todo cleanup
This commit is contained in:
Chris PeBenito
parent
93070cbaed
commit
3774e4eb28
@ -67,6 +67,7 @@ optional_policy(`authlogin.te', `
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_read_pipe(consoletype_t)
|
||||
cron_use_system_job_fd(consoletype_t)
|
||||
')
|
||||
|
||||
optional_policy(`firstboot.te',`
|
||||
@ -95,8 +96,6 @@ optional_policy(`userdomain.te',`
|
||||
ifdef(`TODO',`
|
||||
allow consoletype_t nfs_t:file write;
|
||||
|
||||
allow consoletype_t system_crond_t:fd use;
|
||||
|
||||
optional_policy(`xdm.te', `
|
||||
allow consoletype_t xdm_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
@ -120,8 +120,10 @@ optional_policy(`samba.te',`
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_domtrans_useradd(firstboot_t)
|
||||
usermanage_domtrans_chfn(firstboot_t)
|
||||
usermanage_domtrans_groupadd(firstboot_t)
|
||||
usermanage_domtrans_passwd(firstboot_t)
|
||||
usermanage_domtrans_useradd(firstboot_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -85,6 +85,8 @@ corecmd_exec_ls(logrotate_t)
|
||||
domain_signal_all_domains(logrotate_t)
|
||||
domain_use_wide_inherit_fd(logrotate_t)
|
||||
domain_getattr_all_entry_files(logrotate_t)
|
||||
# Read /proc/PID directories for all domains.
|
||||
domain_read_all_domains_state(logrotate_t)
|
||||
|
||||
files_read_usr_files(logrotate_t)
|
||||
files_read_etc_files(logrotate_t)
|
||||
@ -163,21 +165,11 @@ optional_policy(`squid.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
#from privmail this needs more work:
|
||||
allow mta_user_agent logrotate_t:fd use;
|
||||
allow mta_user_agent logrotate_t:process sigchld;
|
||||
allow mta_user_agent logrotate_t:fifo_file { read write };
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
|
||||
|
||||
# it should not require this
|
||||
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
|
||||
|
||||
# Read /proc/PID directories for all domains.
|
||||
allow logrotate_t domain:notdevfile_class_set r_file_perms;
|
||||
allow logrotate_t domain:dir r_dir_perms;
|
||||
|
||||
# for /var/backups on Debian
|
||||
ifdef(`backup.te', `
|
||||
rw_dir_create_file(logrotate_t, backup_store_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.0)
|
||||
policy_module(netutils,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
@ -6,11 +6,12 @@ policy_module(rpm,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type rpm_t; #, priv_system_role;
|
||||
type rpm_t;
|
||||
type rpm_exec_t;
|
||||
init_system_domain(rpm_t,rpm_exec_t)
|
||||
domain_obj_id_change_exempt(rpm_t)
|
||||
domain_role_change_exempt(rpm_t)
|
||||
domain_system_change_exempt(rpm_t)
|
||||
domain_wide_inherit_fd(rpm_t)
|
||||
role system_r types rpm_t;
|
||||
|
||||
@ -30,9 +31,10 @@ type rpm_var_lib_t;
|
||||
files_type(rpm_var_lib_t)
|
||||
typealias rpm_var_lib_t alias var_lib_rpm_t;
|
||||
|
||||
type rpm_script_t; #, admin, privmem, priv_system_role;
|
||||
type rpm_script_t;
|
||||
type rpm_script_exec_t;
|
||||
domain_obj_id_change_exempt(rpm_script_t)
|
||||
domain_system_change_exempt(rpm_script_t)
|
||||
corecmd_shell_entry_type(rpm_script_t)
|
||||
domain_type(rpm_script_t)
|
||||
domain_entry_file(rpm_t,rpm_script_exec_t)
|
||||
@ -92,7 +94,7 @@ fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
|
||||
# Access /var/lib/rpm files
|
||||
allow rpm_t rpm_var_lib_t:file create_file_perms;
|
||||
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
|
||||
files_create_var_lib(rpm_t,rpm_var_lib_t,dir)
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
@ -114,7 +116,7 @@ dev_list_usbfs(rpm_t)
|
||||
dev_read_urand(rpm_t)
|
||||
#devices_manage_all_device_types(rpm_t)
|
||||
|
||||
#fs_manage_nfs_dir(rpm_t)
|
||||
fs_manage_nfs_dirs(rpm_t)
|
||||
fs_manage_nfs_files(rpm_t)
|
||||
fs_manage_nfs_symlinks(rpm_t)
|
||||
fs_getattr_all_fs(rpm_t)
|
||||
@ -183,10 +185,6 @@ ifdef(`TODO',`
|
||||
# cjp: this seems way out of place
|
||||
role sysadm_r types initrc_t;
|
||||
|
||||
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
|
||||
|
||||
dontaudit rpm_t domain:process ptrace;
|
||||
|
||||
# read/write/create any files in the system
|
||||
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
|
||||
allow rpm_t ttyfile:chr_file unlink;
|
||||
@ -312,10 +310,6 @@ seutil_domtrans_restorecon(rpm_script_t)
