trunk: 5 patches from dan.
This commit is contained in:
parent
0cf1d56018
commit
3392356f36
@ -13,6 +13,7 @@
|
||||
- Remove node definitions and change node usage to generic nodes.
|
||||
- Add kernel_service access vectors, from Stephen Smalley.
|
||||
- Added modules:
|
||||
certmaster (Dan Walsh)
|
||||
git (Dan Walsh)
|
||||
guest (Dan Walsh)
|
||||
ifplugd (Dan Walsh)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork, 1.11.5)
|
||||
policy_module(corenetwork, 1.11.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -79,6 +79,7 @@ network_port(audit, tcp,60,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||
network_port(certmaster, tcp,51235,s0)
|
||||
network_port(clamd, tcp,3310,s0)
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
|
||||
@ -145,6 +146,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
network_port(postgrey, tcp,60000,s0)
|
||||
network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
|
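Review bot: `network_port(postgrey, tcp,60000,s0)` appears to be the single line this hunk adds (the header admits one addition and it is the entry absent from the surrounding context), and 60000 lies inside the default Linux ephemeral range (32768–60999). Once the port is labeled postgrey_port_t it no longer falls back to the generic port_t, so a domain that today connects to or binds an arbitrary unreserved port without a postgrey interface may start seeing denials on exactly that port; the inference about which line is new is mine, the raw diff would confirm it. The changelog hunk at the top of this commit does not mention the new port, so a short comment on the line, e.g. `# postgrey default port, inside the ephemeral range`, would record the decision.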
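--- a/policy/modules/services/certmaster.fc
+++ b/policy/modules/services/certmaster.fc
@@ -0,0 +1,7 @@
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)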
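Review bot: There is no file context for /var/lib/certmaster even though certmaster.te in this same commit declares certmaster_var_lib_t, grants manage rules on it and relies on files_var_lib_filetrans to create it; anything already present under /var/lib/certmaster at relabel time would stay var_lib_t, outside the daemon's manage rules. If the daemon keeps state there, add `/var/lib/certmaster(/.*)?	gen_context(system_u:object_r:certmaster_var_lib_t,s0)` between the /usr and /var/log entries. The `/var/run/certmaster.*` entry carries no file-type flag, so it also matches directories and sockets, which is fine if that is intended (the .te creates both files and sock_files there).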
126
policy/modules/services/certmaster.if
Normal file
126
policy/modules/services/certmaster.if
Normal file
@ -0,0 +1,126 @@
|
||||
## <summary>Certmaster SSL certificate distribution service</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run certmaster.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_domtrans',`
|
||||
gen_require(`
|
||||
type certmaster_t, certmaster_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## read certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_read_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_append_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## certmaster logs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`certmaster_manage_log',`
|
||||
gen_require(`
|
||||
type certmaster_var_log_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an snort environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`certmaster_admin',`
|
||||
gen_require(`
|
||||
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
|
||||
type certmaster_etc_rw_t, certmaster_var_log_t;
|
||||
type certmaster_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 certmaster_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, certmaster_t)
|
||||
|
||||
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 certmaster_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
miscfiles_manage_cert_dirs($1)
|
||||
miscfiles_manage_cert_files($1)
|
||||
|
||||
admin_pattern($1, certmaster_etc_rw_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, certmaster_var_run_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, certmaster_var_log_t)
|
||||
|
||||
files_list_var_lib($1)
|
||||
admin_pattern($1, certmaster_var_lib_t)
|
||||
')
|
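Review bot: The certmaster_admin documentation is a copy-paste leftover from other modules: the summary reads `## an snort environment` and the role parameter reads `## The role to be allowed to manage the syslog domain.`, neither of which describes this interface. Change them to `## a certmaster environment` and `## The role to be allowed to manage the certmaster domain.`; the generated interface reference is what administrators read when deciding what this role grants, so the wrong names matter more here than in a code comment. The certmaster_read_log summary `## read certmaster logs.` should also be capitalised to match its siblings. No code change is needed in this file.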
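--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -0,0 +1,72 @@
+
+policy_module(certmaster, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmaster_t;
+type certmaster_exec_t;
+init_daemon_domain(certmaster_t, certmaster_exec_t)
+
+type certmaster_initrc_exec_t;
+init_script_file(certmaster_initrc_exec_t)
+
+type certmaster_etc_rw_t;
+files_type(certmaster_etc_rw_t)
+
+type certmaster_var_lib_t;
+files_type(certmaster_var_lib_t)
+
+type certmaster_var_log_t;
+logging_log_file(certmaster_var_log_t)
+
+type certmaster_var_run_t;
+files_pid_file(certmaster_var_run_t)
+
+###########################################
+#
+# certmaster local policy
+#
+
+allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:tcp_socket create_stream_socket_perms;
+
+# config files
+list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
+
+# var/lib files for certmaster
+manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
+files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+
+# log files
+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
+logging_log_filetrans(certmaster_t, certmaster_var_log_t, file )
+
+# pid file
+manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
+files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
+
+# read meminfo
+kernel_read_system_state(certmaster_t)
+
+corecmd_search_bin(certmaster_t)
+corecmd_getattr_bin_files(certmaster_t)
+
+corenet_tcp_bind_generic_node(certmaster_t)
+corenet_tcp_bind_certmaster_port(certmaster_t)
+
+files_search_etc(certmaster_t)
+files_list_var(certmaster_t)
+files_search_var_lib(certmaster_t)
+
+auth_use_nsswitch(certmaster_t)
+
+miscfiles_read_localization(certmaster_t)
+
+miscfiles_manage_cert_dirs(certmaster_t)
+miscfiles_manage_cert_files(certmaster_t)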
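Review bot: `allow certmaster_t self:capability sys_tty_config;` grants a capability that the rest of this commit handles with a dontaudit (`dontaudit clvmd_t self:capability sys_tty_config;` and the lvm_t equivalent in the lvm.te hunks), and a network daemon has no obvious reason to configure terminals; unless certmaster really needs it, `dontaudit certmaster_t self:capability sys_tty_config;` is the form to use. The tor.te hunk in this commit adds sys_tty_config to tor_t's allow set in the same way and deserves the same question. Separately, the domain may bind certmaster_port_t but I see none of the corenet sendrecv rules for interfaces, nodes and ports that other daemons carry, so traffic on the listening socket may be denied at runtime; worth checking against the daemon's AVC log before merging. Minor: `files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })` has a misplaced comma.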
@ -10,6 +10,8 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
||||
|
||||
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
|
||||
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||
|
@ -140,6 +140,63 @@ interface(`mysql_manage_db_dirs',`
|
||||
allow $1 mysqld_db_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to the MySQL database directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_append_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write to the MySQL database directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_rw_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete MySQL database files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mysql_manage_db_files',`
|
||||
gen_require(`
|
||||
type mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write to the MySQL database
|
||||
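Review bot: The summaries of the two new interfaces describe a directory while their bodies grant file access: `## Append to the MySQL database directory.` sits above append_files_pattern and `## Read and write to the MySQL database directory.` above rw_files_pattern. Rename them `## Append to MySQL database files.` and `## Read and write MySQL database files.` so they match mysql_manage_db_files, whose summary already says files, and so a caller does not assume directory write access is included. The mysql_search_pid_files block in the next hunk also carries a stray `##` line before its closing `#`.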
@ -180,6 +237,25 @@ interface(`mysql_write_log',`
|
||||
allow $1 mysqld_log_t:file { write_file_perms setattr };
|
||||
')
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Search MySQL PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`mysql_search_pid_files',`
|
||||
gen_require(`
|
||||
type mysqld_var_run_t;
|
||||
')
|
||||
|
||||
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate an mysql environment
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mysql, 1.10.3)
|
||||
policy_module(mysql, 1.10.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,10 @@ type mysqld_t;
|
||||
type mysqld_exec_t;
|
||||
init_daemon_domain(mysqld_t, mysqld_exec_t)
|
||||
|
||||
type mysqld_safe_t;
|
||||
type mysqld_safe_exec_t;
|
||||
init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
|
||||
|
||||
type mysqld_var_run_t;
|
||||
files_pid_file(mysqld_var_run_t)
|
||||
|
||||
@ -121,3 +125,34 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(mysqld_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Local mysqld_safe policy
|
||||
#
|
||||
|
||||
allow mysqld_safe_t self:capability { dac_override fowner chown };
|
||||
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||
|
||||
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
kernel_read_system_state(mysqld_safe_t)
|
||||
|
||||
dev_list_sysfs(mysqld_safe_t)
|
||||
|
||||
files_read_etc_files(mysqld_safe_t)
|
||||
files_read_usr_files(mysqld_safe_t)
|
||||
|
||||
corecmd_exec_bin(mysqld_safe_t)
|
||||
|
||||
hostname_exec(mysqld_safe_t)
|
||||
|
||||
miscfiles_read_localization(mysqld_safe_t)
|
||||
|
||||
mysql_append_db_files(mysqld_safe_t)
|
||||
mysql_read_config(mysqld_safe_t)
|
||||
mysql_search_pid_files(mysqld_safe_t)
|
||||
mysql_write_log(mysqld_safe_t)
|
||||
|
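Review bot: The new mysqld_safe_t block calls the module's own interfaces (`mysql_append_db_files`, `mysql_read_config`, `mysql_search_pid_files`, `mysql_write_log`), which refpolicy style discourages inside the defining module since the types are local; the direct pattern is preferable, e.g. `append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` for the first. `allow mysqld_safe_t self:capability { dac_override fowner chown };` also needs a comment on what the wrapper does that requires dac_override, because that capability bypasses file permission checks for the whole domain and is the one reviewers will want justified later. The mysqld_safe_t declaration itself is in an earlier hunk of this file.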
@ -8,5 +8,7 @@
|
||||
|
||||
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
||||
/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
|
||||
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
|
||||
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
|
||||
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
||||
/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
@ -19,6 +19,24 @@ interface(`squid_domtrans',`
|
||||
domtrans_pattern($1, squid_exec_t, squid_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute squid
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`squid_exec',`
|
||||
gen_require(`
|
||||
type squid_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1, squid_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to squid.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(squid, 1.8.2)
|
||||
policy_module(squid, 1.8.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -118,6 +118,7 @@ dev_read_urand(squid_t)
|
||||
|
||||
fs_getattr_all_fs(squid_t)
|
||||
fs_search_auto_mountpoints(squid_t)
|
||||
fs_list_inotifyfs(squid_t)
|
||||
|
||||
selinux_dontaudit_getattr_dir(squid_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(tor, 1.5.2)
|
||||
policy_module(tor, 1.5.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -34,7 +34,7 @@ files_pid_file(tor_var_run_t)
|
||||
# tor local policy
|
||||
#
|
||||
|
||||
allow tor_t self:capability { setgid setuid };
|
||||
allow tor_t self:capability { setgid setuid sys_tty_config };
|
||||
allow tor_t self:fifo_file rw_fifo_file_perms;
|
||||
allow tor_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
@ -55,6 +55,7 @@ ifdef(`distro_gentoo',`
|
||||
/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
|
||||
@ -94,6 +95,7 @@ ifdef(`distro_gentoo',`
|
||||
# /var
|
||||
#
|
||||
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
|
||||
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
|
||||
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
|
||||
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
|
||||
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
|
||||
|
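Review bot: `/var/lib/multipath(/.*)?` is printed twice in this hunk, once before `/var/lock/lvm` and once after the added `/var/run/multipathd\.sock` entry, and by my count the header admits one deletion and two additions, so from the rendered page I cannot tell whether the result keeps both specs or moves the line out of path order. If both survive, drop the duplicate; if it moved, keep it above `/var/lock/lvm` where the file is sorted. The `-s` socket entry itself looks correct.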
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(lvm, 1.10.2)
|
||||
policy_module(lvm, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -44,9 +44,9 @@ files_tmp_file(lvm_tmp_t)
|
||||
# Cluster LVM daemon local policy
|
||||
#
|
||||
|
||||
allow clvmd_t self:capability { sys_admin mknod };
|
||||
allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
|
||||
dontaudit clvmd_t self:capability sys_tty_config;
|
||||
allow clvmd_t self:process signal_perms;
|
||||
allow clvmd_t self:process { signal_perms setsched };
|
||||
dontaudit clvmd_t self:process ptrace;
|
||||
allow clvmd_t self:socket create_socket_perms;
|
||||
allow clvmd_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -85,10 +85,15 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
|
||||
corenet_sendrecv_generic_server_packets(clvmd_t)
|
||||
|
||||
dev_read_sysfs(clvmd_t)
|
||||
dev_manage_generic_symlinks(clvmd_t)
|
||||
dev_relabel_generic_dev_dirs(clvmd_t)
|
||||
dev_manage_generic_blk_files(clvmd_t)
|
||||
dev_manage_generic_chr_files(clvmd_t)
|
||||
dev_rw_lvm_control(clvmd_t)
|
||||
dev_dontaudit_getattr_all_blk_files(clvmd_t)
|
||||
dev_dontaudit_getattr_all_chr_files(clvmd_t)
|
||||
dev_create_generic_dirs(clvmd_t)
|
||||
dev_delete_generic_dirs(clvmd_t)
|
||||
|
||||
files_read_etc_files(clvmd_t)
|
||||
files_list_usr(clvmd_t)
|
||||
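Review bot: The added dev_manage_generic_symlinks, dev_relabel_generic_dev_dirs, dev_manage_generic_blk_files, dev_manage_generic_chr_files and dev_create_generic_dirs/dev_delete_generic_dirs rules let clvmd_t create, delete and relabel arbitrary device nodes and directories under /dev, which is much broader than the storage_manage_fixed_disk and storage_dev_filetrans_fixed_disk rules it already carries in the next hunk. If the need is only LVM volume nodes, a comment above the block naming the operations that triggered these denials would let a later reviewer narrow them; without one the grant will simply persist. The enclosing clvmd_t policy section continues outside this hunk.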
@ -99,19 +104,26 @@ fs_dontaudit_list_tmpfs(clvmd_t)
|
||||
fs_dontaudit_read_removable_files(clvmd_t)
|
||||
|
||||
storage_dontaudit_getattr_removable_dev(clvmd_t)
|
||||
storage_manage_fixed_disk(clvmd_t)
|
||||
storage_dev_filetrans_fixed_disk(clvmd_t)
|
||||
storage_relabel_fixed_disk(clvmd_t)
|
||||
storage_raw_read_fixed_disk(clvmd_t)
|
||||
|
||||
domain_use_interactive_fds(clvmd_t)
|
||||
|
||||
storage_raw_read_fixed_disk(clvmd_t)
|
||||
|
||||
auth_use_nsswitch(clvmd_t)
|
||||
|
||||
init_dontaudit_getattr_initctl(clvmd_t)
|
||||
|
||||
logging_send_syslog_msg(clvmd_t)
|
||||
|
||||
miscfiles_read_localization(clvmd_t)
|
||||
|
||||
seutil_dontaudit_search_config(clvmd_t)
|
||||
seutil_sigchld_newrole(clvmd_t)
|
||||
seutil_read_config(clvmd_t)
|
||||
seutil_read_file_contexts(clvmd_t)
|
||||
seutil_search_default_contexts(clvmd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(clvmd_t)
|
||||
@ -119,6 +131,12 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t)
|
||||
lvm_domtrans(clvmd_t)
|
||||
lvm_read_config(clvmd_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
unconfined_domain(clvmd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ccs_stream_connect(clvmd_t)
|
||||
')
|
||||
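Review bot: `unconfined_domain(clvmd_t)` under `ifdef(`distro_redhat',` removes confinement for the daemon entirely on that distro, making every other clvmd_t rule in this file moot there; the lvm_t hunk later in this commit adds the same for lvm_t. If this is a stop-gap for unresolved denials, a comment saying so and naming what is still missing keeps it from becoming permanent, and the specific dev_* and storage_* rules added elsewhere in this commit suggest most of the concrete permissions are already known. Consider gating it on a tunable rather than applying it unconditionally for the distro.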
@ -143,17 +161,19 @@ optional_policy(`
|
||||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
# rawio needed for dmraid
|
||||
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
|
||||
# net_admin for multipath
|
||||
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
|
||||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
allow lvm_t self:process setsched;
|
||||
allow lvm_t self:file rw_file_perms;
|
||||
allow lvm_t self:fifo_file rw_file_perms;
|
||||
allow lvm_t self:fifo_file rw_fifo_file_perms;
|
||||
allow lvm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
allow lvm_t clvmd_t:unix_stream_socket connectto;
|
||||
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
|
||||
|
||||
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
|
||||
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
|
||||
@ -185,6 +205,7 @@ read_lnk_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
|
||||
manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
|
||||
filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
|
||||
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
|
||||
files_search_mnt(lvm_t)
|
||||
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_read_kernel_sysctls(lvm_t)
|
||||
@ -192,6 +213,7 @@ kernel_read_kernel_sysctls(lvm_t)
|
||||
kernel_read_kernel_sysctls(lvm_t)
|
||||
# it has no reason to need this
|
||||
kernel_dontaudit_getattr_core_if(lvm_t)
|
||||
kernel_use_fds(lvm_t)
|
||||
|
||||
selinux_get_fs_mount(lvm_t)
|
||||
selinux_validate_context(lvm_t)
|
||||
@ -244,7 +266,9 @@ corecmd_exec_bin(lvm_t)
|
||||
corecmd_exec_shell(lvm_t)
|
||||
|
||||
domain_use_interactive_fds(lvm_t)
|
||||
domain_read_all_domains_state(lvm_t)
|
||||
|
||||
files_read_usr_files(lvm_t)
|
||||
files_read_etc_files(lvm_t)
|
||||
files_read_etc_runtime_files(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
@ -268,6 +292,10 @@ userdom_use_user_terminals(lvm_t)
|
||||
ifdef(`distro_redhat',`
|
||||
# this is from the initrd:
|
||||
files_rw_isid_type_dirs(lvm_t)
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(lvm_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -282,6 +310,25 @@ optional_policy(`
|
||||
gpm_dontaudit_getattr_gpmctl(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(lvm_t)
|
||||
|
||||
hal_dbus_chat(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_insmod(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_manage_script_tmp_files(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xen_append_log(lvm_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(lvm_t)
|
||||
')
|
||||
|