more fixing
This commit is contained in:
Chris PeBenito
parent
f13da83f99
commit
4614e83fbb
@ -135,6 +135,10 @@ gen_tunable(ssh_sysadm_login,false)
|
||||
## dir and read files (such as ~/.bashrc)
|
||||
gen_tunable(staff_read_sysadm_file,false)
|
||||
|
||||
## Configure stunnel to be a standalone daemon or
|
||||
## inetd service.
|
||||
gen_tunable(stunnel_is_daemon,false)
|
||||
|
||||
## Support NFS home directories
|
||||
gen_tunable(use_nfs_home_dirs,false)
|
||||
|
||||
|
||||
@ -45,7 +45,7 @@ type amanda_script_exec_t;
|
||||
files_type(amanda_script_exec_t)
|
||||
|
||||
# temp:
|
||||
typeattribute amanda_user_exec_t entry_type;
|
||||
typeattribute amanda_script_exec_t entry_type;
|
||||
|
||||
# type for the shell configuration files
|
||||
type amanda_shellconfig_t;
|
||||
|
||||
@ -304,6 +304,9 @@ selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
term_use_all_user_ttys(passwd_t)
|
||||
term_use_all_user_ptys(passwd_t)
|
||||
|
||||
auth_manage_shadow(passwd_t)
|
||||
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
|
||||
@ -166,6 +166,7 @@ allow kernel_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow kernel_t self:unix_dgram_socket sendto;
|
||||
allow kernel_t self:unix_stream_socket connectto;
|
||||
allow kernel_t self:fifo_file rw_file_perms;
|
||||
allow kernel_t self:sock_file r_file_perms;
|
||||
allow kernel_t self:fd use;
|
||||
|
||||
# old general_proc_read_access():
|
||||
|
||||
@ -178,6 +178,13 @@ template(`apache_content_template',`
|
||||
libs_read_lib(httpd_$1_script_t)
|
||||
|
||||
miscfiles_read_localization(httpd_$1_script_t)
|
||||
|
||||
# added back to make sediff nicer
|
||||
dev_rw_null_dev(httpd_$1_script_t)
|
||||
term_use_controlling_term(httpd_$1_script_t)
|
||||
allow httpd_$1_script_t self:dir r_dir_perms;
|
||||
allow httpd_$1_script_t self:file r_file_perms;
|
||||
allow httpd_$1_script_t self:lnk_file read;
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
|
||||
@ -289,6 +289,10 @@ ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(httpd_t)
|
||||
term_dontaudit_use_generic_pty(httpd_t)
|
||||
files_dontaudit_read_root_file(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`allow_httpd_anon_write',`
|
||||
@ -335,6 +339,9 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
allow httpd_t httpdcontent:dir create_dir_perms;
|
||||
allow httpd_t httpdcontent:file create_file_perms;
|
||||
allow httpd_t httpdcontent:lnk_file create_lnk_perms;
|
||||
|
||||
# make sediff easier
|
||||
allow httpd_sys_script_t httpdcontent:file { rx_file_perms entrypoint };
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@ -407,17 +414,6 @@ optional_policy(`rhgb.te',`
|
||||
|
||||
can_tcp_connect(web_client_domain, httpd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_sys_script_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
if (httpd_enable_homedirs) {
|
||||
allow httpd_suexec_t user_home_dir_t:dir { getattr search };
|
||||
}
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
@ -495,12 +491,17 @@ allow httpd_suexec_t self:capability { setuid setgid };
|
||||
allow httpd_suexec_t self:process signal_perms;
|
||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
# cjp: need transitionbool
|
||||
ifdef(`targeted_policy',`
|
||||
gen_tunable(httpd_suexec_disable_trans,false)
|
||||
|
||||
tunable_policy(`httpd_suexec_disable_trans',`',`
|
||||
domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||
allow httpd_t httpd_suexec_t:fd use;
|
||||
allow httpd_suexec_t httpd_t:fd use;
|
||||
allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
|
||||
allow httpd_suexec_t httpd_t:process sigchld;
|
||||
')
|
||||
')
|
||||
|
||||
allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
|
||||
allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
|
||||
@ -534,6 +535,12 @@ logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_suexec_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_suexec_t self:udp_socket create_socket_perms;
|
||||
