UPdate for f14 policy

Dan Walsh 2010-08-26 09:41:21 -04:00
parent c62f1bef77
commit 3eaa993945
458 changed files with 21286 additions and 2643 deletions


@ -244,7 +244,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)


@ -15,7 +15,7 @@ Allow ftp servers to read the /var/ftp directory by adding the public_content_t
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
.TP
.B
restorecon -R -v /var/ftp
restorecon -F -R -v /var/ftp
.TP
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
.PP
@ -23,7 +23,7 @@ Allow ftp servers to read and write /var/tmp/incoming by adding the public_conte
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
.TP
.B
restorecon -R -v /var/ftp/incoming
restorecon -F -R -v /var/ftp/incoming
.SH BOOLEANS
.PP

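--- /dev/null
+++ b/man/man8/git_selinux.8
@@ -0,0 +1,109 @@
+.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+git_selinux \- Security Enhanced Linux Policy for the Git daemon.
+.SH "DESCRIPTION"
+Security-Enhanced Linux secures the Git server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type.
+Policy governs the access daemons have to these files.
+SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
+.PP
+The following file contexts types are by default defined for Git:
+.EX
+git_system_content_t
+.EE
+- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+.EX
+git_session_content_t
+.EE
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+.SH BOOLEANS
+SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
+.PP
+Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on NFS shares.
+.EX
+sudo setsebool -P git_system_use_nfs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on Samba shares.
+.EX
+sudo setsebool -P git_system_use_cifs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+.EX
+sudo setsebool -P use_nfs_home_dirs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+.EX
+sudo setsebool -P use_samba_home_dirs 1
+.EE
+.PP
+To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+.EX
+sudo setsebool -P git_session_bind_all_unreserved_ports 1
+.EE
+.SH GIT_SHELL
+The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+.PP
+To add a new Linux user and map him to this Git shell user domain automatically:
+.EX
+sudo useradd -Z git_shell_u joe
+.EE
+.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.PP
+To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+.EX
+policy_module(project1, 1.0.0)
+git_content_template(project1)
+.EE
+Next create a file named project1.fc and add a file context specification for the new repository type to it:
+.EX
+/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+.EX
+make -f /usr/share/selinux/devel/Makefile project.pp
+sudo semodule -i project1.pp
+sudo restorecon -R -v /srv/git/project1
+.EE
+To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+.EX
+policy_module(project1user, 1.0.0)
+git_role_template(project1user)
+git_content_delegation(project1user_t, git_project1_content_t)
+gen_user(project1user_u, user, project1user_r, s0, s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+.EX
+make -f /usr/share/selinux/devel/Makefile project1user.pp
+sudo semodule -i project1user.pp
+sudo useradd -Z project1user_u jane
+.EE
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)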


@ -1,4 +1,3 @@
#
# Define the constraints
#
@ -91,7 +90,7 @@ constrain process { transition noatsecure siginh rlimitinh }
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
@ -100,7 +99,7 @@ constrain process { transition noatsecure siginh rlimitinh }
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
or ( t1 == process_uncond_exempt )
);
@ -173,7 +172,7 @@ exempted_ubac_constraint(ipc, ubacipc)
########################################
#
# SE-X Windows rules
# X Windows rules
#
exempted_ubac_constraint(x_drawable, ubacxwin)
@ -219,26 +218,21 @@ exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)
basic_ubac_constraint(association)
basic_ubac_constraint(peer)
# these classes have no UBAC restrictions
#class security
#class system
#class capability
#class memprotect
#class passwd # userspace
#class node
#class netif
#class packet
#class capability2
#class nscd # userspace
#class context # userspace
# These classes have no UBAC restrictions
# class security
# class system
# class capability
# class memprotect
# class passwd
# class node
# class netif
# class packet
# class capability2
# class nscd
# class context
undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')


@ -59,15 +59,6 @@ gen_tunable(allow_ypbind,false)
## </desc>
gen_tunable(global_ssp,false)
## <desc>
## <p>
## Allow email client to various content.
## nfs, samba, removable devices, and user temp
## files
## </p>
## </desc>
gen_tunable(mail_read_content,false)
## <desc>
## <p>
## Allow any files/directories to be exported read/write via NFS.
@ -104,3 +95,18 @@ gen_tunable(use_samba_home_dirs,false)
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
## <desc>
## <p>
## Allow direct login to the console device. Required for System 390
## </p>
## </desc>
gen_tunable(allow_console_login,false)
## <desc>
## <p>
## Allow certain domains to map low memory in the kernel
## </p>
## </desc>
gen_tunable(mmap_low_allowed, false)
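Review bot: The description above `gen_tunable(mmap_low_allowed, false)` says what the tunable permits but not which protection it gives up, so an administrator reading `semanage boolean -l` cannot judge the trade-off. Mapping memory at low addresses is normally refused as a hardening measure, and the desc should say so, e.g. `## Allow certain domains to map low memory in the kernel. This relaxes the low-address mapping restriction; leave it off unless a domain genuinely needs it.` Separately, `gen_tunable(mmap_low_allowed, false)` is the only declaration in this hunk with a space after the comma; the neighbouring `gen_tunable(allow_console_login,false)` and `gen_tunable(user_tcp_server,false)` use no space, so `gen_tunable(mmap_low_allowed,false)` keeps the file consistent.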


@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
( h1 dom h2 );
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
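Review bot: Adding `file` to the grouped `{ create relabelto }` constraint appears to duplicate the `mlsconstrain file { create relabelto }` shown in the hunk header, whose expression `(( h1 dom h2 ) and ( l2 eq h2 ));` is the same one the grouped rule carries. Multiple mlsconstrains on the same class and permissions are simply conjoined, so the duplicate is harmless but misleading to the next reader, who will wonder which rule is authoritative. If the intent was only to extend the relabelfrom clearance check to files, then `mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }` alone achieves that and the create/relabelto line can keep its original class list; otherwise drop the standalone file rule so the constraint lives in one place. Which of the two printed versions of each line is the new side is not explicit on the rendered page, so confirm against the raw diff.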


@ -0,0 +1,3 @@
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)


@ -0,0 +1,173 @@
## <summary>Accountsservice D-Bus interfaces for querying and manipulating user account information.</summary>
########################################
## <summary>
## Execute a domain transition to
## run Account Service daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`accountsd_domtrans',`
gen_require(`
type accountsd_t, accountsd_exec_t;
')
domtrans_pattern($1, accountsd_exec_t, accountsd_t)
corecmd_search_bin($1)
files_search_usr($1)
')
########################################
## <summary>
## Search Accounts Service daemon
## lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_search_lib',`
gen_require(`
type accountsd_var_lib_t;
')
allow $1 accountsd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read Accounts Service daemon
## lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_read_lib_files',`
gen_require(`
type accountsd_var_lib_t;
')
read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage Account Service daemon
## lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_manage_lib_files',`
gen_require(`
type accountsd_var_lib_t;
')
manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage Account Service daemon
## lib content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_manage_var_lib',`
gen_require(`
type accountsd_var_lib_t;
')
manage_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
manage_lnk_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Send and receive messages from
## Account Service daemon over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_dbus_chat',`
gen_require(`
type accountsd_t;
class dbus send_msg;
')
allow $1 accountsd_t:dbus send_msg;
allow accountsd_t $1:dbus send_msg;
')
########################################
## <summary>
## Do not audit attempts to read and
## write Account Service daemon pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`accountsd_dontaudit_rw_fifo_file',`
gen_require(`
type accountsd_t;
')
dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an Account Service daemon environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`accountsd_admin',`
gen_require(`
type accountsd_t, accountsd_var_lib_t;
')
allow $1 accountsd_t:process { ptrace signal_perms };
read_files_pattern($1, accountsd_t, accountsd_t)
admin_pattern($1, accountsd_var_lib_t)
files_search_var_lib($1)
')
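Review bot: `accountsd_admin` documents a `role` parameter and is tagged `<rolecap/>`, but its body never references `$2`; a caller will pass a role that is silently ignored, and the doc promises role access the interface does not grant. Either remove the `<param name="role">` block and the `<rolecap/>` tag, or give the role something to do (there is no init script domain or run interface for accountsd in this commit, so nothing obvious needs it). The same interface grants `allow $1 accountsd_t:process { ptrace signal_perms };`, which is the usual admin pattern but worth a one-line comment since ptrace on a daemon that reads shadow is a strong capability to hand out.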


@ -0,0 +1,64 @@
policy_module(accountsd, 1.0.0)
########################################
#
# Declarations
#
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
init_daemon_domain(accountsd_t, accountsd_exec_t)
role system_r types accountsd_t;
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
########################################
#
# accountsd local policy
#
allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
allow accountsd_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } )
kernel_read_kernel_sysctls(accountsd_t)
corecmd_exec_bin(accountsd_t)
files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_read_shadow(accountsd_t)
auth_use_nsswitch(accountsd_t)
miscfiles_read_localization(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
usermanage_domtrans_useradd(accountsd_t)
usermanage_domtrans_passwd(accountsd_t)
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
optional_policy(`
consolekit_read_log(accountsd_t)
')
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
optional_policy(`
xserver_dbus_chat_xdm(accountsd_t)
xserver_manage_xdm_etc_files(accountsd_t)
')
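Review bot: `allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };` carries no comment on why a D-Bus account daemon needs sys_ptrace, and together with `auth_read_shadow(accountsd_t)`, `usermanage_domtrans_useradd(accountsd_t)` and `usermanage_domtrans_passwd(accountsd_t)` this makes accountsd_t a privileged domain whose every grant should be traceable to a concrete denial. If sys_ptrace is only triggered by reading other processes' /proc entries, the common pattern in this policy is to dontaudit the capability rather than allow it, since those reads typically succeed without it; confirm against the original denial before keeping it. A short comment block above the capability line, e.g. `# sys_ptrace: <denial that motivated it> -- confirm`, would let the next maintainer re-evaluate it.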


@ -1,18 +1,20 @@
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
ifdef(`distro_debian', `
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
')
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)


@ -1,8 +1,9 @@
## <summary>Ainit ALSA configuration tool</summary>
## <summary>Advanced Linux Sound Architecture.</summary>
########################################
## <summary>
## Domain transition to alsa
## Execute a domain transition to
## run Alsa.
## </summary>
## <param name="domain">
## <summary>
@ -16,11 +17,12 @@ interface(`alsa_domtrans',`
')
domtrans_pattern($1, alsa_exec_t, alsa_t)
corecmd_search_bin($1)
')
########################################
## <summary>
## Allow read and write access to alsa semaphores.
## Read and write Alsa semaphores.
## </summary>
## <param name="domain">
## <summary>
@ -33,12 +35,12 @@ interface(`alsa_rw_semaphores',`
type alsa_t;
')
allow $1 alsa_t:sem { unix_read unix_write associate read write };
allow $1 alsa_t:sem rw_sem_perms;
')
########################################
## <summary>
## Allow read and write access to alsa shared memory.
## Read and write Alsa shared memory.
## </summary>
## <param name="domain">
## <summary>
@ -51,12 +53,12 @@ interface(`alsa_rw_shared_mem',`
type alsa_t;
')
allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
allow $1 alsa_t:shm rw_shm_perms;
')
########################################
## <summary>
## Read alsa writable config files.
## Read Alsa writable config files.
## </summary>
## <param name="domain">
## <summary>
@ -72,11 +74,12 @@ interface(`alsa_read_rw_config',`
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
files_search_etc($1)
')
########################################
## <summary>
## Manage alsa writable config files.
## Manage Alsa writable config files.
## </summary>
## <param name="domain">
## <summary>
@ -92,11 +95,12 @@ interface(`alsa_manage_rw_config',`
allow $1 alsa_etc_rw_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
files_search_etc($1)
')
########################################
## <summary>
## Read alsa lib files.
## Read Alsa lib files.
## </summary>
## <param name="domain">
## <summary>
@ -110,4 +114,24 @@ interface(`alsa_read_lib',`
')
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Read Alsa home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_home_files',`
gen_require(`
type alsa_home_t;
')
allow $1 alsa_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
')
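Review bot: Replacing `allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };` with `allow $1 alsa_t:shm rw_shm_perms;` is presented alongside doc-wording changes but is not cosmetic: if `rw_shm_perms` is the read/write set without create and destroy (as the name suggests), any caller that previously created or destroyed alsa shared-memory segments will now be denied. The same applies to the sem line changed to `rw_sem_perms`. Either confirm no caller relies on the create permissions, or keep the original set and only rename the documentation; in both cases the commit message should mention the tightening. Which printed line is the new side is not explicit on the rendered page, so verify against the raw diff.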


@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
########################################
#
# Local policy
@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow alsa_t alsa_home_t:file read_file_perms;
manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
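Review bot: `allow alsa_t alsa_home_t:file read_file_perms;` lets alsa_t read `HOME_DIR/\.asoundrc`, but reaching that file also requires search on the user's home directory, which this hunk does not grant. The companion interface `alsa_read_home_files` added in alsa.if pairs the same allow rule with `userdom_search_user_home_dirs($1)`; unless alsa_t already gets that elsewhere in the file (not visible here), add `userdom_search_user_home_dirs(alsa_t)` next to the new rule so the grant is actually usable.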


@ -1,8 +1,9 @@
## <summary>Automated backup program.</summary>
## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
########################################
## <summary>
## Execute amrecover in the amanda_recover domain.
## Execute a domain transition to
## run Amanda Recover.
## </summary>
## <param name="domain">
## <summary>
@ -16,12 +17,15 @@ interface(`amanda_domtrans_recover',`
')
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
corecmd_search_bin($1)
')
########################################
## <summary>
## Execute amrecover in the amanda_recover domain, and
## allow the specified role the amanda_recover domain.
## Execute a domain transition to
## run Amanda Recover and allow the
## specified role the Amanda Recover
## domain.
## </summary>
## <param name="domain">
## <summary>
@ -46,7 +50,7 @@ interface(`amanda_run_recover',`
########################################
## <summary>
## Search amanda library directories.
## Search Amanda lib directories.
## </summary>
## <param name="domain">
## <summary>
@ -61,11 +65,13 @@ interface(`amanda_search_lib',`
allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
libs_search_lib($1)
')
########################################
## <summary>
## Do not audit attempts to read /etc/dumpdates.
## Do not audit attempts to read
## dumpdates files.
## </summary>
## <param name="domain">
## <summary>
@ -78,12 +84,12 @@ interface(`amanda_dontaudit_read_dumpdates',`
type amanda_dumpdates_t;
')
dontaudit $1 amanda_dumpdates_t:file { getattr read };
dontaudit $1 amanda_dumpdates_t:file read_file_perms;
')
########################################
## <summary>
## Allow read/writing /etc/dumpdates.
## Read and write dumpdates files.
## </summary>
## <param name="domain">
## <summary>
@ -97,11 +103,12 @@ interface(`amanda_rw_dumpdates_files',`
')
allow $1 amanda_dumpdates_t:file rw_file_perms;
files_search_etc($1)
')
########################################
## <summary>
## Search amanda library directories.
## Search Amanda lib directories.
## </summary>
## <param name="domain">
## <summary>
@ -116,11 +123,12 @@ interface(`amanda_manage_lib',`
allow $1 amanda_usr_lib_t:dir manage_dir_perms;
files_search_usr($1)
libs_search_lib($1)
')
########################################
## <summary>
## Allow read/writing amanda logs
## Read and write Amanda logs.
## </summary>
## <param name="domain">
## <summary>
@ -134,11 +142,12 @@ interface(`amanda_append_log_files',`
')
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
logging_search_logs($1)
')
#######################################
## <summary>
## Search amanda var library directories.
## Search Amanda lib directories.
## </summary>
## <param name="domain">
## <summary>
@ -151,7 +160,6 @@ interface(`amanda_search_var_lib',`
type amanda_var_lib_t;
')
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
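Review bot: The rewritten summaries do not all match the rules beneath them: `amanda_manage_lib` is now summarised as `## Search Amanda lib directories.` while it grants `allow $1 amanda_usr_lib_t:dir manage_dir_perms;`, and `amanda_append_log_files` is summarised as `## Read and write Amanda logs.` while it grants `{ read_file_perms append_file_perms }`. Suggest `## Manage Amanda lib directories.` and `## Read and append Amanda logs.` respectively, since the summary is what the interface documentation generator shows to policy writers choosing an interface. The duplicated `files_search_var_lib($1)` in `amanda_search_var_lib` is correctly reduced to one call here.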


@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
seutil_domtrans_setsebool(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
@ -52,7 +53,7 @@ optional_policy(`
')
optional_policy(`
unconfined_domain(anaconda_t)
unconfined_domain_noaudit(anaconda_t)
')
optional_policy(`
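Review bot: Assuming `unconfined_domain_noaudit(anaconda_t)` is the new side, the installer domain loses whatever auditing the plain `unconfined_domain` variant provided, and nothing in the hunk records why. For an installer that runs with full privilege, the audit trail is the only record of what it touched, so the swap deserves a one-line comment naming the noise it suppresses, e.g. `# noaudit: <denial/audit message being silenced> -- confirm`. The enclosing `optional_policy` block that follows starts outside the hunk.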


@ -17,3 +17,22 @@ interface(`brctl_domtrans',`
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
#####################################
## <summary>
## Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`brctl_run',`
gen_require(`
type brctl_t, brctl_exec_t;
')
brctl_domtrans($1)
role $2 types brctl_t;
')
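Review bot: `brctl_run` uses `$2` in `role $2 types brctl_t;` but its documentation only declares a `domain` parameter, so the generated interface docs will not show that a role is required. Add a second param block with name `role` and a summary such as "Role allowed access" between the existing `</param>` and the `#` line, and adjust the summary to say the role is also granted the brctl domain. The `gen_require` also lists `brctl_exec_t`, which the body never uses (`brctl_domtrans($1)` requires it itself), so `type brctl_t;` is enough.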


@ -35,7 +35,7 @@ miscfiles_read_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
userdom_dontaudit_list_user_home_dirs(certwatch_t)
userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
apache_exec_modules(certwatch_t)
@ -47,6 +47,7 @@ optional_policy(`
')
optional_policy(`
pcscd_domtrans(certwatch_t)
pcscd_stream_connect(certwatch_t)
pcscd_read_pub_files(certwatch_t)
')


@ -85,6 +85,7 @@ optional_policy(`
hal_dontaudit_rw_pipes(consoletype_t)
hal_dontaudit_rw_dgram_sockets(consoletype_t)
hal_dontaudit_write_log(consoletype_t)
hal_dontaudit_read_pid_files(consoletype_t)
')
optional_policy(`


@ -49,6 +49,12 @@ miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
userdom_use_user_terminals(dmesg_t)
optional_policy(`
abrt_append_cache_files(dmesg_t)
abrt_rw_fifo_file(dmesg_t)
abrt_manage_pid_files(dmesg_t)
')
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
')
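Review bot: `abrt_manage_pid_files(dmesg_t)` grants dmesg create and delete rights over abrt's pid files, which is wider than the append and rw access the two neighbouring `abrt_` calls grant and wider than a log-reading tool would be expected to need. If dmesg_t only inherits open abrt files when abrt invokes it, an rw or dontaudit interface would be the tighter fit; confirm against the denial that motivated the rule and leave a comment such as `# abrt runs dmesg as a helper; pid file access -- confirm exact perms needed` so the grant can be revisited.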


@ -90,6 +90,10 @@ userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
consoletype_domtrans(firstboot_t)
')
optional_policy(`
dbus_system_bus_client(firstboot_t)
@ -121,6 +125,7 @@ optional_policy(`
')
optional_policy(`
gnome_admin_home_gconf_filetrans(firstboot_t, dir)
gnome_manage_config(firstboot_t)
')


@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
userdom_dontaudit_list_admin_dir(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
@ -138,7 +139,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
abrt_cache_manage(logrotate_t)
abrt_manage_cache_files(logrotate_t)
')
optional_policy(`


@ -1,7 +1,11 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
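Review bot: `/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)` labels files under /var/log with the lock-file type, which looks like a mislabel unless that directory really holds logcheck's lock files; if they are logs or state, a log or cache type (the other new entries use `logwatch_cache_t`) is the expected choice, and a lock type under /var/log will also confuse anyone auditing labels with `restorecon -n`. Confirm what logcheck writes there and either fix the type or add a comment explaining why lock_t is correct.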


@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
type logwatch_var_run_t;
files_pid_file(logwatch_var_run_t)
########################################
#
# Local policy
@ -39,6 +42,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
allow logwatch_t logwatch_var_run_t:file manage_file_perms;
files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
userdom_dontaudit_list_admin_dir(logwatch_t)
mta_send_mail(logwatch_t)
#mta_send_mail(logwatch_t)
mta_base_mail_template(logwatch)
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
role system_r types logwatch_mail_t;
logging_read_all_logs(logwatch_mail_t)
manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
allow logwatch_mail_t self:capability { dac_read_search dac_override };
mta_read_home(logwatch_mail_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
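Review bot: `#mta_send_mail(logwatch_t)` is left in as a commented-out rule beside its replacement `mta_base_mail_template(logwatch)`; delete it rather than leaving dead policy for the next reader to wonder about. The derived `logwatch_mail_t` domain also receives `allow logwatch_mail_t self:capability { dac_read_search dac_override };` and `logging_read_all_logs(logwatch_mail_t)`, which is a broad grant for a helper whose job is to hand a report to sendmail; a comment recording which denial motivates each of these would make them defensible when the domain is later audited. The `ifdef(`distro_redhat'` block at the end continues outside the hunk.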


@ -115,6 +115,7 @@ selinux_dontaudit_getattr_dir(mrtg_t)
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
userdom_dontaudit_list_admin_dir(mrtg_t)
netutils_domtrans_ping(mrtg_t)


@ -0,0 +1,2 @@
/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)


@ -0,0 +1,78 @@
## <summary>policy for ncftool</summary>
########################################
## <summary>
## Execute a domain transition to run ncftool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ncftool_domtrans',`
gen_require(`
type ncftool_t, ncftool_exec_t;
')
domtrans_pattern($1, ncftool_exec_t, ncftool_t)
')
########################################
## <summary>
## Execute ncftool in the ncftool domain, and
## allow the specified role the ncftool domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the ncftool domain.
## </summary>
## </param>
#
interface(`ncftool_run',`
gen_require(`
type ncftool_t;
')
ncftool_domtrans($1)
role $2 types ncftool_t;
optional_policy(`
brctl_run(ncftool_t, $2)
')
')
########################################
## <summary>
## Role access for ncftool
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`ncftool_role',`
gen_require(`
type ncftool_t;
')
role $1 types ncftool_t;
ncftool_domtrans($2)
ps_process_pattern($2, ncftool_t)
allow $2 ncftool_t:process signal;
')


@ -0,0 +1,91 @@
policy_module(ncftool, 1.0.0)
########################################
#
# Declarations
#
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
role system_r types ncftool_t;
permissive ncftool_t;
########################################
#
# ncftool local policy
#
allow ncftool_t self:capability { net_admin sys_ptrace };
allow ncftool_t self:process signal;
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(ncftool_t)
kernel_read_modprobe_sysctls(ncftool_t)
kernel_read_network_state(ncftool_t)
kernel_read_system_state(ncftool_t)
kernel_request_load_module(ncftool_t)
kernel_rw_net_sysctls(ncftool_t)
corecmd_exec_bin(ncftool_t)
corecmd_exec_shell(ncftool_t)
domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
files_manage_system_conf_files(ncftool_t)
files_relabelto_system_conf_files(ncftool_t)
files_read_etc_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
files_read_usr_files(ncftool_t)
term_use_all_terms(ncftool_t)
miscfiles_read_localization(ncftool_t)
modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
modutils_domtrans_insmod(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_domtrans_dhcpc(ncftool_t)
sysnet_domtrans_ifconfig(ncftool_t)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
sysnet_relabelfrom_net_conf(ncftool_t)
sysnet_relabelto_net_conf(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
optional_policy(`
consoletype_exec(ncftool_t)
')
optional_policy(`
dbus_system_bus_client(ncftool_t)
')
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
')
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
')
optional_policy(`
netutils_domtrans(ncftool_t)
')
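Review bot: The `optional_policy(` block containing `iptables_initrc_domtrans(ncftool_t)` appears twice in a row, verbatim; drop one copy. `permissive ncftool_t;` ships the domain in permissive mode, so none of the allow rules below it are actually enforced and denials only show up in the audit log; that is reasonable for a first cut, but it should carry a comment saying so and the declaration should be tracked for removal once the domain is exercised, since a permissive domain with `net_admin`, `files_manage_system_conf_files(ncftool_t)` and `domain_system_change_exemption(ncftool_t)` is effectively unconfined for network configuration. Suggest `# TODO: remove once denials are resolved` above the `permissive` line.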


@ -51,6 +51,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
kernel_read_network_state(netutils_t)
kernel_request_load_module(netutils_t)
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
@ -67,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
dev_read_usbmon_dev(netutils_t)
dev_write_usbmon_dev(netutils_t)
dev_rw_generic_usb_dev(netutils_t)
fs_getattr_xattr_fs(netutils_t)
@ -137,8 +142,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
userdom_use_user_terminals(ping_t)
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@ -148,10 +151,24 @@ ifdef(`hide_broken_symptoms',`
')
')
term_use_all_terms(ping_t)
tunable_policy(`user_ping',`
term_use_all_ttys(ping_t)
term_use_all_ptys(ping_t)
',`
term_dontaudit_use_all_ttys(ping_t)
term_dontaudit_use_all_ptys(ping_t)
')
optional_policy(`
munin_append_log(ping_t)
')
optional_policy(`
nagios_rw_inerited_tmp_files(ping_t)
')
optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
@ -197,6 +214,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
files_read_usr_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
@ -207,9 +225,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
userdom_use_user_terminals(traceroute_t)
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)
term_use_all_terms(traceroute_t)
tunable_policy(`user_ping',`
term_use_all_ttys(traceroute_t)
term_use_all_ptys(traceroute_t)
',`
term_dontaudit_use_all_ttys(traceroute_t)
term_dontaudit_use_all_ptys(traceroute_t)
')
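Review bot: `term_use_all_terms(ping_t)` is granted unconditionally directly above the user_ping tunable_policy block, so if term_use_all_terms covers ttynode and ptynode as it does in refpolicy, the `term_use_all_ttys`/`term_use_all_ptys` branch and its dontaudit counterpart no longer gate anything; the same pairing is repeated for traceroute_t in the last hunk of this section. Either drop the unconditional call or move it inside the tunable so `user_ping` keeps its meaning. `files_read_usr_files(traceroute_t)` also appears twice in the traceroute hunks (once next to `files_read_etc_files`, once under `#rules needed for nmap`); the second copy can go. The spelling `nagios_rw_inerited_tmp_files` presumably matches the interface as declared in nagios.if, which is worth confirming since an unknown interface name breaks the policy build.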


@ -59,6 +59,7 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
files_search_var_lib(prelink_t)
# prelink misc objects that are not system
# libraries or entrypoints
@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
dev_getattr_all_chr_files(prelink_t)
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
storage_getattr_fixed_disk_dev(prelink_t)
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
@ -99,6 +103,8 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
userdom_manage_user_home_content(prelink_t)
userdom_execmod_user_home_files(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
@ -108,6 +114,10 @@ optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
optional_policy(`
nsplugin_manage_rw_files(prelink_t)
')
optional_policy(`
rpm_manage_tmp_files(prelink_t)
')
@ -129,6 +139,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
@ -148,7 +159,7 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
init_telinit(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
@ -158,6 +169,8 @@ optional_policy(`
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
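Review bot: `userdom_manage_user_home_content(prelink_t)` and `userdom_execmod_user_home_files(prelink_t)` give a cron-driven system tool full write plus execmod over every user's home content, and the hunk carries no comment saying why; a line such as `# prelink needs manage + execmod on user home content because: <reason>` (with the real reason filled in) lets a later reviewer judge whether the grant can be narrowed to a specific type. Likewise `init_telinit(prelink_cron_system_t)` replaces `init_exec` and lets the cron job change the runlevel; if executing init is all the script needs, the narrower interface should stay. Both call sites sit inside blocks that begin outside the hunks shown.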


@ -51,6 +51,7 @@ domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_dontaudit_read_security_files(readahead_t)
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
@ -64,6 +65,7 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)


@ -7,6 +7,7 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -25,6 +26,9 @@ ifdef(`distro_redhat', `
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
@ -36,6 +40,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
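Review bot: The new `/usr/sbin/synaptic`, `/usr/bin/apt-get` and `/usr/bin/apt-shell` entries label apt-style tools `rpm_exec_t`, and rpm.te in this same commit switches rpm_t to `unconfined_domain_noaudit`, so every binary added here becomes another unaudited entry into an unconfined domain; a comment above the three lines naming the deployment that needs them would make the expansion deliberate rather than accidental. They also sit inside the distro_redhat ifdef block, which is an odd home for apt tools; if they are meant for all distributions, move them outside it. The `/var/run/yum.*` pattern has an unescaped `.`, so it matches any name starting with `yum`; if the intent is the pid file, write `/var/run/yum\.pid` instead.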


@ -13,11 +13,14 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
attribute rpm_transition_domain;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
typeattribute $1 rpm_transition_domain;
rpm_debuginfo_domtrans($1)
')
########################################
@ -87,6 +90,11 @@ interface(`rpm_run',`
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
domain_system_change_exemption($1)
role_transition $2 rpm_exec_t system_r;
allow $2 system_r;
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
@ -183,6 +191,41 @@ interface(`rpm_rw_pipes',`
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dontaudit_leaks',`
gen_require(`
type rpm_t, rpm_var_cache_t;
type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_t:tcp_socket { read write };
dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Send and receive messages from
@ -338,7 +381,9 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
@ -378,7 +423,9 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
@ -461,6 +508,7 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
rpm_read_cache($1)
')
########################################
@ -577,3 +625,66 @@ interface(`rpm_pid_filetrans',`
files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_inherited_fifo',`
gen_require(`
attribute rpm_transition_domain;
')
allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Make rpm_exec_t an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_entry_type',`
gen_require(`
type rpm_exec_t;
')
domain_entry_file($1, rpm_exec_t)
')
########################################
## <summary>
## Allow application to transition to rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_transition_script',`
gen_require(`
type rpm_script_t;
attribute rpm_transition_domain;
')
typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
allow rpm_script_t $1:process sigchld;
')
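Review bot: The summary of `rpm_inherited_fifo` reads `## Send a null signal to rpm.` but the interface only grants `rw_inherited_fifo_file_perms` on `rpm_transition_domain` fifo files, so the doc block was copied from another interface; replace it with `## Read and write inherited fifo files of domains that transition to rpm.`. The summary of `rpm_dontaudit_leaks` (`dontaudit read and write an leaked file descriptors`) should read `## Do not audit attempts to read and write leaked rpm file descriptors.`. In `rpm_run`, `domain_system_change_exemption($1)` is applied to the calling domain rather than to rpm_t, which exempts the caller from the system-change constraint even when it is not running rpm; if that is intentional it needs a comment saying why, otherwise it belongs on rpm_t in rpm.te. `rpm_run` begins outside the hunk shown.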


@ -1,10 +1,11 @@
policy_module(rpm, 1.11.1)
attribute rpm_transition_domain;
########################################
#
# Declarations
#
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
@ -44,6 +45,7 @@ type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
@ -77,6 +79,8 @@ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
@ -84,6 +88,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
can_exec(rpm_t, rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@ -91,6 +96,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_t, rpm_tmpfs_t)
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
@ -100,12 +106,14 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
files_pid_filetrans(rpm_t, rpm_var_run_t, file)
files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
kernel_read_network_state_symlinks(rpm_t)
corecmd_exec_all_executables(rpm_t)
@ -125,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
dev_read_raw_memory(rpm_t)
#devices_manage_all_device_types(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
@ -205,6 +215,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
')
optional_policy(`
@ -212,7 +223,7 @@ optional_policy(`
')
optional_policy(`
unconfined_domain(rpm_t)
unconfined_domain_noaudit(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
@ -242,6 +253,8 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@ -254,6 +267,7 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
@ -301,6 +315,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
can_exec(rpm_script_t, rpm_script_tmp_t)
can_exec(rpm_script_t, rpm_script_tmpfs_t)
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
@ -331,12 +347,15 @@ modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
seutil_domtrans_setsebool(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
mta_system_content(rpm_var_run_t)
')
')
@ -366,8 +385,9 @@ optional_policy(`
')
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
unconfined_execmem_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
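Review bot: `allow rpm_t self:file rw_file_perms;;` carries a stray second semicolon; whether or not checkpolicy tolerates the empty statement, write `allow rpm_t self:file rw_file_perms;`. `dev_read_raw_memory(rpm_t)` adds read access to raw memory devices for the package manager with no comment, and because rpm_t is switched from `unconfined_domain` to `unconfined_domain_noaudit` in this file, denials for rpm_t will no longer appear in the audit log, so this rule is the last place a reviewer can see the grant; add `# dev_read_raw_memory: needed for <reason>` or revert it. The same `_noaudit` switch for rpm_script_t removes the AVC trail that detection tooling relies on for package scriptlets; please document that trade-off above the two optional_policy blocks. `can_exec(rpm_t, rpm_tmp_t)` and `can_exec(rpm_script_t, rpm_script_tmp_t)` permit executing content the domain writes to tmp and deserve a one-line justification each.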


@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t)
sysnet_domtrans_ifconfig(sectoolm_t)
userdom_manage_user_tmp_sockets(sectoolm_t)
userdom_write_user_tmp_sockets(sectoolm_t)
optional_policy(`
mount_exec(sectoolm_t)


@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
')
######################################
## <summary>
## Execute a domain transition to run shorewall.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`shorewall_domtrans_lib',`
gen_require(`
type shorewall_t, shorewall_var_lib_t;
')
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
')
#######################################
## <summary>
## Read shorewall etc configuration files.
@ -134,9 +152,10 @@ interface(`shorewall_rw_lib_files',`
#
interface(`shorewall_admin',`
gen_require(`
type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
type shorewall_t, shorewall_lock_t;
type shorewall_log_t;
type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t;
type shorewall_tmp_t, shorewall_etc_t;
')
allow $1 shorewall_t:process { ptrace signal_perms };
@ -153,12 +172,12 @@ interface(`shorewall_admin',`
files_search_locks($1)
admin_pattern($1, shorewall_lock_t)
files_search_pids($1)
admin_pattern($1, shorewall_var_run_t)
files_search_var_lib($1)
admin_pattern($1, shorewall_var_lib_t)
logging_search_logs($1)
admin_pattern($1, shorewall_log_t)
files_search_tmp($1)
admin_pattern($1, shorewall_tmp_t)
')
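Review bot: The summary of the new `shorewall_domtrans_lib` is a verbatim copy of the one on `shorewall_domtrans` (`Execute a domain transition to run shorewall.`) although it transitions on `shorewall_var_lib_t` rather than `shorewall_exec_t`; change it to `## Execute a domain transition to shorewall_t via a shorewall_var_lib_t file.`. Since shorewall.te in this commit lets shorewall_t manage shorewall_var_lib_t, this entrypoint lets the domain execute files it can itself write, which should be stated in the doc block so callers understand the weakened entrypoint integrity. In `shorewall_admin`, `shorewall_etc_t` is added to `gen_require` but no use of it is visible in the hunks shown; if it is unused, drop it, otherwise add the matching `admin_pattern($1, shorewall_etc_t)` with a `files_search_etc($1)`.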


@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
allow shorewall_t shorewall_var_lib_t:file entrypoint;
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
kernel_read_kernel_sysctls(shorewall_t)
kernel_read_network_state(shorewall_t)
@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t)
init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
userdom_dontaudit_list_user_home_dirs(shorewall_t)
userdom_dontaudit_list_admin_dir(shorewall_t)
optional_policy(`
brctl_domtrans(shorewall_t)
')
optional_policy(`
hostname_exec(shorewall_t)
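Review bot: `allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes a type that shorewall_t itself creates and writes (`manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)` two lines above) a valid entrypoint for the domain, so the usual property that a domain cannot write its own entrypoints no longer holds here. If the files shorewall executes from /var/lib really must be written by the same domain, say so next to the rule: `# shorewall_var_lib_t is an entrypoint although shorewall_t writes it; <reason>`; otherwise a dedicated, non-managed type for the executable files would keep the integrity guarantee. The shorewall_t block begins outside the hunk shown.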


@ -3,3 +3,5 @@
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)


@ -19,10 +19,11 @@ interface(`shutdown_domtrans',`
ifdef(`hide_broken_symptoms', `
dontaudit shutdown_t $1:socket_class_set { read write };
dontaudit shutdown_t $1:fifo_file { read write };
dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
')
')
########################################
## <summary>
## Execute shutdown in the shutdown domain, and
@ -48,6 +49,73 @@ interface(`shutdown_run',`
role $2 types shutdown_t;
')
########################################
## <summary>
## Role access for shutdown
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`shutdown_role',`
gen_require(`
type shutdown_t;
')
role $1 types shutdown_t;
shutdown_domtrans($2)
ps_process_pattern($2, shutdown_t)
allow $2 shutdown_t:process signal;
')
########################################
## <summary>
## Recieve sigchld from shutdown
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`shutdown_send_sigchld',`
gen_require(`
type shutdown_t;
')
allow shutdown_t $1:process signal;
')
########################################
## <summary>
## Send and receive messages from
## shutdown over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shutdown_dbus_chat',`
gen_require(`
type shutdown_t;
class dbus send_msg;
')
allow $1 shutdown_t:dbus send_msg;
allow shutdown_t $1:dbus send_msg;
')
########################################
## <summary>
## Get attributes of shutdown executable.
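Review bot: `shutdown_send_sigchld` is documented as `Recieve sigchld from shutdown` but its only rule is `allow shutdown_t $1:process signal;`, so either the permission or the name and summary is wrong; to match the name the rule should be `allow shutdown_t $1:process sigchld;` with the summary `## Receive sigchld from shutdown.`, and if plain `signal` is really required the interface should be renamed and the summary say so. `shutdown_role` calls `shutdown_domtrans($2)` and grants `allow $2 shutdown_t:process signal;` but nothing in the other direction; if callers expect the shutdown child to report back, the role interface should also call the sigchld interface once it is fixed.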


@ -36,6 +36,8 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
@ -54,6 +56,11 @@ optional_policy(`
dbus_connect_system_bus(shutdown_t)
')
optional_policy(`
oddjob_dontaudit_rw_fifo_file(shutdown_t)
oddjob_sigchld(shutdown_t)
')
optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
')


@ -42,6 +42,7 @@ dev_read_sysfs(smoltclient_t)
fs_getattr_all_fs(smoltclient_t)
fs_getattr_all_dirs(smoltclient_t)
fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_files(smoltclient_t)


@ -212,7 +212,7 @@ template(`su_role_template',`
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_use_pam($1_su_t)
auth_rw_faillog($1_su_t)
corecmd_search_bin($1_su_t)
@ -236,6 +236,7 @@ template(`su_role_template',`
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
userdom_search_admin_dir($1_su_t)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora


@ -76,6 +76,8 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
userdom_domtrans_user_home($1_sudo_t, $3)
userdom_domtrans_user_tmp($1_sudo_t, $3)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_file_perms;
allow $3 $1_sudo_t:process signal_perms;
@ -134,12 +136,16 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_search_user_home_content($1_sudo_t)
userdom_search_admin_dir($1_sudo_t)
userdom_manage_all_users_keys($1_sudo_t)
ifdef(`hide_broken_symptoms', `
dontaudit $1_sudo_t $3:socket_class_set { read write };
')
mta_role($2, $1_sudo_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
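Review bot: `mta_role($2, $1_sudo_t)` is called bare inside `sudo_role_template` while the other new rules in these hunks are base interfaces; if mta is built as an optional module in this tree, the call needs an `optional_policy` wrapper or the build fails when mta is absent. `userdom_manage_all_users_keys($1_sudo_t)` lets the sudo domain manage every user's kernel keyring and deserves a why-comment such as `# userdom_manage_all_users_keys: needed because <reason>`. `sudo_role_template` begins and ends outside the hunks shown.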


@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
files_delete_usr_dirs(tmpreaper_t)
files_delete_usr_files(tmpreaper_t)
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
files_setattr_usr_dirs(tmpreaper_t)
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
@ -52,7 +55,9 @@ optional_policy(`
')
optional_policy(`
apache_delete_sys_content_rw(tmpreaper_t)
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
@ -65,6 +70,14 @@ optional_policy(`
lpd_manage_spool(tmpreaper_t)
')
optional_policy(`
sandbox_list(tmpreaper_t)
sandbox_delete_dirs(tmpreaper_t)
sandbox_delete_files(tmpreaper_t)
sandbox_delete_sock_files(tmpreaper_t)
sandbox_setattr_dirs(tmpreaper_t)
')
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
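Review bot: `files_delete_usr_dirs(tmpreaper_t)`, `files_delete_usr_files(tmpreaper_t)` and `files_setattr_usr_dirs(tmpreaper_t)` extend a tmp-cleaning domain's delete and setattr rights to the /usr hierarchy, and the existing `# why does it need setattr?` comment now sits above both setattr calls without an answer. Replace it with a comment that records the reason, e.g. `# the cleaner is also pointed at directories under /usr (<which ones>), hence delete/setattr on usr dirs and files`, or scope the grant to the specific directory type if one exists. The new `sandbox_*` and `apache_*_cache_*` blocks each delete content owned by another module; a one-line comment per block naming the path cleaned would help future audits.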


@ -290,6 +290,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
# Add/remove user home directories
userdom_manage_home_role($2, useradd_t)
seutil_run_semanage(useradd_t, $2)
optional_policy(`


@ -295,6 +295,7 @@ selinux_compute_user_contexts(passwd_t)
term_use_all_ttys(passwd_t)
term_use_all_ptys(passwd_t)
term_use_generic_ptys(passwd_t)
auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
@ -304,6 +305,9 @@ auth_use_nsswitch(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
corecmd_exec_bin(passwd_t)
corenet_tcp_connect_kerberos_password_port(passwd_t)
domain_use_interactive_fds(passwd_t)
@ -334,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
userdom_stream_connect(passwd_t)
optional_policy(`
nscd_domtrans(passwd_t)
@ -428,7 +433,7 @@ optional_policy(`
# Useradd local policy
#
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@ -500,12 +505,8 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
userdom_manage_user_home_content_dirs(useradd_t)
userdom_manage_user_home_content_files(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
userdom_manage_home_role(system_r, useradd_t)
mta_manage_spool(useradd_t)
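Review bot: `sys_ptrace` is added to the useradd_t self:capability set with no comment, while the process rule two lines below still excludes `ptrace` (`allow useradd_t self:process ~{ ptrace ... }`), which suggests the capability is wanted for something other than tracing, presumably reading other processes' /proc entries; add `# sys_ptrace: needed for <reason>` or drop it if a narrower interface covers the case. In the passwd_t hunks `userdom_stream_connect(passwd_t)` and `corenet_tcp_connect_kerberos_password_port(passwd_t)` likewise arrive without explanation. The useradd_t block begins outside the hunk shown.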


@ -24,7 +24,10 @@ dev_rw_sysfs(vbetool_t)
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
domain_mmap_low(vbetool_t)
domain_mmap_low_type(vbetool_t)
tunable_policy(`mmap_low_allowed',`
allow vbetool_t self:memprotect mmap_zero;
')
mls_file_read_all_levels(vbetool_t)
mls_file_write_all_levels(vbetool_t)


@ -107,6 +107,7 @@ sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_user_home_content(vpnc_t)
userdom_read_home_certs(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)


@ -47,6 +47,7 @@ dev_read_urand(awstats_t)
files_read_etc_files(awstats_t)
# e.g. /usr/share/awstats/lang/awstats-en.txt
files_read_usr_files(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
fs_list_inotifyfs(awstats_t)


@ -0,0 +1,3 @@
/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)


@ -0,0 +1,90 @@
## <summary>policy for chrome</summary>
########################################
## <summary>
## Execute a domain transition to run chrome_sandbox.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`chrome_domtrans_sandbox',`
gen_require(`
type chrome_sandbox_t, chrome_sandbox_exec_t;
')
domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
ps_process_pattern(chrome_sandbox_t, $1)
ifdef(`hide_broken_symptoms', `
dontaudit chrome_sandbox_t $1:socket_class_set { read write };
fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
')
')
########################################
## <summary>
## Execute chrome_sandbox in the chrome_sandbox domain, and
## allow the specified role the chrome_sandbox domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the chrome_sandbox domain.
## </summary>
## </param>
#
interface(`chrome_run_sandbox',`
gen_require(`
type chrome_sandbox_t;
')
chrome_domtrans_sandbox($1)
role $2 types chrome_sandbox_t;
')
########################################
## <summary>
## Role access for chrome sandbox
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`chrome_role',`
gen_require(`
type chrome_sandbox_t;
type chrome_sandbox_tmpfs_t;
')
role $1 types chrome_sandbox_t;
chrome_domtrans_sandbox($2)
ps_process_pattern($2, chrome_sandbox_t)
allow $2 chrome_sandbox_t:process signal_perms;
allow chrome_sandbox_t $2:unix_dgram_socket { read write };
allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
allow chrome_sandbox_t $2:unix_stream_socket { read write };
allow $2 chrome_sandbox_t:unix_stream_socket { read write };
allow $2 chrome_sandbox_t:shm rw_shm_perms;
allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
')
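Review bot: `domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)` in `chrome_domtrans_sandbox` omits the spaces after commas that every other pattern call in this file uses; write `domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)`. The following `ps_process_pattern(chrome_sandbox_t, $1)` lets the sandbox read the caller's process state rather than the reverse (compare `ps_process_pattern($2, chrome_sandbox_t)` in `chrome_role`); if that direction is intended, a comment such as `# intentional: the sandbox reads the caller's process state` would stop the next reader from "fixing" it. `chrome_role` grants the user domain bidirectional read/write on unix sockets, shm and the sandbox tmpfs type, which is plausible for a sandbox helper but worth a sentence in the doc block.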


@ -0,0 +1,86 @@
policy_module(chrome,1.0.0)
########################################
#
# Declarations
#
type chrome_sandbox_t;
type chrome_sandbox_exec_t;
application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
role system_r types chrome_sandbox_t;
type chrome_sandbox_tmp_t;
files_tmp_file(chrome_sandbox_tmp_t)
type chrome_sandbox_tmpfs_t;
files_tmpfs_file(chrome_sandbox_tmpfs_t)
ubac_constrained(chrome_sandbox_tmpfs_t)
########################################
#
# chrome_sandbox local policy
#
allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:fifo_file manage_file_perms;
allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
allow chrome_sandbox_t self:shm create_shm_perms;
manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
kernel_read_system_state(chrome_sandbox_t)
kernel_read_kernel_sysctls(chrome_sandbox_t)
corecmd_exec_bin(chrome_sandbox_t)
domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
dev_read_urand(chrome_sandbox_t)
dev_read_sysfs(chrome_sandbox_t)
dev_rwx_zero(chrome_sandbox_t)
files_read_etc_files(chrome_sandbox_t)
files_read_usr_files(chrome_sandbox_t)
fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
userdom_rw_user_tmpfs_files(chrome_sandbox_t)
userdom_use_user_ptys(chrome_sandbox_t)
userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
miscfiles_read_localization(chrome_sandbox_t)
miscfiles_read_fonts(chrome_sandbox_t)
optional_policy(`
execmem_exec(chrome_sandbox_t)
')
optional_policy(`
gnome_rw_inherited_config(chrome_sandbox_t)
gnome_list_home_config(chrome_sandbox_t)
')
optional_policy(`
xserver_use_user_fonts(chrome_sandbox_t)
xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_append_nfs_files(chrome_sandbox_t)
fs_dontaudit_read_nfs_files(chrome_sandbox_t)
fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_dontaudit_append_cifs_files(chrome_sandbox_t)
fs_dontaudit_read_cifs_files(chrome_sandbox_t)
')
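Review bot: `allow chrome_sandbox_t self:fifo_file manage_file_perms;` uses the file permission set on the fifo_file class; the matching set used elsewhere on this page is `manage_fifo_file_perms` (see the ncftool rule at the top), so write `allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;`. The capability set `{ chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }` together with `execmem execstack` and `dev_rwx_zero` makes chrome_sandbox_t one of the most privileged application domains in this commit and none of it is explained; add a comment under `# chrome_sandbox local policy` stating which of these the sandbox helper actually needs so later trims can be made safely. `policy_module(chrome,1.0.0)` also lacks the space after the comma used by `policy_module(rpm, 1.11.1)`.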


@ -27,7 +27,7 @@ dev_rw_sysfs(cpufreqselector_t)
miscfiles_read_localization(cpufreqselector_t)
userdom_read_all_users_state(cpufreqselector_t)
userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)


@ -0,0 +1,48 @@
/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
ifdef(`distro_gentoo',`
/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
')
/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
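Review bot: `/usr/lib(64)/virtualbox/VirtualBox` is missing the `?` after `(64)`, so the regex only matches `/usr/lib64/virtualbox/VirtualBox` and a 32-bit install under /usr/lib stays unlabelled; write `/usr/lib(64)?/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)` as the chromium and ghc entries do. `/usr/lib(64)?/chromium-browser/chromium-browser` is also the only entry without the `--` file-type field, so it would label a directory or symlink of that name too; add `--` unless that is intended. Since every path here transitions users into a domain that allows `execmem execstack` (execmem.if in this commit), a short header comment stating the inclusion criterion, e.g. `# Binaries that legitimately need executable anonymous memory; keep this list minimal`, helps keep the list from growing by copy-paste.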


@ -0,0 +1,110 @@
## <summary>execmem domain</summary>
########################################
## <summary>
## Execute the execmem program in the execmem domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`execmem_exec',`
gen_require(`
type execmem_exec_t;
')
can_exec($1, execmem_exec_t)
')
#######################################
## <summary>
## The role template for the execmem module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for execmem applications.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`execmem_role_template',`
gen_require(`
type execmem_exec_t;
')
type $1_execmem_t;
domain_type($1_execmem_t)
domain_entry_file($1_execmem_t, execmem_exec_t)
role $2 types $1_execmem_t;
userdom_unpriv_usertype($1, $1_execmem_t)
userdom_manage_tmp_role($2, $1_execmem_t)
userdom_manage_tmpfs_role($2, $1_execmem_t)
allow $1_execmem_t self:process { execmem execstack };
allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
ifdef(`hide_broken_symptoms', `
dontaudit $1_execmem_t $3:socket_class_set { read write };
')
files_execmod_tmp($1_execmem_t)
optional_policy(`
chrome_role($2, $1_execmem_t)
')
optional_policy(`
mozilla_execmod_user_home_files($1_execmem_t)
')
optional_policy(`
nsplugin_rw_shm($1_execmem_t)
nsplugin_rw_semaphores($1_execmem_t)
')
optional_policy(`
xserver_role($2, $1_execmem_t)
')
')
########################################
## <summary>
## Execute a execmem_exec file
## in the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
interface(`execmem_domtrans',`
gen_require(`
type execmem_exec_t;
')
domtrans_pattern($1, execmem_exec_t, $2)
')
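Review bot: `execmem_role_template` grants `files_execmod_tmp($1_execmem_t)` unconditionally (the line right after the `hide_broken_symptoms` block), on top of `allow $1_execmem_t self:process { execmem execstack }`; that additionally permits executing modified mappings of tmp files, which the `<desc>` block does not mention and which goes beyond the execmem/execstack purpose the derived domain is documented for. Either documenting that grant in the `<desc>` text or gating it behind a tunable would make the trade-off visible to anyone applying the template to a new user role. The `<desc>` text also reads "This template creates a derived domains which are used for execmem applications"; `## This template creates a derived domain used for execmem applications.` fixes the grammar.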


@ -0,0 +1,10 @@
policy_module(execmem, 1.0.0)
########################################
#
# Declarations
#
type execmem_exec_t alias unconfined_execmem_exec_t;
application_executable_file(execmem_exec_t)


@ -0,0 +1,3 @@
/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)


@ -0,0 +1,23 @@
## <summary>policy for firewallgui</summary>
########################################
## <summary>
## Send and receive messages from
## firewallgui over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firewallgui_dbus_chat',`
gen_require(`
type firewallgui_t;
class dbus send_msg;
')
allow $1 firewallgui_t:dbus send_msg;
allow firewallgui_t $1:dbus send_msg;
')


@ -0,0 +1,66 @@
policy_module(firewallgui,1.0.0)
########################################
#
# Declarations
#
type firewallgui_t;
type firewallgui_exec_t;
dbus_system_domain(firewallgui_t, firewallgui_exec_t)
type firewallgui_tmp_t;
files_tmp_file(firewallgui_tmp_t)
########################################
#
# firewallgui local policy
#
allow firewallgui_t self:capability net_admin;
allow firewallgui_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
files_manage_system_conf_files(firewallgui_t)
files_etc_filetrans_system_conf(firewallgui_t)
corecmd_exec_shell(firewallgui_t)
corecmd_exec_bin(firewallgui_t)
consoletype_exec(firewallgui_t)
kernel_read_system_state(firewallgui_t)
kernel_read_network_state(firewallgui_t)
kernel_rw_net_sysctls(firewallgui_t)
kernel_rw_kernel_sysctl(firewallgui_t)
kernel_rw_vm_sysctls(firewallgui_t)
files_read_etc_files(firewallgui_t)
files_read_usr_files(firewallgui_t)
files_search_kernel_modules(firewallgui_t)
files_list_kernel_modules(firewallgui_t)
modutils_getattr_module_deps(firewallgui_t)
dev_read_urand(firewallgui_t)
dev_read_sysfs(firewallgui_t)
nscd_dontaudit_search_pid(firewallgui_t)
nscd_socket_use(firewallgui_t)
miscfiles_read_localization(firewallgui_t)
iptables_domtrans(firewallgui_t)
iptables_initrc_domtrans(firewallgui_t)
optional_policy(`
gnome_read_gconf_home_files(firewallgui_t)
')
optional_policy(`
policykit_dbus_chat(firewallgui_t)
')
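Review bot: `kernel_rw_kernel_sysctl(firewallgui_t)` and `kernel_rw_vm_sysctls(firewallgui_t)` give a system-bus mechanism write access to the kernel.* and vm.* sysctl trees, and nothing in the file explains why a firewall configuration helper needs more than the net sysctls it already gets via `kernel_rw_net_sysctls`; if only specific keys are written, narrowing to the net tree, or adding a comment naming the sysctls the mechanism writes, keeps the grant reviewable. Authorization of D-Bus callers is presumably performed by the mechanism itself through PolicyKit, but that is only reflected in the `policykit_dbus_chat` optional block; a comment above the local-policy section stating that this policy does not restrict who may invoke the mechanism would help the next reviewer. Stylistically, `policy_module(firewallgui,1.0.0)` and the `manage_*_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)` calls omit the space after commas used elsewhere in the tree (compare `policy_module(execmem, 1.0.0)` added in this same commit); the `policy_module(kdumpgui,1.0.0)` change later in the commit has the same inconsistency.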


@ -1,9 +1,30 @@
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
# Don't use because toolchain is broken
#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
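Review bot: `HOME_DIR/\.local.*` and `/root/\.local.*` (the `gconf_home_t` entries) are not anchored at a path separator, so any home entry whose name merely starts with `.local` receives the gconf label, and `\.local/share(.*)?` likewise matches a sibling such as `.local/share-foo`; the `(/.*)?` form used by the neighbouring `\.config` and `\.gconf(d)?` entries avoids that: `HOME_DIR/\.local(/.*)?` and `HOME_DIR/\.local/share(/.*)?`, with the same change on the `/root/` lines. The `/HOME_DIR/\.Xdefaults` and `/HOME_DIR/\.xine(/.*)?` entries carry a leading slash before `HOME_DIR`; since genhomedircon substitutes each user's home directory path, which already begins with a slash, these look like they can never match and should read `HOME_DIR/\.Xdefaults` and `HOME_DIR/\.xine(/.*)?` like the other HOME_DIR entries (the `/root/` variants below them are fine). This rendering does not mark which of these lines are new and which are pre-existing context.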


@ -130,6 +130,420 @@ interface(`gnome_domtrans_gconfd',`
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
########################################
## <summary>
## Read gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_read_config',`
gen_require(`
attribute gnome_home_type;
')
list_dirs_pattern($1, gnome_home_type, gnome_home_type)
read_files_pattern($1, gnome_home_type, gnome_home_type)
read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
')
########################################
## <summary>
## Send general signals to all gconf domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_signal_all',`
gen_require(`
attribute gnomedomain;
')
allow $1 gnomedomain:process signal;
')
########################################
## <summary>
## Create objects in a Gnome cache home directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
#
interface(`gnome_cache_filetrans',`
gen_require(`
type cache_home_t;
')
filetrans_pattern($1, cache_home_t, $2, $3)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_generic_cache_files',`
gen_require(`
type cache_home_t;
')
read_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Set attributes of cache home dir (.cache)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_setattr_cache_home_dir',`
gen_require(`
type cache_home_t;
')
setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## write to generic cache home files (.cache)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_write_generic_cache_files',`
gen_require(`
type cache_home_t;
')
write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in a Gnome gconf home directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
#
interface(`gnome_data_filetrans',`
gen_require(`
type data_home_t;
')
filetrans_pattern($1, data_home_t, $2, $3)
gnome_search_gconf($1)
')
########################################
## <summary>
## Create gconf_home_t objects in the /root directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
#
interface(`gnome_admin_home_gconf_filetrans',`
gen_require(`
type gconf_home_t;
')
userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
')
########################################
## <summary>
## read gconf config files
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`gnome_read_gconf_config',`
gen_require(`
type gconf_etc_t;
')
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
')
#######################################
## <summary>
## Manage gconf config files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_gconf_config',`
gen_require(`
type gconf_etc_t;
')
allow $1 gconf_etc_t:dir list_dir_perms;
manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
')
########################################
## <summary>
## Execute gconf programs in
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_exec_gconf',`
gen_require(`
type gconfd_exec_t;
')
can_exec($1, gconfd_exec_t)
')
########################################
## <summary>
## Read gconf home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_read_gconf_home_files',`
gen_require(`
type gconf_home_t;
type data_home_t;
')
allow $1 gconf_home_t:dir list_dir_perms;
allow $1 data_home_t:dir list_dir_perms;
read_files_pattern($1, gconf_home_t, gconf_home_t)
read_files_pattern($1, data_home_t, data_home_t)
')
########################################
## <summary>
## search gconf homedir (.local)
## </summary>
## <param name="user_domain">
## <summary>
## The type of the domain.
## </summary>
## </param>
#
interface(`gnome_search_gconf',`
gen_require(`
type gconf_home_t;
')
allow $1 gconf_home_t:dir search_dir_perms;
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Append gconf home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_append_gconf_home_files',`
gen_require(`
type gconf_home_t;
')
append_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
## manage gconf home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_manage_gconf_home_files',`
gen_require(`
type gconf_home_t;
')
allow $1 gconf_home_t:dir list_dir_perms;
manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
## Connect to gnome over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`gnome_stream_connect',`
gen_require(`
attribute gnome_home_type;
')
# Connect to pulseaudit server
stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')
########################################
## <summary>
## read gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`gnome_list_home_config',`
gen_require(`
type config_home_t;
')
allow $1 config_home_t:dir list_dir_perms;
')
########################################
## <summary>
## Read/Write all inherited gnome home config
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_rw_inherited_config',`
gen_require(`
attribute gnome_home_type;
')
allow $1 gnome_home_type:file rw_inherited_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## gconf system service over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_dbus_chat_gconfdefault',`
gen_require(`
type gconfdefaultsm_t;
class dbus send_msg;
')
allow $1 gconfdefaultsm_t:dbus send_msg;
allow gconfdefaultsm_t $1:dbus send_msg;
')
########################################
## <summary>
## Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`gnome_dontaudit_search_config',`
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:dir search_dir_perms;
')
########################################
## <summary>
## Set attributes of Gnome config dirs.
@ -149,26 +563,6 @@ interface(`gnome_setattr_config_dirs',`
files_search_home($1)
')
########################################
## <summary>
## Read gnome homedir content (.config)
## </summary>
## <param name="user_domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
template(`gnome_read_config',`
gen_require(`
type gnome_home_t;
')
list_dirs_pattern($1, gnome_home_t, gnome_home_t)
read_files_pattern($1, gnome_home_t, gnome_home_t)
read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
## <summary>
## manage gnome homedir content (.config)
@ -181,10 +575,12 @@ template(`gnome_read_config',`
#
interface(`gnome_manage_config',`
gen_require(`
type gnome_home_t;
attribute gnome_home_type;
')
allow $1 gnome_home_t:dir manage_dir_perms;
allow $1 gnome_home_t:file manage_file_perms;
allow $1 gnome_home_type:dir manage_dir_perms;
allow $1 gnome_home_type:file manage_file_perms;
allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
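Review bot: In the first hunk, `gnome_data_filetrans` is documented as "Create objects in a Gnome gconf home directory" while its body transitions under `data_home_t`, so the summary should say `## Create objects in a Gnome data home directory (.local/share)`; its `gnome_search_gconf($1)` call instead of a search on `data_home_t` itself is presumably intentional because `.local` is labelled `gconf_home_t` in the .fc, which deserves a one-line comment. `gnome_read_gconf_config` and `gnome_list_home_config` are declared with `template(` although they take a plain domain and no role prefix, so `interface(` would be consistent with `gnome_manage_gconf_config` and `gnome_read_gconf_home_files` beside them, and the re-added `gnome_read_config` keeps `template(` from the removed version. The comment in `gnome_stream_connect` reads `# Connect to pulseaudit server` and should be `# Connect to pulseaudio server`. The third hunk widens `gnome_manage_config` from `gnome_home_t` to the whole `gnome_home_type` attribute (cache, config, data, gconf and gstreamer home content), a broader grant than its "manage gnome homedir content (.config)" summary suggests; the summary should name the attribute.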


@ -6,11 +6,24 @@ policy_module(gnome, 2.0.1)
#
attribute gnomedomain;
attribute gnome_home_type;
type gconf_etc_t;
files_config_file(gconf_etc_t)
type gconf_home_t;
type data_home_t, gnome_home_type;
userdom_user_home_content(data_home_t)
type config_home_t, gnome_home_type;
userdom_user_home_content(config_home_t)
type cache_home_t, gnome_home_type;
userdom_user_home_content(cache_home_t)
type gstreamer_home_t, gnome_home_type;
userdom_user_home_content(gstreamer_home_t)
type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
@ -30,12 +43,20 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
type gnome_home_t;
type gnome_home_t, gnome_home_type;
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
typealias gnome_home_t alias unconfined_gnome_home_t;
userdom_user_home_content(gnome_home_t)
type gconfdefaultsm_t;
type gconfdefaultsm_exec_t;
dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
type gnomesystemmm_t;
type gnomesystemmm_exec_t;
dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
##############################
#
# Local Policy
@ -75,3 +96,91 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gconfdefaultsm_t)
fs_manage_nfs_files(gconfdefaultsm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gconfdefaultsm_t)
fs_manage_cifs_files(gconfdefaultsm_t)
')
#######################################
#
# gconf-defaults-mechanisms local policy
#
allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
allow gconfdefaultsm_t self:process getsched;
allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
corecmd_search_bin(gconfdefaultsm_t)
files_read_etc_files(gconfdefaultsm_t)
files_read_usr_files(gconfdefaultsm_t)
miscfiles_read_localization(gconfdefaultsm_t)
gnome_manage_gconf_home_files(gconfdefaultsm_t)
gnome_manage_gconf_config(gconfdefaultsm_t)
userdom_read_all_users_state(gconfdefaultsm_t)
userdom_search_user_home_dirs(gconfdefaultsm_t)
userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
optional_policy(`
consolekit_dbus_chat(gconfdefaultsm_t)
')
optional_policy(`
nscd_dontaudit_search_pid(gconfdefaultsm_t)
')
optional_policy(`
policykit_domtrans_auth(gconfdefaultsm_t)
policykit_dbus_chat(gconfdefaultsm_t)
policykit_read_lib(gconfdefaultsm_t)
policykit_read_reload(gconfdefaultsm_t)
')
#######################################
#
# gnome-system-monitor-mechanisms local policy
#
allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
corecmd_search_bin(gnomesystemmm_t)
domain_kill_all_domains(gnomesystemmm_t)
domain_search_all_domains_state(gnomesystemmm_t)
domain_setpriority_all_domains(gnomesystemmm_t)
domain_signal_all_domains(gnomesystemmm_t)
domain_sigstop_all_domains(gnomesystemmm_t)
files_read_etc_files(gnomesystemmm_t)
files_read_usr_files(gnomesystemmm_t)
miscfiles_read_localization(gnomesystemmm_t)
userdom_read_all_users_state(gnomesystemmm_t)
userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
optional_policy(`
consolekit_dbus_chat(gnomesystemmm_t)
')
optional_policy(`
nscd_dontaudit_search_pid(gnomesystemmm_t)
')
optional_policy(`
policykit_dbus_chat(gnomesystemmm_t)
policykit_domtrans_auth(gnomesystemmm_t)
policykit_read_lib(gnomesystemmm_t)
policykit_read_reload(gnomesystemmm_t)
')
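Review bot: In the last hunk, the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks for `gconfdefaultsm_t` are placed before the `# gconf-defaults-mechanisms local policy` header, i.e. still under the gconfd section that precedes the hunk, while the rest of that domain's rules sit after the header; moving them below `userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)` keeps each domain's rules together as the file does for the other sections. `gnomesystemmm_t` receives `domain_kill_all_domains`, `domain_sigstop_all_domains`, `domain_signal_all_domains` and `domain_setpriority_all_domains` as a system-bus mechanism, so any caller the mechanism accepts can act on every process on the host; the PolicyKit calls that presumably gate this live only in an `optional_policy` block, and a comment such as `# gnome-system-monitor-mechanism may signal/kill every domain; callers are authorized by the mechanism's PolicyKit check, not by this policy` would make that explicit. The first hunk declares `attribute gnomedomain;`, which `gnome_signal_all` in the .if targets, but none of the visible hunks attach a type to it; if nothing outside this diff does, that interface currently grants nothing.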


@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)


@ -85,6 +85,43 @@ interface(`gpg_domtrans',`
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
######################################
## <summary>
## Transition to a gpg web domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gpg_domtrans_web',`
gen_require(`
type gpg_web_t, gpg_exec_t;
')
domtrans_pattern($1, gpg_exec_t, gpg_web_t)
')
######################################
## <summary>
## Make gpg an entrypoint for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which cifs_t is an entrypoint.
## </summary>
## </param>
#
interface(`gpg_entry_type',`
gen_require(`
type gpg_exec_t;
')
domain_entry_file($1, gpg_exec_t)
')
########################################
## <summary>
## Send generic signals to user gpg processes.
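Review bot: The `<param>` summary of `gpg_entry_type` reads "The domain for which cifs_t is an entrypoint.", a leftover from whichever interface it was copied from; it should be `## The domain for which gpg_exec_t is an entrypoint.`. Since this makes the same `gpg_exec_t` binary an entry point for a second domain next to `gpg_domtrans`/`gpg_domtrans_web`, the interface summary could also state that the caller is expected to supply its own domain transition, as `gpg_domtrans_web` does for `gpg_web_t`.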


@ -4,6 +4,7 @@ policy_module(gpg, 2.3.1)
#
# Declarations
#
attribute gpgdomain;
## <desc>
## <p>
@ -13,7 +14,15 @@ policy_module(gpg, 2.3.1)
## </desc>
gen_tunable(gpg_agent_env_file, false)
type gpg_t;
## <desc>
## <p>
## Allow gpg web domain to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(gpg_web_anon_write, false)
type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@ -62,17 +71,23 @@ type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)
type gpg_web_t;
domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;
########################################
#
# GPG local policy
#
allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
#at setrlimit is for ulimit -c 0
allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;
allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
@ -128,6 +143,7 @@ userdom_use_user_terminals(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)
mta_write_config(gpg_t)
@ -141,6 +157,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(gpg_t)
')
optional_policy(`
gnome_read_config(gpg_t)
')
optional_policy(`
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
@ -151,10 +171,10 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
optional_policy(`
cron_system_entry(gpg_t, gpg_exec_t)
cron_read_system_job_tmp_files(gpg_t)
')
#optional_policy(`
# cron_system_entry(gpg_t, gpg_exec_t)
# cron_read_system_job_tmp_files(gpg_t)
#')
########################################
#
@ -205,6 +225,7 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
@ -245,6 +266,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')
tunable_policy(`gpg_agent_env_file',`
@ -332,6 +354,9 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open,read and unlink:
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
@ -346,6 +371,12 @@ optional_policy(`
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
gnome_write_generic_cache_files(gpg_pinentry_t)
gnome_read_generic_cache_files(gpg_pinentry_t)
gnome_read_gconf_home_files(gpg_pinentry_t)
')
optional_policy(`
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
@ -356,4 +387,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
#############################
#
# gpg web local policy
#
allow gpg_web_t self:process setrlimit;
dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)
can_exec(gpg_web_t, gpg_exec_t)
files_read_usr_files(gpg_web_t)
miscfiles_read_localization(gpg_web_t)
apache_dontaudit_rw_tmp_files(gpg_web_t)
apache_manage_sys_content_rw(gpg_web_t)
tunable_policy(`gpg_web_anon_write',`
miscfiles_manage_public_files(gpg_web_t)
')
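Review bot: `gpg_web_t` is declared as a plain `type gpg_web_t;` (the `-62,17 +71,23` hunk) rather than `type gpg_web_t, gpgdomain;`, so the self rules this commit moves from `gpg_t` onto the `gpgdomain` attribute (ipc_lock/setuid, getsched/setsched, fifo_file, tcp_socket) never apply to the web domain; unless it is attached to the attribute outside the visible hunks, the web domain ends up with only the `setrlimit` self rule from the last hunk. In that last hunk, `apache_dontaudit_rw_tmp_files(gpg_web_t)` and `apache_manage_sys_content_rw(gpg_web_t)` sit outside any `optional_policy` block, which turns the apache module into a hard build dependency of gpg; wrapping them the way the gnome and mozilla calls earlier in the file are wrapped keeps the module loadable without apache. The `-332,6 +354,9` hunk adds `allow gpg_pinentry_t user_tmpfs_t:file unlink;` directly against a type owned by the userdom module, bypassing the interface layer; a userdom interface, or at least a `gen_require` of the type, is the conventional route. The `#at setrlimit is for ulimit -c 0` comment in the `-62,17` hunk has a stray "at" and should be `# setrlimit is for ulimit -c 0`, and the commented-out cron `optional_policy` block in the `-151,10 +171,10` hunk should either be removed or carry a comment saying why it is disabled.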


@ -2,10 +2,14 @@
# /home
#
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
#
# /usr
#
/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)


@ -18,9 +18,11 @@
interface(`irc_role',`
gen_require(`
type irc_t, irc_exec_t;
type irssi_t, irssi_exec_t, irssi_home_t;
')
role $1 types irc_t;
role $1 types irssi_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, irc_exec_t, irc_t)
@ -28,4 +30,17 @@ interface(`irc_role',`
# allow ps to show irc
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal;
domtrans_pattern($2, irssi_exec_t, irssi_t)
allow $2 irssi_t:process { ptrace signal_perms };
ps_process_pattern($2, irssi_t)
manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
manage_files_pattern($2, irssi_home_t, irssi_home_t)
manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
relabel_files_pattern($2, irssi_home_t, irssi_home_t)
relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
')
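Review bot: The new irssi rules in `irc_role` grant the user domain `allow $2 irssi_t:process { ptrace signal_perms };`, whereas the existing irc rules a few lines up give only `allow $2 irc_t:process signal;`; if ptrace on the derived domain is needed, a comment saying why would help, otherwise `allow $2 irssi_t:process signal_perms;` matches the irc_t treatment and keeps `irssi_t` out of the set of domains the user session can attach to. The `relabel_*_pattern($2, irssi_home_t, irssi_home_t)` rules also have no irc_home_t counterpart; the asymmetry is probably deliberate (restorecon on ~/.irssi from the user shell) but deserves a one-line comment as well. The `role $1 types irssi_t;` line is placed in `irc_role`, whose header is in this hunk, so both the irc and irssi derived domains share one role interface; that should be reflected in the interface's summary, which is outside the hunk.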


@ -22,6 +22,30 @@ typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
userdom_user_home_content(irc_tmp_t)
########################################
#
# Irssi personal declarations.
#
## <desc>
## <p>
## Allow the Irssi IRC Client to connect to any port,
## and to bind to any unreserved port.
## </p>
## </desc>
gen_tunable(irssi_use_full_network, false)
type irssi_t;
type irssi_exec_t;
application_domain(irssi_t, irssi_exec_t)
ubac_constrained(irssi_t)
type irssi_etc_t;
files_config_file(irssi_etc_t)
type irssi_home_t;
userdom_user_home_content(irssi_home_t)
########################################
#
# Local policy
@ -101,3 +125,83 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
nis_use_ypbind(irc_t)
')
########################################
#
# Irssi personal declarations.
#
allow irssi_t self:process { signal sigkill };
allow irssi_t self:fifo_file rw_fifo_file_perms;
allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
allow irssi_t self:tcp_socket create_stream_socket_perms;
allow irssi_t self:udp_socket create_socket_perms;
read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file })
userdom_search_user_home_dirs(irssi_t)
corecmd_search_bin(irssi_t)
corecmd_read_bin_symlinks(irssi_t)
corenet_tcp_connect_ircd_port(irssi_t)
corenet_sendrecv_ircd_client_packets(irssi_t)
# Privoxy
corenet_tcp_connect_http_cache_port(irssi_t)
corenet_sendrecv_http_cache_client_packets(irssi_t)
corenet_all_recvfrom_netlabel(irssi_t)
corenet_all_recvfrom_unlabeled(irssi_t)
corenet_tcp_sendrecv_generic_if(irssi_t)
corenet_tcp_sendrecv_generic_node(irssi_t)
corenet_tcp_sendrecv_generic_port(irssi_t)
corenet_tcp_bind_generic_node(irssi_t)
corenet_udp_bind_generic_node(irssi_t)
dev_read_urand(irssi_t)
# irssi-otr genkey.
dev_read_rand(irssi_t)
files_read_etc_files(irssi_t)
files_read_usr_files(irssi_t)
fs_search_auto_mountpoints(irssi_t)
miscfiles_read_localization(irssi_t)
sysnet_read_config(irssi_t)
userdom_use_user_terminals(irssi_t)
tunable_policy(`irssi_use_full_network', `
corenet_tcp_bind_all_unreserved_ports(irssi_t)
corenet_tcp_connect_all_ports(irssi_t)
corenet_sendrecv_generic_server_packets(irssi_t)
corenet_sendrecv_all_client_packets(irssi_t)
')
tunable_policy(`use_nfs_home_dirs', `
fs_manage_nfs_dirs(irssi_t)
fs_manage_nfs_files(irssi_t)
fs_manage_nfs_symlinks(irssi_t)
')
tunable_policy(`use_samba_home_dirs', `
fs_manage_cifs_dirs(irssi_t)
fs_manage_cifs_files(irssi_t)
fs_manage_cifs_symlinks(irssi_t)
')
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(irssi_t)
')
optional_policy(`
nis_use_ypbind(irssi_t)
')
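Review bot: The header comment introducing the new rules in the last hunk repeats `# Irssi personal declarations.` from the declarations block in the first hunk; the second should read `# Irssi local policy` so the two sections are distinguishable when scanning the file. The `irssi_use_full_network` tunable defaults to false and confines `corenet_tcp_connect_all_ports`/`corenet_tcp_bind_all_unreserved_ports` to opt-in, which is the right default; the unconditional `corenet_tcp_bind_generic_node(irssi_t)` and `corenet_udp_bind_generic_node(irssi_t)` grants, however, come with no accompanying port rule or comment in the hunk, so a comment naming what they are for (the existing `# Privoxy` and `# irssi-otr genkey.` comments set the pattern) would clarify the intent.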


@ -9,6 +9,7 @@
#
# /usr
#
/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
@ -33,6 +34,9 @@
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
ifdef(`distro_redhat',`
/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
')


@ -72,7 +72,8 @@ template(`java_role_template',`
domain_interactive_fd($1_java_t)
userdom_manage_user_tmpfs_files($1_java_t)
userdom_unpriv_usertype($1, $1_java_t)
userdom_manage_tmpfs_role($2, $1_java_t)
allow $1_java_t self:process { ptrace signal getsched execmem execstack };
@ -82,7 +83,7 @@ template(`java_role_template',`
domtrans_pattern($3, java_exec_t, $1_java_t)
corecmd_bin_domtrans($1_java_t, $3)
corecmd_bin_domtrans($1_java_t, $1_t)
dev_dontaudit_append_rand($1_java_t)
@ -179,6 +180,7 @@ interface(`java_run_unconfined',`
java_domtrans_unconfined($1)
role $2 types unconfined_java_t;
nsplugin_role_notrans($2, unconfined_java_t)
')
########################################
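Review bot: In the second hunk, the two `corecmd_bin_domtrans($1_java_t, $3)` / `corecmd_bin_domtrans($1_java_t, $1_t)` lines are the old and new form of the same rule and this rendering does not mark which is which; if `$1_t` is the new side, it hard-codes the user domain name from the prefix although the template already receives the user domain as `$3`, and the `domtrans_pattern($3, java_exec_t, $1_java_t)` line directly above uses `$3`, so `corecmd_bin_domtrans($1_java_t, $3)` is the consistent form. In the third hunk, `nsplugin_role_notrans($2, unconfined_java_t)` is called in `java_run_unconfined` outside any `optional_policy` block, which makes the nsplugin module a hard dependency of every policy that uses this interface unless nsplugin is required in this tree; wrapping it in an `optional_policy` block, as `execmem_role_template` does for its cross-module calls, avoids that. `java_role_template` begins before the first hunk and `java_run_unconfined` before the third, so their headers are not visible here.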


@ -82,12 +82,12 @@ dev_read_urand(java_t)
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
files_read_etc_files(java_t)
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
files_read_etc_runtime_files(java_t)
# Read global fonts and font config
files_read_etc_files(java_t)
fs_getattr_xattr_fs(java_t)
fs_dontaudit_rw_tmpfs_files(java_t)
@ -143,12 +143,15 @@ optional_policy(`
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
init_dbus_chat_script(unconfined_java_t)
files_execmod_all_files(unconfined_java_t)
init_dbus_chat_script(unconfined_java_t)
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
userdom_unpriv_usertype(unconfined, unconfined_java_t)
optional_policy(`
rpm_domtrans(unconfined_java_t)


@ -1,2 +1,2 @@
## <summary>system-config-kdump GUI</summary>
## <summary>system-config-kdump GUI</summary>


@ -1,4 +1,4 @@
policy_module(kdumpgui, 1.0.0)
policy_module(kdumpgui,1.0.0)
########################################
#
@ -7,6 +7,7 @@ policy_module(kdumpgui, 1.0.0)
type kdumpgui_t;
type kdumpgui_exec_t;
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
######################################
@ -14,46 +15,55 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
# system-config-kdump local policy
#
allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
consoletype_exec(kdumpgui_t)
kernel_read_system_state(kdumpgui_t)
kernel_read_network_state(kdumpgui_t)
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
dev_read_sysfs(kdumpgui_t)
# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
# Needed for running chkconfig
files_manage_etc_symlinks(kdumpgui_t)
# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
files_read_usr_files(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
consoletype_exec(kdumpgui_t)
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
logging_send_syslog_msg(kdumpgui_t)
miscfiles_read_localization(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
userdom_dontaudit_search_admin_dir(kdumpgui_t)
optional_policy(`
dev_rw_lvm_control(kdumpgui_t)
dev_rw_lvm_control(kdumpgui_t)
')
optional_policy(`
policykit_dbus_chat(kdumpgui_t)
gnome_dontaudit_search_config(kdumpgui_t)
')
optional_policy(`
policykit_dbus_chat(kdumpgui_t)
')
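Review bot: The new `allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;`, `kernel_read_network_state(kdumpgui_t)` and `dev_read_sysfs(kdumpgui_t)` rules come without a why-comment, unlike the `# for blkid.tab` note kept next to `files_manage_etc_runtime_files`; a one-line reason for each (what in system-config-kdump listens for uevents or reads network state) would let the next reviewer judge whether they are still needed. `dev_rw_lvm_control(kdumpgui_t)` is wrapped in an optional_policy block, but `dev_*` interfaces belong to the always-present devices module, so the wrapper is misleading — move the call out next to the other `dev_*` rules. This domain already holds `sys_rawio` and raw read/write on fixed disks, so each additional rule is worth justifying in place.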


@ -41,12 +41,32 @@ interface(`livecd_run',`
livecd_domtrans($1)
role $2 types livecd_t;
seutil_run_setfiles_mac(livecd_t, $2)
optional_policy(`
mount_run(livecd_t, $2)
')
')
########################################
## <summary>
## Dontaudit read/write to a livecd leaks
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`livecd_dontaudit_leaks',`
gen_require(`
type livecd_t;
')
dontaudit $1 livecd_t:unix_dgram_socket { read write };
')
########################################
## <summary>
## Read livecd temporary files.
@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',`
')
files_search_tmp($1)
allow $1 livecd_tmp_t:file rw_file_perms;
rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
')
########################################
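Review bot: The new `livecd_dontaudit_leaks` interface only suppresses `unix_dgram_socket { read write }` on `livecd_t`, but its summary (`Dontaudit read/write to a livecd leaks`) does not say which object class is covered, and its parameter is documented as `Domain allowed access.` although a dontaudit interface grants nothing; refpolicy's wording for these is `Domain to not audit.`. Suggested summary: `Do not audit attempts to read or write livecd unix datagram sockets leaked across an exec.` The `rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)` form in `livecd_rw_tmp_files` additionally grants search on `livecd_tmp_t` directories compared with the bare `:file rw_file_perms` rule it replaces, which is reasonable but worth a word in the interface description.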


@ -20,16 +20,14 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
unconfined_domain_noaudit(livecd_t)
domain_ptrace_all_domains(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
optional_policy(`
unconfined_domain(livecd_t)
')
optional_policy(`
hal_dbus_chat(livecd_t)
')
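Review bot: `domain_ptrace_all_domains(livecd_t)` lets the livecd builder ptrace every domain on the system, which goes beyond what building an image inside a chroot needs, and the hunk gives no reason for it; a why-comment, or a narrower interface if only specific helpers must be traced, is warranted. The hunk shows both `unconfined_domain_noaudit(livecd_t)` and an optional_policy block calling `unconfined_domain(livecd_t)`; if the former replaces the latter, note in a comment that denials for this domain will no longer appear in the audit log at all, since the noaudit variant is what hides them. `dontaudit livecd_t self:capability2 mac_admin;` would also read better with a comment saying that labels unknown to the running policy are expected to be handled by the `setfiles_mac` transition granted in livecd.if rather than by livecd_t itself.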


@ -41,15 +41,18 @@ template(`mono_role_template',`
application_type($1_mono_t)
allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
userdom_unpriv_usertype($1, $1_mono_t)
userdom_manage_tmpfs_role($2, $1_mono_t)
domtrans_pattern($3, mono_exec_t, $1_mono_t)
fs_dontaudit_rw_tmpfs_files($1_mono_t)
corecmd_bin_domtrans($1_mono_t, $1_t)
userdom_manage_user_tmpfs_files($1_mono_t)
ifdef(`hide_broken_symptoms', `
dontaudit $1_t $1_mono_t:socket_class_set { read write };
')
optional_policy(`
xserver_role($1_r, $1_mono_t)
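Review bot: `corecmd_bin_domtrans($1_mono_t, $1_t)` and `dontaudit $1_t $1_mono_t:socket_class_set { read write };` reconstruct the user domain's name from the prefix, while the rest of `mono_role_template` uses the caller-supplied `$3` for that domain (`allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };`, `domtrans_pattern($3, mono_exec_t, $1_mono_t)`); for a prefix whose user domain is not literally `$1_t` these two rules reference a different, possibly undeclared, type. Change them to `corecmd_bin_domtrans($1_mono_t, $3)` and `dontaudit $3 $1_mono_t:socket_class_set { read write };`. The template starts before this hunk.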


@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@ -27,3 +28,4 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
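Review bot: Labeling `HOME_DIR/\.thunderbird(/.*)?` as `mozilla_home_t` puts Thunderbird's profile directory under the browser's home type, and this commit also hands that type to plugin domains: `mozilla_plugin_t` gets `read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)` in mozilla.te, and `nsplugin_t` and `nsplugin_config_t` get `mozilla_read_user_home_files` plus `mozilla_write_user_home_files` in nsplugin.te. Unless that sharing is intended, a browser plugin would be able to read and modify whatever the mail profile holds, which a separate type (a thunderbird module already exists, see `thunderbird_domtrans(mozilla_t)` in mozilla.te) would avoid. If it is intended, add a comment on this line saying why the Thunderbird profile must be `mozilla_home_t` rather than its own type.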


@ -29,6 +29,8 @@ interface(`mozilla_role',`
allow mozilla_t $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
mozilla_plugin_run(mozilla_t, $2)
# Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
allow $2 mozilla_t:process signal_perms;
@ -48,6 +50,12 @@ interface(`mozilla_role',`
mozilla_dbus_chat($2)
userdom_manage_tmp_role($1, mozilla_t)
optional_policy(`
nsplugin_role($1, mozilla_t)
')
optional_policy(`
pulseaudio_role($1, mozilla_t)
')
@ -108,7 +116,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
dontaudit $1 mozilla_home_t:file rw_file_perms;
dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
')
########################################
@ -166,6 +174,50 @@ interface(`mozilla_domtrans',`
domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
## <summary>
## Execute a domain transition to run mozilla_plugin.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
')
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
')
########################################
## <summary>
## Execute mozilla_plugin in the mozilla_plugin domain, and
## allow the specified role the mozilla_plugin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the mozilla_plugin domain.
## </summary>
## </param>
#
interface(`mozilla_run_plugin',`
gen_require(`
type mozilla_plugin_t;
')
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
')
########################################
## <summary>
## Send and receive messages from
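Review bot: `mozilla_plugin_run(mozilla_t, $2)` in `mozilla_role` does not match the interface this commit defines, which is `mozilla_run_plugin` with parameters (domain, role); unless a `mozilla_plugin_run` interface exists outside this hunk the name is unresolved, and even then `$2` is the user domain in `mozilla_role` (see `allow mozilla_t $2:process { sigchld signull };`) whereas the role is `$1` (`userdom_manage_tmp_role($1, mozilla_t)`, `nsplugin_role($1, mozilla_t)`). The intended call is `mozilla_run_plugin(mozilla_t, $1)`. The `mozilla_role` interface starts before this hunk.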


@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
files_poly_member(mozilla_home_t)
userdom_user_home_content(mozilla_home_t)
type mozilla_tmpfs_t;
@ -33,6 +34,13 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
permissive mozilla_plugin_t;
########################################
#
# Local policy
@ -89,16 +97,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
corenet_sendrecv_squid_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
@ -238,6 +250,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
gnome_manage_gconf_home_files(mozilla_t)
')
optional_policy(`
@ -257,6 +270,11 @@ optional_policy(`
nscd_socket_use(mozilla_t)
')
optional_policy(`
nsplugin_manage_rw(mozilla_t)
nsplugin_manage_home_files(mozilla_t)
')
optional_policy(`
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
@ -266,3 +284,46 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
########################################
#
# mozilla_plugin local policy
#
allow mozilla_plugin_t self:process setsched;
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
optional_policy(`
nsplugin_domtrans(mozilla_plugin_t)
nsplugin_rw_exec(mozilla_plugin_t)
')
optional_policy(`
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
')
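Review bot: `permissive mozilla_plugin_t;` means every denial for the new plugin domain is logged but not enforced, so while that line is present plugin-container is labeled but not confined; mark it as a bring-up setting, e.g. `# TODO: permissive while the domain is being completed; remove before release`. In the same declaration block `role system_r types mozilla_plugin_t;` is unexplained, since `mozilla_run_plugin` already adds the caller's role and a browser plugin has no obvious reason to run in system_r. `kernel_request_load_module(mozilla_plugin_t)` also lets plugin content trigger kernel module autoloading; if that only silences observed noise a dontaudit is the safer form, and if it is genuinely required the reason belongs in a comment.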


@ -102,3 +102,39 @@ interface(`mplayer_read_user_home_files',`
read_files_pattern($1, mplayer_home_t, mplayer_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Execute mplayer_exec_t
## in the specified domain.
## </summary>
## <desc>
## <p>
## Execute a mplayer_exec_t
## in the specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
interface(`mplayer_exec_domtrans',`
gen_require(`
type mplayer_exec_t;
')
allow $2 mplayer_exec_t:file entrypoint;
domtrans_pattern($1, mplayer_exec_t, $2)
')


@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
type mplayer_home_t;
typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
files_poly_member(mplayer_home_t)
userdom_user_home_content(mplayer_home_t)
type mplayer_tmpfs_t;
@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
userdom_search_user_home_dirs(mplayer_t)
manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
@ -222,6 +224,8 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
fs_list_inotifyfs(mplayer_t)
logging_send_syslog_msg(mplayer_t)
miscfiles_read_localization(mplayer_t)
miscfiles_read_fonts(mplayer_t)
@ -301,6 +305,10 @@ optional_policy(`
alsa_read_rw_config(mplayer_t)
')
optional_policy(`
gnome_setattr_config_dirs(mplayer_t)
')
optional_policy(`
nscd_socket_use(mplayer_t)
')


@ -0,0 +1,10 @@
HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
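Review bot: `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` is labeled `nsplugin_rw_t`, a type this commit makes both writable and executable: `mozilla_t` gets `nsplugin_manage_rw(mozilla_t)`, `nsplugin_config_t` gets `manage_*_pattern` rules plus `can_exec(nsplugin_config_t, nsplugin_rw_t)`, and `nsplugin_role_notrans` grants the user domain `can_exec($2, nsplugin_rw_t)`. A writable-and-executable type under /usr/lib means a compromised browser domain can drop a file that the user domain and the plugin wrapper will later execute, which undercuts the separation the nsplugin domain is meant to provide. If the wrapper must generate these stubs, consider writing them from `nsplugin_config_t` only (dropping `nsplugin_manage_rw(mozilla_t)`), and document on this line which tool creates the directory.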


@ -0,0 +1,391 @@
## <summary>policy for nsplugin</summary>
########################################
## <summary>
## Create, read, write, and delete
## nsplugin rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_manage_rw_files',`
gen_require(`
type nsplugin_rw_t;
')
allow $1 nsplugin_rw_t:file manage_file_perms;
allow $1 nsplugin_rw_t:dir rw_dir_perms;
')
########################################
## <summary>
## Manage nsplugin rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_manage_rw',`
gen_require(`
type nsplugin_rw_t;
')
manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
')
#######################################
## <summary>
## The per role template for the nsplugin module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for nsplugin web browser.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
interface(`nsplugin_role_notrans',`
gen_require(`
type nsplugin_rw_t;
type nsplugin_home_t;
type nsplugin_exec_t;
type nsplugin_config_exec_t;
type nsplugin_t;
type nsplugin_config_t;
class x_drawable all_x_drawable_perms;
class x_resource all_x_resource_perms;
class dbus send_msg;
')
role $1 types nsplugin_t;
role $1 types nsplugin_config_t;
allow nsplugin_t $2:process signull;
allow nsplugin_t $2:dbus send_msg;
allow $2 nsplugin_t:dbus send_msg;
list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
can_exec($2, nsplugin_rw_t)
#Leaked File Descriptors
ifdef(`hide_broken_symptoms', `
dontaudit nsplugin_t $2:socket_class_set { read write };
dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
dontaudit nsplugin_config_t $2:socket_class_set { read write };
dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
')
allow nsplugin_t $2:unix_stream_socket connectto;
dontaudit nsplugin_t $2:process ptrace;
allow nsplugin_t $2:sem rw_sem_perms;
allow nsplugin_t $2:shm rw_shm_perms;
dontaudit nsplugin_t $2:shm destroy;
allow $2 nsplugin_t:sem rw_sem_perms;
allow $2 nsplugin_t:process { getattr ptrace signal_perms };
allow $2 nsplugin_t:unix_stream_socket connectto;
# Connect to pulseaudit server
stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
gnome_stream_connect(nsplugin_t, $2)
userdom_use_user_terminals(nsplugin_t)
userdom_use_user_terminals(nsplugin_config_t)
userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
userdom_manage_tmpfs_role($1, nsplugin_t)
optional_policy(`
pulseaudio_role($1, nsplugin_t)
')
')
#######################################
## <summary>
## Role access for nsplugin
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`nsplugin_role',`
gen_require(`
type nsplugin_exec_t;
type nsplugin_config_exec_t;
type nsplugin_t;
type nsplugin_config_t;
')
nsplugin_role_notrans($1, $2)
domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
')
#######################################
## <summary>
## The per role template for the nsplugin module.
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`nsplugin_domtrans',`
gen_require(`
type nsplugin_exec_t;
type nsplugin_t;
')
domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
allow $1 nsplugin_t:unix_stream_socket connectto;
allow nsplugin_t $1:process signal;
')
#######################################
## <summary>
## The per role template for the nsplugin module.
## </summary>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`nsplugin_domtrans_config',`
gen_require(`
type nsplugin_config_exec_t;
type nsplugin_config_t;
')
domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
')
########################################
## <summary>
## Search nsplugin rw directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_search_rw_dir',`
gen_require(`
type nsplugin_rw_t;
')
allow $1 nsplugin_rw_t:dir search_dir_perms;
')
########################################
## <summary>
## Read nsplugin rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_read_rw_files',`
gen_require(`
type nsplugin_rw_t;
')
list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
')
########################################
## <summary>
## Read nsplugin home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_read_home',`
gen_require(`
type nsplugin_home_t;
')
list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
')
########################################
## <summary>
## Exec nsplugin rw files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_rw_exec',`
gen_require(`
type nsplugin_rw_t;
')
can_exec($1, nsplugin_rw_t)
')
########################################
## <summary>
## Create, read, write, and delete
## nsplugin home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_manage_home_files',`
gen_require(`
type nsplugin_home_t;
')
manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
')
########################################
## <summary>
## Allow attempts to read and write to
## nsplugin named pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`nsplugin_rw_pipes',`
gen_require(`
type nsplugin_home_t;
')
allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Read and write to nsplugin shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_rw_shm',`
gen_require(`
type nsplugin_t;
')
allow $1 nsplugin_t:shm rw_shm_perms;
')
#####################################
## <summary>
## Allow read and write access to nsplugin semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nsplugin_rw_semaphores',`
gen_require(`
type nsplugin_t;
')
allow $1 nsplugin_t:sem rw_sem_perms;
')
########################################
## <summary>
## Execute nsplugin_exec_t
## in the specified domain.
## </summary>
## <desc>
## <p>
## Execute a nsplugin_exec_t
## in the specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
interface(`nsplugin_exec_domtrans',`
gen_require(`
type nsplugin_exec_t;
')
allow $2 nsplugin_exec_t:file entrypoint;
domtrans_pattern($1, nsplugin_exec_t, $2)
')
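Review bot: `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` in `nsplugin_role_notrans` uses `user_home_t`, which is not listed in the interface's `gen_require`, so the interface will not build in a caller that does not already require that type; add `type user_home_t;` to the require block or use a userdom interface for the home-directory socket. The same block requires `class x_drawable all_x_drawable_perms;` and `class x_resource all_x_resource_perms;` that the body never uses, calls `gnome_stream_connect(nsplugin_t, $2)` outside an optional_policy block although gnome is an optional module, and the comment `# Connect to pulseaudit server` should read `# Connect to the pulseaudio server`. The doc blocks are also out of step with the bodies: `nsplugin_role_notrans` and `nsplugin_role` document three parameters but take two (`$1` role, `$2` user domain), `nsplugin_domtrans` and `nsplugin_domtrans_config` are described as "The per role template for the nsplugin module", and `nsplugin_rw_pipes` says `Domain to not audit.` for an allow rule.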


@ -0,0 +1,306 @@
policy_module(nsplugin, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow nsplugin code to execmem/execstack
## </p>
## </desc>
gen_tunable(allow_nsplugin_execmem, false)
## <desc>
## <p>
## Allow nsplugin code to connect to unreserved ports
## </p>
## </desc>
gen_tunable(nsplugin_can_network, true)
type nsplugin_exec_t;
application_executable_file(nsplugin_exec_t)
type nsplugin_config_exec_t;
application_executable_file(nsplugin_config_exec_t)
type nsplugin_rw_t;
files_poly_member(nsplugin_rw_t)
files_type(nsplugin_rw_t)
type nsplugin_tmp_t;
files_tmp_file(nsplugin_tmp_t)
type nsplugin_home_t;
files_poly_member(nsplugin_home_t)
userdom_user_home_content(nsplugin_home_t)
typealias nsplugin_home_t alias user_nsplugin_home_t;
type nsplugin_t;
domain_type(nsplugin_t)
domain_entry_file(nsplugin_t, nsplugin_exec_t)
type nsplugin_config_t;
domain_type(nsplugin_config_t)
domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
application_executable_file(nsplugin_exec_t)
application_executable_file(nsplugin_config_exec_t)
########################################
#
# nsplugin local policy
#
dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
allow nsplugin_t self:fifo_file rw_file_perms;
allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
allow nsplugin_t self:sem create_sem_perms;
allow nsplugin_t self:shm create_shm_perms;
allow nsplugin_t self:msgq create_msgq_perms;
allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow nsplugin_t self:unix_dgram_socket create_socket_perms;
allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
tunable_policy(`allow_nsplugin_execmem',`
allow nsplugin_t self:process { execstack execmem };
allow nsplugin_config_t self:process { execstack execmem };
')
tunable_policy(`nsplugin_can_network',`
corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
')
manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
userdom_dontaudit_getattr_user_home_content(nsplugin_t)
userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
userdom_dontaudit_write_user_home_content_files(nsplugin_t)
userdom_dontaudit_search_admin_dir(nsplugin_t)
corecmd_exec_bin(nsplugin_t)
corecmd_exec_shell(nsplugin_t)
corenet_all_recvfrom_unlabeled(nsplugin_t)
corenet_all_recvfrom_netlabel(nsplugin_t)
corenet_tcp_connect_flash_port(nsplugin_t)
corenet_tcp_connect_streaming_port(nsplugin_t)
corenet_tcp_connect_pulseaudio_port(nsplugin_t)
corenet_tcp_connect_http_port(nsplugin_t)
corenet_tcp_connect_http_cache_port(nsplugin_t)
corenet_tcp_connect_squid_port(nsplugin_t)
corenet_tcp_sendrecv_generic_if(nsplugin_t)
corenet_tcp_sendrecv_generic_node(nsplugin_t)
corenet_tcp_connect_ipp_port(nsplugin_t)
corenet_tcp_connect_speech_port(nsplugin_t)
domain_dontaudit_read_all_domains_state(nsplugin_t)
dev_read_rand(nsplugin_t)
dev_read_sound(nsplugin_t)
dev_write_sound(nsplugin_t)
dev_read_video_dev(nsplugin_t)
dev_write_video_dev(nsplugin_t)
dev_getattr_dri_dev(nsplugin_t)
dev_rwx_zero(nsplugin_t)
dev_search_sysfs(nsplugin_t)
kernel_read_kernel_sysctls(nsplugin_t)
kernel_read_system_state(nsplugin_t)
files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
files_dontaudit_list_home(nsplugin_t)
files_read_etc_files(nsplugin_t)
files_read_usr_files(nsplugin_t)
files_read_config_files(nsplugin_t)
fs_getattr_tmpfs(nsplugin_t)
fs_getattr_xattr_fs(nsplugin_t)
fs_search_auto_mountpoints(nsplugin_t)
fs_rw_anon_inodefs_files(nsplugin_t)
fs_list_inotifyfs(nsplugin_t)
storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
term_dontaudit_getattr_all_ptys(nsplugin_t)
term_dontaudit_getattr_all_ttys(nsplugin_t)
auth_use_nsswitch(nsplugin_t)
libs_exec_ld_so(nsplugin_t)
miscfiles_read_localization(nsplugin_t)
miscfiles_read_fonts(nsplugin_t)
miscfiles_dontaudit_write_fonts(nsplugin_t)
miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
userdom_manage_user_tmp_dirs(nsplugin_t)
userdom_manage_user_tmp_files(nsplugin_t)
userdom_manage_user_tmp_sockets(nsplugin_t)
userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
userdom_rw_semaphores(nsplugin_t)
userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
userdom_read_user_home_content_symlinks(nsplugin_t)
userdom_read_user_home_content_files(nsplugin_t)
userdom_read_user_tmp_files(nsplugin_t)
userdom_write_user_tmp_sockets(nsplugin_t)
userdom_dontaudit_append_user_home_content_files(nsplugin_t)
optional_policy(`
alsa_read_rw_config(nsplugin_t)
alsa_read_home_files(nsplugin_t)
')
optional_policy(`
cups_stream_connect(nsplugin_t)
')
optional_policy(`
dbus_session_bus_client(nsplugin_t)
dbus_connect_session_bus(nsplugin_t)
dbus_system_bus_client(nsplugin_t)
')
optional_policy(`
gnome_exec_gconf(nsplugin_t)
gnome_manage_config(nsplugin_t)
gnome_read_gconf_home_files(nsplugin_t)
')
optional_policy(`
mozilla_read_user_home_files(nsplugin_t)
mozilla_write_user_home_files(nsplugin_t)
')
optional_policy(`
mplayer_exec(nsplugin_t)
mplayer_read_user_home_files(nsplugin_t)
')
optional_policy(`
unconfined_execmem_signull(nsplugin_t)
')
optional_policy(`
sandbox_read_tmpfs_files(nsplugin_t)
')
optional_policy(`
gen_require(`
type user_tmpfs_t;
')
xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
xserver_rw_shm(nsplugin_t)
xserver_read_xdm_pid(nsplugin_t)
xserver_read_xdm_tmp_files(nsplugin_t)
xserver_read_user_xauth(nsplugin_t)
xserver_read_user_iceauth(nsplugin_t)
xserver_use_user_fonts(nsplugin_t)
xserver_rw_inherited_user_fonts(nsplugin_t)
')
########################################
#
# nsplugin_config local policy
#
allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
#execing pulseaudio
dontaudit nsplugin_t self:process { getcap setcap };
allow nsplugin_config_t self:fifo_file rw_file_perms;
allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
dev_dontaudit_read_rand(nsplugin_config_t)
fs_search_auto_mountpoints(nsplugin_config_t)
fs_list_inotifyfs(nsplugin_config_t)
can_exec(nsplugin_config_t, nsplugin_rw_t)
manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
corecmd_exec_bin(nsplugin_config_t)
corecmd_exec_shell(nsplugin_config_t)
kernel_read_system_state(nsplugin_config_t)
files_read_etc_files(nsplugin_config_t)
files_read_usr_files(nsplugin_config_t)
files_dontaudit_search_home(nsplugin_config_t)
files_list_tmp(nsplugin_config_t)
auth_use_nsswitch(nsplugin_config_t)
miscfiles_read_localization(nsplugin_config_t)
miscfiles_read_fonts(nsplugin_config_t)
userdom_search_user_home_content(nsplugin_config_t)
userdom_read_user_home_content_symlinks(nsplugin_config_t)
userdom_read_user_home_content_files(nsplugin_config_t)
userdom_dontaudit_search_admin_dir(nsplugin_config_t)
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(nsplugin_t)
fs_manage_nfs_dirs(nsplugin_t)
fs_manage_nfs_files(nsplugin_t)
fs_read_nfs_symlinks(nsplugin_t)
fs_manage_nfs_named_pipes(nsplugin_t)
fs_manage_nfs_dirs(nsplugin_config_t)
fs_manage_nfs_files(nsplugin_config_t)
fs_manage_nfs_named_pipes(nsplugin_config_t)
fs_read_nfs_symlinks(nsplugin_config_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_getattr_cifs(nsplugin_t)
fs_manage_cifs_dirs(nsplugin_t)
fs_manage_cifs_files(nsplugin_t)
fs_read_cifs_symlinks(nsplugin_t)
fs_manage_cifs_named_pipes(nsplugin_t)
fs_manage_cifs_dirs(nsplugin_config_t)
fs_manage_cifs_files(nsplugin_config_t)
fs_manage_cifs_named_pipes(nsplugin_config_t)
fs_read_cifs_symlinks(nsplugin_config_t)
')
domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
optional_policy(`
xserver_use_user_fonts(nsplugin_config_t)
')
optional_policy(`
mozilla_read_user_home_files(nsplugin_config_t)
mozilla_write_user_home_files(nsplugin_config_t)
')
application_signull(nsplugin_t)
optional_policy(`
pulseaudio_exec(nsplugin_t)
pulseaudio_stream_connect(nsplugin_t)
pulseaudio_manage_home_files(nsplugin_t)
pulseaudio_setattr_home_dir(nsplugin_t)
')
optional_policy(`
unconfined_execmem_exec(nsplugin_t)
')
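Review bot: The `allow_nsplugin_execmem` tunable does not actually gate executable memory: `dev_rwx_zero(nsplugin_t)` is granted unconditionally, and as I understand the mmap check a shared writable+executable mapping of /dev/zero is tested against the device's `chr_file` permissions rather than `process execmem` (which is what that interface exists to permit), while `nsplugin_config_t` already has `execmem` in the unconditional `allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };`, making the `execmem` inside the tunable redundant for it. Move `dev_rwx_zero(nsplugin_t)` into the `tunable_policy` block for `allow_nsplugin_execmem` and drop `execmem` from the unconditional nsplugin_config_t rule, or document that the boolean is advisory only. Smaller issues: `application_executable_file(nsplugin_exec_t)` and `application_executable_file(nsplugin_config_exec_t)` are each declared twice, and `dontaudit nsplugin_t self:process { getcap setcap };` with its `#execing pulseaudio` comment sits under the nsplugin_config section although it targets `nsplugin_t`.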


@ -0,0 +1,4 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)


@ -0,0 +1,129 @@
## <summary>Openoffice</summary>
#######################################
## <summary>
## The per role template for the openoffice module.
## </summary>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`openoffice_plugin_role',`
gen_require(`
type openoffice_exec_t;
type openoffice_t;
')
########################################
#
# Local policy
#
domtrans_pattern($1, openoffice_exec_t, openoffice_t)
allow $1 openoffice_t:process { signal sigkill };
')
#######################################
## <summary>
## role for openoffice
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for java applications.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`openoffice_role_template',`
gen_require(`
type openoffice_exec_t;
')
role $2 types $1_openoffice_t;
type $1_openoffice_t;
domain_type($1_openoffice_t)
domain_entry_file($1_openoffice_t, openoffice_exec_t)
domain_interactive_fd($1_openoffice_t)
userdom_unpriv_usertype($1, $1_openoffice_t)
userdom_exec_user_home_content_files($1_openoffice_t)
allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
allow $1_openoffice_t $3:tcp_socket { read write };
domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
dev_read_urand($1_openoffice_t)
dev_read_rand($1_openoffice_t)
fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
allow $3 $1_openoffice_t:process { signal sigkill };
allow $1_openoffice_t $3:unix_stream_socket connectto;
optional_policy(`
xserver_role($2, $1_openoffice_t)
')
')
########################################
## <summary>
## Execute openoffice_exec_t
## in the specified domain.
## </summary>
## <desc>
## <p>
## Execute a openoffice_exec_t
## in the specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
interface(`openoffice_exec_domtrans',`
gen_require(`
type openoffice_exec_t;
')
allow $2 openoffice_exec_t:file entrypoint;
domtrans_pattern($1, openoffice_exec_t, $2)
')
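Review bot: `openoffice_role_template` at L4241 creates new types (`type $1_openoffice_t;` at L4246) yet is declared with `interface(` rather than `template(`, unlike `sandbox_x_domain_template` elsewhere in this commit; refpolicy's convention is `template(` for anything that derives per-prefix types, and the doc tooling treats the two differently. Its `<desc>` at L4220-L4221 still reads "used for java applications", a copy-paste that should say openoffice. In `openoffice_plugin_role` the doc block documents `user_role` and `user_domain`, but the body only uses `$1` as the domain in `domtrans_pattern($1, openoffice_exec_t, openoffice_t)` and never adds `role $2 types openoffice_t;`, so either the parameter docs or the body is wrong. The `execheap execmem execstack` self permissions at L4252 deserve a one-line comment naming the component that needs them, since they disable W^X protections for the derived domain.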


@ -0,0 +1,16 @@
policy_module(openoffice, 1.0.0)
########################################
#
# Declarations
#
type openoffice_t;
type openoffice_exec_t;
application_domain(openoffice_t, openoffice_exec_t)
########################################
#
# Unconfined java local policy
#
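Review bot: The section header at L4313 says "Unconfined java local policy" in the openoffice module; it should read `# openoffice local policy`. As far as this hunk shows, `openoffice_t` is declared through `application_domain(openoffice_t, openoffice_exec_t)` but receives no allow rules, so a user domain transitioning into it via `openoffice_plugin_role` would land in a nearly empty domain; if that is intentional, a comment saying the rules come later would help, otherwise they are missing. The remainder of the file is not visible here.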


@ -27,7 +27,7 @@ ubac_constrained(podsleuth_tmpfs_t)
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
@ -73,6 +73,7 @@ miscfiles_read_localization(podsleuth_t)
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
userdom_signull_unpriv_users(podsleuth_t)
userdom_read_user_tmpfs_files(podsleuth_t)
optional_policy(`


@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
userdom_manage_home_role($1, pulseaudio_t)
userdom_manage_tmp_role($1, pulseaudio_t)
userdom_manage_tmpfs_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')


@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_search_admin_dir(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
@ -94,11 +95,6 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
# cjp: this seems excessive. need to confirm
userdom_manage_user_home_content_files(pulseaudio_t)
userdom_manage_user_tmp_files(pulseaudio_t)
userdom_manage_user_tmpfs_files(pulseaudio_t)
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
')
@ -130,6 +126,10 @@ optional_policy(`
rtkit_scheduled(pulseaudio_t)
')
optional_policy(`
mpd_read_tmpfs_files(pulseaudio_t)
')
optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
@ -148,3 +148,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
optional_policy(`
sandbox_manage_tmpfs_files(pulseaudio_t)
')
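Review bot: The new `sandbox_manage_tmpfs_files(pulseaudio_t)` at L4385 grants create/unlink/rename on every `sandbox_tmpfs_type` file, which is broader than the read/write that shared-memory audio between a sandboxed client and pulseaudio appears to need; a narrower rw interface (sandbox.if currently offers only read and manage variants) or a comment explaining why manage is required would keep the sandbox boundary tighter. The reorder of `{ dir file }` to `{ file dir }` in `files_pid_filetrans` at L4359-L4360 changes nothing and is pure churn. The added `userdom_search_admin_dir(pulseaudio_t)` at L4352 also lacks a comment on what pulseaudio looks for in the admin home directory.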


@ -273,6 +273,67 @@ interface(`qemu_domtrans_unconfined',`
domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
')
########################################
## <summary>
## Execute qemu_exec_t
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
## </summary>
## <desc>
## <p>
## Execute qemu_exec_t
## in the specified domain. This allows
## the specified domain to qemu programs
## on these filesystems in the specified
## domain.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## The type of the new process.
## </summary>
## </param>
#
interface(`qemu_spec_domtrans',`
gen_require(`
type qemu_exec_t;
')
read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
domain_transition_pattern($1, qemu_exec_t, $2)
domain_entry_file($2,qemu_exec_t)
can_exec($1,qemu_exec_t)
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_fifo_file_perms;
allow $2 $1:process sigchld;
')
########################################
## <summary>
## Execute qemu unconfined programs in the role.
## </summary>
## <param name="role">
## <summary>
## The role to allow the PAM domain.
## </summary>
## </param>
#
interface(`qemu_unconfined_role',`
gen_require(`
type unconfined_qemu_t;
type qemu_t;
')
role $1 types unconfined_qemu_t;
role $1 types qemu_t;
')
########################################
## <summary>
## Manage qemu temporary dirs.
@ -308,3 +369,24 @@ interface(`qemu_manage_tmp_files',`
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
########################################
## <summary>
## Make qemu_exec_t an entrypoint for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which qemu_exec_t is an entrypoint.
## </summary>
## </param>
#
interface(`qemu_entry_type',`
gen_require(`
type qemu_exec_t;
')
domain_entry_file($1, qemu_exec_t)
')
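Review bot: The `<desc>` of `qemu_spec_domtrans` at L4402-L4407 ("allows the specified domain to qemu programs on these filesystems") is a copy-paste from a filesystem interface and does not describe this one; something like "The caller must set the new context with setexeccon(); no automatic transition is defined." would. Likewise the parameter doc of `qemu_unconfined_role` at L4438 says "The role to allow the PAM domain" and should read "Role allowed access to the qemu domains", and its summary should mention that it grants `qemu_t` as well as `unconfined_qemu_t`. `domain_entry_file($2,qemu_exec_t)` and `can_exec($1,qemu_exec_t)` at L4426-L4427 drop the space after the comma used everywhere else in this file.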


@ -102,6 +102,10 @@ optional_policy(`
xen_rw_image_files(qemu_t)
')
optional_policy(`
xen_rw_image_files(qemu_t)
')
########################################
#
# Unconfined qemu local policy
@ -112,6 +116,8 @@ optional_policy(`
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
userdom_unpriv_usertype(unconfined, unconfined_qemu_t)
allow unconfined_qemu_t self:process { execstack execmem };
allow unconfined_qemu_t qemu_exec_t:file execmod;


@ -1,2 +1,3 @@
## <summary>system-config-samba dbus service policy</summary>


@ -1,4 +1,4 @@
policy_module(sambagui, 1.0.0)
policy_module(sambagui,1.0.0)
########################################
#
@ -14,31 +14,10 @@ dbus_system_domain(sambagui_t, sambagui_exec_t)
# system-config-samba local policy
#
allow sambagui_t self:capability dac_override;
allow sambagui_t self:capability dac_override;
allow sambagui_t self:fifo_file rw_fifo_file_perms;
allow sambagui_t self:unix_dgram_socket create_socket_perms;
# read meminfo
kernel_read_system_state(sambagui_t)
# execut apps of system-config-samba
corecmd_exec_shell(sambagui_t)
corecmd_exec_bin(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
files_search_usr(sambagui_t)
auth_use_nsswitch(sambagui_t)
logging_send_syslog_msg(sambagui_t)
miscfiles_read_localization(sambagui_t)
nscd_dontaudit_search_pid(sambagui_t)
# handling with samba conf files
samba_append_log(sambagui_t)
samba_manage_config(sambagui_t)
@ -48,10 +27,40 @@ samba_initrc_domtrans(sambagui_t)
samba_domtrans_smbd(sambagui_t)
samba_domtrans_nmbd(sambagui_t)
# execut apps of system-config-samba
corecmd_exec_shell(sambagui_t)
corecmd_exec_bin(sambagui_t)
files_read_etc_files(sambagui_t)
files_read_usr_files(sambagui_t)
files_search_var_lib(sambagui_t)
# reading shadow by pdbedit
#auth_read_shadow(sambagui_t)
auth_use_nsswitch(sambagui_t)
logging_send_syslog_msg(sambagui_t)
miscfiles_read_localization(sambagui_t)
# read meminfo
kernel_read_system_state(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
nscd_dontaudit_search_pid(sambagui_t)
userdom_dontaudit_search_admin_dir(sambagui_t)
optional_policy(`
consoletype_exec(sambagui_t)
')
optional_policy(`
gnome_dontaudit_search_config(sambagui_t)
')
optional_policy(`
policykit_dbus_chat(sambagui_t)
')


@ -0,0 +1 @@
# No types are sandbox_exec_t


@ -0,0 +1,334 @@
## <summary>policy for sandbox</summary>
########################################
## <summary>
## Execute sandbox in the sandbox domain, and
## allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the sandbox domain.
## </summary>
## </param>
#
interface(`sandbox_transition',`
gen_require(`
type sandbox_xserver_t;
attribute sandbox_domain;
attribute sandbox_x_domain;
attribute sandbox_file_type;
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_domain:process transition;
dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
role $2 types sandbox_domain;
allow sandbox_domain $1:process { sigchld signull };
allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
allow $1 sandbox_x_domain:process { signal_perms transition };
dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
allow sandbox_x_domain $1:process { sigchld signull };
dontaudit sandbox_domain $1:process signal;
role $2 types sandbox_x_domain;
role $2 types sandbox_xserver_t;
allow $1 sandbox_xserver_t:process signal_perms;
dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
allow sandbox_x_domain sandbox_x_domain:process signal;
# Dontaudit leaked file descriptors
dontaudit sandbox_x_domain $1:fifo_file { read write };
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
allow $1 sandbox_tmpfs_type:file manage_file_perms;
dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
')
########################################
## <summary>
## Creates types and rules for a basic
## qemu process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`sandbox_domain_template',`
gen_require(`
attribute sandbox_domain;
attribute sandbox_file_type;
attribute sandbox_x_type;
')
type $1_t, sandbox_domain, sandbox_x_type;
application_type($1_t)
mls_rangetrans_target($1_t)
type $1_file_t, sandbox_file_type;
files_type($1_file_t)
can_exec($1_t, $1_file_t)
manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
manage_files_pattern($1_t, $1_file_t, $1_file_t)
manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
')
########################################
## <summary>
## Creates types and rules for a basic
## qemu process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`sandbox_x_domain_template',`
gen_require(`
type xserver_exec_t, sandbox_devpts_t;
type sandbox_xserver_t;
attribute sandbox_domain, sandbox_x_domain;
attribute sandbox_file_type, sandbox_tmpfs_type;
')
type $1_t, sandbox_x_domain;
application_type($1_t)
type $1_file_t, sandbox_file_type;
files_type($1_file_t)
can_exec($1_t, $1_file_t)
manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
manage_files_pattern($1_t, $1_file_t, $1_file_t)
manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
type $1_devpts_t;
term_pty($1_devpts_t)
term_create_pty($1_t, $1_devpts_t)
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
# window manager
miscfiles_setattr_fonts_cache_dirs($1_t)
allow $1_t self:capability setuid;
type $1_client_t, sandbox_x_domain;
application_type($1_client_t)
type $1_client_tmpfs_t, sandbox_tmpfs_type;
files_tmpfs_file($1_client_tmpfs_t)
term_search_ptys($1_t)
allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
term_create_pty($1_client_t,sandbox_devpts_t)
manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
# Pulseaudio tmpfs files with different MCS labels
dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
allow $1_t sandbox_xserver_t:process signal_perms;
domtrans_pattern($1_t, $1_file_t, $1_client_t)
domain_entry_file($1_client_t, $1_file_t)
# Random tmpfs_t that gets created when you run X.
fs_rw_tmpfs_files($1_t)
manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
ps_process_pattern(sandbox_xserver_t, $1_client_t)
ps_process_pattern(sandbox_xserver_t, $1_t)
allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
allow sandbox_xserver_t $1_t:shm rw_shm_perms;
allow $1_client_t $1_t:unix_stream_socket connectto;
allow $1_t $1_client_t:unix_stream_socket connectto;
can_exec($1_client_t, $1_file_t)
manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
')
########################################
## <summary>
## allow domain to read,
## write sandbox_xserver tmp files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_rw_xserver_tmpfs_files',`
gen_require(`
type sandbox_xserver_tmpfs_t;
')
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')
########################################
## <summary>
## allow domain to read
## sandbox tmpfs files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_read_tmpfs_files',`
gen_require(`
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_tmpfs_type:file read_file_perms;
')
########################################
## <summary>
## allow domain to manage
## sandbox tmpfs files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_manage_tmpfs_files',`
gen_require(`
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_tmpfs_type:file manage_file_perms;
')
########################################
## <summary>
## Delete sandbox files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_delete_files',`
gen_require(`
attribute sandbox_file_type;
')
delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
')
########################################
## <summary>
## Delete sandbox sock files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_delete_sock_files',`
gen_require(`
attribute sandbox_file_type;
')
delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
')
########################################
## <summary>
## Allow domain to set the attributes
## of the sandbox directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_setattr_dirs',`
gen_require(`
attribute sandbox_file_type;
')
allow $1 sandbox_file_type:dir setattr;
')
########################################
## <summary>
## allow domain to delete sandbox files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_delete_dirs',`
gen_require(`
attribute sandbox_file_type;
')
delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
')
########################################
## <summary>
## allow domain to list sandbox dirs
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`sandbox_list',`
gen_require(`
attribute sandbox_file_type;
')
allow $1 sandbox_file_type:dir list_dir_perms;
')


@ -0,0 +1,401 @@
policy_module(sandbox,1.0.0)
dbus_stub()
attribute sandbox_domain;
attribute sandbox_x_domain;
attribute sandbox_file_type;
attribute sandbox_web_type;
attribute sandbox_tmpfs_type;
attribute sandbox_x_type;
########################################
#
# Declarations
#
sandbox_domain_template(sandbox)
sandbox_x_domain_template(sandbox_min)
sandbox_x_domain_template(sandbox_x)
sandbox_x_domain_template(sandbox_web)
sandbox_x_domain_template(sandbox_net)
type sandbox_xserver_t;
domain_type(sandbox_xserver_t)
xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
type sandbox_xserver_tmpfs_t;
files_tmpfs_file(sandbox_xserver_tmpfs_t)
type sandbox_devpts_t;
term_pty(sandbox_devpts_t)
files_type(sandbox_devpts_t)
########################################
#
# sandbox xserver policy
#
allow sandbox_xserver_t self:process { execmem execstack };
allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
allow sandbox_xserver_t self:shm create_shm_perms;
allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
corecmd_exec_bin(sandbox_xserver_t)
corecmd_exec_shell(sandbox_xserver_t)
corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
corenet_all_recvfrom_netlabel(sandbox_xserver_t)
corenet_tcp_sendrecv_all_if(sandbox_xserver_t)
corenet_udp_sendrecv_all_if(sandbox_xserver_t)
corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t)
corenet_udp_sendrecv_all_nodes(sandbox_xserver_t)
corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
corenet_tcp_bind_all_nodes(sandbox_xserver_t)
corenet_tcp_bind_xserver_port(sandbox_xserver_t)
corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
corenet_sendrecv_all_client_packets(sandbox_xserver_t)
dev_rwx_zero(sandbox_xserver_t)
files_read_config_files(sandbox_xserver_t)
files_read_usr_files(sandbox_xserver_t)
files_search_home(sandbox_xserver_t)
fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
fs_list_inotifyfs(sandbox_xserver_t)
miscfiles_read_fonts(sandbox_xserver_t)
miscfiles_read_localization(sandbox_xserver_t)
kernel_read_system_state(sandbox_xserver_t)
selinux_validate_context(sandbox_xserver_t)
selinux_compute_access_vector(sandbox_xserver_t)
selinux_compute_create_context(sandbox_xserver_t)
auth_use_nsswitch(sandbox_xserver_t)
logging_send_syslog_msg(sandbox_xserver_t)
logging_send_audit_msgs(sandbox_xserver_t)
userdom_use_user_terminals(sandbox_xserver_t)
userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
xserver_entry_type(sandbox_xserver_t)
optional_policy(`
dbus_system_bus_client(sandbox_xserver_t)
optional_policy(`
hal_dbus_chat(sandbox_xserver_t)
')
')
########################################
#
# sandbox local policy
#
## internal communication is often done using fifo and unix sockets.
allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:sem create_sem_perms;
allow sandbox_domain self:shm create_shm_perms;
allow sandbox_domain self:msgq create_msgq_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dev_rw_all_inherited_chr_files(sandbox_domain)
dev_rw_all_inherited_blk_files(sandbox_domain)
gen_require(`
type usr_t, lib_t, locale_t;
type var_t, var_run_t, rpm_log_t, locale_t;
attribute exec_type, configfile;
')
files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
files_entrypoint_all_files(sandbox_domain)
files_read_config_files(sandbox_domain)
files_read_usr_files(sandbox_domain)
files_read_var_files(sandbox_domain)
files_dontaudit_search_all_dirs(sandbox_domain)
miscfiles_read_localization(sandbox_domain)
kernel_dontaudit_read_system_state(sandbox_domain)
corecmd_exec_all_executables(sandbox_domain)
userdom_dontaudit_use_user_terminals(sandbox_domain)
mta_dontaudit_read_spool_symlinks(sandbox_domain)
########################################
#
# sandbox_x_domain local policy
#
allow sandbox_x_domain self:fifo_file manage_file_perms;
allow sandbox_x_domain self:sem create_sem_perms;
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:msgq create_msgq_perms;
allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
allow sandbox_x_domain self:shm create_shm_perms;
allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
domain_dontaudit_read_all_domains_state(sandbox_x_domain)
files_search_home(sandbox_x_domain)
files_dontaudit_list_tmp(sandbox_x_domain)
kernel_getattr_proc(sandbox_x_domain)
kernel_read_network_state(sandbox_x_domain)
kernel_read_system_state(sandbox_x_domain)
corecmd_exec_all_executables(sandbox_x_domain)
dev_read_urand(sandbox_x_domain)
dev_dontaudit_read_rand(sandbox_x_domain)
dev_read_sysfs(sandbox_x_domain)
files_entrypoint_all_files(sandbox_x_domain)
files_read_config_files(sandbox_x_domain)
files_read_usr_files(sandbox_x_domain)
files_read_usr_symlinks(sandbox_x_domain)
fs_getattr_tmpfs(sandbox_x_domain)
fs_getattr_xattr_fs(sandbox_x_domain)
fs_list_inotifyfs(sandbox_x_domain)
auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
auth_use_nsswitch(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)
init_read_utmp(sandbox_x_domain)
init_dontaudit_write_utmp(sandbox_x_domain)
miscfiles_read_localization(sandbox_x_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
term_getattr_pty_fs(sandbox_x_domain)
term_use_ptmx(sandbox_x_domain)
logging_send_syslog_msg(sandbox_x_domain)
logging_dontaudit_search_logs(sandbox_x_domain)
miscfiles_read_fonts(sandbox_x_domain)
storage_dontaudit_rw_fuse(sandbox_x_domain)
optional_policy(`
cups_stream_connect(sandbox_x_domain)
cups_read_rw_config(sandbox_x_domain)
')
optional_policy(`
dbus_system_bus_client(sandbox_x_domain)
')
optional_policy(`
gnome_read_gconf_config(sandbox_x_domain)
')
optional_policy(`
nscd_dontaudit_search_pid(sandbox_x_domain)
')
optional_policy(`
sssd_dontaudit_search_lib(sandbox_x_domain)
')
optional_policy(`
udev_read_db(sandbox_x_domain)
')
userdom_dontaudit_use_user_terminals(sandbox_x_domain)
userdom_read_user_home_content_symlinks(sandbox_x_domain)
userdom_search_user_home_content(sandbox_x_domain)
#============= sandbox_x_t ==============
files_search_home(sandbox_x_t)
userdom_use_user_ptys(sandbox_x_t)
########################################
#
# sandbox_x_client_t local policy
#
allow sandbox_x_client_t self:tcp_socket create_socket_perms;
allow sandbox_x_client_t self:udp_socket create_socket_perms;
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
dev_read_rand(sandbox_x_client_t)
corenet_tcp_connect_ipp_port(sandbox_x_client_t)
auth_use_nsswitch(sandbox_x_client_t)
selinux_get_fs_mount(sandbox_x_client_t)
selinux_validate_context(sandbox_x_client_t)
selinux_compute_access_vector(sandbox_x_client_t)
selinux_compute_create_context(sandbox_x_client_t)
selinux_compute_relabel_context(sandbox_x_client_t)
selinux_compute_user_contexts(sandbox_x_client_t)
seutil_read_default_contexts(sandbox_x_client_t)
optional_policy(`
hal_dbus_chat(sandbox_x_client_t)
')
########################################
#
# sandbox_web_client_t local policy
#
typeattribute sandbox_web_client_t sandbox_web_type;
allow sandbox_web_type self:capability { setuid setgid };
allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
allow sandbox_web_type self:process setsched;
dontaudit sandbox_web_type self:process setrlimit;
allow sandbox_web_type self:tcp_socket create_socket_perms;
allow sandbox_web_type self:udp_socket create_socket_perms;
allow sandbox_web_type self:dbus { acquire_svc send_msg };
allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
kernel_request_load_module(sandbox_web_type)
dev_read_rand(sandbox_web_type)
dev_write_sound(sandbox_web_type)
dev_read_sound(sandbox_web_type)
# Browse the web, connect to printer
corenet_all_recvfrom_unlabeled(sandbox_web_type)
corenet_all_recvfrom_netlabel(sandbox_web_type)
corenet_tcp_sendrecv_all_if(sandbox_web_type)
corenet_raw_sendrecv_all_if(sandbox_web_type)
corenet_tcp_sendrecv_all_nodes(sandbox_web_type)
corenet_raw_sendrecv_all_nodes(sandbox_web_type)
corenet_tcp_sendrecv_http_port(sandbox_web_type)
corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
corenet_tcp_sendrecv_squid_port(sandbox_web_type)
corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
corenet_tcp_connect_http_port(sandbox_web_type)
corenet_tcp_connect_http_cache_port(sandbox_web_type)
corenet_tcp_connect_squid_port(sandbox_web_type)
corenet_tcp_connect_flash_port(sandbox_web_type)
corenet_tcp_connect_ftp_port(sandbox_web_type)
corenet_tcp_connect_ipp_port(sandbox_web_type)
corenet_tcp_connect_streaming_port(sandbox_web_type)
corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
corenet_tcp_connect_speech_port(sandbox_web_type)
corenet_tcp_connect_generic_port(sandbox_web_type)
corenet_tcp_connect_soundd_port(sandbox_web_type)
corenet_tcp_connect_speech_port(sandbox_web_type)
corenet_sendrecv_http_client_packets(sandbox_web_type)
corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
corenet_sendrecv_squid_client_packets(sandbox_web_type)
corenet_sendrecv_ftp_client_packets(sandbox_web_type)
corenet_sendrecv_ipp_client_packets(sandbox_web_type)
corenet_sendrecv_generic_client_packets(sandbox_web_type)
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
files_dontaudit_getattr_all_dirs(sandbox_web_type)
files_dontaudit_list_mnt(sandbox_web_type)
fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
fs_dontaudit_getattr_all_fs(sandbox_web_type)
storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
auth_use_nsswitch(sandbox_web_type)
dbus_system_bus_client(sandbox_web_type)
dbus_read_config(sandbox_web_type)
selinux_get_fs_mount(sandbox_web_type)
selinux_validate_context(sandbox_web_type)
selinux_compute_access_vector(sandbox_web_type)
selinux_compute_create_context(sandbox_web_type)
selinux_compute_relabel_context(sandbox_web_type)
selinux_compute_user_contexts(sandbox_web_type)
seutil_read_default_contexts(sandbox_web_type)
userdom_rw_user_tmpfs_files(sandbox_web_type)
userdom_delete_user_tmpfs_files(sandbox_web_type)
optional_policy(`
bluetooth_dontaudit_dbus_chat(sandbox_web_type)
')
optional_policy(`
consolekit_dbus_chat(sandbox_web_type)
')
optional_policy(`
hal_dbus_chat(sandbox_web_type)
')
optional_policy(`
nsplugin_read_rw_files(sandbox_web_type)
nsplugin_rw_exec(sandbox_web_type)
nsplugin_manage_rw(sandbox_web_type)
')
optional_policy(`
pulseaudio_stream_connect(sandbox_web_type)
allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
')
optional_policy(`
rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
')
optional_policy(`
networkmanager_dontaudit_dbus_chat(sandbox_web_type)
')
optional_policy(`
udev_read_state(sandbox_web_type)
')
########################################
#
# sandbox_net_client_t local policy
#
typeattribute sandbox_net_client_t sandbox_web_type;
corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
corenet_all_recvfrom_netlabel(sandbox_net_client_t)
corenet_tcp_sendrecv_all_if(sandbox_net_client_t)
corenet_udp_sendrecv_all_if(sandbox_net_client_t)
corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t)
corenet_udp_sendrecv_all_nodes(sandbox_net_client_t)
corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
optional_policy(`
mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
')
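Review bot: The `gen_require` at L4952-L4956 lists `locale_t` twice and omits `device_t`, which the `files_rw_all_inherited_files(...)` call on L4957 references as `-device_t`; this compiles only if some other interface in the module happens to require `device_t`, so add `type device_t;` explicitly and drop the duplicate. The `sandbox_x_domain` self rules repeat themselves: `unix_stream_socket create_stream_socket_perms` at L4976 and L4978 (both subsumed by L4981's `{ connectto create_stream_socket_perms }`), `shm create_shm_perms` at L4974 and L4980, and `unix_dgram_socket { sendto create_socket_perms }` at L4977 and L4982. `corenet_tcp_connect_speech_port(sandbox_web_type)` appears at both L5100 and L5103. The comment at L4942 uses the `##` marker that the .if documentation tool consumes; a plain `#` is the right form in a .te file.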


@ -53,8 +53,14 @@ interface(`seunshare_run',`
########################################
## <summary>
## Role access for seunshare
## The role template for the seunshare module.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
@ -66,15 +72,28 @@ interface(`seunshare_run',`
## </summary>
## </param>
#
interface(`seunshare_role',`
interface(`seunshare_role_template',`
gen_require(`
type seunshare_t;
attribute seunshare_domain;
type seunshare_exec_t;
')
role $2 types seunshare_t;
type $1_seunshare_t, seunshare_domain;
application_domain($1_seunshare_t, seunshare_exec_t)
role $2 types $1_seunshare_t;
seunshare_domtrans($1)
mls_process_set_level($1_seunshare_t)
ps_process_pattern($2, seunshare_t)
allow $2 seunshare_t:process signal;
domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
sandbox_transition($1_seunshare_t, $2)
ps_process_pattern($3, $1_seunshare_t)
allow $3 $1_seunshare_t:process signal_perms;
allow $1_seunshare_t $3:process transition;
dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
ifdef(`hide_broken_symptoms', `
dontaudit $1_seunshare_t $3:socket_class_set { read write };
')
')
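Review bot: `seunshare_domtrans($1)` near the top of the new template body is passed the role prefix (e.g. `user`) rather than a domain type, so if that line is on the new side it cannot name a valid source domain and is in any case redundant with the explicit `domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)` below it; drop it (the rendered view does not show which side it belongs to). The rule `allow $1_seunshare_t $3:process transition;` lets each per-user seunshare domain transition back into the calling user domain and is the privilege-bearing line of the template, so it deserves a why-comment such as `# lets $1_seunshare_t transition back into the invoking user domain $3 -- confirm this is the intended path`. The documentation for the third parameter (`$3`, the user domain) falls in the gap between the two hunks and could not be checked here.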


@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
type seunshare_t;
attribute seunshare_domain;
type seunshare_exec_t;
application_domain(seunshare_t, seunshare_exec_t)
role system_r types seunshare_t;
########################################
#
# seunshare local policy
#
allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
allow seunshare_t self:process { setexec signal getcap setcap };
allow seunshare_domain self:fifo_file rw_file_perms;
allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
allow seunshare_t self:fifo_file rw_file_perms;
allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(seunshare_domain)
corecmd_exec_shell(seunshare_t)
corecmd_exec_bin(seunshare_t)
corecmd_exec_shell(seunshare_domain)
corecmd_exec_bin(seunshare_domain)
files_read_etc_files(seunshare_t)
files_mounton_all_poly_members(seunshare_t)
files_search_all(seunshare_domain)
files_read_etc_files(seunshare_domain)
files_mounton_all_poly_members(seunshare_domain)
auth_use_nsswitch(seunshare_t)
fs_manage_cgroup_dirs(seunshare_domain)
fs_manage_cgroup_files(seunshare_domain)
logging_send_syslog_msg(seunshare_t)
auth_use_nsswitch(seunshare_domain)
miscfiles_read_localization(seunshare_t)
logging_send_syslog_msg(seunshare_domain)
userdom_use_user_terminals(seunshare_t)
miscfiles_read_localization(seunshare_domain)
userdom_use_user_terminals(seunshare_domain)
ifdef(`hide_broken_symptoms', `
fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
fs_dontaudit_list_inotifyfs(seunshare_domain)
optional_policy(`
mozilla_dontaudit_manage_user_home_files(seunshare_t)
mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
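Review bot: `type seunshare_t;`, `application_domain(seunshare_t, seunshare_exec_t)` and `role system_r types seunshare_t;` still appear in the declarations while every permission rule in this hunk now targets `seunshare_domain`, and nothing visible gives `seunshare_t` that attribute; if `seunshare_t` stays in the module it is left with none of its former rules and should be declared `type seunshare_t, seunshare_domain;`, and if it is instead being removed, `seunshare_exec_t` needs a replacement for the `application_domain()` call that presumably also typed it as the executable. The capability set on the attribute grows by `fowner` and `sys_nice` and now applies to every `$1_seunshare_t` produced by the role template, so a comment naming what needs them (the new `fs_manage_cgroup_*` calls suggest cgroup setup) would help keep the set tight, e.g. `# fowner/sys_nice: cgroup directory setup for the sandbox -- confirm`. Which side the `seunshare_t` declaration lines belong to is not recoverable from the rendered view.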


@ -0,0 +1,14 @@
HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)


@ -0,0 +1,188 @@
## <summary>Telepathy framework.</summary>
#######################################
## <summary>
## Creates basic types for telepathy
## domain
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
#
template(`telepathy_domain_template',`
gen_require(`
attribute telepathy_domain;
attribute telepathy_executable;
')
type telepathy_$1_t, telepathy_domain;
type telepathy_$1_exec_t, telepathy_executable;
application_domain(telepathy_$1_t, telepathy_$1_exec_t)
ubac_constrained(telepathy_$1_t)
type telepathy_$1_tmp_t;
files_tmp_file(telepathy_$1_tmp_t)
ubac_constrained(telepathy_$1_tmp_t)
dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
')
#######################################
## <summary>
## Role access for telepathy domains
### that executes via dbus-session
## </summary>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`telepathy_dbus_session_role', `
gen_require(`
attribute telepathy_domain;
')
role $1 types telepathy_domain;
allow $2 telepathy_domain:process { ptrace signal_perms };
ps_process_pattern($2, telepathy_domain)
optional_policy(`
telepathy_dbus_chat($2)
')
telepathy_gabble_stream_connect($2)
telepathy_msn_stream_connect($2)
telepathy_salut_stream_connect($2)
')
########################################
## <summary>
## Send DBus messages to and from
## all Telepathy domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_dbus_chat', `
gen_require(`
attribute telepathy_domain;
class dbus send_msg;
')
allow $1 telepathy_domain:dbus send_msg;
allow telepathy_domain $1:dbus send_msg;
')
########################################
## <summary>
## Send DBus messages to and from
## Telepathy Gabble.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_gabble_dbus_chat', `
gen_require(`
type telepathy_gabble_t;
class dbus send_msg;
')
allow $1 telepathy_gabble_t:dbus send_msg;
allow telepathy_gabble_t $1:dbus send_msg;
')
########################################
## <summary>
## Read and write Telepathy Butterfly
## temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_butterfly_rw_tmp_files', `
gen_require(`
type telepathy_butterfly_tmp_t;
')
allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
files_search_tmp($1)
')
########################################
## <summary>
## Stream connect to Telepathy Gabble
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_gabble_stream_connect', `
gen_require(`
type telepathy_gabble_t, telepathy_gabble_tmp_t;
')
stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
files_search_tmp($1)
')
#######################################
## <summary>
## Stream connect to telepathy MSN managers
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_msn_stream_connect', `
gen_require(`
type telepathy_msn_t, telepathy_msn_tmp_t;
')
stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
files_search_tmp($1)
')
########################################
## <summary>
## Stream connect to Telepathy Salut
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`telepathy_salut_stream_connect', `
gen_require(`
type telepathy_salut_t, telepathy_salut_tmp_t;
')
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
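Review bot: `telepathy_butterfly_rw_tmp_files` requires `telepathy_butterfly_tmp_t`, but no `butterfly` domain is created in this commit — the `.te` instantiates `telepathy_domain_template(msn)` and the `.fc` labels `telepathy-butterfly` as `telepathy_msn_exec_t` — so the first caller of this interface will fail at `gen_require`; it should require `telepathy_msn_tmp_t` and, for consistency with `telepathy_msn_stream_connect`, be named `telepathy_msn_rw_tmp_files`. In `telepathy_dbus_session_role` the doc line `### that executes via dbus-session` carries a third `#`, which the XML doc extractor will most likely not treat as summary text; make it `## that executes via dbus-session`. The same template grants `ptrace` on every telepathy domain to the user domain; since the connection managers likely hold account credentials in memory, consider putting `ptrace` on its own `allow` line with a comment so it can be tightened independently of `signal_perms`.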


@ -0,0 +1,313 @@
policy_module(telepathy, 1.0.0)
########################################
#
# Declarations.
#
## <desc>
## <p>
## Allow the Telepathy connection managers
## to connect to any generic TCP port.
## </p>
## </desc>
gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
attribute telepathy_domain;
attribute telepathy_executable;
telepathy_domain_template(gabble)
type telepathy_gabble_cache_home_t;
userdom_user_home_content(telepathy_gabble_cache_home_t)
telepathy_domain_template(idle)
telepathy_domain_template(mission_control)
type telepathy_mission_control_home_t;
userdom_user_home_content(telepathy_mission_control_home_t)
type telepathy_mission_control_cache_home_t;
userdom_user_home_content(telepathy_mission_control_cache_home_t)
telepathy_domain_template(msn)
telepathy_domain_template(salut)
telepathy_domain_template(sofiasip)
telepathy_domain_template(stream_engine)
telepathy_domain_template(sunshine)
#######################################
#
# Telepathy Butterfly and Haze local policy.
#
allow telepathy_msn_t self:process setsched;
allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms;
allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
corenet_sendrecv_http_client_packets(telepathy_msn_t)
corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
corenet_tcp_connect_http_port(telepathy_msn_t)
corenet_tcp_connect_msnp_port(telepathy_msn_t)
corecmd_exec_bin(telepathy_msn_t)
corecmd_exec_shell(telepathy_msn_t)
corecmd_read_bin_symlinks(telepathy_msn_t)
dev_read_urand(telepathy_msn_t)
files_read_etc_files(telepathy_msn_t)
files_read_usr_files(telepathy_msn_t)
kernel_read_system_state(telepathy_msn_t)
auth_use_nsswitch(telepathy_msn_t)
logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_certs(telepathy_msn_t)
sysnet_read_config(telepathy_msn_t)
optional_policy(`
dbus_system_bus_client(telepathy_msn_t)
')
optional_policy(`
gnome_read_gconf_home_files(telepathy_msn_t)
')
#######################################
#
# Telepathy Gabble local policy.
#
allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms;
allow telepathy_gabble_t self:tcp_socket { listen accept };
allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto };
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
# ~/.cache/gabble/caps-cache.db-journal
optional_policy(`
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file })
')
corenet_sendrecv_commplex_client_packets(telepathy_gabble_t)
corenet_sendrecv_http_client_packets(telepathy_gabble_t)
corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
corenet_tcp_connect_commplex_port(telepathy_gabble_t)
corenet_tcp_connect_http_port(telepathy_gabble_t)
corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
corenet_tcp_connect_vnc_port(telepathy_gabble_t)
dev_read_rand(telepathy_gabble_t)
dev_read_urand(telepathy_gabble_t)
files_read_etc_files(telepathy_gabble_t)
files_read_usr_files(telepathy_gabble_t)
miscfiles_read_certs(telepathy_gabble_t)
sysnet_read_config(telepathy_gabble_t)
optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
tunable_policy(`use_nfs_home_dirs', `
fs_manage_nfs_dirs(telepathy_gabble_t)
fs_manage_nfs_files(telepathy_gabble_t)
')
tunable_policy(`use_samba_home_dirs', `
fs_manage_cifs_dirs(telepathy_gabble_t)
fs_manage_cifs_files(telepathy_gabble_t)
')
#######################################
#
# Telepathy Idle local policy.
#
allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
corenet_tcp_connect_ircd_port(telepathy_idle_t)
files_read_etc_files(telepathy_idle_t)
sysnet_read_config(telepathy_idle_t)
#######################################
#
# Telepathy Mission-Control local policy.
#
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
userdom_search_user_home_dirs(telepathy_mission_control_t)
dev_read_rand(telepathy_mission_control_t)
files_read_etc_files(telepathy_mission_control_t)
files_read_usr_files(telepathy_mission_control_t)
tunable_policy(`use_nfs_home_dirs', `
fs_manage_nfs_dirs(telepathy_mission_control_t)
fs_manage_nfs_files(telepathy_mission_control_t)
')
tunable_policy(`use_samba_home_dirs', `
fs_manage_cifs_dirs(telepathy_mission_control_t)
fs_manage_cifs_files(telepathy_mission_control_t)
')
auth_use_nsswitch(telepathy_mission_control_t)
# ~/.cache/.mc_connections.
optional_policy(`
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
')
optional_policy(`
gnome_read_gconf_home_files(telepathy_mission_control_t)
gnome_setattr_cache_home_dir(telepathy_mission_control_t)
gnome_read_generic_cache_files(telepathy_mission_control_t)
')
#######################################
#
# Telepathy Salut local policy.
#
allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms;
allow telepathy_salut_t self:tcp_socket { accept listen };
manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
corenet_sendrecv_presence_server_packets(telepathy_salut_t)
corenet_tcp_bind_presence_port(telepathy_salut_t)
corenet_tcp_connect_presence_port(telepathy_salut_t)
dev_read_urand(telepathy_salut_t)
files_read_etc_files(telepathy_salut_t)
sysnet_read_config(telepathy_salut_t)
optional_policy(`
dbus_system_bus_client(telepathy_salut_t)
optional_policy(`
avahi_dbus_chat(telepathy_salut_t)
')
')
#######################################
#
# Telepathy Sofiasip local policy.
#
allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms;
allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
allow telepathy_sofiasip_t self:tcp_socket { listen };
corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
dev_read_urand(telepathy_sofiasip_t)
kernel_request_load_module(telepathy_sofiasip_t)
sysnet_read_config(telepathy_sofiasip_t)
#######################################
#
# Telepathy Sunshine local policy.
#
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
corecmd_list_bin(telepathy_sunshine_t)
dev_read_urand(telepathy_sunshine_t)
files_read_etc_files(telepathy_sunshine_t)
files_read_usr_files(telepathy_sunshine_t)
kernel_read_system_state(telepathy_sunshine_t)
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
')
#######################################
#
# telepathy domains common policy
#
allow telepathy_domain self:process { getsched signal };
allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
corenet_all_recvfrom_netlabel(telepathy_domain)
corenet_all_recvfrom_unlabeled(telepathy_domain)
corenet_raw_bind_generic_node(telepathy_domain)
corenet_raw_sendrecv_generic_if(telepathy_domain)
corenet_raw_sendrecv_generic_node(telepathy_domain)
corenet_tcp_bind_generic_node(telepathy_domain)
corenet_tcp_sendrecv_generic_if(telepathy_domain)
corenet_tcp_sendrecv_generic_node(telepathy_domain)
corenet_udp_bind_generic_node(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
miscfiles_read_localization(telepathy_domain)
# This interface does not facilitate files_search_tmp which appears to be a bug.
userdom_stream_connect(telepathy_domain)
userdom_use_user_terminals(telepathy_domain)
tunable_policy(`telepathy_tcp_connect_generic_network_ports', `
corenet_tcp_connect_generic_port(telepathy_domain)
corenet_sendrecv_generic_client_packets(telepathy_domain)
')
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
')
optional_policy(`
nis_use_ypbind(telepathy_domain)
')
optional_policy(`
telepathy_dbus_chat(telepathy_domain)
')
optional_policy(`
xserver_rw_xdm_pipes(telepathy_domain)
')
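Review bot: the common block gives every `telepathy_domain` raw-socket access (`corenet_raw_bind_generic_node`, `corenet_raw_sendrecv_generic_if`, `corenet_raw_sendrecv_generic_node`), yet the only domain in this file that declares a `rawip_socket` is `telepathy_sofiasip_t`; move those three calls into the Sofiasip section so gabble, idle, msn, salut, sunshine and stream_engine do not carry raw IP permissions they never use. In that Sofiasip rule, `listen` on `rawip_socket` is unlikely to be functionally needed (listen() is not supported on raw sockets) and probably only silences a denial, so a `dontaudit` is the better response, and `kernel_request_load_module` lets a user-session process trigger module autoloading, so it deserves a comment naming the denial that prompted it. Separately, `telepathy_msn_t` and `telepathy_sunshine_t` can both create and execute files in their own `*_tmp_t` (`manage_files_pattern` plus `exec_files_pattern`), which makes that type write-and-execute; a comment such as `# helper scripts are run from tmp -- confirm which ones` would record why. Minor: `{ dir file}` and `{ dir file sock_file}` in the msn section lack the closing space used elsewhere in the file.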