|
||||
|
||||
userdom_use_all_user_fd(rpm_script_t)
|
||||
|
||||
if (allow_execmem) {
|
||||
allow rpm_script_t self:process execmem;
|
||||
}
|
||||
|
||||
# this should be tunable_policy, but
|
||||
# typeattribute does not work in conditionals
|
||||
ifdef(`unlimitedRPM',`
|
||||
@ -323,6 +317,10 @@ ifdef(`unlimitedRPM',`
|
||||
unconfined_domain_template(rpm_script_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
allow rpm_script_t self:process execmem;
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_domtrans(rpm_script_t)
|
||||
')
|
||||
|
||||
@ -96,6 +96,9 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
# for SSP
|
||||
dev_read_urand(chfn_t)
|
||||
|
||||
auth_domtrans_chk_passwd(chfn_t)
|
||||
auth_dontaudit_read_shadow(chfn_t)
|
||||
|
||||
# can exec /sbin/unix_chkpwd
|
||||
corecmd_search_bin(chfn_t)
|
||||
corecmd_search_sbin(chfn_t)
|
||||
@ -117,31 +120,23 @@ miscfiles_read_localization(chfn_t)
|
||||
|
||||
logging_send_syslog_msg(chfn_t)
|
||||
|
||||
auth_domtrans_chk_passwd(chfn_t)
|
||||
auth_dontaudit_read_shadow(chfn_t)
|
||||
# uses unix_chkpwd for checking passwords
|
||||
seutil_dontaudit_search_config(chfn_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(chfn_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(chfn_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(chfn_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`firstboot.te',`
|
||||
domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
|
||||
')
|
||||
|
||||
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
|
||||
|
||||
# allow checking if a shell is executable
|
||||
allow chfn_t shell_exec_t:file execute;
|
||||
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
|
||||
|
||||
# uses unix_chkpwd for checking passwords
|
||||
dontaudit chfn_t selinux_config_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -180,16 +175,11 @@ libs_use_shared_libs(crack_t)
|
||||
|
||||
logging_send_syslog_msg(crack_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`crond.te', `
|
||||
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
|
||||
allow crack_t crond_t:fifo_file rw_file_perms;
|
||||
allow crack_t crond_t:fd use;
|
||||
allow crack_t crond_t:process sigchld;
|
||||
')
|
||||
userdom_dontaudit_search_sysadm_home_dir(crack_t)
|
||||
|
||||
dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
|
||||
') dnl endif TODO
|
||||
optional_policy(`cron.te',`
|
||||
cron_system_entry(crack_t,crack_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -250,6 +240,8 @@ auth_rw_lastlog(groupadd_t)
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(groupadd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(groupadd_t)
|
||||
@ -265,15 +257,11 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
|
||||
|
||||
# for when /root is the cwd
|
||||
dontaudit groupadd_t sysadm_home_dir_t:dir search;
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -314,6 +302,8 @@ selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
auth_manage_shadow(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_script_pid(passwd_t)
|
||||
@ -323,6 +313,7 @@ domain_use_wide_inherit_fd(passwd_t)
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
files_manage_etc_files(passwd_t)
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
|
||||
libs_use_ld_so(passwd_t)
|
||||
libs_use_shared_libs(passwd_t)
|
||||
@ -331,20 +322,18 @@ logging_send_syslog_msg(passwd_t)
|
||||
|
||||
miscfiles_read_localization(passwd_t)
|
||||
|
||||
auth_manage_shadow(passwd_t)
|
||||
seutil_dontaudit_search_config(passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(passwd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(passwd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
ifdef(`firstboot.te',`
|
||||
domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
|
||||
')
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
@ -354,18 +343,10 @@ ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
|
||||
# allow checking if a shell is executable
|
||||
allow passwd_t shell_exec_t:file execute;
|
||||
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
|
||||
|
||||
# make sure that getcon succeeds
|
||||
allow passwd_t userdomain:dir search;
|
||||
allow passwd_t userdomain:file read;