@ -555,6 +562,13 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
|
||||
tunable_policy(`httpd_enable_cgi',`
|
||||
domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||
allow httpd_suexec_t httpd_unconfined_script_t:fd use;
|
||||
allow httpd_unconfined_script_t httpd_suexec_t:fd use;
|
||||
allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
|
||||
allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
|
||||
|
||||
# make sediff happy
|
||||
allow httpd_unconfined_script_t httpd_unconfined_script_exec_t:file { ioctl read getattr lock execute entrypoint };
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
@ -619,6 +633,12 @@ ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file { getattr append };
|
||||
')
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
userdom_search_generic_user_home_dir(httpd_sys_script_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`mysql.te',`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_socket(httpd_sys_script_t)
|
||||
|
||||
@ -598,8 +598,8 @@ ifdef(`targeted_policy', `
|
||||
files_dontaudit_read_root_file(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(cupsd_config_t)
|
||||
optional_policy(`hal.te',`
|
||||
hal_domtrans(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
@ -610,6 +610,10 @@ optional_policy(`logrotate.te',`
|
||||
logrotate_use_fd(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(cupsd_config_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(cupsd_config_t)
|
||||
')
|
||||
|
||||
@ -1 +1,22 @@
|
||||
## <summary>Hardware abstraction layer</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute hal in the hal domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`hal_domtrans',`
|
||||
gen_require(`
|
||||
type hald_t, hald_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,hald_exec_t,hald_t)
|
||||
|
||||
allow $1 hald_t:fd use;
|
||||
allow hald_t $1:fd use;
|
||||
allow hald_t $1:fifo_file rw_file_perms;
|
||||
allow hald_t $1:process sigchld;
|
||||
')
|
||||
|
||||
@ -39,6 +39,7 @@ allow hald_t hald_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
|
||||
|
||||
allow hald_t hald_var_run_t:file create_file_perms;
|
||||
allow hald_t hald_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(hald_t,hald_var_run_t)
|
||||
|
||||
kernel_read_system_state(hald_t)
|
||||
|
||||
@ -32,15 +32,18 @@ interface(`inetd_core_service_domain',`
|
||||
|
||||
role system_r types $1;
|
||||
|
||||
allow inetd_t $1:process sigkill;
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# this regex is a hack, since it assumes there is a
|
||||
# _t at the end of the domain type. If there is no _t
|
||||
# at the end of the type, it returns empty!
|
||||
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
|
||||
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
|
||||
can_exec(inetd_t,$2)
|
||||
# can_exec(inetd_t,$2)
|
||||
# cjp: this must be wrong
|
||||
gen_require(`
|
||||
type initrc_t, unconfined_t;
|
||||
')
|
||||
can_exec({ unconfined_t initrc_t },$2)
|
||||
} else {
|
||||
domain_auto_trans(inetd_t,$2,$1)
|
||||
allow inetd_t $1:fd use;
|
||||
@ -49,6 +52,8 @@ interface(`inetd_core_service_domain',`
|
||||
allow $1 inetd_t:process sigchld;
|
||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow inetd_t $1:process sigkill;
|
||||
|
||||
# make sediff happy
|
||||
allow $1 $2:file { rx_file_perms entrypoint };
|
||||
}
|
||||
@ -60,6 +65,8 @@ interface(`inetd_core_service_domain',`
|
||||
allow $1 inetd_t:process sigchld;
|
||||
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow inetd_t $1:process sigkill;
|
||||
|
||||
# make sediff happy
|
||||
allow $1 $2:file { rx_file_perms entrypoint };
|
||||
')
|
||||
|
||||
@ -38,7 +38,10 @@ type postfix_map_tmp_t;
|
||||
files_tmp_file(postfix_map_tmp_t)
|
||||
|
||||
postfix_domain_template(master)
|
||||
mta_mailserver(postfix_master_t,postfix_master_exec_t)
|
||||
typealias postfix_master_t alias postfix_t;
|
||||
# alias is a hack to make the disable trans bool
|
