rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

trunk: merge strict and targeted policies. merge shlib_t into lib_t.

Browse Source
This commit is contained in:
Chris PeBenito 2007-10-02 16:04:50 +00:00
parent cb811cda3b
commit 350b6ab767
299 changed files with 2002 additions and 3694 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Changelog
View File

@ -1,3 +1,9 @@
- Merge shlib_t into lib_t.
- Merge strict and targeted policies. The policy will now behave like the
strict policy if the unconfined module is not present. If it is, it will
behave like the targeted policy. Added an unconfined role to have a mix
of confined and unconfined users.
* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928 * Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
- Add support for setting the unknown permissions handling. - Add support for setting the unknown permissions handling.
- Fix XML building for external reference builds and headers builds. - Fix XML building for external reference builds and headers builds.

14
Makefile
View File

@ -158,18 +158,8 @@ modpkgdir = $(sharedir)/$(strip $(NAME))
headerdir = $(modpkgdir)/include headerdir = $(modpkgdir)/include
docsdir = $(prefix)/share/doc/$(PKGNAME) docsdir = $(prefix)/share/doc/$(PKGNAME)
# compile strict policy if requested.
ifneq ($(findstring strict,$(TYPE)),)
M4PARAM += -D strict_policy
endif
# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
M4PARAM += -D targeted_policy
endif
# enable MLS if requested. # enable MLS if requested.
ifneq ($(findstring -mls,$(TYPE)),) ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls M4PARAM += -D enable_mls
CHECKPOLICY += -M CHECKPOLICY += -M
CHECKMODULE += -M CHECKMODULE += -M
@ -177,7 +167,7 @@ ifneq ($(findstring -mls,$(TYPE)),)
endif endif
# enable MLS if MCS requested. # enable MLS if MCS requested.
ifneq ($(findstring -mcs,$(TYPE)),) ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs M4PARAM += -D enable_mcs
CHECKPOLICY += -M CHECKPOLICY += -M
CHECKMODULE += -M CHECKMODULE += -M

12
README
View File

@ -83,13 +83,10 @@ restorelabels Relabel the filesystem and report each file that is
2) Reference Policy Build Options (build.conf) 2) Reference Policy Build Options (build.conf)
TYPE String. Available options are strict, targeted, TYPE String. Available options are standard, mls, and mcs.
strict-mls, targeted-mls, strict-mcs, and targeted-mcs. This optionally enables multi-level security (MLS) or
This sets the policy type as strict or targeted, and
optionally enables multi-leve security (MLS) or
multi-category security (MCS) features. This option multi-category security (MCS) features. This option
controls strict_policy, targeted_policy, enable_mls, controls enable_mls, and enable_mcs policy blocks.
and enable_mcs policy blocks.
NAME String (optional). Sets the name of the policy; the NAME String (optional). Sets the name of the policy; the
NAME is used when installing files to e.g., NAME is used when installing files to e.g.,
@ -136,8 +133,7 @@ Rules.modular Makefile rules specific to building loadable module
Rules.monolithic Makefile rules specific to building monolithic policies. Rules.monolithic Makefile rules specific to building monolithic policies.
build.conf Options which influence the building of the policy, build.conf Options which influence the building of the policy,
such as the policy type (strict, targeted, etc.) such as the policy type and distribution.
and distribution.
config/appconfig-* Application configuration files for all configurations config/appconfig-* Application configuration files for all configurations
of the Reference Policy (targeted/strict with or without of the Reference Policy (targeted/strict with or without

6
build.conf
View File

@ -11,10 +11,8 @@
#OUTPUT_POLICY = 18 #OUTPUT_POLICY = 18
# Policy Type # Policy Type
# strict, targeted, # standard, mls, mcs
# strict-mls, targeted-mls, TYPE = standard
# strict-mcs, targeted-mcs
TYPE = strict
# Policy Name # Policy Name
# If set, this will be used as the policy # If set, this will be used as the policy

0
config/appconfig-strict-mcs/dbus_contexts → config/appconfig-mcs/dbus_contexts
View File

15
config/appconfig-mcs/default_contexts Normal file
View File

@ -0,0 +1,15 @@
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0

1
config/appconfig-strict-mcs/default_type → config/appconfig-mcs/default_type
View File

@ -1,3 +1,4 @@
sysadm_r:sysadm_t sysadm_r:sysadm_t
staff_r:staff_t staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t user_r:user_t

0
config/appconfig-strict-mcs/failsafe_context → config/appconfig-mcs/failsafe_context
View File

0
config/appconfig-strict-mcs/initrc_context → config/appconfig-mcs/initrc_context
View File

0
config/appconfig-strict-mcs/media → config/appconfig-mcs/media
View File

0
config/appconfig-strict-mcs/removable_context → config/appconfig-mcs/removable_context
View File

11
config/appconfig-mcs/root_default_contexts Normal file
View File

@ -0,0 +1,11 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

0
config/appconfig-strict-mcs/seusers → config/appconfig-mcs/seusers
View File

0
config/appconfig-strict-mcs/userhelper_context → config/appconfig-mcs/userhelper_context
View File