|
||||
allow passwd_t userdomain:process getattr;
|
||||
|
||||
dontaudit passwd_t selinux_config_t:dir search;
|
||||
|
||||
dontaudit passwd_t var_run_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -424,6 +405,8 @@ domain_use_wide_inherit_fd(sysadm_passwd_t)
|
||||
|
||||
files_manage_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
@ -436,7 +419,12 @@ miscfiles_read_localization(sysadm_passwd_t)
|
||||
|
||||
logging_send_syslog_msg(sysadm_passwd_t)
|
||||
|
||||
seutil_dontaudit_search_config(sysadm_passwd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(sysadm_passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(sysadm_passwd_t)
|
||||
@ -452,20 +440,9 @@ ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
|
||||
# allow checking if a shell is executable
|
||||
allow sysadm_passwd_t shell_exec_t:file execute;
|
||||
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# for vipw - vi looks in the root home directory for config
|
||||
dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
|
||||
|
||||
# for nscd lookups
|
||||
dontaudit sysadm_passwd_t var_run_t:dir search;
|
||||
|
||||
dontaudit sysadm_passwd_t selinux_config_t:dir search;
|
||||
ifdef(`targeted_policy', `
|
||||
role system_r types sysadm_passwd_t;
|
||||
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
|
||||
@ -534,6 +511,12 @@ seutil_read_config(useradd_t)
|
||||
seutil_read_file_contexts(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(useradd_t)
|
||||
# for when /root is the cwd
|
||||
userdom_dontaudit_search_sysadm_home_dir(useradd_t)
|
||||
# Add/remove user home directories
|
||||
userdom_create_user_home_dir(useradd_t)
|
||||
userdom_manage_user_home_dir(useradd_t)
|
||||
userdom_create_user_home(useradd_t,notdevfile_class_set)
|
||||
|
||||
mta_manage_spool(useradd_t)
|
||||
|
||||
@ -551,21 +534,12 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
|
||||
|
||||
# for when /root is the cwd
|
||||
dontaudit useradd_t sysadm_home_dir_t:dir search;
|
||||
|
||||
# Add/remove user home directories
|
||||
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
|
||||
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
|
||||
|
||||
# /var/mail is a link to /var/spool/mail
|
||||
allow useradd_t mail_spool_t:lnk_file read;
|
||||
|
||||
') dnl end TODO
|
||||
|
||||
@ -96,6 +96,7 @@ sysnet_create_config(vpnc_t)
|
||||
sysnet_manage_config(vpnc_t)
|
||||
|
||||
userdom_use_all_user_fd(vpnc_t)
|
||||
userdom_dontaudit_search_all_users_home(vpnc_t)
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(vpnc_t)
|
||||
@ -108,7 +109,3 @@ optional_policy(`nis.te',`
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(vpnc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit vpnc_t user_home_dir_type:dir search;
|
||||
')
|
||||
|
||||
@ -98,6 +98,8 @@ template(`cron_per_userdomain_template',`
|
||||
fs_getattr_all_fs($1_crond_t)
|
||||
|
||||
domain_exec_all_entry_files($1_crond_t)
|
||||
# quiet other ps operations
|
||||
domain_dontaudit_read_all_domains_state($1_crond_t)
|
||||
|
||||
files_read_usr_files($1_crond_t)
|
||||
files_exec_etc_files($1_crond_t)
|
||||
@ -113,6 +115,8 @@ template(`cron_per_userdomain_template',`
|
||||
libs_exec_ld_so($1_crond_t)
|
||||
|
||||
files_read_etc_runtime_files($1_crond_t)
|
||||
files_read_var_files($1_crond_t)
|
||||
files_search_spool($1_crond_t)
|
||||
|
||||
logging_search_logs($1_crond_t)
|
||||
|
||||
@ -126,6 +130,13 @@ template(`cron_per_userdomain_template',`
|
||||
userdom_manage_user_tmp_sockets($1,$1_crond_t)
|
||||
# Run scripts in user home directory and access shared libs.
|
||||
userdom_exec_user_home_files($1,$1_crond_t)
|
||||
# Access user files and dirs.
|
||||
# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
|
||||
userdom_manage_user_home_subdir_files($1,$1_crond_t)
|
||||
userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
|
||||
userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
|
||||
userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
|
||||
# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
allow crond_t $1_cron_spool_t:file create_file_perms;
|
||||
@ -136,9 +147,6 @@ template(`cron_per_userdomain_template',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Access user files and dirs.
