir_perms;
|
||||||
|
|
||||||
# ideally we would not need this
|
|
||||||
allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
|
||||||
|
|
||||||
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
|
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
|
||||||
|
|
||||||
allow rpm_script_t autofs_t:dir { search getattr };
|
allow rpm_script_t autofs_t:dir { search getattr };
|
||||||
|
|
||||||
can_ypbind(rpm_script_t)
|
can_ypbind(rpm_script_t)
|
||||||
|
|
||||||
allow rpm_script_t domain:dir { search getattr read };
|
|
||||||
allow rpm_script_t domain:{ file lnk_file } { read getattr };
|
|
||||||
allow rpm_script_t domain:process getattr;
|
|
||||||
# We need to suppress this denial because procps tries to access
|
|
||||||
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
||||||
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
||||||
# running in a privileged domain.
|
|
||||||
dontaudit rpm_script_t domain:process ptrace;
|
|
||||||
|
|
||||||
optional_policy(`automount.te', `
|
optional_policy(`automount.te', `
|
||||||
allow rpm_script_t autofs_t:dir { search getattr };
|
allow rpm_script_t autofs_t:dir { search getattr };
|
||||||
')
|
')
|
||||||
|
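Review bot: The removed `allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { ... }` was keyed on the `device_type` attribute, while its replacements elsewhere in this commit use `device_node`; whether the two attributes cover the same set of types is not visible here, so a type carrying one but not the other silently changes access in either direction — worth a one-line note at the new calls or an explicit sediff check. These lines are inside `ifdef(`TODO',` and so were inert, which is why the deletion itself changes nothing. Separately, `allow rpm_script_t autofs_t:dir { search getattr };` survives twice in this block, once bare and once under `optional_policy(`automount.te',`; the bare copy can be dropped.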
@ -298,9 +298,6 @@ devices_get_pseudorandom_data(passwd_t)
|
|||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(passwd_t)
|
filesystem_get_persistent_filesystem_attributes(passwd_t)
|
||||||
|
|
||||||
terminal_use_all_private_physical_terminals(passwd_t)
|
|
||||||
terminal_use_all_private_pseudoterminals(passwd_t)
|
|
||||||
|
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_script_ignore_modify_runtime_data(passwd_t)
|
init_script_ignore_modify_runtime_data(passwd_t)
|
||||||
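Review bot: Dropping `terminal_use_all_private_physical_terminals(passwd_t)` and `terminal_use_all_private_pseudoterminals(passwd_t)` makes the per-role `usermanage_passwd_transition_add_role_use_terminal` calls the only source of terminal access for passwd_t, so every domain that can reach passwd_t must now pass its own terminal types; the firstboot transition removed from the TODO block below, and anything built outside `user_domain_template`, are not covered by what this diff shows. A comment at the removal site such as `# terminal access is granted per caller via usermanage_passwd_transition_add_role_use_terminal` would keep someone from re-adding the blanket rules. The narrowing itself is in the right direction: passwd_t could previously read and write every user's pty, not just the caller's.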
@ -320,7 +317,10 @@ miscfiles_read_localization(passwd_t)
|
|||||||
authlogin_manage_shadow_passwords(passwd_t)
|
authlogin_manage_shadow_passwords(passwd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types passwd_t;
|
|
||||||
|
ifdef(`firstboot.te',`
|
||||||
|
domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
# Update /etc/shadow and /etc/passwd
|
# Update /etc/shadow and /etc/passwd
|
||||||
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||||
@ -340,7 +340,7 @@ allow passwd_t shell_exec_t:file execute;
|
|||||||
# user generally runs this from their home directory, so do not audit a search
|
# user generally runs this from their home directory, so do not audit a search
|
||||||
# on user home dir
|
# on user home dir
|
||||||
dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
|
dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
|
||||||
in_user_role(passwd_t)
|
|
||||||
# make sure that getcon succeeds
|
# make sure that getcon succeeds
|
||||||
allow passwd_t userdomain:dir search;
|
allow passwd_t userdomain:dir search;
|
||||||
allow passwd_t userdomain:file read;
|
allow passwd_t userdomain:file read;
|
||||||
@ -356,7 +356,6 @@ allow passwd_t crack_db_t:file r_file_perms;
|
|||||||
', `
|
', `
|
||||||
dontaudit passwd_t var_t:dir search;
|
dontaudit passwd_t var_t:dir search;
|
||||||
')
|
')
|
||||||
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -218,6 +218,38 @@ class chr_file { getattr read write ioctl };
|
|||||||
class blk_file { getattr read write ioctl };
|
class blk_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_manage_generic_block_devices(domain)
|
||||||
|
#
|
||||||
|
define(`devices_manage_generic_block_devices',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 device_t:dir { getattr search read write add_name remove_name };
|
||||||
|
allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_manage_generic_block_devices_depend',`
|
||||||
|
type device_t;
|
||||||
|
class dir { getattr search read };
|
||||||
|
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_manage_generic_character_devices(domain)
|
||||||
|
#
|
||||||
|
define(`devices_manage_generic_character_devices',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 device_t:dir { getattr search read write add_name remove_name };
|
||||||
|
allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_manage_generic_character_devices_depend',`
|
||||||
|
type device_t;
|
||||||
|
class dir { getattr search read };
|
||||||
|
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# devices_create_dev_entry(domain,file,objectclass(es))
|
# devices_create_dev_entry(domain,file,objectclass(es))
|
||||||
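Review bot: The `_depend` blocks for `devices_manage_generic_block_devices` and `devices_manage_generic_character_devices` declare `class dir { getattr search read };` while the interface bodies allow `{ getattr search read write add_name remove_name }` on `device_t:dir`, so the require block under-declares the permissions the rules use; change both to `class dir { getattr search read write add_name remove_name };`. The header comments should also say that these grant `create`/`unlink`/`rename` of nodes directly in /dev rather than only read/write of existing nodes, which is more than a reader of `manage` may expect. Using the XML `## <interface>`/`<description>`/`<infoflow>` style this commit introduces for hostname would let that weight be recorded consistently.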
@ -324,6 +356,44 @@ attribute device_node;
|
|||||||
class chr_file setattr;
|
class chr_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_manage_all_block_devices(domain)
|
||||||
|
#
|
||||||
|
define(`devices_manage_all_block_devices',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 device_t:dir { getattr search read write add_name remove_name };
|
||||||
|
allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
# these next rules are to satisfy assertions broken by the above lines.
|
||||||
|
storage_raw_read_fixed_disk($1)
|
||||||
|
storage_raw_write_fixed_disk($1)
|
||||||
|
storage_read_scsi_generic($1)
|
||||||
|
storage_write_scsi_generic($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_manage_generic_block_devices_depend',`
|
||||||
|
attribute device_node;
|
||||||
|
class dir { getattr search read };
|
||||||
|
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# devices_manage_all_character_devices(domain)
|
||||||
|
#
|
||||||
|
define(`devices_manage_all_character_devices',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 device_t:dir { getattr search read write add_name remove_name };
|
||||||
|
allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
typeattribute $1 memory_raw_read, memory_raw_write;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`devices_manage_all_character_devices_depend',`
|
||||||
|
attribute device_node, memory_raw_read, memory_raw_write;
|
||||||
|
class dir { getattr search read };
|
||||||
|
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# devices_raw_read_memory(domain)
|
# devices_raw_read_memory(domain)
|
||||||
|
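Review bot: The require block for `devices_manage_all_block_devices` is defined under the wrong name, `define(`devices_manage_generic_block_devices_depend',`, at the end of that interface. In m4 the later definition wins, so this silently replaces the generic interface's require block (which now asks for `attribute device_node` while the generic body uses `type device_t`), and `devices_manage_all_block_devices` has no `devices_manage_all_block_devices_depend` at all for its `requires_block_template(`$0'_depend)` call; rename it to `define(`devices_manage_all_block_devices_depend',`. As in the generic variants, `class dir { getattr search read };` omits the `write add_name remove_name` the body uses. Both `all` interfaces should state in their headers that they confer raw fixed-disk/SCSI-generic access through the `storage_raw_*` calls and the `memory_raw_read`/`memory_raw_write` attributes, since the name alone does not suggest raw memory and disk access.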
@ -1,8 +1,17 @@
|
|||||||
# Copyright (C) 2005 Tresys Technology, LLC
|
# Copyright (C) 2005 Tresys Technology, LLC
|
||||||
|
## <module name="hostname" layer="keyservices">
|
||||||
|
## <summary>Policy for changing the system host name.</summary>
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="hostname_transition">
|
||||||
# hostname_transition(domain)
|
## <description>
|
||||||
|
## Execute hostname in the hostname domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`hostname_transition',`
|
define(`hostname_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -18,6 +27,36 @@ class file { getattr read execute };
|
|||||||
class process { transition noatsecure siginh rlimitinh };
|
class process { transition noatsecure siginh rlimitinh };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="hostname_transition_add_role_use_terminal">
|
||||||
|
## <description>
|
||||||
|
## Execute hostname in the hostname domain, and
|
||||||
|
## allow the specified role the hostname domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <parameter name="role">
|
||||||
|
## The role to be allowed the hostname domain.
|
||||||
|
## </parameter>
|
||||||
|
## <parameter name="terminal">
|
||||||
|
## The type of the terminal allow the hostname domain to use.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
|
define(`hostname_transition_add_role_use_terminal',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
hostname_transition($1)
|
||||||
|
role $2 types hostname_t;
|
||||||
|
allow hostname_t $3:chr_file { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`hostname_transition_add_role_use_terminal_depend',`
|
||||||
|
type hostname_t;
|
||||||
|
class chr_file { getattr read write ioctl };
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hostname_execute(domain)
|
# hostname_execute(domain)
|
||||||
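Review bot: The parameter description `## The type of the terminal allow the hostname domain to use.` is missing a word; `## The type of the terminal to allow the hostname domain to use.` reads correctly. A bare `#` line is left between `## </interface>` and `define(`hostname_transition_add_role_use_terminal',`, a leftover of the pre-XML header style that the converted `hostname_transition` header above also retains; both can go. The depend block declares only `type hostname_t;` and the chr_file permissions and relies on the nested `hostname_transition($1)` call for the transition requirements, which is fine if `requires_block_template` tolerates nesting — its definition is not in this diff.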
@ -31,3 +70,5 @@ define(`hostname_execute_depend',`
|
|||||||
type hostname_exec_t;
|
type hostname_exec_t;
|
||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
@ -205,6 +205,11 @@ if (user_ttyfile_stat) {
|
|||||||
terminal_get_all_private_physical_terminal_attributes($1_t)
|
terminal_get_all_private_physical_terminal_attributes($1_t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
optional_policy(`usermanage.te',`
|
||||||
|
usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
|
usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||||
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
# When the user domain runs ps, there will be a number of access
|
# When the user domain runs ps, there will be a number of access
|
||||||
|
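Review bot: The new `optional_policy(`usermanage.te',` block in the user domain template is now what gives passwd_t and chfn_t both their terminal access and their authorization for `$1_r`, replacing the blanket `terminal_use_all_private_*` grants this commit removes from the passwd domain; a comment such as `# passwd/chfn get only this user's terminals; the global terminal grants were removed` would keep a future fix from re-widening passwd_t. Passing `{ $1_devpts_t $1_tty_device_t }` as a single argument works because the set contains no commas, but it relies on the interface using `$3` only inside an allow rule, as the hostname variant in this commit does. The enclosing template definition starts before this hunk.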
@ -75,6 +75,7 @@ bool user_tcp_server false;
|
|||||||
# Allow w to display everyone
|
# Allow w to display everyone
|
||||||
bool user_ttyfile_stat false;
|
bool user_ttyfile_stat false;
|
||||||
|
|
||||||
|
admin_domain_template(sysadm)
|
||||||
user_domain_template(staff)
|
user_domain_template(staff)
|
||||||
user_domain_template(user)
|
user_domain_template(user)
|
||||||
|
|
||||||
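Review bot: `admin_domain_template(sysadm)` is moved above the staff and user templates with no comment explaining why; the reason visible in the next hunk is that `role_change(sysadm, user)` emits `allow sysadm_r user_r;` and `type_change` rules on `sysadm_devpts_t`/`sysadm_tty_device_t`, which need sysadm's role and types declared first. A one-liner here, `# sysadm must be declared before the role_change rules below`, would keep the ordering from being tidied back later.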
@ -83,18 +84,38 @@ user_domain_template(user)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
#allow privhome home_root_t:dir { getattr search };
|
# user role change rules:
|
||||||
|
define(`role_change',`
|
||||||
|
allow $1_r $2_r;
|
||||||
|
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
|
||||||
|
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
|
||||||
|
# avoid annoying messages on terminal hangup
|
||||||
|
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
|
||||||
|
')
|
||||||
|
|
||||||
|
# sysadm_r can change to user roles
|
||||||
|
role_change(sysadm, user)
|
||||||
|
role_change(sysadm, staff)
|
||||||
|
|
||||||
|
# only staff_r can change to sysadm_r
|
||||||
|
role_change(staff, sysadm)
|
||||||
|
|
||||||
|
tunable_policy(`user_canbe_sysadm',`
|
||||||
|
role_change(user,sysadm)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
allow privhome home_root_t:dir { getattr search };
|
||||||
|
|
||||||
# Add/remove user home directories
|
# Add/remove user home directories
|
||||||
#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Sysadm local policy
|
# Sysadm local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
admin_domain_template(sysadm)
|
|
||||||
|
|
||||||
# for su
|
# for su
|
||||||
allow sysadm_t userdomain:fd use;
|
allow sysadm_t userdomain:fd use;
|
||||||
|
|
||||||
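Review bot: `role_change(user,sysadm)` inside `tunable_policy(`user_canbe_sysadm',` expands to `allow user_r sysadm_r;`, and a role allow statement is not accepted inside a conditional block in the SELinux policy language (only AV rules and type_transition/type_change/type_member are); if `tunable_policy` expands to an `if` as elsewhere in this policy, the build fails rather than producing a runtime toggle. Either make it a build-time switch, `ifdef(`user_canbe_sysadm',` role_change(user,sysadm) `)`, or keep the role allow unconditional and gate only the type_change/dontaudit lines. Also, `allow $1_r $2_r;` authorizes the role transition in one direction only, so the three unconditional calls give sysadm_r → user_r/staff_r and staff_r → sysadm_r but no user_r → staff_r path; a comment stating that this asymmetry is intended would help, since the existing comments describe only the sysadm side.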
@ -102,6 +123,14 @@ optional_policy(`bootloader.te',`
|
|||||||
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`clock.te',`
|
||||||
|
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`hostname.te',`
|
||||||
|
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`iptables.te',`
|
optional_policy(`iptables.te',`
|
||||||
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
@ -142,6 +171,7 @@ optional_policy(`sysnetwork.te',`
|
|||||||
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`clock.te',`
|
optional_policy(`usermanage.te',`
|
||||||
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
|
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
|
||||||
')
|
')
|
||||||
|
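Review bot: sysadm_r gains groupadd_t and useradd_t here, but no `usermanage_passwd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)` or chfn equivalent appears anywhere in this diff; with the blanket terminal rules removed from passwd_t in this commit, passwd run from sysadm_t only keeps its terminal if `admin_domain_template` itself goes through `user_domain_template`, whose definition is not shown. Worth confirming with sediff, or adding the two calls to this block alongside groupadd/useradd.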