Tunable, optional and if(n)def blocks go below.
Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below. Tunable, optional and if(n)def blocks go below.
This commit is contained in:
parent
e2d9aa29c5
commit
4781493e45
@ -161,6 +161,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
|
||||
# Write access to public_content_t and public_content_rw_t
|
||||
tunable_policy(`allow_nfsd_anon_write',`
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
@ -173,7 +175,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
auth_manage_all_files_except_shadow(nfsd_t)
|
||||
')
|
||||
userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
dev_getattr_all_blk_files(nfsd_t)
|
||||
|
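Review bot: The relocated `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` now lands between the `# Read access to public_content_t and public_content_rw_t` comment and the `# Write access ...` comment, so a reader scanning headings will take a home-directory filetrans (create) rule as part of the public-content read block. It appears to have been unconditional already, since in the second hunk it follows the `')` that closes the `nfs_export_all_rw` block, so behaviour is unchanged and only the placement under an unrelated heading is misleading. Give the line its own heading, e.g. `# Files and dirs nfsd creates in user home dirs get the user home content type`, with a blank line separating it from the public-content read rules, or place it above the `# Read access` comment.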
@ -45,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
|
||||
type sshd_key_t;
|
||||
files_type(sshd_key_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
type ssh_t;
|
||||
type ssh_exec_t;
|
||||
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
|
||||
@ -83,6 +79,10 @@ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_ho
|
||||
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
|
||||
userdom_user_home_content(ssh_home_t)
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
|
||||
')
|
||||
|
||||
##############################
|
||||
#
|
||||
# SSH client local policy
|
||||
@ -296,15 +296,17 @@ term_use_ptmx(sshd_t)
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
tunable_policy(`sshd_forward_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
corenet_tcp_connect_all_ports(sshd_t)
|
||||
')
|
||||
|
||||
userdom_read_user_home_content_files(sshd_t)
|
||||
userdom_read_user_home_content_symlinks(sshd_t)
|
||||
userdom_search_admin_dir(sshd_t)
|
||||
userdom_manage_tmp_role(system_r, sshd_t)
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
tunable_policy(`sshd_forward_ports',`
|
||||
corenet_tcp_bind_all_unreserved_ports(sshd_t)
|
||||
corenet_tcp_connect_all_ports(sshd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
@ -314,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
userdom_signal_all_users(sshd_t)
|
||||
')
|
||||
|
||||
userdom_spec_domtrans_unpriv_users(sshd_t)
|
||||
userdom_signal_unpriv_users(sshd_t)
|
||||
|
||||
optional_policy(`
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
@ -8,12 +8,6 @@ policy_module(stunnel, 1.9.1)
|
||||
type stunnel_t;
|
||||
type stunnel_exec_t;
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
init_daemon_domain(stunnel_t, stunnel_exec_t)
|
||||
',`
|
||||
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
|
||||
')
|
||||
|
||||
type stunnel_etc_t;
|
||||
files_config_file(stunnel_etc_t)
|
||||
|
||||
@ -23,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
|
||||
type stunnel_var_run_t;
|
||||
files_pid_file(stunnel_var_run_t)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
init_daemon_domain(stunnel_t, stunnel_exec_t)
|
||||
',`
|
||||
inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
|
@ -83,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
|
||||
userdom_manage_user_tmp_files(telnetd_t)
|
||||
userdom_tmp_filetrans_user_tmp(telnetd_t, file)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(telnetd, telnetd_t)
|
||||
kerberos_manage_host_rcache(telnetd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_search_nfs(telnetd_t)
|
||||
')
|
||||
@ -95,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_search_cifs(telnetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_keytab_template(telnetd, telnetd_t)
|
||||
kerberos_manage_host_rcache(telnetd_t)
|
||||
')
|
||||
|
||||
|
@ -358,6 +358,8 @@ userdom_use_user_terminals(xauth_t)
|
||||
userdom_read_user_tmp_files(xauth_t)
|
||||
userdom_read_all_users_state(xauth_t)
|
||||
|
||||
xserver_rw_xdm_tmp_files(xauth_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
fs_dontaudit_rw_anon_inodefs_files(xauth_t)
|
||||
fs_dontaudit_list_inotifyfs(xauth_t)
|
||||
@ -367,8 +369,6 @@ ifdef(`hide_broken_symptoms',`
|
||||
miscfiles_read_fonts(xauth_t)
|
||||
')
|
||||
|
||||
xserver_rw_xdm_tmp_files(xauth_t)
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_files(xauth_t)
|
||||
fs_read_nfs_symlinks(xauth_t)
|
||||
@ -651,6 +651,14 @@ application_signal(xdm_t)
|
||||
xserver_rw_session(xdm_t, xdm_tmpfs_t)
|
||||
xserver_unconfined(xdm_t)
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xdm_t)
|
||||
fs_manage_nfs_files(xdm_t)
|
||||
@ -815,14 +823,6 @@ optional_policy(`
|
||||
unconfined_signal(xdm_t)
|
||||
')
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
allow xdm_t self:process { execheap execmem };
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_dontaudit_search_config(xdm_t)
|
||||
')
|
||||
@ -1142,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
|
||||
|
||||
xserver_use_user_fonts(xserver_t)
|
||||
|
||||
optional_policy(`
|
||||
userhelper_search_config(xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
fs_manage_nfs_files(xserver_t)
|
||||
@ -1175,6 +1171,10 @@ optional_policy(`
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_search_config(xserver_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@ -1281,6 +1281,22 @@ allow x_domain xserver_t:x_screen getattr;
|
||||
# Rules for unconfined access to this module
|
||||
#
|
||||
|
||||
allow xserver_unconfined_type xserver_t:x_server *;
|
||||
allow xserver_unconfined_type xdrawable_type:x_drawable *;
|
||||
allow xserver_unconfined_type xserver_t:x_screen *;
|
||||
allow xserver_unconfined_type x_domain:x_gc *;
|
||||
allow xserver_unconfined_type xcolormap_type:x_colormap *;
|
||||
allow xserver_unconfined_type xproperty_type:x_property *;
|
||||
allow xserver_unconfined_type xselection_type:x_selection *;
|
||||
allow xserver_unconfined_type x_domain:x_cursor *;
|
||||
allow xserver_unconfined_type x_domain:x_client *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@ -1302,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
allow xserver_unconfined_type xserver_t:x_server *;
|
||||
allow xserver_unconfined_type xdrawable_type:x_drawable *;
|
||||
allow xserver_unconfined_type xserver_t:x_screen *;
|
||||
allow xserver_unconfined_type x_domain:x_gc *;
|
||||
allow xserver_unconfined_type xcolormap_type:x_colormap *;
|
||||
allow xserver_unconfined_type xproperty_type:x_property *;
|
||||
allow xserver_unconfined_type xselection_type:x_selection *;
|
||||
allow xserver_unconfined_type x_domain:x_cursor *;
|
||||
allow xserver_unconfined_type x_domain:x_client *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
|
||||
allow xserver_unconfined_type xextension_type:x_extension *;
|
||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||
|
||||
optional_policy(`
|
||||
unconfined_rw_shm(xserver_t)
|
||||
unconfined_execmem_rw_shm(xserver_t)
|
||||
|
||||
# xserver signals unconfined user on startx
|
||||
unconfined_signal(xserver_t)
|
||||
unconfined_getpgid(xserver_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_xserver_execmem',`
|
||||
allow xserver_t self:process { execheap execmem execstack };
|
||||
')
|
||||
@ -1347,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
|
||||
tunable_policy(`use_samba_home_dirs',`
|
||||
fs_append_cifs_files(xdmhomewriter)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_rw_shm(xserver_t)
|
||||
unconfined_execmem_rw_shm(xserver_t)
|
||||
|
||||
# xserver signals unconfined user on startx
|
||||
unconfined_signal(xserver_t)
|
||||
unconfined_getpgid(xserver_t)
|
||||
')
|
||||
|
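Review bot: In the hunk at `@ -651,6 +651,14`, the blocks `ifndef(`distro_redhat',` and `ifdef(`distro_rhel4',` now sit side by side, each carrying the identical `allow xdm_t self:process { execheap execmem };`, with no comment saying why the display manager needs executable heap/anonymous memory or why the rule is granted on non-Red Hat distros and on RHEL4 only. These permissions relax the W^X protection for xdm_t, so the rationale is worth recording where the rules live; the commit only relocates them (the old copies are dropped in the `@ -815,14 +823,6` hunk), so this is a documentation point. A one-line comment above the pair, e.g. `# xdm needs execheap/execmem except on Red Hat releases after RHEL4 (reason: TODO confirm)`, would do. The `tunable_policy(`use_nfs_home_dirs',` block opened at the end of that hunk continues outside it.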