|
||||
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
|
||||
|
||||
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
|
||||
|
||||
@ -150,13 +158,6 @@ template(`cron_per_userdomain_template',`
|
||||
dontaudit $1_mail_t crond_t:fifo_file write;
|
||||
allow mta_user_agent $1_crond_t:fd use;
|
||||
')
|
||||
|
||||
allow $1_crond_t var_spool_t:dir search;
|
||||
allow $1_crond_t var_t:dir r_dir_perms;
|
||||
allow $1_crond_t var_t:file r_file_perms;
|
||||
|
||||
# quiet other ps operations
|
||||
dontaudit $1_crond_t domain:dir { getattr search };
|
||||
') dnl endif TODO
|
||||
|
||||
##############################
|
||||
@ -171,6 +172,12 @@ template(`cron_per_userdomain_template',`
|
||||
allow $1_crontab_t $2:fifo_file rw_file_perms;
|
||||
allow $1_crontab_t $2:process sigchld;
|
||||
|
||||
# crontab shows up in user ps
|
||||
allow $2 $1_crontab_t:dir { search getattr read };
|
||||
allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
|
||||
allow $2 $1_crontab_t:process getattr;
|
||||
dontaudit $2 $1_crontab_t:process ptrace;
|
||||
|
||||
# for ^Z
|
||||
allow $2 $1_crontab_t:process signal;
|
||||
|
||||
@ -229,15 +236,10 @@ template(`cron_per_userdomain_template',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
can_ps($1_t, $1_crontab_t)
|
||||
|
||||
dontaudit $1_crontab_t proc_t:dir search;
|
||||
|
||||
allow $1_crond_t tmp_t:dir rw_dir_perms;
|
||||
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
|
||||
|
||||
# Read user crontabs
|
||||
allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
|
||||
dontaudit $1_crontab_t $1_home_dir_t:dir write;
|
||||
|
||||
# Inherit and use descriptors from gnome-pty-helper.
|
||||
|
||||
@ -13,7 +13,7 @@ files_type(anacron_exec_t)
|
||||
type cron_spool_t;
|
||||
files_type(cron_spool_t)
|
||||
|
||||
type crond_t; #, privmail
|
||||
type crond_t;
|
||||
type crond_exec_t;
|
||||
init_daemon_domain(crond_t,crond_exec_t)
|
||||
domain_wide_inherit_fd(crond_t)
|
||||
@ -31,7 +31,7 @@ files_type(crontab_exec_t)
|
||||
type system_cron_spool_t, cron_spool_type;
|
||||
files_type(system_cron_spool_t)
|
||||
|
||||
type system_crond_t; #, privmail
|
||||
type system_crond_t;
|
||||
init_daemon_domain(system_crond_t,anacron_exec_t)
|
||||
corecmd_shell_entry_type(system_crond_t)
|
||||
role system_r types system_crond_t;
|
||||
@ -100,6 +100,9 @@ domain_use_wide_inherit_fd(crond_t)
|
||||
|
||||
files_read_etc_files(crond_t)
|
||||
files_read_generic_spools(crond_t)
|
||||
# Read from /var/spool/cron.
|
||||
files_search_var_lib(crond_t)
|
||||
files_search_default(crond_t)
|
||||
|
||||
init_use_fd(crond_t)
|
||||
init_use_script_pty(crond_t)
|
||||
@ -117,6 +120,8 @@ miscfiles_read_localization(crond_t)
|
||||
|
||||
userdom_use_unpriv_users_fd(crond_t)
|
||||
|
||||
mta_send_mail(crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
@ -169,10 +174,6 @@ optional_policy(`rhgb.te', `
|
||||
rhgb_domain(crond_t)
|
||||
')