0
config/appconfig-strict-mls/dbus_contexts → config/appconfig-mls/dbus_contexts
View File

15
config/appconfig-mls/default_contexts Normal file
View File

@ -0,0 +1,15 @@
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0

9
config/appconfig-strict-mls/default_type → config/appconfig-mls/default_type
View File

@ -1,5 +1,6 @@
sysadm_r:sysadm_t
secadm_r:secadm_t
staff_r:staff_t
user_r:user_t
auditadm_r:auditadm_t auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t

0
config/appconfig-strict-mls/failsafe_context → config/appconfig-mls/failsafe_context
View File

0
config/appconfig-strict-mls/initrc_context → config/appconfig-mls/initrc_context
View File

0
config/appconfig-strict-mls/media → config/appconfig-mls/media
View File

0
config/appconfig-strict-mls/removable_context → config/appconfig-mls/removable_context
View File

11
config/appconfig-mls/root_default_contexts Normal file
View File

@ -0,0 +1,11 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

0
config/appconfig-strict-mls/seusers → config/appconfig-mls/seusers
View File

0
config/appconfig-strict-mls/userhelper_context → config/appconfig-mls/userhelper_context
View File

0
config/appconfig-strict/dbus_contexts → config/appconfig-standard/dbus_contexts
View File

15
config/appconfig-standard/default_contexts Normal file
View File

@ -0,0 +1,15 @@
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sulogin_t sysadm_r:sysadm_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t

1
config/appconfig-strict/default_type → config/appconfig-standard/default_type
View File

@ -1,3 +1,4 @@
sysadm_r:sysadm_t sysadm_r:sysadm_t
staff_r:staff_t staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t user_r:user_t

0
config/appconfig-strict/failsafe_context → config/appconfig-standard/failsafe_context
View File

0
config/appconfig-strict/initrc_context → config/appconfig-standard/initrc_context
View File

0
config/appconfig-strict/media → config/appconfig-standard/media
View File

0
config/appconfig-strict/removable_context → config/appconfig-standard/removable_context
View File

11
config/appconfig-standard/root_default_contexts Normal file
View File

@ -0,0 +1,11 @@
system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t

0
config/appconfig-strict/seusers → config/appconfig-standard/seusers
View File

0
config/appconfig-strict/userhelper_context → config/appconfig-standard/userhelper_context
View File

12
config/appconfig-strict-mcs/default_contexts
View File

@ -1,12 +0,0 @@
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0

9
config/appconfig-strict-mcs/root_default_contexts
View File

@ -1,9 +0,0 @@
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

12
config/appconfig-strict-mls/default_contexts
View File

@ -1,12 +0,0 @@
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0

9
config/appconfig-strict-mls/root_default_contexts
View File

@ -1,9 +0,0 @@
system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

12
config/appconfig-strict/default_contexts
View File

@ -1,12 +0,0 @@
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t

9
config/appconfig-strict/root_default_contexts
View File

@ -1,9 +0,0 @@
system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t

6
config/appconfig-targeted-mcs/dbus_contexts
View File

@ -1,6 +0,0 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

9
config/appconfig-targeted-mcs/default_contexts
View File

@ -1,9 +0,0 @@
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:xdm_t:s0 system_r:unconfined_t:s0

1
config/appconfig-targeted-mcs/default_type
View File

@ -1 +0,0 @@
system_r:unconfined_t

1
config/appconfig-targeted-mcs/failsafe_context
View File

@ -1 +0,0 @@
system_r:unconfined_t:s0

1
config/appconfig-targeted-mcs/initrc_context
View File

@ -1 +0,0 @@
user_u:system_r:initrc_t:s0

3
config/appconfig-targeted-mcs/media
View File

@ -1,3 +0,0 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0

1
config/appconfig-targeted-mcs/removable_context
View File

@ -1 +0,0 @@
system_u:object_r:removable_t:s0

2
config/appconfig-targeted-mcs/root_default_contexts
View File

@ -1,2 +0,0 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0

2
config/appconfig-targeted-mcs/seusers
View File

@ -1,2 +0,0 @@
root:root:s0-mcs_systemhigh
__default__:user_u:s0

1
config/appconfig-targeted-mcs/userhelper_context
View File

@ -1 +0,0 @@
system_u:system_r:unconfined_t:s0

6
config/appconfig-targeted-mls/dbus_contexts
View File

@ -1,6 +0,0 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

9
config/appconfig-targeted-mls/default_contexts
View File

@ -1,9 +0,0 @@
system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:xdm_t:s0 system_r:unconfined_t:s0

1
config/appconfig-targeted-mls/default_type
View File

@ -1 +0,0 @@
system_r:unconfined_t

1
config/appconfig-targeted-mls/failsafe_context
View File

@ -1 +0,0 @@
system_r:unconfined_t:s0

1
config/appconfig-targeted-mls/initrc_context
View File

@ -1 +0,0 @@
user_u:system_r:initrc_t:s0-mls_systemhigh

3
config/appconfig-targeted-mls/media
View File

@ -1,3 +0,0 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0

1
config/appconfig-targeted-mls/removable_context
View File

@ -1 +0,0 @@
system_u:object_r:removable_t:s0

2
config/appconfig-targeted-mls/root_default_contexts
View File

@ -1,2 +0,0 @@
system_r:unconfined_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0

