trunk: 6 patches from dan.
This commit is contained in:
parent
d3cdc3d07c
commit
3c9b2e9bc6
|
@ -11,6 +11,9 @@
|
||||||
- Add support for labeled Booleans.
|
- Add support for labeled Booleans.
|
||||||
- Remove node definitions and change node usage to generic nodes.
|
- Remove node definitions and change node usage to generic nodes.
|
||||||
- Add kernel_service access vectors, from Stephen Smalley.
|
- Add kernel_service access vectors, from Stephen Smalley.
|
||||||
|
- Added modules:
|
||||||
|
logadm (Dan Walsh)
|
||||||
|
zosremote (Dan Walsh)
|
||||||
|
|
||||||
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
|
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
|
||||||
- Fix consistency of audioentropy and iscsi module naming.
|
- Fix consistency of audioentropy and iscsi module naming.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(logwatch, 1.9.0)
|
policy_module(logwatch, 1.9.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
|
@ -43,6 +43,8 @@ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
|
||||||
kernel_read_fs_sysctls(logwatch_t)
|
kernel_read_fs_sysctls(logwatch_t)
|
||||||
kernel_read_kernel_sysctls(logwatch_t)
|
kernel_read_kernel_sysctls(logwatch_t)
|
||||||
kernel_read_system_state(logwatch_t)
|
kernel_read_system_state(logwatch_t)
|
||||||
|
kernel_read_net_sysctls(logwatch_t)
|
||||||
|
kernel_read_network_state(logwatch_t)
|
||||||
|
|
||||||
corecmd_exec_bin(logwatch_t)
|
corecmd_exec_bin(logwatch_t)
|
||||||
corecmd_exec_shell(logwatch_t)
|
corecmd_exec_shell(logwatch_t)
|
||||||
|
@ -54,6 +56,7 @@ dev_read_sysfs(logwatch_t)
|
||||||
domain_read_all_domains_state(logwatch_t)
|
domain_read_all_domains_state(logwatch_t)
|
||||||
|
|
||||||
files_list_var(logwatch_t)
|
files_list_var(logwatch_t)
|
||||||
|
files_read_var_symlinks(logwatch_t)
|
||||||
files_read_etc_files(logwatch_t)
|
files_read_etc_files(logwatch_t)
|
||||||
files_read_etc_runtime_files(logwatch_t)
|
files_read_etc_runtime_files(logwatch_t)
|
||||||
files_read_usr_files(logwatch_t)
|
files_read_usr_files(logwatch_t)
|
||||||
|
@ -66,10 +69,12 @@ files_dontaudit_search_all_dirs(logwatch_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(logwatch_t)
|
fs_getattr_all_fs(logwatch_t)
|
||||||
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
||||||
|
fs_list_inotifyfs(logwatch_t)
|
||||||
|
|
||||||
term_dontaudit_getattr_pty_dirs(logwatch_t)
|
term_dontaudit_getattr_pty_dirs(logwatch_t)
|
||||||
term_dontaudit_list_ptys(logwatch_t)
|
term_dontaudit_list_ptys(logwatch_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(logwatch_t)
|
||||||
auth_dontaudit_read_shadow(logwatch_t)
|
auth_dontaudit_read_shadow(logwatch_t)
|
||||||
|
|
||||||
init_read_utmp(logwatch_t)
|
init_read_utmp(logwatch_t)
|
||||||
|
@ -85,6 +90,7 @@ miscfiles_read_localization(logwatch_t)
|
||||||
selinux_dontaudit_getattr_dir(logwatch_t)
|
selinux_dontaudit_getattr_dir(logwatch_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(logwatch_t)
|
sysnet_dns_name_resolve(logwatch_t)
|
||||||
|
sysnet_exec_ifconfig(logwatch_t)
|
||||||
|
|
||||||
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
||||||
|
|
||||||
|
@ -94,10 +100,6 @@ optional_policy(`
|
||||||
apache_read_log(logwatch_t)
|
apache_read_log(logwatch_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
auth_use_nsswitch(logwatch_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
avahi_dontaudit_search_pid(logwatch_t)
|
avahi_dontaudit_search_pid(logwatch_t)
|
||||||
')
|
')
|
||||||
|
|
|
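Review bot: `sysnet_exec_ifconfig(logwatch_t)` in the `@ -85,6 +90,7 @@` hunk lets the log summarizer execute ifconfig in its own domain, and nothing in the hunk says why; the neighbouring `kernel_read_net_sysctls` and `kernel_read_network_state` additions suggest a network-status report, but that is inferred. A one-line rationale in the file's existing comment style would keep the permission reviewable, e.g. `# network summary report runs ifconfig (TODO confirm which script needs it)`. Moving `auth_use_nsswitch(logwatch_t)` out of `optional_policy` across the `@ -66,10 +69,12 @@` and `@ -94,10 +100,6 @@` hunks changes no access and needs no comment.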
@ -115,6 +115,24 @@ interface(`usermanage_domtrans_passwd',`
|
||||||
domtrans_pattern($1, passwd_exec_t, passwd_t)
|
domtrans_pattern($1, passwd_exec_t, passwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send sigkills to passwd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`usermanage_kill_passwd',`
|
||||||
|
gen_require(`
|
||||||
|
type passwd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 passwd_t:process sigkill;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute passwd in the passwd domain, and
|
## Execute passwd in the passwd domain, and
|
||||||
|
@ -138,6 +156,7 @@ interface(`usermanage_run_passwd',`
|
||||||
|
|
||||||
usermanage_domtrans_passwd($1)
|
usermanage_domtrans_passwd($1)
|
||||||
role $2 types passwd_t;
|
role $2 types passwd_t;
|
||||||
|
auth_run_chk_passwd(passwd_t, $2)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
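Review bot: The `auth_run_chk_passwd(passwd_t, $2)` line added in the `@ -138,6 +156,7 @@` hunk widens `usermanage_run_passwd` so that every role granted passwd also receives the chkpwd helper types, and the hunk gives no reason; presumably passwd verifies the current password through the PAM helper, but that should be stated. A comment such as `# passwd verifies the current password via the chkpwd helper (TODO confirm)` above the call would document the role expansion; the enclosing interface starts before the hunk. In the new `usermanage_kill_passwd` interface the summary `## Send sigkills to passwd.` reads more precisely as `## Send a SIGKILL to the passwd domain.`, matching how the sibling summary on this page names the domain.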
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(usermanage, 1.12.0)
|
policy_module(usermanage, 1.12.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -288,6 +288,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||||
term_use_all_user_ttys(passwd_t)
|
term_use_all_user_ttys(passwd_t)
|
||||||
term_use_all_user_ptys(passwd_t)
|
term_use_all_user_ptys(passwd_t)
|
||||||
|
|
||||||
|
auth_domtrans_chk_passwd(passwd_t)
|
||||||
auth_manage_shadow(passwd_t)
|
auth_manage_shadow(passwd_t)
|
||||||
auth_relabel_shadow(passwd_t)
|
auth_relabel_shadow(passwd_t)
|
||||||
auth_etc_filetrans_shadow(passwd_t)
|
auth_etc_filetrans_shadow(passwd_t)
|
||||||
|
@ -307,6 +308,7 @@ files_relabel_etc_files(passwd_t)
|
||||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||||
# correctly without it. Do not audit write denials to utmp.
|
# correctly without it. Do not audit write denials to utmp.
|
||||||
init_dontaudit_rw_utmp(passwd_t)
|
init_dontaudit_rw_utmp(passwd_t)
|
||||||
|
init_use_fds(passwd_t)
|
||||||
|
|
||||||
logging_send_audit_msgs(passwd_t)
|
logging_send_audit_msgs(passwd_t)
|
||||||
logging_send_syslog_msg(passwd_t)
|
logging_send_syslog_msg(passwd_t)
|
||||||
|
@ -320,6 +322,7 @@ userdom_use_unpriv_users_fds(passwd_t)
|
||||||
# make sure that getcon succeeds
|
# make sure that getcon succeeds
|
||||||
userdom_getattr_all_users(passwd_t)
|
userdom_getattr_all_users(passwd_t)
|
||||||
userdom_read_all_users_state(passwd_t)
|
userdom_read_all_users_state(passwd_t)
|
||||||
|
userdom_read_user_tmp_files(passwd_t)
|
||||||
# user generally runs this from their home directory, so do not audit a search
|
# user generally runs this from their home directory, so do not audit a search
|
||||||
# on user home dir
|
# on user home dir
|
||||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||||
|
@ -492,6 +495,12 @@ userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_se
|
||||||
|
|
||||||
mta_manage_spool(useradd_t)
|
mta_manage_spool(useradd_t)
|
||||||
|
|
||||||
|
ifdef(`distro_redhat',`
|
||||||
|
optional_policy(`
|
||||||
|
unconfined_domain(useradd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_manage_all_user_content(useradd_t)
|
apache_manage_all_user_content(useradd_t)
|
||||||
')
|
')
|
||||||
|
|
|
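Review bot: `unconfined_domain(useradd_t)` in the `@ -492,6 +495,12 @@` hunk removes all confinement from useradd on `distro_redhat` builds, and the hunk carries no explanation for such a large widening, while the same file documents far smaller exceptions with a comment (the utmp block in `@ -307,6 +308,7 @@`). Please add the rationale above the `ifdef`, e.g. `# TODO confirm: why useradd must be unconfined on Red Hat builds`, or scope the grant to the specific accesses that were being denied. `userdom_read_user_tmp_files(passwd_t)` in the `@ -320,6 +322,7 @@` hunk likewise deserves a why-comment, since passwd reading user temporary files is not an obvious need.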
@ -0,0 +1 @@
|
||||||
|
# file contexts handled by userdomain and genhomedircon
|
|
@ -0,0 +1,50 @@
|
||||||
|
## <summary>Log administrator role</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Change to the log administrator role.
|
||||||
|
## </summary>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`logadm_role_change',`
|
||||||
|
gen_require(`
|
||||||
|
role logadm_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 logadm_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Change from the log administrator role.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Change from the log administrator role to
|
||||||
|
## the specified role.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## This is an interface to support third party modules
|
||||||
|
## and its use is not allowed in upstream reference
|
||||||
|
## policy.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`logadm_role_change_to',`
|
||||||
|
gen_require(`
|
||||||
|
role logadm_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow logadm_r $1;
|
||||||
|
')
|
|
@ -0,0 +1,20 @@
|
||||||
|
|
||||||
|
policy_module(logadm, 1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
role logadm_r;
|
||||||
|
|
||||||
|
userdom_base_user_template(logadm)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# logadmin local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
||||||
|
|
||||||
|
logging_admin(logadm_t, logadm_r)
|
|
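Review bot: The `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }` rule grants `sys_ptrace` and `dac_override` to the log administrator role with no comment, and `logging_admin(logadm_t, logadm_r)` presumably already covers the log content itself; which log administration task needs to trace or override access on other processes is not visible here. A per-capability rationale comment above the rule, e.g. `# sys_ptrace: TODO confirm which tool needs it; drop if only /proc reads are required`, would let the set be narrowed later. The header `# logadmin local policy` also names the module differently from `policy_module(logadm, 1.0.0)`; `# logadm local policy` matches.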
@ -16,6 +16,7 @@
|
||||||
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
|
||||||
|
/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||||
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -83,12 +83,13 @@ template(`rpc_domain_template', `
|
||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
corenet_sendrecv_portmap_client_packets($1_t)
|
corenet_sendrecv_portmap_client_packets($1_t)
|
||||||
# do not log when it tries to bind to a port belonging to another domain
|
# do not log when it tries to bind to a port belonging to another domain
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_tcp_bind_all_ports($1_t)
|
||||||
corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
|
corenet_dontaudit_udp_bind_all_ports($1_t)
|
||||||
# bind to arbitary unused ports
|
# bind to arbitary unused ports
|
||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
corenet_udp_bind_reserved_port($1_t)
|
corenet_tcp_bind_all_rpc_ports($1_t)
|
||||||
|
corenet_udp_bind_all_rpc_ports($1_t)
|
||||||
corenet_sendrecv_generic_server_packets($1_t)
|
corenet_sendrecv_generic_server_packets($1_t)
|
||||||
|
|
||||||
fs_rw_rpc_named_pipes($1_t)
|
fs_rw_rpc_named_pipes($1_t)
|
||||||
|
@ -203,6 +204,25 @@ interface(`rpc_domtrans_nfsd',`
|
||||||
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
|
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute domain in nfsd domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`rpc_domtrans_rpcd',`
|
||||||
|
gen_require(`
|
||||||
|
type rpcd_t, rpcd_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, rpcd_exec_t, rpcd_t)
|
||||||
|
allow rpcd_t $1:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read NFS exported content.
|
## Read NFS exported content.
|
||||||
|
@ -335,3 +355,22 @@ interface(`rpc_read_nfs_state_data',`
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage NFS state data in /var/lib/nfs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`rpc_manage_nfs_state_data',`
|
||||||
|
gen_require(`
|
||||||
|
type var_lib_nfs_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||||
|
')
|
||||||
|
|
|
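Review bot: The summary of the new `rpc_domtrans_rpcd` interface in the `@ -203,6 +204,25 @@` hunk says `## Execute domain in nfsd domain.` although the body transitions to `rpcd_t`; it should read `## Execute domain in rpcd domain.` Its parameter summary `## The type of the process performing this action.` also differs from the `## Domain allowed access.` wording used by the sibling `rpc_manage_nfs_state_data` interface added in the same file. In the template hunk `@ -83,12 +83,13 @@` the two dontaudit lines now cover all ports rather than reserved ports only, so the comment above them could say `# do not log when it tries to bind to any port belonging to another domain` to reflect the wider scope.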
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(rpc, 1.10.3)
|
policy_module(rpc, 1.10.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -68,6 +68,7 @@ kernel_read_network_state(rpcd_t)
|
||||||
# for rpc.rquotad
|
# for rpc.rquotad
|
||||||
kernel_read_sysctl(rpcd_t)
|
kernel_read_sysctl(rpcd_t)
|
||||||
kernel_rw_fs_sysctls(rpcd_t)
|
kernel_rw_fs_sysctls(rpcd_t)
|
||||||
|
kernel_dontaudit_getattr_core_if(rpcd_t)
|
||||||
|
|
||||||
corecmd_exec_bin(rpcd_t)
|
corecmd_exec_bin(rpcd_t)
|
||||||
|
|
||||||
|
@ -101,6 +102,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||||
# for /proc/fs/nfs/exports - should we have a new type?
|
# for /proc/fs/nfs/exports - should we have a new type?
|
||||||
kernel_read_system_state(nfsd_t)
|
kernel_read_system_state(nfsd_t)
|
||||||
kernel_read_network_state(nfsd_t)
|
kernel_read_network_state(nfsd_t)
|
||||||
|
kernel_dontaudit_getattr_core_if(nfsd_t)
|
||||||
|
|
||||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||||
|
@ -133,12 +135,23 @@ tunable_policy(`allow_nfsd_anon_write',`
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_rw',`
|
tunable_policy(`nfs_export_all_rw',`
|
||||||
|
dev_getattr_all_blk_files(nfsd_t)
|
||||||
|
dev_getattr_all_chr_files(nfsd_t)
|
||||||
|
|
||||||
fs_read_noxattr_fs_files(nfsd_t)
|
fs_read_noxattr_fs_files(nfsd_t)
|
||||||
auth_manage_all_files_except_shadow(nfsd_t)
|
auth_manage_all_files_except_shadow(nfsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`nfs_export_all_ro',`
|
tunable_policy(`nfs_export_all_ro',`
|
||||||
fs_read_noxattr_fs_files(nfsd_t)
|
dev_getattr_all_blk_files(nfsd_t)
|
||||||
|
dev_getattr_all_chr_files(nfsd_t)
|
||||||
|
|
||||||
|
files_getattr_all_pipes(nfsd_t)
|
||||||
|
files_getattr_all_sockets(nfsd_t)
|
||||||
|
|
||||||
|
fs_read_noxattr_fs_files(nfsd_t)
|
||||||
|
|
||||||
|
auth_read_all_dirs_except_shadow(nfsd_t)
|
||||||
auth_read_all_files_except_shadow(nfsd_t)
|
auth_read_all_files_except_shadow(nfsd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -180,8 +193,7 @@ tunable_policy(`allow_gssd_read_tmp',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(gssd_t)
|
kerberos_keytab_template(gssd, gssd_t)
|
||||||
kerberos_read_keytab(gssd_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
|
|
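Review bot: In the `@ -133,12 +135,23 @@` hunk the `nfs_export_all_ro` branch gains `files_getattr_all_pipes(nfsd_t)`, `files_getattr_all_sockets(nfsd_t)` and `auth_read_all_dirs_except_shadow(nfsd_t)`, but the `nfs_export_all_rw` branch only gains the two `dev_getattr_all_*` calls; read-write export presumably needs at least what read-only export needs, so the pipe and socket getattr lines look missing from the rw branch unless `auth_manage_all_files_except_shadow` already covers them. If the asymmetry is intentional, a comment in the rw branch saying so would stop the next reader from "fixing" it. The `kerberos_keytab_template(gssd, gssd_t)` swap in `@ -180,8 +193,7 @@` appears to replace the broad keytab read with a per-domain keytab type, which is the right direction.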
@ -0,0 +1 @@
|
||||||
|
/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
|
|
@ -0,0 +1,45 @@
|
||||||
|
## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run audispd-zos-remote.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`zosremote_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type zos_remote_t, type zos_remote_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow specified type and role to transition and
|
||||||
|
## run in the zos_remote_t domain. Allow specified type
|
||||||
|
## to use zos_remote_t terminal.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed the zos_remote domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`zosremote_run',`
|
||||||
|
gen_require(`
|
||||||
|
type zos_remote_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
zosremote_domtrans($1)
|
||||||
|
role $2 types zos_remote_t;
|
||||||
|
')
|
|
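Review bot: `type zos_remote_t, type zos_remote_exec_t;` inside the `gen_require` of `zosremote_domtrans` repeats the `type` keyword within a single declaration, which is not valid policy syntax and will break the build of any module that calls this interface; it should be `type zos_remote_t, zos_remote_exec_t;`. `zosremote_run` lower in the same file uses the correct single-keyword form.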
@ -0,0 +1,28 @@
|
||||||
|
policy_module(zosremote,1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type zos_remote_t;
|
||||||
|
type zos_remote_exec_t;
|
||||||
|
init_system_domain(zos_remote_t, zos_remote_exec_t)
|
||||||
|
logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# zos_remote local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow zos_remote_t self:process signal;
|
||||||
|
allow zos_remote_t self:fifo_file rw_file_perms;
|
||||||
|
allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
files_read_etc_files(zos_remote_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(zos_remote_t);
|
||||||
|
|
||||||
|
miscfiles_read_localization(zos_remote_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(zos_remote_t)
|
|
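Review bot: `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon that no other interface call in this file or in the sibling modules on this page has; after m4 expansion the `;` may end up as a stray token in the policy, so it should be `auth_use_nsswitch(zos_remote_t)`. `policy_module(zosremote,1.0.0)` also lacks the space after the comma that `policy_module(logadm, 1.0.0)` and the other modules use. Since this plugin forwards audit records, a short comment on what `self:unix_stream_socket create_stream_socket_perms` is needed for would help a reviewer judge the rule.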
@ -17,3 +17,5 @@
|
||||||
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
|
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
|
||||||
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
|
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||||
|
|
||||||
|
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
|
||||||
|
|
|
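Review bot: `/var/run/PackageKit/udev(/.*)?` is labelled `udev_var_run_t` without a comment, so a path under another component's runtime directory now carries udev's type and inherits whatever every `udev_var_run_t` consumer is allowed; presumably a PackageKit-shipped udev rule writes there, but that is inferred. A comment above the entry naming the producer, e.g. `# TODO confirm: written by PackageKit's udev rule`, would keep the labelling reviewable.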
@ -94,6 +94,24 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
|
||||||
dontaudit $1 udev_t:unix_dgram_socket { read write };
|
dontaudit $1 udev_t:unix_dgram_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit search of udev database directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`udev_dontaudit_search_db',`
|
||||||
|
gen_require(`
|
||||||
|
type udev_tbl_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 udev_tbl_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow process to read list of devices.
|
## Allow process to read list of devices.
|
||||||
|
@ -106,11 +124,13 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
|
||||||
#
|
#
|
||||||
interface(`udev_read_db',`
|
interface(`udev_read_db',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type udev_tdb_t;
|
type udev_tbl_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 udev_tdb_t:file read_file_perms;
|
allow $1 udev_tbl_t:dir list_dir_perms;
|
||||||
|
read_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||||
|
read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -125,9 +145,9 @@ interface(`udev_read_db',`
|
||||||
#
|
#
|
||||||
interface(`udev_rw_db',`
|
interface(`udev_rw_db',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type udev_tdb_t;
|
type udev_tbl_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_list_all_dev_nodes($1)
|
dev_list_all_dev_nodes($1)
|
||||||
allow $1 udev_tdb_t:file rw_file_perms;
|
allow $1 udev_tbl_t:file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
|
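Review bot: After this change `udev_read_db` in the `@ -106,11 +124,13 @@` hunk treats `udev_tbl_t` as a directory tree (`list_dir_perms` plus `read_files_pattern`/`read_lnk_files_pattern`), but `udev_rw_db` in the `@ -125,9 +145,9 @@` hunk still grants only `allow $1 udev_tbl_t:file rw_file_perms;` with no directory search, so a caller relying on `udev_rw_db` alone may be unable to reach the files by path. For consistency with the read interface, replace that allow line with `rw_files_pattern($1, udev_tbl_t, udev_tbl_t)`.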
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(udev, 1.10.1)
|
policy_module(udev, 1.10.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -55,6 +55,7 @@ allow udev_t udev_exec_t:file write;
|
||||||
can_exec(udev_t, udev_exec_t)
|
can_exec(udev_t, udev_exec_t)
|
||||||
|
|
||||||
allow udev_t udev_helper_exec_t:dir list_dir_perms;
|
allow udev_t udev_helper_exec_t:dir list_dir_perms;
|
||||||
|
can_exec(udev_t, udev_helper_exec_t)
|
||||||
|
|
||||||
# read udev config
|
# read udev config
|
||||||
allow udev_t udev_etc_t:file read_file_perms;
|
allow udev_t udev_etc_t:file read_file_perms;
|
||||||
|
@ -78,10 +79,12 @@ kernel_rw_hotplug_sysctls(udev_t)
|
||||||
kernel_rw_unix_dgram_sockets(udev_t)
|
kernel_rw_unix_dgram_sockets(udev_t)
|
||||||
kernel_dgram_send(udev_t)
|
kernel_dgram_send(udev_t)
|
||||||
kernel_signal(udev_t)
|
kernel_signal(udev_t)
|
||||||
|
kernel_search_debugfs(udev_t)
|
||||||
|
|
||||||
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
|
||||||
kernel_rw_net_sysctls(udev_t)
|
kernel_rw_net_sysctls(udev_t)
|
||||||
kernel_read_network_state(udev_t)
|
kernel_read_network_state(udev_t)
|
||||||
|
kernel_read_software_raid_state(udev_t)
|
||||||
|
|
||||||
corecmd_exec_all_executables(udev_t)
|
corecmd_exec_all_executables(udev_t)
|
||||||
|
|
||||||
|
@ -134,6 +137,7 @@ init_getattr_initctl(udev_t)
|
||||||
|
|
||||||
logging_search_logs(udev_t)
|
logging_search_logs(udev_t)
|
||||||
logging_send_syslog_msg(udev_t)
|
logging_send_syslog_msg(udev_t)
|
||||||
|
logging_send_audit_msgs(udev_t)
|
||||||
|
|
||||||
miscfiles_read_localization(udev_t)
|
miscfiles_read_localization(udev_t)
|
||||||
|
|
||||||
|
@ -181,6 +185,7 @@ ifdef(`distro_redhat',`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
alsa_domtrans(udev_t)
|
alsa_domtrans(udev_t)
|
||||||
|
alsa_read_lib(udev_t)
|
||||||
alsa_read_rw_config(udev_t)
|
alsa_read_rw_config(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -188,6 +193,10 @@ optional_policy(`
|
||||||
brctl_domtrans(udev_t)
|
brctl_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
clock_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consoletype_exec(udev_t)
|
consoletype_exec(udev_t)
|
||||||
')
|
')
|
||||||
|
@ -196,6 +205,10 @@ optional_policy(`
|
||||||
dbus_system_bus_client(udev_t)
|
dbus_system_bus_client(udev_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
lvm_domtrans(udev_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
fstools_domtrans(udev_t)
|
fstools_domtrans(udev_t)
|
||||||
')
|
')
|
||||||
|
|
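Review bot: `kernel_search_debugfs(udev_t)` and `kernel_read_software_raid_state(udev_t)` in the `@ -78,10 +79,12 @@` hunk and `logging_send_audit_msgs(udev_t)` in `@ -134,6 +137,7 @@` are added without comments, while the surrounding lines cite a bug report for the net sysctl access; the audit one appears to let udev emit audit records, which is unusual for a device manager and worth a stated reason. A one-line comment above each, in the style of the existing `#https://bugzilla...` line, would keep these reviewable, e.g. `# TODO confirm: which udev rule or helper needs debugfs and audit messaging`.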