|
||||
|
||||
# Read from /var/spool/cron.
|
||||
allow crond_t var_lib_t:dir search;
|
||||
allow crond_t default_t:dir search;
|
||||
|
||||
# crond tries to search /root. Not sure why.
|
||||
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
|
||||
|
||||
@ -257,6 +258,8 @@ corecmd_exec_bin(system_crond_t)
|
||||
corecmd_exec_sbin(system_crond_t)
|
||||
|
||||
domain_exec_all_entry_files(system_crond_t)
|
||||
# quiet other ps operations
|
||||
domain_dontaudit_read_all_domains_state(system_crond_t)
|
||||
|
||||
files_exec_etc_files(system_crond_t)
|
||||
files_read_etc_files(system_crond_t)
|
||||
@ -296,6 +299,8 @@ miscfiles_manage_man_pages(system_crond_t)
|
||||
|
||||
seutil_read_config(system_crond_t)
|
||||
|
||||
mta_send_mail(system_crond_t)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||||
# via redirection of standard out.
|
||||
@ -342,9 +347,6 @@ optional_policy(`squid.te',`
|
||||
ifdef(`TODO',`
|
||||
dontaudit userdomain system_crond_t:fd use;
|
||||
|
||||
# quiet other ps operations
|
||||
dontaudit system_crond_t domain:dir { getattr search };
|
||||
|
||||
# Do not audit attempts to search unlabeled directories (e.g. slocate).
|
||||
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
|
||||
dontaudit system_crond_t unlabeled_t:file r_file_perms;
|
||||
|
||||
@ -6,7 +6,7 @@ policy_module(inetd,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type inetd_t; # ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')
|
||||
type inetd_t;
|
||||
type inetd_exec_t;
|
||||
init_daemon_domain(inetd_t,inetd_exec_t)
|
||||
|
||||
@ -127,6 +127,11 @@ optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(inetd_t)
|
||||
')
|
||||
|
||||
# Communicate with the portmapper.
|
||||
optional_policy(`portmap.te',`
|
||||
portmap_udp_sendto(inetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(inetd_t)
|
||||
')
|
||||
@ -146,13 +151,9 @@ ifdef(`unlimitedInetd', `
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(inetd_t)
|
||||
')
|
||||
|
||||
# Communicate with the portmapper.
|
||||
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
|
||||
') dnl TODO
|
||||
|
||||
########################################
|
||||
|
||||
@ -145,9 +145,6 @@ ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(kadmind_t)
|
||||
')
|
||||
|
||||
# cjp: not sure, but I think this has no effect
|
||||
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -250,9 +247,4 @@ optional_policy(`rhgb.te',`
|
||||
# Allow user programs to talk to KDC
|
||||
allow krb5kdc_t userdomain:udp_socket recvfrom;
|
||||
allow userdomain krb5kdc_t:udp_socket recvfrom;
|
||||
|
||||
# cjp: not sure, but I think these have no effect
|
||||
can_udp_send(kerberos_port_t, krb5kdc_t)
|
||||
can_udp_send(krb5kdc_t, kerberos_port_t)
|
||||
can_tcp_connect(kerberos_port_t, krb5kdc_t)
|
||||
') dnl end TODO
|
||||
|
||||
@ -35,3 +35,21 @@ interface(`ldap_read_config',`
|
||||
files_search_etc($1)
|
||||
allow $1 slapd_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use LDAP over TCP connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`ldap_use',`
|
||||
gen_require(`
|
||||
type slapd_t;
|
||||
')
|
||||
|
||||
allow $1 slapd_t:tcp_socket { connectto recvfrom };
|
||||
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
')
|
||||
|
||||
@ -59,6 +59,7 @@ files_create_pid(slapd_t,slapd_var_run_t)
|
||||
|
||||
kernel_read_system_state(slapd_t)
|
||||
kernel_read_kernel_sysctl(slapd_t)
|
||||
kernel_tcp_recvfrom(slapd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(slapd_t)
|
||||
corenet_udp_sendrecv_all_if(slapd_t)
|
||||
@ -124,7 +125,4 @@ r_dir_file(slapd_t, cert_t)
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(slapd_t)
|
||||
')