2
config/appconfig-targeted-mls/seusers
View File

@ -1,2 +0,0 @@
root:root:s0-mls_systemhigh
__default__:user_u:s0

1
config/appconfig-targeted-mls/userhelper_context
View File

@ -1 +0,0 @@
system_u:system_r:unconfined_t:s0

6
config/appconfig-targeted/dbus_contexts
View File

@ -1,6 +0,0 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

9
config/appconfig-targeted/default_contexts
View File

@ -1,9 +0,0 @@
system_r:crond_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
system_r:local_login_t system_r:unconfined_t
system_r:remote_login_t system_r:unconfined_t
system_r:rshd_t system_r:unconfined_t
system_r:sshd_t system_r:unconfined_t
system_r:sysadm_su_t system_r:unconfined_t
system_r:unconfined_t system_r:unconfined_t
system_r:xdm_t system_r:unconfined_t

1
config/appconfig-targeted/default_type
View File

@ -1 +0,0 @@
system_r:unconfined_t

1
config/appconfig-targeted/failsafe_context
View File

@ -1 +0,0 @@
system_r:unconfined_t

1
config/appconfig-targeted/initrc_context
View File

@ -1 +0,0 @@
user_u:system_r:initrc_t

3
config/appconfig-targeted/media
View File

@ -1,3 +0,0 @@
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

1
config/appconfig-targeted/removable_context
View File

@ -1 +0,0 @@
system_u:object_r:removable_t

2
config/appconfig-targeted/root_default_contexts
View File

@ -1,2 +0,0 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t

2
config/appconfig-targeted/seusers
View File

@ -1,2 +0,0 @@
root:root
__default__:user_u

1
config/appconfig-targeted/userhelper_context
View File

@ -1 +0,0 @@
system_u:system_r:unconfined_t

55
policy/constraints
View File

@ -28,57 +28,34 @@
# #
# SELinux process identity change constraint: # SELinux process identity change constraint:
# #
ifdef(`strict_policy',` constrain process transition
constrain process transition (
( u1 == u2
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target ) or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u ) or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt ) or ( t1 == process_uncond_exempt )
); );
')
ifdef(`targeted_policy',`
constrain process transition
(
u1 == u2
or t1 == can_change_process_identity
);
')
# #
# SELinux process role change constraint: # SELinux process role change constraint:
# #
constrain process transition
(
r1 == r2
ifdef(`strict_policy',` or ( t1 == can_change_process_role and t2 == process_user_target )
constrain process transition
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target ) or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == cron_source_domain and t2 == cron_job_domain ) or ( t1 == can_system_change and r2 == system_r )
or ( t1 == can_system_change and r2 == system_r ) or ( t1 == process_uncond_exempt )
);
or ( t1 == process_uncond_exempt )
);
')
ifdef(`targeted_policy',`
constrain process transition
(
r1 == r2
or t1 == can_change_process_role
);
')
# #
# SELinux dynamic transition constraint: # SELinux dynamic transition constraint:

2
policy/global_booleans
View File

@ -4,7 +4,6 @@
# file should be used. # file should be used.
# #
ifdef(`strict_policy',`
## <desc> ## <desc>
## <p> ## <p>
## Enabling secure mode disallows programs, such as ## Enabling secure mode disallows programs, such as
@ -13,7 +12,6 @@ ifdef(`strict_policy',`
## </p> ## </p>
## </desc> ## </desc>
gen_bool(secure_mode,false) gen_bool(secure_mode,false)
')
## <desc> ## <desc>
## <p> ## <p>

48
policy/global_tunables
View File

@ -4,11 +4,6 @@
# file should be used. # file should be used.
# #
########################################
#
# Common tunables
#
## <desc> ## <desc>
## <p> ## <p>
## Allow making the heap executable. ## Allow making the heap executable.
@ -67,6 +62,15 @@ gen_tunable(allow_ypbind,false)
## </desc> ## </desc>
gen_tunable(global_ssp,false) gen_tunable(global_ssp,false)
## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(mail_read_content,false)
## <desc> ## <desc>
## <p> ## <p>
## Allow nfs to be exported read/write. ## Allow nfs to be exported read/write.
@ -88,6 +92,15 @@ gen_tunable(nfs_export_all_ro,false)
## </desc> ## </desc>
gen_tunable(read_default_t,false) gen_tunable(read_default_t,false)
## <desc>
## <p>
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
## </p>
## </desc>
gen_tunable(read_untrusted_content,false)
## <desc> ## <desc>
## <p> ## <p>
## Support NFS home directories ## Support NFS home directories
@ -102,30 +115,6 @@ gen_tunable(use_nfs_home_dirs,false)
## </desc> ## </desc>
gen_tunable(use_samba_home_dirs,false) gen_tunable(use_samba_home_dirs,false)
########################################
#
# Strict policy specific
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(mail_read_content,false)
## <desc>
## <p>
## Allow applications to read untrusted content
## If this is disallowed, Internet content has
## to be manually relabeled for read access to be granted
## </p>
## </desc>
gen_tunable(read_untrusted_content,false)
## <desc> ## <desc>
## <p> ## <p>
## Allow users to run TCP servers (bind to ports and accept connection from ## Allow users to run TCP servers (bind to ports and accept connection from
@ -143,4 +132,3 @@ gen_tunable(user_tcp_server,false)
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(write_untrusted_content,false) gen_tunable(write_untrusted_content,false)
')

