trunk: 11 patches from dan.
parent
bd973e3e68
commit
495df41602
@ -1,4 +1,8 @@
|
||||
|
||||
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||
/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
||||
|
||||
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||
|
||||
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(alsa,1.2.0)
|
||||
policy_module(alsa,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,7 +19,7 @@ files_type(alsa_etc_rw_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow alsa_t self:capability { setgid setuid ipc_owner };
|
||||
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
|
||||
dontaudit alsa_t self:capability sys_admin;
|
||||
allow alsa_t self:sem create_sem_perms;
|
||||
allow alsa_t self:shm create_shm_perms;
|
||||
@ -28,12 +28,16 @@ allow alsa_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
|
||||
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
|
||||
|
||||
kernel_read_system_state(alsa_t)
|
||||
|
||||
dev_read_sound(alsa_t)
|
||||
dev_write_sound(alsa_t)
|
||||
|
||||
files_search_home(alsa_t)
|
||||
files_read_etc_files(alsa_t)
|
||||
|
||||
term_use_generic_ptys(alsa_t)
|
||||
term_dontaudit_use_unallocated_ttys(alsa_t)
|
||||
|
||||
libs_use_ld_so(alsa_t)
|
||||
libs_use_shared_libs(alsa_t)
|
||||
|
||||
@ -43,7 +47,13 @@ miscfiles_read_localization(alsa_t)
|
||||
|
||||
userdom_manage_unpriv_user_semaphores(alsa_t)
|
||||
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
||||
userdom_search_generic_user_home_dirs(alsa_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(alsa_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_use_fds(alsa_t)
|
||||
hal_write_log(alsa_t)
|
||||
')
|
||||
|
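Review bot: The capability line carrying `dac_read_search dac_override` widens alsa_t to a capability that bypasses every DAC permission check on every file, and nothing in the hunk says which operation needs it; `dac_read_search` alone already covers traversing and reading paths alsa_t does not own, so if that is all alsactl/ainit require the `dac_override` part should be dropped. If it is genuinely needed (a write to a state file owned by another uid, say), a one-line comment above the allow such as `# dac_override: alsactl rewrites state files it does not own` would record the reason for the next reviewer. Note that the same file also gains `files_search_home` and `userdom_search_generic_user_home_dirs`, so with `dac_override` alsa_t can walk into any home directory regardless of its mode bits, which is worth stating next to the grant.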
@ -36,6 +36,11 @@ ifdef(`distro_redhat',`
|
||||
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -164,6 +169,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
@ -187,6 +193,10 @@ ifdef(`distro_gentoo', `
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.8.2)
|
||||
policy_module(corecommands,1.8.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -867,9 +867,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
|
||||
interface(`corenet_tcp_bind_generic_port',`
|
||||
gen_require(`
|
||||
type port_t;
|
||||
attribute port_type;
|
||||
')
|
||||
|
||||
allow $1 port_t:tcp_socket name_bind;
|
||||
dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -903,9 +905,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
|
||||
interface(`corenet_udp_bind_generic_port',`
|
||||
gen_require(`
|
||||
type port_t;
|
||||
attribute port_type;
|
||||
')
|
||||
|
||||
allow $1 port_t:udp_socket name_bind;
|
||||
dontaudit $1 { port_type -port_t }:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1447,6 +1451,43 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
|
||||
dontaudit $1 reserved_port_type:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect TCP sockets to rpc ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_tcp_connect_all_rpc_ports',`
|
||||
gen_require(`
|
||||
attribute rpc_port_type;
|
||||
')
|
||||
|
||||
allow $1 rpc_port_type:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to connect TCP sockets
|
||||
## all rpc ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
||||
gen_require(`
|
||||
attribute rpc_port_type;
|
||||
')
|
||||
|
||||
dontaudit $1 rpc_port_type:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the TUN/TAP virtual network device.
|
||||
|
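Review bot: The `dontaudit $1 { port_type -port_t }:tcp_socket name_bind;` added to `corenet_tcp_bind_generic_port` (and its udp twin in `corenet_udp_bind_generic_port`) silences every name_bind denial on specifically labelled ports for any caller of a "generic port" interface, so a service that unexpectedly tries to bind a named port no longer leaves an AVC record to detect it by. The file already has `corenet_dontaudit_tcp_bind_generic_port`, so this suppression belongs in a separate dontaudit interface that callers opt into, or at minimum the interface `<summary>` (outside this hunk) should state that binds to all other port types are no longer audited. Separately, the new `corenet_dontaudit_tcp_connect_all_rpc_ports` summary is missing a word: `## Do not audit attempts to connect TCP sockets to all rpc ports.`.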
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.2.12)
|
||||
policy_module(corenetwork,1.2.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -54,6 +54,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
|
||||
#
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
|
||||
#
|
||||
# hi_reserved_port_t is the type of INET port numbers between 600-1023.
|
||||
#
|
||||
type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
|
||||
|
||||
#
|
||||
# server_packet_t is the default type of IPv4 and IPv6 server packets.
|
||||
#
|
||||
@ -67,7 +72,7 @@ network_port(afs_vl, udp,7003,s0)
|
||||
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||
network_port(amavisd_recv, tcp,10024,s0)
|
||||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(aol, tcp,5190,s0, udp,5190,s0)
|
||||
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
|
||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
@ -94,12 +99,13 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
|
||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||
network_port(i18n_input, tcp,9010,s0)
|
||||
network_port(imaze, tcp,5323,s0, udp,5323,s0)
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
|
||||
network_port(innd, tcp,119,s0)
|
||||
network_port(ipp, tcp,631,s0, udp,631,s0)
|
||||
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
|
||||
network_port(ircd, tcp,6667,s0)
|
||||
network_port(isakmp, udp,500,s0)
|
||||
network_port(iscsi, tcp,3260,s0)
|
||||
@ -109,14 +115,15 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
|
||||
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
|
||||
network_port(lmtp, tcp,24,s0, udp,24,s0)
|
||||
network_port(mail, tcp,2000,s0)
|
||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(monopd, tcp,1234,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||
@ -149,7 +156,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(spamd, tcp,783,s0)
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
|
||||
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
|
||||
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
|
||||
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
|
||||
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
|
||||
@ -163,16 +170,21 @@ network_port(transproxy, tcp,8081,s0)
|
||||
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
|
||||
network_port(uucpd, tcp,540,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(wccp, udp,2048,s0)
|
||||
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
network_port(xfs, tcp,7100,s0)
|
||||
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
|
||||
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
|
||||
network_port(zope, tcp,8021,s0)
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise declared.
|
||||
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
|
||||
portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||
portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
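Review bot: `hi_reserved_port_t` is the only type in this hunk carrying `rpc_port_type`, and its `portcon tcp/udp 600-1023` entries catch every port in that range not claimed by an earlier portcon, so the new `corenet_tcp_connect_all_rpc_ports` interface effectively grants connect to the whole unlabelled high-reserved range rather than to a specific set of RPC ports; the comment above the type should say so, e.g. `# hi_reserved_port_t is the type of INET port numbers between 600-1023 that have no more specific portcon; it carries rpc_port_type, so the rpc interfaces cover this whole range.`. The hand-written `portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)` sits outside `network_port()` unlike every other port declaration here; a comment explaining why the range is declared directly would help. Style: `tcp, 8290,s0` in the hplip line and `tcp, 16001, s0` in the soundd line break the `tcp,NNNN,s0` spacing used throughout the file.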
@ -98,6 +98,7 @@ ifdef(`distro_suse', `
|
||||
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
|
||||
|
||||
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
|
||||
|
||||
|
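Review bot: `/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)` gives the uinput control node the same type as the real event devices, but its role is the reverse of theirs: writing to it creates virtual input devices and feeds them events, whereas `/dev/input/event*` is what consumers of input read. Every domain granted event_device_t write access in order to handle input (e.g. via the existing rw interface for input devices) therefore also gains the ability to synthesize keystrokes for the whole system, and an audit of that capability is impossible because the two uses share one label. A dedicated type declared with `dev_node()` like the other device types, with its own narrow rw interface, keeps that grant separately auditable and separately revocable.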
@ -161,6 +161,7 @@ interface(`dev_create_generic_dirs',`
|
||||
type device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir list_dir_perms;
|
||||
create_dirs_pattern($1,device_t,device_t)
|
||||
')
|
||||
|
||||
@ -1303,6 +1304,44 @@ interface(`dev_manage_dri_dev',`
|
||||
filetrans_pattern($1,device_t,dri_device_t,chr_file)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the event devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_getattr_input_dev',`
|
||||
gen_require(`
|
||||
type device_t, event_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir list_dir_perms;
|
||||
allow $1 event_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of the event devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_setattr_input_dev',`
|
||||
gen_require(`
|
||||
type device_t, event_device_t;
|
||||
')
|
||||
|
||||
allow $1 device_t:dir list_dir_perms;
|
||||
allow $1 event_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read input event devices (/dev/input).
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(devices,1.6.0)
|
||||
policy_module(devices,1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -45,6 +45,12 @@ interface(`domain_type',`
|
||||
# start with basic domain
|
||||
domain_base_type($1)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
unconfined_use_fds($1)
|
||||
')
|
||||
')
|
||||
|
||||
# send init a sigchld and signull
|
||||
optional_policy(`
|
||||
init_sigchld($1)
|
||||
@ -59,6 +65,7 @@ interface(`domain_type',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
selinux_dontaudit_getattr_fs($1)
|
||||
selinux_dontaudit_read_fs($1)
|
||||
')
|
||||
|
||||
@ -1270,3 +1277,21 @@ interface(`domain_mmap_low',`
|
||||
|
||||
typeattribute $1 mmap_low_domain_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified type to associate ipsec packets from any domain
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type of subject to be allowed this.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_ipsec_labels',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
allow $1 domain:association { sendto recvfrom };
|
||||
')
|
||||
|
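Review bot: The `ifdef(`distro_redhat', optional_policy(unconfined_use_fds($1)))` block inserted into `domain_type` applies to every domain built on Red Hat and carries no comment about which unconfined process leaks descriptors into confined children, unlike the xdm case elsewhere in this commit which is explained inline; a comment naming the cause should accompany it, or, if the intent is only to quiet the log, a dontaudit variant would be the smaller grant. `domain_type`'s body begins and ends outside the hunk, so where this block sits relative to the other distro-conditional grants is not visible here. The `domain_ipsec_labels` summary `Allow specified type to associate ipsec packets from any domain` lacks its terminating period, and the `<param name="type">` text should match the file's usual `Domain allowed access.` wording.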
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(domain,1.4.1)
|
||||
policy_module(domain,1.4.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -80,6 +80,11 @@ allow domain self:dir list_dir_perms;
|
||||
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
|
||||
allow domain self:file rw_file_perms;
|
||||
kernel_read_proc_symlinks(domain)
|
||||
# Every domain gets the key ring, so we should default
|
||||
# to no one allowed to look at it; afs kernel support creates
|
||||
# a keyring
|
||||
kernel_dontaudit_search_key(domain)
|
||||
kernel_dontaudit_link_key(domain)
|
||||
|
||||
# create child processes in the domain
|
||||
allow domain self:process { fork sigchld };
|
||||
@ -104,6 +109,12 @@ optional_policy(`
|
||||
setrans_translate_context(domain)
|
||||
')
|
||||
|
||||
# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
|
||||
optional_policy(`
|
||||
xserver_dontaudit_use_xdm_fds(domain)
|
||||
xserver_dontaudit_rw_xdm_pipes(domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
|
@ -209,7 +209,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/usr/lost\+found/.* <<none>>
|
||||
|
||||
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
|
||||
|
||||
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
|
||||
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
|
@ -1104,6 +1104,24 @@ interface(`files_getattr_all_mountpoints',`
|
||||
allow $1 mountpoint:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search all mount points.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_all_mountpoints',`
|
||||
gen_require(`
|
||||
attribute mountpoint;
|
||||
')
|
||||
|
||||
allow $1 mountpoint:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of the root directory.
|
||||
@ -1123,6 +1141,25 @@ interface(`files_list_root',`
|
||||
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write
|
||||
## files in the root directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_rw_root_dir',`
|
||||
gen_require(`
|
||||
type root_t;
|
||||
')
|
||||
|
||||
dontaudit $1 root_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in the root directory, with a private
|
||||
@ -3105,6 +3142,24 @@ interface(`files_read_generic_tmp_files',`
|
||||
read_files_pattern($1,tmp_t,tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage temporary directories in /tmp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_generic_tmp_dirs',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1,tmp_t,tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage temporary files and directories in /tmp.
|
||||
@ -3196,6 +3251,44 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
|
||||
dontaudit $1 tmpfile:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow attempts to get the attributes
|
||||
## of all tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_tmp_files',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
')
|
||||
|
||||
allow $1 tmpfile:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all tmp sock_file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_tmp_sockets',`
|
||||
gen_require(`
|
||||
attribute tmpfile;
|
||||
')
|
||||
|
||||
dontaudit $1 tmpfile:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all tmp files.
|
||||
@ -3321,6 +3414,24 @@ interface(`files_rw_usr_dirs',`
|
||||
allow $1 usr_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Add and remove entries from /usr directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_rw_usr_dirs',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
dontaudit $1 usr_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in /usr.
|
||||
@ -3415,6 +3526,24 @@ interface(`files_relabelto_usr_files',`
|
||||
relabelto_files_pattern($1,usr_t,usr_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel a file from the type used in /usr.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabelfrom_usr_files',`
|
||||
gen_require(`
|
||||
type usr_t;
|
||||
')
|
||||
|
||||
relabelfrom_files_pattern($1,usr_t,usr_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links in /usr.
|
||||
@ -4582,6 +4711,15 @@ interface(`files_polyinstantiate_all',`
|
||||
# Default type for mountpoints
|
||||
allow $1 poly_t:dir { create mounton };
|
||||
fs_unmount_xattr_fs($1)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# namespace.init
|
||||
files_search_home($1)
|
||||
corecmd_exec_bin($1)
|
||||
seutil_domtrans_setfiles($1)
|
||||
fs_mount_tmpfs($1)
|
||||
fs_unmount_tmpfs($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
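Review bot: `files_getattr_all_tmp_files` is an allow interface but its `<param>` summary says `Domain not to audit.`, copied from the dontaudit interfaces around it; it should read `## Domain allowed access.`. Likewise the `files_dontaudit_rw_usr_dirs` summary `dontaudit Add and remove entries from /usr directories.` should follow the phrasing of the other dontaudit interfaces in this file, e.g. `## Do not audit attempts to add and remove entries from /usr directories.`. The `distro_redhat` block appended to `files_polyinstantiate_all` grants `corecmd_exec_bin`, `seutil_domtrans_setfiles` and tmpfs mount/unmount to every caller with only `# namespace.init` as justification; a sentence naming which script runs setfiles and why the transition is needed would let a later reader decide whether the grant still applies.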
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(files,1.7.2)
|
||||
policy_module(files,1.7.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -188,6 +188,7 @@ allow file_type self:filesystem associate;
|
||||
fs_associate(file_type)
|
||||
fs_associate_noxattr(file_type)
|
||||
fs_associate_tmpfs(file_type)
|
||||
fs_associate_ramfs(file_type)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(filesystem,1.8.1)
|
||||
policy_module(filesystem,1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -21,6 +21,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
|
||||
|
||||
# Use xattrs for the following filesystem types.
|
||||
# Requires that a security xattr handler exist for the filesystem.
|
||||
fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
|
||||
@ -28,6 +29,7 @@ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
|
||||
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
||||
|
||||
# Use the allocating task SID to label inodes in the following filesystem
|
||||
@ -110,6 +112,7 @@ genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
|
||||
|
||||
type ramfs_t;
|
||||
fs_type(ramfs_t)
|
||||
files_mountpoint(ramfs_t)
|
||||
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
|
||||
|
||||
type romfs_t;
|
||||
@ -127,6 +130,11 @@ fs_type(spufs_t)
|
||||
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
|
||||
files_mountpoint(spufs_t)
|
||||
|
||||
type squash_t;
|
||||
fs_type(squash_t)
|
||||
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
|
||||
files_mountpoint(squash_t)
|
||||
|
||||
type vxfs_t;
|
||||
fs_noxattr_type(vxfs_t)
|
||||
files_mountpoint(vxfs_t)
|
||||
|
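Review bot: `genfscon squash / gen_context(system_u:object_r:squash_t,s0)` uses `squash` as the filesystem name, but the kernel registers SquashFS as `squashfs` (the name that appears in `/proc/filesystems`), so unless this policy targets a kernel that differs, the rule never matches and squashfs mounts fall back to the default label instead of `squash_t`; the line should be `genfscon squashfs / gen_context(system_u:object_r:squash_t,s0)`. The `fs_use_xattr ecryptfs` addition changes where labels for those mounts come from and deserves a short comment stating that ecryptfs exposes the security xattr of the lower filesystem — presumably the reason for the change, but confirm.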
@ -350,6 +350,24 @@ interface(`kernel_search_key',`
|
||||
allow $1 kernel_t:key search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit search the kernel key ring.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_search_key',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
dontaudit $1 kernel_t:key search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow link to the kernel key ring.
|
||||
@ -368,6 +386,24 @@ interface(`kernel_link_key',`
|
||||
allow $1 kernel_t:key link;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit link to the kernel key ring.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_link_key',`
|
||||
gen_require(`
|
||||
type kernel_t;
|
||||
')
|
||||
|
||||
dontaudit $1 kernel_t:key link;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to read the ring buffer.
|
||||
@ -1865,6 +1901,27 @@ interface(`kernel_list_unlabeled',`
|
||||
allow $1 unlabeled_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of all unlabeled_t.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_read_unlabeled_state',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:dir list_dir_perms;
|
||||
read_files_pattern($1,unlabeled_t,unlabeled_t)
|
||||
read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list unlabeled directories.
|
||||
|
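Review bot: `kernel_read_unlabeled_state` is documented as reading `/proc/pid` of unlabeled_t processes, but its body (`allow $1 unlabeled_t:dir list_dir_perms;`, `read_files_pattern($1,unlabeled_t,unlabeled_t)`, `read_lnk_files_pattern(...)`) grants read of every unlabeled_t file, directory and symlink on any filesystem, which includes whatever is left unlabelled on disk after a mount without a label or before a relabel; the summary should state the real scope, e.g. `## Read all unlabeled_t files, directories and symlinks (including /proc/pid of unlabeled_t processes).`. The two new dontaudit interfaces above it use the `<param>` text `Domain allowed access.` where the rest of the file's dontaudit interfaces say `Domain to not audit.`; aligning them keeps the generated documentation consistent. There is also a doubled blank line after the closing `')` of the new interface, unlike the single blank line between interfaces elsewhere.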
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.8.1)
|
||||
policy_module(kernel,1.8.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -8,6 +8,7 @@
|
||||
/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
|
||||
/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
@ -52,7 +53,7 @@ ifdef(`distro_redhat', `
|
||||
|
||||
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
||||
/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
|
||||
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
||||
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
|
@ -267,6 +267,63 @@ interface(`storage_swapon_fixed_disk',`
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes
|
||||
## of device nodes of fuse devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_fuse_dev',`
|
||||
gen_require(`
|
||||
type fuse_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fuse_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## read or write fuse device interfaces.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_rw_fuse',`
|
||||
gen_require(`
|
||||
type fuse_device_t;
|
||||
')
|
||||
|
||||
allow $1 fuse_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read or write
|
||||
## fuse device interfaces.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_rw_fuse',`
|
||||
gen_require(`
|
||||
type fuse_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 fuse_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the caller to get the attributes of
|
||||
|
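Review bot: `storage_rw_fuse` is an allow interface but its `<param>` summary says `Domain to not audit.`, copied from `storage_dontaudit_rw_fuse` below it; it should read `## The type of the process performing this action.` as in `storage_getattr_fuse_dev` above. The two allow interfaces are also inconsistent with each other: `storage_getattr_fuse_dev` calls `dev_list_all_dev_nodes($1)` before its getattr rule, while `storage_rw_fuse` grants only `fuse_device_t:chr_file rw_file_perms`, so a caller of the rw interface alone presumably still needs directory access to reach the node; either both should take the same approach, or the getattr one should drop the listing of all of /dev, which is broader than a getattr interface suggests. The summary `read or write fuse device interfaces.` should be capitalised and phrased like its neighbours, e.g. `## Read and write the FUSE device node (/dev/fuse).`.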
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(storage,1.4.0)
|
||||
policy_module(storage,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,6 +22,12 @@ dev_node(fixed_disk_device_t)
|
||||
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
|
||||
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
|
||||
|
||||
#
|
||||
# fuse_device_t is the type of /dev/fuse
|
||||
#
|
||||
type fuse_device_t;
|
||||
dev_node(fuse_device_t)
|
||||
|
||||
#
|
||||
# scsi_generic_device_t is the type of /dev/sg*
|
||||
# it gives access to ALL SCSI devices (both fixed and removable)
|
||||
|
@ -8,6 +8,7 @@
|
||||
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(terminal,1.6.1)
|
||||
policy_module(terminal,1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|