|
||||
# allow any domain to connect to the LDAP server
|
||||
# cjp: how does this relate to the old can_ldap() macro?
|
||||
can_tcp_connect(domain, slapd_t)
|
||||
') dnl end TODO
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
policy_module(nscd,1.0)
|
||||
|
||||
gen_require(`
|
||||
class nscd { admin getstat };
|
||||
class nscd all_nscd_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -86,7 +86,4 @@ ifdef(`TODO',`
|
||||
optional_policy(`rlogind.te', `
|
||||
allow rshd_t rlogind_tmp_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
allow rshd_t selinux_config_t:lnk_file { getattr read };
|
||||
allow rshd_t default_context_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -21,6 +21,7 @@ files_type(samba_log_t)
|
||||
|
||||
type samba_net_t;
|
||||
domain_type(samba_net_t)
|
||||
role system_r types samba_net_t;
|
||||
|
||||
type samba_net_exec_t;
|
||||
domain_entry_file(samba_net_t,samba_net_exec_t)
|
||||
@ -126,7 +127,6 @@ optional_policy(`nscd.te',`
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
role system_r types samba_net_t;
|
||||
in_user_role(samba_net_t)
|
||||
')
|
||||
|
||||
|
||||
@ -32,13 +32,6 @@ template(`authlogin_per_userdomain_template',`
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords;
|
||||
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
|
||||
class file rx_file_perms;
|
||||
class process { getattr transition sigchld };
|
||||
class capability setuid;
|
||||
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||
@ -63,6 +56,8 @@ template(`authlogin_per_userdomain_template',`
|
||||
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
||||
allow $1_chkpwd_t $2:process sigchld;
|
||||
|
||||
dontaudit $2 shadow_t:file { getattr read };
|
||||
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state($1_chkpwd_t)
|
||||
|
||||
@ -114,7 +109,6 @@ template(`authlogin_per_userdomain_template',`
|
||||
ifdef(`TODO',`
|
||||
can_winbind($1)
|
||||
r_dir_file($1, cert_t)
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -71,6 +71,11 @@ interface(`domain_type',`
|
||||
unconfined_sigchld($1)
|
||||
')
|
||||
|
||||
# allow any domain to connect to the LDAP server
|
||||
optional_policy(`ldap.te',`
|
||||
ldap_use($1)
|
||||
')
|
||||
|
||||
# this seems highly questionable:
|
||||
optional_policy(`rpm.te',`
|
||||
rpm_use_fd($1)
|
||||
@ -129,6 +134,24 @@ interface(`domain_dyntrans_type',`
|
||||
typeattribute $1 set_curr_context;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Makes caller and execption to the constraint
|
||||
## preventing changing to the system user
|
||||
## identity and system role.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_system_change_exempt',`
|
||||
gen_require(`
|
||||
attribute can_system_change;
|
||||
')
|
||||
|
||||
typeattribute $1 can_system_change;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
|
||||
@ -78,6 +78,8 @@ corecmd_exec_shell(hotplug_t)
|
||||
corecmd_exec_sbin(hotplug_t)
|
||||
|
||||
domain_use_wide_inherit_fd(hotplug_t)
|
||||
# for ps
|
||||
domain_dontaudit_read_all_domains_state(hotplug_t)
|
||||
|
||||
files_read_etc_files(hotplug_t)
|
||||
files_manage_etc_runtime_files(hotplug_t)
|
||||
@ -187,16 +189,9 @@ optional_policy(`rhgb.te',`
|
||||
rhgb_domain(hotplug_t)
|
||||
')
|
||||
|
||||
# for ps
|
||||
dontaudit hotplug_t domain:dir { getattr search };
|
||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||
|
||||
optional_policy(`hald.te', `
|
||||
allow hotplug_t hald_t:unix_dgram_socket sendto;
|
||||
')
|
||||
|
||||
# this block goes to hald:
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_read_config(hald_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
@ -6,7 +6,7 @@ policy_module(raid,1.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type mdadm_t; # privmail
|
||||
type mdadm_t;
|
||||
type mdadm_exec_t;
|
||||
init_daemon_domain(mdadm_t,mdadm_exec_t)
|
||||
role system_r types mdadm_t;
|
||||
@ -67,6 +67,8 @@ miscfiles_read_localization(mdadm_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
|
||||
userdom_dontaudit_use_sysadm_tty(mdadm_t)
|
||||
|
||||
mta_send_mail(mdadm_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(mdadm_t)
|
||||
term_dontaudit_use_generic_pty(mdadm_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user