6
policy/modules/admin/acct.te
View File

@ -69,12 +69,6 @@ miscfiles_read_localization(acct_t)
userdom_dontaudit_search_sysadm_home_dirs(acct_t) userdom_dontaudit_search_sysadm_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
files_dontaudit_read_root_files(acct_t)
')
optional_policy(` optional_policy(`
optional_policy(` optional_policy(`
# for monthly cron job # for monthly cron job

8
policy/modules/admin/apt.te
View File

@ -113,10 +113,6 @@ seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t) sysnet_read_config(apt_t)
ifdef(`targeted_policy',`
unconfined_domain(apt_t)
')
# with boolean, for cron-apt and such? # with boolean, for cron-apt and such?
#optional_policy(` #optional_policy(`
# cron_system_entry(apt_t,apt_exec_t) # cron_system_entry(apt_t,apt_exec_t)
@ -137,3 +133,7 @@ optional_policy(`
rpm_read_db(apt_t) rpm_read_db(apt_t)
rpm_domtrans(apt_t) rpm_domtrans(apt_t)
') ')
optional_policy(`
unconfined_domain(apt_t)
')

5
policy/modules/admin/bootloader.te
View File

@ -174,11 +174,6 @@ ifdef(`distro_redhat',`
mount_domtrans(bootloader_t) mount_domtrans(bootloader_t)
') ')
ifdef(`targeted_policy',`
term_use_unallocated_ttys(bootloader_t)
term_use_generic_ptys(bootloader_t)
')
optional_policy(` optional_policy(`
fstools_exec(bootloader_t) fstools_exec(bootloader_t)
') ')

5
policy/modules/admin/brctl.te
View File

@ -37,11 +37,6 @@ libs_use_shared_libs(brctl_t)
miscfiles_read_localization(brctl_t) miscfiles_read_localization(brctl_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(brctl_t)
term_dontaudit_use_generic_ptys(brctl_t)
')
optional_policy(` optional_policy(`
xen_append_log(brctl_t) xen_append_log(brctl_t)
') ')

14
policy/modules/admin/consoletype.te
View File

@ -10,14 +10,9 @@ type consoletype_t;
type consoletype_exec_t; type consoletype_exec_t;
application_executable_file(consoletype_exec_t) application_executable_file(consoletype_exec_t)
init_domain(consoletype_t,consoletype_exec_t) init_domain(consoletype_t,consoletype_exec_t)
mls_file_read_all_levels(consoletype_t) init_system_domain(consoletype_t,consoletype_exec_t)
mls_file_write_all_levels(consoletype_t)
role system_r types consoletype_t; role system_r types consoletype_t;
ifdef(`targeted_policy',`',`
init_system_domain(consoletype_t,consoletype_exec_t)
')
######################################## ########################################
# #
# Local declarations # Local declarations
@ -44,6 +39,9 @@ fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t) fs_search_auto_mountpoints(consoletype_t)
fs_write_nfs_files(consoletype_t) fs_write_nfs_files(consoletype_t)
mls_file_read_all_levels(consoletype_t)
mls_file_write_all_levels(consoletype_t)
term_use_console(consoletype_t) term_use_console(consoletype_t)
term_use_unallocated_ttys(consoletype_t) term_use_unallocated_ttys(consoletype_t)
@ -60,10 +58,6 @@ files_list_usr(consoletype_t)
libs_use_ld_so(consoletype_t) libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t) libs_use_shared_libs(consoletype_t)
userdom_use_sysadm_terms(consoletype_t)
userdom_use_sysadm_fds(consoletype_t)
userdom_rw_sysadm_pipes(consoletype_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t) fs_rw_tmpfs_chr_files(consoletype_t)
') ')

40
policy/modules/admin/dmesg.if
View File

@ -11,26 +11,12 @@
## </param> ## </param>
# #
interface(`dmesg_domtrans',` interface(`dmesg_domtrans',`
ifdef(`targeted_policy',` gen_require(`
gen_require(` type dmesg_t, dmesg_exec_t;
type dmesg_exec_t;
')
# $0(): disabled in targeted policy as there
# is no dmesg domain.
',`
gen_require(`
type dmesg_t, dmesg_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1,dmesg_exec_t,dmesg_t)
allow $1 dmesg_t:fd use;
allow dmesg_t $1:fd use;
allow dmesg_t $1:fifo_file rw_file_perms;
allow dmesg_t $1:process sigchld;
') ')
corecmd_search_bin($1)
domtrans_pattern($1, dmesg_exec_t, dmesg_t)
') ')
######################################## ########################################
@ -45,16 +31,10 @@ interface(`dmesg_domtrans',`
## <rolecap/> ## <rolecap/>
# #
interface(`dmesg_exec',` interface(`dmesg_exec',`
ifdef(`targeted_policy',` gen_require(`
# $0(): the dmesg program is an alias type dmesg_exec_t;
# of generic bin programs.
corecmd_exec_bin($1)
',`
gen_require(`
type dmesg_exec_t;
')
corecmd_search_bin($1)
can_exec($1,dmesg_exec_t)
') ')
corecmd_search_bin($1)
can_exec($1,dmesg_exec_t)
') ')