||||
# generation macro work
|
||||
mta_mailserver(postfix_t,postfix_master_exec_t)
|
||||
|
||||
postfix_public_domain_template(pickup)
|
||||
|
||||
|
||||
@ -70,6 +70,10 @@ allow pppd_t self:udp_socket { connect connected_socket_perms };
|
||||
allow pppd_t self:packet_socket create_socket_perms;
|
||||
|
||||
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
|
||||
allow pppd_t pptp_t:fd use;
|
||||
allow pptp_t pppd_t:fd use;
|
||||
allow pptp_t pppd_t:fifo_file rw_file_perms;
|
||||
allow pptp_t pppd_t:process sigchld;
|
||||
|
||||
allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
|
||||
|
||||
@ -179,10 +183,10 @@ ifdef(`targeted_policy', `
|
||||
|
||||
optional_policy(`postfix.te',`
|
||||
gen_require(`
|
||||
bool postfix_master_disable_transgre;
|
||||
bool postfix_disable_trans;
|
||||
')
|
||||
|
||||
if(!postfix_master_disable_trans) {
|
||||
if(!postfix_disable_trans) {
|
||||
postfix_domtrans_master(pppd_t)
|
||||
}
|
||||
')
|
||||
|
||||
@ -30,6 +30,7 @@ allow privoxy_t privoxy_log_t:dir rw_dir_perms;
|
||||
logging_create_log(privoxy_t,privoxy_log_t)
|
||||
|
||||
allow privoxy_t privoxy_var_run_t:file create_file_perms;
|
||||
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(privoxy_t,privoxy_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(privoxy_t)
|
||||
|
||||
@ -37,6 +37,7 @@ allow stunnel_t self:capability { setgid setuid sys_chroot };
|
||||
allow stunnel_t self:process signal_perms;
|
||||
allow stunnel_t self:fifo_file rw_file_perms;
|
||||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||
allow stunnel_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow stunnel_t stunnel_etc_t:dir { getattr read search };
|
||||
allow stunnel_t stunnel_etc_t:file { read getattr };
|
||||
@ -138,3 +139,14 @@ ifdef(`distro_gentoo', `
|
||||
nscd_use_socket(stunnel_t)
|
||||
')
|
||||
')
|
||||
|
||||
tunable_policy(`stunnel_is_daemon',`
|
||||
allow stunnel_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
# hack since this port has no interfaces since it doesnt
|
||||
# have net_contexts
|
||||
gen_require(`
|
||||
type stunnel_port_t;
|
||||
')
|
||||
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
@ -187,7 +187,8 @@ rhgb_domain(auditd_t)
|
||||
#
|
||||
|
||||
allow klogd_t klogd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(klogd_t,klogd_tmp_t)
|
||||
allow klogd_t klogd_tmp_t:dir create_dir_perms;
|
||||
files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
|
||||
|
||||
allow klogd_t klogd_var_run_t:file create_file_perms;
|
||||
|
||||
@ -209,6 +210,8 @@ dev_read_sysfs(klogd_t)
|
||||
fs_getattr_all_fs(klogd_t)
|
||||
fs_search_auto_mountpoints(klogd_t)
|
||||
|
||||
term_dontaudit_use_console(klogd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(klogd_t)
|
||||
|
||||
files_create_pid(klogd_t,klogd_var_run_t)
|
||||
|
||||
@ -50,6 +50,10 @@ allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
|
||||
|
||||
can_exec(insmod_t, insmod_exec_t)
|
||||
|
||||
# make sediff happy (no effect)
|
||||
dontaudit insmod_t self:process { noatsecure rlimitinh siginh };
|
||||
type_transition insmod_t insmod_exec_t:process insmod_t;
|
||||
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
|
||||
@ -273,6 +273,8 @@ dontaudit ifconfig_t self:capability sys_module;
|
||||
|
||||
allow ifconfig_t self:fd use;
|
||||
allow ifconfig_t self:fifo_file rw_file_perms;
|
||||
allow ifconfig_t self:sock_file r_file_perms;
|
||||
allow ifconfig_t self:socket create_socket_perms;
|
||||
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ifconfig_t self:unix_dgram_socket sendto;
|
||||
|
||||
@ -2126,6 +2126,22 @@ interface(`userdom_create_generic_user_home_dir',`
|
||||
files_create_home_dirs($1,user_home_dir_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search generic user home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_search_generic_user_home_dir',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
|
||||
Loading…
Reference in New Issue
Block a user