80
policy/modules/admin/dmesg.te
View File

@ -6,69 +6,57 @@ policy_module(dmesg,1.0.0)
# Declarations # Declarations
# #
ifdef(`strict_policy',` type dmesg_t;
type dmesg_t; type dmesg_exec_t;
type dmesg_exec_t; init_system_domain(dmesg_t,dmesg_exec_t)
init_system_domain(dmesg_t,dmesg_exec_t)
role system_r types dmesg_t;
')
ifdef(`targeted_policy',`
# dmesg domain is disabled in the
# targeted policy. for compatibility
# with strict:
corecmd_bin_alias(dmesg_exec_t)
')
######################################## ########################################
# #
# Local policy # Local policy
# #
ifdef(`strict_policy',` allow dmesg_t self:capability sys_admin;
allow dmesg_t self:capability sys_admin; dontaudit dmesg_t self:capability sys_tty_config;
dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms; allow dmesg_t self:process signal_perms;
kernel_read_kernel_sysctls(dmesg_t) kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t) kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t) kernel_change_ring_buffer_level(dmesg_t)
kernel_list_proc(dmesg_t) kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t) kernel_read_proc_symlinks(dmesg_t)
dev_read_sysfs(dmesg_t) dev_read_sysfs(dmesg_t)
fs_search_auto_mountpoints(dmesg_t) fs_search_auto_mountpoints(dmesg_t)
term_dontaudit_use_console(dmesg_t) term_dontaudit_use_console(dmesg_t)
domain_use_interactive_fds(dmesg_t) domain_use_interactive_fds(dmesg_t)
files_list_etc(dmesg_t) files_list_etc(dmesg_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t) files_dontaudit_search_isid_type_dirs(dmesg_t)
init_use_fds(dmesg_t) init_use_fds(dmesg_t)
init_use_script_ptys(dmesg_t) init_use_script_ptys(dmesg_t)
libs_use_ld_so(dmesg_t) libs_use_ld_so(dmesg_t)
libs_use_shared_libs(dmesg_t) libs_use_shared_libs(dmesg_t)
logging_send_syslog_msg(dmesg_t) logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t) logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t) miscfiles_read_localization(dmesg_t)
userdom_use_sysadm_terms(dmesg_t) userdom_use_sysadm_terms(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t) userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
optional_policy(` optional_policy(`
seutil_sigchld_newrole(dmesg_t) seutil_sigchld_newrole(dmesg_t)
') ')
optional_policy(` optional_policy(`
udev_read_db(dmesg_t) udev_read_db(dmesg_t)
')
') ')

5
policy/modules/admin/dmidecode.te
View File

@ -31,8 +31,3 @@ libs_use_ld_so(dmidecode_t)
libs_use_shared_libs(dmidecode_t) libs_use_shared_libs(dmidecode_t)
locallogin_use_fds(dmidecode_t) locallogin_use_fds(dmidecode_t)
ifdef(`targeted_policy',`
term_use_generic_ptys(dmidecode_t)
term_use_unallocated_ttys(dmidecode_t)
')

28
policy/modules/admin/dpkg.te
View File

@ -172,10 +172,6 @@ dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet... # since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute; allow dpkg_t dpkg_var_lib_t:file execute;
ifdef(`targeted_policy',`
unconfined_domain(dpkg_t)
')
# TODO: allow? # TODO: allow?
#optional_policy(` #optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t) # cron_system_entry(dpkg_t,dpkg_exec_t)
@ -185,6 +181,10 @@ optional_policy(`
nis_use_ypbind(dpkg_t) nis_use_ypbind(dpkg_t)
') ')
optional_policy(`
unconfined_domain(dpkg_t)
')
# TODO: the following was copied from dpkg_script_t, and could probably # TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used... # be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t) domain_signal_all_domains(dpkg_t)
@ -309,22 +309,14 @@ seutil_domtrans_setfiles(dpkg_script_t)
userdom_use_all_users_fds(dpkg_script_t) userdom_use_all_users_fds(dpkg_script_t)
ifdef(`distro_redhat',`
unconfined_domain(dpkg_script_t)
')
ifdef(`targeted_policy',`
unconfined_domain(dpkg_script_t)
',`
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
')
tunable_policy(`allow_execmem',` tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem; allow dpkg_script_t self:process execmem;
') ')
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
optional_policy(` optional_policy(`
mta_send_mail(dpkg_script_t) mta_send_mail(dpkg_script_t)
') ')
@ -333,6 +325,10 @@ optional_policy(`
nis_use_ypbind(dpkg_script_t) nis_use_ypbind(dpkg_script_t)
') ')
optional_policy(`
unconfined_domain(dpkg_script_t)
')
optional_policy(` optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t) usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t) usermanage_domtrans_useradd(dpkg_script_t)

8
policy/modules/admin/firstboot.te
View File

@ -96,10 +96,6 @@ userdom_manage_generic_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_generic_user_home_dir(firstboot_t) userdom_home_filetrans_generic_user_home_dir(firstboot_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file }) userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
ifdef(`targeted_policy',`
unconfined_domtrans(firstboot_t)
')
optional_policy(` optional_policy(`
hal_dbus_chat(firstboot_t) hal_dbus_chat(firstboot_t)
') ')
@ -112,6 +108,10 @@ optional_policy(`
samba_rw_config(firstboot_t) samba_rw_config(firstboot_t)
') ')
optional_policy(`
unconfined_domtrans(firstboot_t)
')
optional_policy(` optional_policy(`
usermanage_domtrans_chfn(firstboot_t) usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t) usermanage_domtrans_groupadd(firstboot_t)

22
policy/modules/admin/kudzu.te
View File

@ -125,19 +125,6 @@ sysnet_read_config(kudzu_t)
userdom_search_sysadm_home_dirs(kudzu_t) userdom_search_sysadm_home_dirs(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(kudzu_t)
term_dontaudit_use_generic_ptys(kudzu_t)
files_dontaudit_read_root_files(kudzu_t)
# cjp: this was originally in the else block
# of ifdef userhelper.te, but it seems to
# make more sense here. also, require
# blocks curently do not work in the
# else block of optionals
unconfined_domain(kudzu_t)
')
optional_policy(` optional_policy(`
gpm_getattr_gpmctl(kudzu_t) gpm_getattr_gpmctl(kudzu_t)
') ')
@ -154,6 +141,15 @@ optional_policy(`
udev_read_db(kudzu_t) udev_read_db(kudzu_t)
') ')
optional_policy(`
# cjp: this was originally in the else block
# of ifdef userhelper.te, but it seems to
# make more sense here. also, require
# blocks curently do not work in the
# else block of optionals
unconfined_domain(kudzu_t)
')
ifdef(`TODO',` ifdef(`TODO',`
allow kudzu_t modules_conf_t:file unlink; allow kudzu_t modules_conf_t:file unlink;
optional_policy(` optional_policy(`

6
policy/modules/admin/mrtg.te
View File

@ -126,12 +126,6 @@ ifdef(`distro_redhat',`
filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file) filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
') ')
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(mrtg_t)
term_dontaudit_use_generic_ptys(mrtg_t)
files_dontaudit_read_root_files(mrtg_t)
')
optional_policy(` optional_policy(`
apache_manage_sys_content(mrtg_t) apache_manage_sys_content(mrtg_t)
') ')

27
policy/modules/admin/netutils.te
View File

@ -6,14 +6,12 @@ policy_module(netutils,1.5.0)
# Declarations # Declarations
# #
ifdef(`strict_policy',`
## <desc> ## <desc>
## <p> ## <p>
## Control users use of ping and traceroute ## Control users use of ping and traceroute
## </p> ## </p>
## </desc> ## </desc>
gen_tunable(user_ping,false) gen_tunable(user_ping,false)
')
type netutils_t; type netutils_t;
type netutils_exec_t; type netutils_exec_t;
@ -91,11 +89,6 @@ sysnet_read_config(netutils_t)
userdom_use_all_users_fds(netutils_t) userdom_use_all_users_fds(netutils_t)
ifdef(`targeted_policy',`
term_use_generic_ptys(netutils_t)
term_use_unallocated_ttys(netutils_t)
')
optional_policy(` optional_policy(`
nis_use_ypbind(netutils_t) nis_use_ypbind(netutils_t)
') ')
@ -144,16 +137,9 @@ ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t) init_dontaudit_use_fds(ping_t)
') ')
ifdef(`targeted_policy',` tunable_policy(`user_ping',`
term_use_unallocated_ttys(ping_t)
term_use_generic_ptys(ping_t)
term_use_all_user_ttys(ping_t) term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t) term_use_all_user_ptys(ping_t)
',`
tunable_policy(`user_ping',`
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
')
') ')
optional_policy(` optional_policy(`
@ -228,14 +214,9 @@ files_read_usr_files(traceroute_t)
sysnet_read_config(traceroute_t) sysnet_read_config(traceroute_t)
ifdef(`targeted_policy',` tunable_policy(`user_ping',`
term_use_unallocated_ttys(traceroute_t) term_use_all_user_ttys(traceroute_t)
term_use_generic_ptys(traceroute_t) term_use_all_user_ptys(traceroute_t)
',`
tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t)
')
') ')
optional_policy(` optional_policy(`

1
policy/modules/admin/portage.te
View File

@ -104,7 +104,6 @@ libs_use_shared_libs(gcc_config_t)
libs_read_lib_files(gcc_config_t) libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t) libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t) libs_manage_shared_libs(gcc_config_t)
lib_filetrans_shared_lib(gcc_config_t,file)
# gcc-config creates a temp dir for the libs # gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t) libs_manage_lib_dirs(gcc_config_t)

31
policy/modules/admin/prelink.if
View File

@ -19,6 +19,37 @@ interface(`prelink_domtrans',`
domtrans_pattern($1, prelink_exec_t, prelink_t) domtrans_pattern($1, prelink_exec_t, prelink_t)
') ')
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the prelink domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the prelink domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`prelink_run',`
gen_require(`
type prelink_t;
')
prelink_domtrans($1)
role $2 types prelink_t;
allow prelink_t $3:chr_file rw_term_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Make the specified file type prelinkable. ## Make the specified file type prelinkable.

13
policy/modules/admin/prelink.te
View File

@ -77,23 +77,10 @@ libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t) libs_use_shared_libs(prelink_t)
libs_manage_shared_libs(prelink_t) libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t)
libs_use_lib_files(prelink_t)
libs_manage_lib_files(prelink_t)
libs_relabel_lib_files(prelink_t)
libs_delete_lib_symlinks(prelink_t) libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t) miscfiles_read_localization(prelink_t)
ifdef(`targeted_policy',`
term_use_unallocated_ttys(prelink_t)
term_use_generic_ptys(prelink_t)
# prelink executables in the user homedir
userdom_manage_generic_user_home_content_files(prelink_t)
userdom_mmap_generic_user_home_content_files(prelink_t)
userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)
')
optional_policy(` optional_policy(`
amanda_manage_lib(prelink_t) amanda_manage_lib(prelink_t)
') ')

6
policy/modules/admin/quota.te
View File

@ -77,12 +77,6 @@ logging_send_syslog_msg(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t) userdom_dontaudit_use_unpriv_user_fds(quota_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(quota_t)
term_dontaudit_use_generic_ptys(quota_t)
files_dontaudit_read_root_files(quota_t)
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(quota_t) seutil_sigchld_newrole(quota_t)
') ')

6
policy/modules/admin/readahead.te
View File

@ -81,12 +81,6 @@ miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t) userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_sysadm_home_dirs(readahead_t) userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
ifdef(`targeted_policy',`
files_dontaudit_read_root_files(readahead_t)
term_dontaudit_use_unallocated_ttys(readahead_t)
term_dontaudit_use_generic_ptys(readahead_t)
')
optional_policy(` optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t) cron_system_entry(readahead_t, readahead_exec_t)
') ')

58
policy/modules/admin/rpm.te
View File

@ -71,6 +71,9 @@ allow rpm_t self:msg { send receive };
allow rpm_t self:dir search; allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;; allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t,rpm_log_t,file)
manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@ -172,22 +175,6 @@ sysnet_read_config(rpm_t)
userdom_use_unpriv_users_fds(rpm_t) userdom_use_unpriv_users_fds(rpm_t)
ifdef(`distro_redhat',`
unconfined_domain(rpm_t)
')
ifdef(`targeted_policy',`
unconfined_domain(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
',`
# cjp: these are here to stop type_transition
# conflicts since rpm_t is an alias of
# unconfined in the targeted policy
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t,rpm_log_t,file)
')
optional_policy(` optional_policy(`
cron_system_entry(rpm_t,rpm_exec_t) cron_system_entry(rpm_t,rpm_exec_t)
') ')
@ -204,6 +191,12 @@ optional_policy(`
prelink_domtrans(rpm_t) prelink_domtrans(rpm_t)
') ')
optional_policy(`
unconfined_domain(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# read/write/create any files in the system # read/write/create any files in the system
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
@ -331,26 +324,6 @@ seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t) userdom_use_all_users_fds(rpm_script_t)
ifdef(`distro_redhat',`
unconfined_domain(rpm_script_t)
')
ifdef(`targeted_policy',`
unconfined_domain(rpm_script_t)
optional_policy(`
java_domtrans(rpm_script_t)
')
optional_policy(`
mono_domtrans(rpm_script_t)
')
optional_policy(`
unconfined_domtrans(rpm_script_t)
')
')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
optional_policy(` optional_policy(`
mta_send_mail(rpm_script_t) mta_send_mail(rpm_script_t)
@ -374,6 +347,19 @@ optional_policy(`
tzdata_domtrans(rpm_script_t) tzdata_domtrans(rpm_script_t)
') ')
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
optional_policy(`
java_domtrans(rpm_script_t)
')
optional_policy(`
mono_domtrans(rpm_script_t)
')
')
optional_policy(` optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t)

31
policy/modules/admin/su.if
View File

@ -254,35 +254,20 @@ template(`su_per_role_template',`
seutil_read_config($1_su_t) seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t) seutil_read_default_contexts($1_su_t)
ifdef(`strict_policy',` if(secure_mode) {
if(secure_mode) { # Only allow transitions to unprivileged user domains.
# Only allow transitions to unprivileged user domains. userdom_spec_domtrans_unpriv_users($1_su_t)
userdom_spec_domtrans_unpriv_users($1_su_t) } else {
} else { # Allow transitions to all user domains
# Allow transitions to all user domains userdom_spec_domtrans_all_users($1_su_t)
userdom_spec_domtrans_all_users($1_su_t) }
}
')
ifdef(`targeted_policy',` optional_policy(`
unconfined_domtrans($1_su_t) unconfined_domtrans($1_su_t)
unconfined_signal($1_su_t) unconfined_signal($1_su_t)
') ')
') ')
ifdef(`targeted_policy',`
# allow user to suspend terminal.
# does not work in strict since the
# parent may not be able to use
# the terminal if we newrole,
# which relabels the terminal.
allow $1_su_t self:process sigstop;
corecmd_exec_bin($1_su_t)
userdom_manage_all_users_home_content_files($1_su_t)
userdom_manage_all_users_home_content_symlinks($1_su_t)
')
tunable_policy(`allow_polyinstantiation',` tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t) fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t)

6
policy/modules/admin/sxid.te
View File

@ -88,12 +88,6 @@ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
cron_system_entry(sxid_t,sxid_exec_t) cron_system_entry(sxid_t,sxid_exec_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(sxid_t)
term_dontaudit_use_generic_ptys(sxid_t)
files_dontaudit_read_root_files(sxid_t)
')
optional_policy(` optional_policy(`
mta_send_mail(sxid_t) mta_send_mail(sxid_t)
') ')

31
policy/modules/admin/tzdata.if
View File

@ -17,3 +17,34 @@ interface(`tzdata_domtrans',`
domtrans_pattern($1,tzdata_exec_t,tzdata_t) domtrans_pattern($1,tzdata_exec_t,tzdata_t)
') ')
########################################
## <summary>
## Execute the tzdata program in the tzdata domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the tzdata domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the tzdata domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`tzdata_run',`
gen_require(`
type tzdata_t;
')
tzdata_domtrans($1)
role $2 types tzdata_t;
allow tzdata_t $3:chr_file rw_term_perms;
')

5
policy/modules/admin/tzdata.te
View File

@ -30,11 +30,6 @@ miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t) miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(tzdata_t)
term_dontaudit_use_generic_ptys(tzdata_t)
')
# tzdata looks for /var/spool/postfix/etc/localtime. # tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(` optional_policy(`
postfix_search_spool(tzdata_t) postfix_search_spool(tzdata_t)

7
policy/modules/admin/updfstab.te
View File

@ -79,16 +79,9 @@ seutil_read_config(updfstab_t)
seutil_read_default_contexts(updfstab_t) seutil_read_default_contexts(updfstab_t)
seutil_read_file_contexts(updfstab_t) seutil_read_file_contexts(updfstab_t)
userdom_use_sysadm_ttys(updfstab_t)
userdom_dontaudit_search_all_users_home_content(updfstab_t) userdom_dontaudit_search_all_users_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(updfstab_t)
term_dontaudit_use_generic_ptys(updfstab_t)
files_dontaudit_read_root_files(updfstab_t)
')
optional_policy(` optional_policy(`
auth_domtrans_pam_console(updfstab_t) auth_domtrans_pam_console(updfstab_t)
') ')

2
policy/modules/apps/ada.fc
View File

@ -1,9 +1,7 @@
# #
# /usr # /usr
# #
ifdef(`targeted_policy',`
/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
')

32
policy/modules/apps/ada.if
View File

@ -11,16 +11,12 @@
## </param> ## </param>
# #
interface(`ada_domtrans',` interface(`ada_domtrans',`
ifdef(`targeted_policy',` gen_require(`
gen_require(` type ada_t, ada_exec_t;
type ada_t, ada_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ada_exec_t, ada_t)
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
') ')
corecmd_search_bin($1)
domtrans_pattern($1, ada_exec_t, ada_t)
') ')
######################################## ########################################
@ -30,7 +26,7 @@ interface(`ada_domtrans',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## The type of the process performing this action. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <param name="role"> ## <param name="role">
@ -45,15 +41,11 @@ interface(`ada_domtrans',`
## </param> ## </param>
# #
interface(`ada_run',` interface(`ada_run',`
ifdef(`targeted_policy',` gen_require(`
gen_require(` type ada_t;
type ada_t;
')
ada_domtrans($1)
role $2 types ada_t;
allow ada_t $3:chr_file rw_term_perms;
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
') ')
ada_domtrans($1)
role $2 types ada_t;
allow ada_t $3:chr_file rw_term_perms;
') ')

7
policy/modules/apps/ada.te
View File

@ -9,14 +9,15 @@ policy_module(ada,1.1.0)
type ada_t; type ada_t;
type ada_exec_t; type ada_exec_t;
application_domain(ada_t,ada_exec_t) application_domain(ada_t,ada_exec_t)
role system_r types ada_t;
######################################## ########################################
# #
# Local policy # Local policy
# #
ifdef(`targeted_policy',` allow ada_t self:process { execstack execmem };
allow ada_t self:process { execstack execmem };
optional_policy(`
unconfined_domain_noaudit(ada_t) unconfined_domain_noaudit(ada_t)
role system_r types ada_t;
') ')

Some files were not shown because too many files have changed in this diff Show More