permission set macro changes, plus more cab related work
This commit is contained in:
parent
08eb9d1a33
commit
4bf4ed9e68
@ -10,12 +10,18 @@ allow $1 consoletype_exec_t:file { getattr read execute };
|
||||
allow $1 consoletype_t:process transition;
|
||||
type_transition $1 consoletype_exec_t:process consoletype_t;
|
||||
dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 consoletype_t:fd use;
|
||||
allow consoletype_t $1:fd use;
|
||||
allow consoletype_t $1:fifo_file rw_file_perms;
|
||||
allow consoletype_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`consoletype_transition_depend',`
|
||||
type consoletype_t, consoletype_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
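Review bot: The new `dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };` line carries no comment explaining why these three permissions are silently denied rather than allowed, and the same unexplained line is repeated in the dmesg, netutils, rpm, bootloader and kernel hunks of this commit. Denying them is the safer choice — the transitioned domain starts with AT_SECURE set and does not inherit the caller's signal state or rlimits — but a later maintainer chasing a denial may well flip it to `allow`. I would add directly above it: `# Silently deny inheritance of signal state, rlimits and the no-AT_SECURE flag across the transition; allowing these weakens the new domain's secure-exec state, so do not change this to allow without review.` The `consoletype_transition` macro's opening line is outside the hunk.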
|
||||
|
@ -20,12 +20,18 @@ allow $1 dmesg_exec_t:file { getattr read execute };
|
||||
allow $1 dmesg_t:process transition;
|
||||
type_transition $1 dmesg_exec_t:process dmesg_t;
|
||||
dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 dmesg_t:fd use;
|
||||
allow dmesg_t $1:fd use;
|
||||
allow dmesg_t $1:fifo_file rw_file_perms;
|
||||
allow dmesg_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`dmesg_transition_depend',`
|
||||
type dmesg_t, dmesg_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
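Review bot: The transition rules in `dmesg_transition` (process transition, type_transition, the dontaudit set, fd use in both directions, fifo_file rw and sigchld) are now identical to those in the consoletype, netutils, rpm and bootloader hunks of this commit with only the domain and exec type substituted, and the `_depend` blocks are duplicated the same way. Carrying seven rules plus five require declarations per module means the next adjustment — as this commit's addition of `sigchld` to every `class process` line shows — has to be repeated file by file and is easy to miss in one of them. A shared helper taking (caller, exec type, target domain) that expands to this rule set, with a matching `_depend` helper, would reduce each module to a one-line call; the per-module macro names can remain as thin wrappers so callers are unaffected. The macro's opening `define` is outside the hunk.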
|
||||
|
@ -10,12 +10,18 @@ allow $1 netutils_exec_t:file { getattr read execute };
|
||||
allow $1 netutils_t:process transition;
|
||||
type_transition $1 netutils_exec_t:process netutils_t;
|
||||
dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 netutils_t:fd use;
|
||||
allow netutils_t $1:fd use;
|
||||
allow netutils_t $1:fifo_file rw_file_perms;
|
||||
allow netutils_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`netutils_transition_depend',`
|
||||
type netutils_t, netutils_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
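Review bot: `netutils_transition` and `netutils_transition_depend` have no interface documentation, while the terminal hunk in this same commit shows the tree's `## <module>` / `## <summary>` XML doc convention. Since this interface gives the caller a domain transition into netutils_t plus fd sharing in both directions and rw access for netutils_t on the caller's pipes, the header should say so; I would add above the `define`: `## <summary>Execute network utilities in the netutils domain; the caller's fds and pipes become usable by netutils_t.</summary>` followed by `## <param name="domain">Domain allowed to transition to netutils_t.</param>`. The interface's opening line is outside the hunk, so the doc block would sit in that part of the file.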
|
||||
|
@ -19,12 +19,18 @@ allow $1 rpm_exec_t:file { getattr read execute };
|
||||
allow $1 rpm_t:process transition;
|
||||
type_transition $1 rpm_exec_t:process rpm_t;
|
||||
dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 rpm_t:fd use;
|
||||
allow rpm_t $1:fd use;
|
||||
allow rpm_t $1:fifo_file rw_file_perms;
|
||||
allow rpm_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`rpm_transition_depend',`
|
||||
type rpm_t, rpm_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
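Review bot: `allow $1 rpm_t:fd use;` grants the caller use of file descriptors owned by the package-manager domain, which is the reverse of what an exec-style transition needs: the child inherits the parent's descriptors, so `allow rpm_t $1:fd use;` is the necessary direction and the caller-side rule is extra privilege unless rpm_t actually hands descriptors back to its caller. The same caller-side rule appears in every transition macro of this commit, so it may be a deliberate convention; if no caller depends on it, dropping the line keeps `rpm_transition` at the minimum a domain transition into rpm_t requires, which matters more here than elsewhere because rpm_t is the package-manager domain. The macro's opening line is outside the hunk.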
|
||||
|
@ -47,6 +47,9 @@ role $1_r types $1_gpg_pinentry_t;
|
||||
allow $1_t $1_gpg_t:process transition;
|
||||
allow $1_t gpg_exec_t:file { getattr read execute };
|
||||
type_transition $1_t gpg_exec_t:process $1_gpg_t;
|
||||
allow $1_t $1_gpg_t:fd use;
|
||||
allow $1_gpg_t $1_t:fd use;
|
||||
allow $1_gpg_t $1_t:fifo_file rw_file_perms;
|
||||
|
||||
allow $1_gpg_t self:capability { ipc_lock setuid };
|
||||
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
||||
@ -156,6 +159,9 @@ dontaudit $1_gpg_t var_t:dir search;
|
||||
allow $1_gpg_t $1_gpg_helper_t:process transition;
|
||||
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
|
||||
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
|
||||
allow $1_gpg_t $1_gpg_helper_t:fd use;
|
||||
allow $1_gpg_helper_t $1_t:fd use;
|
||||
allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
|
||||
|
||||
allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
|
||||
@ -273,6 +279,9 @@ can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
|
||||
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
|
||||
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
|
||||
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
|
||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
|
||||
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
|
||||
|
||||
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
||||
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
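Review bot: `allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;` runs in the opposite direction to the other two hunks in this file (`$1_gpg_t` on `$1_t`'s fifos, `$1_gpg_helper_t` on `$1_t`'s fifos) and to the transition macros elsewhere in the commit, where the executed domain gets rw on the pipes it inherits from its parent. Pinentry is the child of the agent here (`type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t`), so the pipe it inherits is labeled `$1_gpg_agent_t` and the rule most likely needs to be `allow $1_gpg_pinentry_t $1_gpg_agent_t:fifo_file rw_file_perms;`; if the agent really does write to pinentry-created pipes, keep both and say why in a comment. Relatedly, none of the three gpg transitions carries the `dontaudit ... { noatsecure siginh rlimitinh }` line the other modules in this commit add, which is worth making consistent. The interface macro these rules belong to begins outside the hunk.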
|
||||
|
@ -19,12 +19,18 @@ allow $1 bootloader_exec_t:file { getattr read execute };
|
||||
allow $1 bootloader_t:process transition;
|
||||
type_transition $1 bootloader_exec_t:process bootloader_t;
|
||||
dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 bootloader_t:fd use;
|
||||
allow bootloader_t $1:fd use;
|
||||
allow bootloader_t $1:fifo_file rw_file_perms;
|
||||
allow bootloader_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`bootloader_transition_depend',`
|
||||
type bootloader_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
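Review bot: `bootloader_transition_depend` declares only `type bootloader_t;`, but the interface body it backs references `bootloader_exec_t` in both the file rule and the `type_transition`, so the require block is incomplete; the parallel consoletype, dmesg, netutils and rpm depend blocks in this commit all declare both types. The line should read `type bootloader_t, bootloader_exec_t;`. The `bootloader_transition` macro's opening line is outside the hunk.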
|
||||
|
@ -50,13 +50,13 @@ class chr_file { getattr relabelfrom relabelto };
|
||||
#
|
||||
define(`devices_list_device_nodes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 device_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
define(`devices_list_device_nodes_depend',`
|
||||
type device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -66,12 +66,12 @@ class lnk_file { getattr read };
|
||||
#
|
||||
define(`devices_ignore_list_device_nodes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 device_t:dir { getattr read search };
|
||||
dontaudit $1 device_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
define(`devices_ignore_list_device_nodes_depend',`
|
||||
type device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -94,13 +94,13 @@ class fifo_file getattr;
|
||||
#
|
||||
define(`devices_get_generic_block_device_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr search read };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 device_t:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`devices_get_generic_block_device_attributes_depend',`
|
||||
type device_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class blk_file getattr;
|
||||
')
|
||||
|
||||
@ -142,13 +142,13 @@ class capability mknod;
|
||||
#
|
||||
define(`devices_get_generic_character_device_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr search read };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`devices_get_generic_character_device_attributes_depend',`
|
||||
type device_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
@ -264,7 +264,7 @@ allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append
|
||||
|
||||
define(`devices_manage_generic_block_devices_depend',`
|
||||
type device_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
')
|
||||
|
||||
@ -280,7 +280,7 @@ allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append
|
||||
|
||||
define(`devices_manage_generic_character_devices_depend',`
|
||||
type device_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
')
|
||||
|
||||
@ -308,14 +308,14 @@ class dir { getattr search read write add_name remove_name };
|
||||
#
|
||||
define(`devices_get_all_block_device_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 device_node:blk_file getattr;
|
||||
')
|
||||
|
||||
define(`devices_get_all_block_device_attributes_depend',`
|
||||
attribute device_node;
|
||||
class blk_file getattr;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -338,14 +338,14 @@ class blk_file getattr;
|
||||
#
|
||||
define(`devices_get_all_character_device_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 device_node:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`devices_get_all_character_device_attributes_depend',`
|
||||
attribute device_node;
|
||||
class chr_file getattr;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -407,7 +407,7 @@ storage_write_scsi_generic($1)
|
||||
|
||||
define(`devices_manage_generic_block_devices_depend',`
|
||||
attribute device_node;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
')
|
||||
|
||||
@ -424,7 +424,7 @@ typeattribute $1 memory_raw_read, memory_raw_write;
|
||||
|
||||
define(`devices_manage_all_character_devices_depend',`
|
||||
attribute device_node, memory_raw_read, memory_raw_write;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
')
|
||||
|
||||
@ -435,7 +435,7 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
|
||||
define(`devices_raw_read_memory',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 memory_raw_read;
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 memory_device_t:chr_file { getattr read ioctl };
|
||||
allow $1 self:capability sys_rawio;
|
||||
')
|
||||
@ -443,7 +443,7 @@ allow $1 self:capability sys_rawio;
|
||||
define(`devices_raw_read_memory_depend',`
|
||||
type device_t, memory_device_t;
|
||||
attribute memory_raw_read;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
class capability sys_rawio;
|
||||
')
|
||||
@ -455,7 +455,7 @@ class capability sys_rawio;
|
||||
define(`devices_raw_write_memory',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 memory_raw_write;
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 memory_device_t:chr_file write;
|
||||
allow $1 self:capability sys_rawio;
|
||||
')
|
||||
@ -463,7 +463,7 @@ allow $1 self:capability sys_rawio;
|
||||
define(`devices_raw_write_memory_depend',`
|
||||
type device_t, memory_device_t;
|
||||
attribute memory_raw_write;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file write;
|
||||
class capability sys_rawio;
|
||||
')
|
||||
@ -504,13 +504,13 @@ class chr_file execute;
|
||||
#
|
||||
define(`devices_get_random_data',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 random_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_get_random_data_depend',`
|
||||
type device_t, random_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -520,13 +520,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_get_pseudorandom_data',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 urandom_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_get_pseudorandom_data_depend',`
|
||||
type device_t, urandom_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -536,13 +536,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_add_entropy',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 random_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_add_entropy_depend',`
|
||||
type device_t, random_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -552,13 +552,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_set_pseudorandom_seed',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 urandom_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_set_pseudorandom_seed_depend',`
|
||||
type device_t, urandom_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -568,14 +568,14 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_use_dev_null',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 null_device_t:chr_file { getattr read write append ioctl };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 null_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`devices_use_dev_null_depend',`
|
||||
type device_t, null_device_t;
|
||||
class device_t:dir { getattr read search };
|
||||
class chr_file { getattr read write append ioctl };
|
||||
class device_t:dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -584,14 +584,14 @@ class chr_file { getattr read write append ioctl };
|
||||
#
|
||||
define(`devices_use_dev_zero',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 zero_device_t:chr_file { getattr read write append ioctl };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 zero_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`devices_use_dev_zero_depend',`
|
||||
type device_t, zero_device_t;
|
||||
class device_t:dir { getattr read search };
|
||||
class chr_file { getattr read write append ioctl };
|
||||
class device_t:dir r_dir_perms;
|
||||
class chr_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -615,13 +615,13 @@ class chr_file execute;
|
||||
#
|
||||
define(`devices_read_realtime_clock',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 clock_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_read_realtime_clock_depend',`
|
||||
type device_t, clock_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -631,13 +631,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_write_realtime_clock',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
|
||||
')
|
||||
|
||||
define(`devices_write_realtime_clock_depend',`
|
||||
type device_t, clock_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { setattr lock write append ioctl };
|
||||
')
|
||||
|
||||
@ -656,13 +656,13 @@ devices_write_realtime_clock($1)
|
||||
#
|
||||
define(`devices_record_sound_input',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 sound_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_record_sound_input_depend',`
|
||||
type device_t, sound_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -672,13 +672,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_play_sound',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 sound_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_play_sound_depend',`
|
||||
type device_t, sound_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -688,13 +688,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_read_sound_mixer_levels',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 sound_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_read_sound_mixer_levels_depend',`
|
||||
type device_t, sound_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -704,13 +704,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_write_sound_mixer_levels',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 sound_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_write_sound_mixer_levels_depend',`
|
||||
type device_t, sound_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -720,13 +720,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_direct_agp_access',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 agp_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_direct_agp_access_depend',`
|
||||
type device_t, agp_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@ -736,13 +736,13 @@ class chr_file { getattr read write ioctl };
|
||||
#
|
||||
define(`devices_get_direct_rendering_interface_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 dri_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`devices_get_direct_rendering_interface_attributes_depend',`
|
||||
type device_t, dri_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
@ -752,13 +752,13 @@ class chr_file getattr;
|
||||
#
|
||||
define(`devices_use_direct_rendering_interface',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 dri_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_use_direct_rendering_interface_depend',`
|
||||
type device_t, dri_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@ -782,13 +782,13 @@ class chr_file { getattr read write ioctl };
|
||||
#
|
||||
define(`devices_read_mtrr',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 mtrr_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_read_mtrr_depend',`
|
||||
type device_t, mtrr_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -798,12 +798,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_write_mtrr',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_write_mtrr_depend',`
|
||||
type device_t, mtrr_device_t;
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -813,13 +814,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_read_framebuffer',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 framebuf_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_read_framebuffer_depend',`
|
||||
type framebuf_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -829,13 +830,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_write_framebuffer',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_write_framebuffer_depend',`
|
||||
type device_t, framebuf_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -845,13 +846,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_read_lvm_control_channel',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 lvm_control_t:chr_file { getattr read };
|
||||
')
|
||||
|
||||
define(`devices_read_lvm_control_channel_depend',`
|
||||
type lvm_control_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { ioctl read getattr lock write append };
|
||||
')
|
||||
|
||||
@ -861,13 +862,13 @@ class chr_file { ioctl read getattr lock write append };
|
||||
#
|
||||
define(`devices_use_lvm_control_channel',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr search read };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
|
||||
')
|
||||
|
||||
define(`devices_use_lvm_control_channel_depend',`
|
||||
type lvm_control_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { ioctl read getattr lock write append };
|
||||
')
|
||||
|
||||
@ -893,13 +894,13 @@ class chr_file unlink;
|
||||
#
|
||||
define(`devices_read_misc',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 misc_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_read_misc_depend',`
|
||||
type device_t, misc_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -909,13 +910,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_write_misc',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 misc_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_write_misc_depend',`
|
||||
type device_t, misc_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr write ioctl };
|
||||
')
|
||||
|
||||
@ -925,13 +926,13 @@ class chr_file { getattr write ioctl };
|
||||
#
|
||||
define(`devices_get_mouse_input',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 mouse_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_get_mouse_input_depend',`
|
||||
type device_t, mouse_device_t;
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -941,13 +942,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_get_input_event',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 event_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_get_input_event_depend',`
|
||||
type device_t, event_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -957,13 +958,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_get_cpuid',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 cpu_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
define(`devices_get_cpuid_depend',`
|
||||
type device_t, cpu_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read ioctl };
|
||||
')
|
||||
|
||||
@ -973,13 +974,13 @@ class chr_file { getattr read ioctl };
|
||||
#
|
||||
define(`devices_load_cpu_microcode',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 cpu_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_load_cpu_microcode_depend',`
|
||||
type device_t, cpu_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@ -989,13 +990,13 @@ class chr_file { getattr read write ioctl };
|
||||
#
|
||||
define(`devices_use_scanner',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 scanner_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_use_scanner_depend',`
|
||||
type device_t, scanner_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
@ -1005,12 +1006,12 @@ class chr_file { getattr read write ioctl };
|
||||
#
|
||||
define(`devices_control_system_powermanagement',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:dir r_dir_perms;
|
||||
allow $1 power_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`devices_control_system_powermanagement_depend',`
|
||||
type device_t, power_device_t;
|
||||
class dir { getattr read search };
|
||||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
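Review bot: `devices_use_dev_zero_depend` now declares `class chr_file r_file_perms;` while the interface body grants `zero_device_t:chr_file rw_file_perms`, so the require block no longer covers the write permissions the rule uses; the line should read `class chr_file rw_file_perms;`, as the dev_null variant just above already does. In the same two depend blocks `class device_t:dir r_dir_perms;` is not valid require syntax — the statement takes a class name only, i.e. `class dir r_dir_perms;` as written everywhere else in the file. `devices_get_mouse_input_depend` has the mirror problem: it carries two `allow $1 device_t:dir ...` rules where a `class dir r_dir_perms;` declaration belongs. Separately, `devices_manage_generic_block_devices_depend` is defined twice in this section (once with `type device_t`, once with `attribute device_node`), and with m4 the second `define` silently replaces the first, so the generic interface ends up requiring the wrong symbol; the second copy presumably should be named `devices_manage_all_block_devices_depend`, matching its character-device sibling.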
|
||||
|
@ -11,12 +11,18 @@ allow kernel_t $1:process transition;
|
||||
allow $1 kernel_t:fd use;
|
||||
type_transition kernel_t $2:process $1;
|
||||
dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
|
||||
allow $1 kernel_t:fd use;
|
||||
allow kernel_t $1:fd use;
|
||||
allow kernel_t $1:fifo_file rw_file_perms;
|
||||
allow kernel_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`kernel_make_userland_entrypoint_depend',`
|
||||
type kernel_t;
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class file { getattr read execute };
|
||||
class fifo_file rw_file_perms;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -418,15 +424,16 @@ class file { getattr read };
|
||||
#
|
||||
define(`kernel_read_system_state',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir { getattr search read };
|
||||
allow $1 proc_t:{ lnk_file file } { getattr read ioctl };
|
||||
allow $1 proc_t:dir r_dir_perms;
|
||||
allow $1 proc_t:lnk_file { getattr read };
|
||||
allow $1 proc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`kernel_read_system_state_depend',`
|
||||
type proc_t;
|
||||
class dir { search getattr read };
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read ioctl };
|
||||
class file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
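Review bot: The child/parent roles are swapped in the rules added to `kernel_make_userland_entrypoint`: `type_transition kernel_t $2:process $1` makes `$1` the transitioned (child) domain and `kernel_t` the parent, yet `allow kernel_t $1:fifo_file rw_file_perms;` and `allow kernel_t $1:process sigchld;` give the parent the child-side permissions, the mirror image of the other transition macros in this commit (e.g. `allow consoletype_t $1:fifo_file rw_file_perms;`, where consoletype_t is the child). If the intent is the same pattern, the lines should be `allow $1 kernel_t:fifo_file rw_file_perms;` and `allow $1 kernel_t:process sigchld;`; if the kernel domain genuinely needs to write to pipes labeled `$1`, that deserves a comment because it widens what kernel_t may touch. The `allow $1 kernel_t:fd use;` rule also appears both above the `type_transition` and again after the new dontaudit line, so one copy is presumably a leftover. The macro's opening line is outside the hunk.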
|
||||
|
@ -1,4 +1,6 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
## <module name="terminal" layer="kernel">
|
||||
## <summary>Policy for terminals.</summary>
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -278,13 +280,13 @@ define(`terminal_use_all_private_pseudoterminals',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr read search };
|
||||
allow $1 ptynode:chr_file { read write };
|
||||
allow $1 ptynode:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`terminal_use_all_private_pseudoterminals_depend',`
|
||||
attribute ptynode;
|
||||
class dir { getattr search read };
|
||||
class chr_file { read write };
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -331,6 +333,21 @@ type tty_device_t;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_relabel_general_physical_terminal(domain)
|
||||
#
|
||||
define(`terminal_relabel_general_physical_terminal',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
define(`terminal_relabel_general_physical_terminal_depend',`
|
||||
type tty_device_t;
|
||||
class chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_reset_physical_terminal_labels(domain)
|
||||
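Review bot: `terminal_relabel_general_physical_terminal` is introduced with only a bare `#` comment header, while the new `corecommands_shell_explicit_transition` later in this commit documents itself with the `## <interface name=…>` / `<description>` / `<parameter>` / `<infoflow>` block; the same applies to the new `terminal_set_all_private_physical_terminal_attributes`, `terminal_relabel_all_private_physical_terminals`, `mta_get_mail_spool_attributes` and `authlogin_modify_login_failure_records`. Relabel interfaces in particular deserve a description saying that the caller may change the label of `tty_device_t` nodes in both directions, since that is a policy-integrity permission rather than plain data access. A short doc block per interface (summary, `domain` parameter, infoflow) would bring them in line with the documented ones.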
@ -346,7 +363,6 @@ define(`terminal_reset_physical_terminal_labels_depend',`
|
||||
attribute ttynode;
|
||||
type tty_device_t;
|
||||
class chr_file { relabelfrom relabelto };
|
||||
devices_list_device_nodes_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -379,12 +395,12 @@ class chr_file { read write };
|
||||
define(`terminal_use_general_physical_terminal',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { read write };
|
||||
allow $1 tty_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`terminal_use_general_physical_terminal_depend',`
|
||||
type tty_device_t;
|
||||
class chr_file { read write };
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -416,6 +432,21 @@ attribute ttynode;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_set_all_private_physical_terminal_attributes(domain)
|
||||
#
|
||||
define(`terminal_set_all_private_physical_terminal_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file setattr;
|
||||
')
|
||||
|
||||
define(`terminal_set_all_private_physical_terminal_attributes_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_get_all_private_physical_terminal_attributes(domain)
|
||||
@ -430,6 +461,21 @@ attribute ttynode;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_relabel_all_private_physical_terminals(domain)
|
||||
#
|
||||
define(`terminal_relabel_all_private_physical_terminals',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
define(`terminal_relabel_all_private_physical_terminals_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="terminal_write_all_private_physical_terminals">
|
||||
## <description>
|
||||
@ -460,12 +506,12 @@ class chr_file { getattr write };
|
||||
define(`terminal_use_all_private_physical_terminals',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file { read write };
|
||||
allow $1 ttynode:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`terminal_use_all_private_physical_terminals_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file { read write };
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -481,3 +527,5 @@ define(`terminal_ignore_use_all_private_physical_terminals_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,6 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
## <module name="mta" layer="keyservices">
|
||||
## <summary>Policy common to all email tranfer agents.</summary>
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -36,6 +38,10 @@ allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
|
||||
allow $1_t sendmail_exec_t:lnk_file { getattr read };
|
||||
allow $1_t $1_mail_t:process transition;
|
||||
type_transition $1_t sendmail_exec_t:process $1_mail_t;
|
||||
allow $1_t $1_mail_t:fd use;
|
||||
allow $1_mail_t $1_t:fd use;
|
||||
allow $1_mail_t $1_t:fifo_file rw_file_perms;
|
||||
allow $1_mail_t $1_t:process sigchld;
|
||||
|
||||
kernel_read_kernel_sysctl($1_mail_t)
|
||||
|
||||
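Review bot: The new backchannel rules for `$1_mail_t` (`fd use`, `fifo_file rw_file_perms`, `process sigchld` against `$1_t`) need matching entries in this template's `_depend` block, which lies outside the hunk; the other templates in this commit add `class fd use;`, `class fifo_file rw_file_perms;` and `sigchld` on `class process` alongside the rules (see `authlogin_per_userdomain_template_depend`). If that block was not updated, the require set is incomplete for any module that instantiates the template.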
@ -174,11 +180,10 @@ allow $1 sendmail_exec_t:file { getattr read execute };
|
||||
allow $1 system_mail_t:process transition;
|
||||
type_transition $1 sendmail_exec_t:process system_mail_t;
|
||||
dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow $1 system_mail_t:fd use;
|
||||
allow system_mail_t $1:process sigchld;
|
||||
allow system_mail_t $1:fd use;
|
||||
allow system_mail_t $1:fifo_file { ioctl read getattr lock write append };
|
||||
allow system_mail_t $1:fifo_file rw_file_perms;
|
||||
allow system_mail_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`mta_send_mail_depend',`
|
||||
@ -239,12 +244,32 @@ type etc_aliases_t;
|
||||
class file { getattr read write append setattr };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_get_mail_spool_attributes(domain)
|
||||
#
|
||||
define(`mta_get_mail_spool_attributes',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_spool_directory($1)
|
||||
allow $1 mail_spool_t:dir r_dir_perms;
|
||||
allow $1 mail_spool_t:lnk_file read;
|
||||
allow $1 mail_spool_t:file getattr;
|
||||
')
|
||||
|
||||
define(`mta_get_mail_spool_attributes_depend',`
|
||||
type mail_spool_t;
|
||||
class dir r_dir_perms;
|
||||
class file getattr;
|
||||
class lnk_file read;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# mta_modify_mail_spool(domain)
|
||||
#
|
||||
define(`mta_modify_mail_spool',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_spool_directory($1)
|
||||
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1 mail_spool_t:file { getattr read write append setattr };
|
||||
')
|
||||
@ -261,6 +286,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
|
||||
#
|
||||
define(`mta_manage_mail_spool',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_spool_directory($1)
|
||||
allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
')
|
||||
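Review bot: `mta_manage_mail_spool` keeps the spelled-out `{ read getattr lock search ioctl add_name remove_name write }` dir set while the rest of the commit converts such sets to named macros (`r_dir_perms`, `ra_dir_perms`, `rw_file_perms`); if this tree defines the matching read/write dir set (`rw_dir_perms` in refpolicy), `allow $1 mail_spool_t:dir rw_dir_perms;` keeps the two spool interfaces consistent. Separately, the mqueue depend block in the next hunk shows `class file { create ioctl read getattr lock write setattr append link unlink rename }` without the terminating `;` that every other require line carries — if that is not a display truncation, the require block will not parse.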
@ -286,3 +312,5 @@ type mqueue_spool_t;
|
||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||
class file { create ioctl read getattr lock write setattr append link unlink rename }
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -51,6 +51,10 @@ selinux_read_config($1_chkpwd_t)
|
||||
allow $1_t chkpwd_exec_t:file { getattr read execute };
|
||||
allow $1_t $1_chkpwd_t:process transition;
|
||||
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
|
||||
allow $1_chkpwd_t $1_t:fd use;
|
||||
allow $1_t $1_chkpwd_t:fd use;
|
||||
allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
|
||||
allow $1_chkpwd_t $1_t:process sigchld;
|
||||
|
||||
# Write to the user domain tty.
|
||||
#userdomain_use_$1_terminal($1_chkpwd_t)
|
||||
@ -80,10 +84,12 @@ define(`authlogin_per_userdomain_template_depend',`
|
||||
attribute can_read_shadow_passwords;
|
||||
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
|
||||
class file { getattr read execute };
|
||||
class process { getattr transition };
|
||||
class process { getattr transition sigchld };
|
||||
class capability setuid;
|
||||
class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -121,12 +127,18 @@ allow $1 login_exec_t:file { getattr read execute };
|
||||
allow $1 $2:process transition;
|
||||
type_transition $1 login_exec_t:process $2;
|
||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||
allow $1 $2:fd use;
|
||||
allow $2 $1:fd use;
|
||||
allow $2 $1:fifo_file rw_file_perms;
|
||||
allow $2 $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`authlogin_login_program_transition_depend',`
|
||||
type login_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
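Review bot: `authlogin_login_program_transition` now carries the same transition-plus-backchannel boilerplate (exec, transition, type_transition, dontaudit, two `fd use`, fifo, sigchld) that this commit pastes into `authlogin_pam_transition`, `authlogin_pam_console_transition`, `authlogin_utempter_transition`, `clock_transition`, `getty_transition`, `hostname_transition`, `hotplug_transition`, `init_transition` and `init_script_transition`, each with a hand-maintained `_depend` twin. The copies already drift (one depend block has a truncated `class fd` line, one interface lacks the `dontaudit`), so a shared helper taking `(caller, exec_type, target_domain)` that emits both halves would make the pattern auditable in one place. Until then, a comment such as `# backchannels: fd, pipe, sigchld (keep in sync with _depend)` above the new lines helps the next editor.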
@ -138,6 +150,10 @@ requires_block_template(`$0'_depend)
|
||||
allow $1 chkpwd_exec_t:file { getattr read execute };
|
||||
allow $1 system_chkpwd_t:process transition;
|
||||
type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
|
||||
allow $1 system_chkpwd_t:fd use;
|
||||
allow system_chkpwd_t $1:fd use;
|
||||
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
||||
allow system_chkpwd_t $1:process sigchld;
|
||||
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
#allow $1_t sbin_t:dir search;
|
||||
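Review bot: `authlogin_check_password_transition` gains the backchannel rules but, unlike the sibling transition interfaces in this commit, has no `dontaudit $1 system_chkpwd_t:process { noatsecure siginh rlimitinh };` after the `type_transition` line; if it is not declared elsewhere in the interface (the body continues outside the hunk), every password check will log those three denials. Adding the line keeps the audit log clean and matches the `authlogin_pam_transition` shape; the `class process` require in `authlogin_check_password_transition_depend` would then need `noatsecure siginh rlimitinh` as well.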
@ -161,8 +177,10 @@ sysnetwork_read_network_config($1)
|
||||
define(`authlogin_check_password_transition_depend',`
|
||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
class file { getattr read execute };
|
||||
class process transition;
|
||||
class process { transition sigchld };
|
||||
class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -265,6 +283,21 @@ type shadow_t;
|
||||
class file relabelto;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_modify_login_failure_records(domain)
|
||||
#
|
||||
define(`authlogin_modify_login_failure_records',`
|
||||
requires_block_template(`$0'_depend)
|
||||
logging_search_system_log_directory($1)
|
||||
allow $1 faillog_t:file { read write append };
|
||||
')
|
||||
|
||||
define(`authlogin_modify_login_failure_records_depend',`
|
||||
type faillog_t;
|
||||
class file { read write append };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_modify_last_login_log(domain)
|
||||
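Review bot: `authlogin_modify_login_failure_records` grants `faillog_t:file { read write append }` without `getattr` or `lock`, while the commit elsewhere settles on `rw_file_perms` for read/write access; a program updating the failure log will normally stat and lock it, so either `allow $1 faillog_t:file rw_file_perms;` (with `class file rw_file_perms;` in the `_depend` block) or a comment explaining why the narrower set is intended. The interface is also undocumented beyond its `#` header.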
@ -297,12 +330,18 @@ allow $1 pam_exec_t:file { getattr read execute };
|
||||
allow $1 pam_t:process transition;
|
||||
type_transition $1 pam_exec_t:process pam_t;
|
||||
dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 pam_t:fd use;
|
||||
allow pam_t $1:fd use;
|
||||
allow pam_t $1:fifo_file rw_file_perms;
|
||||
allow pam_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`authlogin_pam_transition_depend',`
|
||||
type pam_t, pam_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
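Review bot: `authlogin_pam_transition_depend` has `class fd` with no permission and no terminating `;`, so the generated require block will fail to parse; it should read `class fd use;` like the corresponding line in `authlogin_pam_console_transition_depend`. The rule body above it does use `allow $1 pam_t:fd use;`, so the require is needed, not optional.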
@ -394,12 +433,18 @@ allow $1 pam_console_exec_t:file { getattr read execute };
|
||||
allow $1 pam_console_t:process transition;
|
||||
type_transition $1 pam_console_exec_t:process pam_console_t;
|
||||
dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 pam_console_t:fd use;
|
||||
allow pam_console_t $1:fd use;
|
||||
allow pam_console_t $1:fifo_file rw_file_perms;
|
||||
allow pam_console_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`authlogin_pam_console_transition_depend',`
|
||||
type pam_console_t, pam_console_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -525,12 +570,18 @@ allow $1 utempter_exec_t:file { getattr read execute };
|
||||
allow $1 utempter_t:process transition;
|
||||
type_transition $1 utempter_exec_t:process utempter_t;
|
||||
dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 utempter_t:fd use;
|
||||
allow utempter_t $1:fd use;
|
||||
allow utempter_t $1:fifo_file rw_file_perms;
|
||||
allow utempter_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`authlogin_utempter_transition_depend',`
|
||||
type utempter_t, utempter_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -17,12 +17,18 @@ allow $1 hwclock_exec_t:file { getattr read execute };
|
||||
allow $1 hwclock_t:process transition;
|
||||
type_transition $1 hwclock_exec_t:process hwclock_t;
|
||||
dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 hwclock_t:fd use;
|
||||
allow hwclock_t $1:fd use;
|
||||
allow hwclock_t $1:fifo_file rw_file_perms;
|
||||
allow hwclock_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`clock_transition_depend',`
|
||||
type hwclock_t, hwclock_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -54,14 +54,14 @@ define(`corecommands_execute_general_programs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 bin_t:file { getattr read ioctl execute execute_no_trans };
|
||||
allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`corecommands_execute_general_programs_depend',`
|
||||
type bin_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read ioctl execute execute_no_trans };
|
||||
class file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
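Review bot: `corecommands_execute_general_programs` adds `lock` to the `bin_t:file` set by hand, and the same set is hand-edited in `corecommands_execute_system_programs`, `corecommands_execute_shell`, `corecommands_execute_ls` and `domain_execute_all_entrypoint_programs`, with the tokens in a different order in each; this is exactly the case the commit's move to named sets is meant for. If this tree defines a read-and-execute set (refpolicy's `rx_file_perms`), `allow $1 bin_t:file { rx_file_perms execute_no_trans };` in each would make the five interfaces provably identical and drop the ordering noise.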
@ -84,12 +84,12 @@ class dir search;
|
||||
#
|
||||
define(`corecommands_read_system_programs_directory',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 sbin_t:dir { getattr search read };
|
||||
allow $1 sbin_t:dir r_dir_perms;
|
||||
')
|
||||
|
||||
define(`corecommands_read_system_programs_directory_depend',`
|
||||
type sbin_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
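Review bot: Replacing `{ getattr search read }` with `r_dir_perms` in `corecommands_read_system_programs_directory` is a widening, not a rename: judging by the spelled-out `{ read getattr lock search ioctl }` set that appears elsewhere in this commit, the macro also grants `lock` and `ioctl` on the directory. The same substitution is made in `corecommands_execute_shell`, `corecommands_execute_ls`, `domain_ignore_read_all_domains_process_dirs`, `files_read_all_directories`, `files_read_root_dir`, `files_relabel_all_files` and (via `ra_dir_perms`) `files_create_root_dir_entry`. That is reasonable for read interfaces, but the commit message should say the sets were broadened, and the `dontaudit` in `domain_ignore_read_all_domains_process_dirs` now also silences `lock`/`ioctl` denials on all domain dirs.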
@ -114,14 +114,14 @@ define(`corecommands_execute_system_programs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 sbin_t:dir { getattr search read };
|
||||
allow $1 sbin_t:lnk_file { getattr read };
|
||||
allow $1 sbin_t:file { getattr read ioctl execute execute_no_trans };
|
||||
allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`corecommands_execute_system_programs_depend',`
|
||||
type sbin_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read ioctl execute execute_no_trans };
|
||||
class file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -130,16 +130,16 @@ class file { getattr read ioctl execute execute_no_trans };
|
||||
#
|
||||
define(`corecommands_execute_shell',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
|
||||
allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`corecommands_execute_shell_depend',`
|
||||
type bin_t, shell_exec_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read execute execute_no_trans };
|
||||
class file { getattr read lock ioctl execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -148,16 +148,55 @@ class file { getattr read execute execute_no_trans };
|
||||
#
|
||||
define(`corecommands_execute_ls',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:dir r_dir_perms;
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 ls_exec_t:file { getattr read execute execute_no_trans };
|
||||
allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`corecommands_execute_shell_depend',`
|
||||
type bin_t, ls_exec_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read lock ioctl execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corecommands_shell_explicit_transition">
|
||||
## <description>
|
||||
## Execute a shell in the target domain. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <parameter name="target_domain">
|
||||
## The type of the shell process.
|
||||
## </parameter>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`corecommands_shell_explicit_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 shell_exec_t:file { getattr read execute };
|
||||
allow $1 $2:process transition;
|
||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||
allow $1 $2:fd use;
|
||||
allow $2 $1:fd use;
|
||||
allow $2 $1:fifo_file rw_file_perms;
|
||||
allow $2 $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`corecommands_shell_explicit_transition_depend',`
|
||||
type bin_t, shell_exec_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read execute execute_no_trans };
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
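Review bot: The `_depend` block that follows `corecommands_execute_ls` is named `corecommands_execute_shell_depend` but requires `ls_exec_t`; `requires_block_template(`$0'_depend)` inside `corecommands_execute_ls` therefore expands to an undefined `corecommands_execute_ls_depend`, and because m4 keeps the last definition this block silently replaces the real shell depend block above it with one that no longer requires `shell_exec_t`. The line should read `define(`corecommands_execute_ls_depend',`. In `corecommands_shell_explicit_transition_depend` the two `class file` lines, `{ getattr read execute execute_no_trans }` and `{ getattr read execute }`, look like an old/new pair, but only the latter matches the interface's `allow $1 shell_exec_t:file { getattr read execute };`; if both survive on the new side, drop the one with `execute_no_trans`.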
@ -176,20 +215,12 @@ class file { getattr read execute execute_no_trans };
|
||||
#
|
||||
define(`corecommands_shell_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 shell_exec_t:file { getattr read execute };
|
||||
allow $1 $2:process transition;
|
||||
corecommands_shell_explicit_transition($1,$2)
|
||||
type_transition $1 shell_exec_t:process $2;
|
||||
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`corecommands_shell_transition_depend',`
|
||||
type bin_t, shell_exec_t;
|
||||
class dir { getattr search read };
|
||||
class lnk_file { getattr read };
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
type shell_exec_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
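Review bot: `corecommands_shell_transition` still carries `dontaudit $1 $2:process { noatsecure siginh rlimitinh };` after delegating to `corecommands_shell_explicit_transition($1,$2)`, which already emits the identical rule, so the duplicate can go. With the delegation, `corecommands_shell_transition_depend` is reduced to `type shell_exec_t;`, and the `class process transition` needed by the remaining `type_transition` line is only satisfied because the nested interface's require block lands in the same module; a comment such as `# remaining requires come from corecommands_shell_explicit_transition_depend` would make that dependency explicit.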
@ -278,12 +278,12 @@ class process { getattr ptrace };
|
||||
#
|
||||
define(`domain_ignore_read_all_domains_process_dirs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 domain:dir { getattr search read };
|
||||
dontaudit $1 domain:dir r_dir_perms;
|
||||
')
|
||||
|
||||
define(`domain_ignore_read_all_domains_process_dirs_depend',`
|
||||
attribute domain;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
|
||||
@ -402,12 +402,12 @@ class fifo_file getattr;
|
||||
#
|
||||
define(`domain_execute_all_entrypoint_programs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 entry_type:file { getattr read ioctl execute execute_no_trans };
|
||||
allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`domain_execute_all_entrypoint_programs_depend',`
|
||||
attribute entry_type;
|
||||
class file { getattr read ioctl execute execute_no_trans };
|
||||
class file { getattr read ioctl lock execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -416,12 +416,14 @@ class file { getattr read ioctl execute execute_no_trans };
|
||||
#
|
||||
define(`domain_read_all_entrypoint_programs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 entry_type:{ file lnk_file } { getattr read };
|
||||
allow $1 entry_type:lnk_file { getattr read };
|
||||
allow $1 entry_type:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`domain_read_all_entrypoint_programs_depend',`
|
||||
attribute entry_type;
|
||||
class file { getattr read };
|
||||
class file r_file_perms;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -136,7 +136,7 @@ class sock_file getattr;
|
||||
#
|
||||
define(`files_relabel_all_files',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
|
||||
allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
|
||||
allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
|
||||
allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
|
||||
allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
|
||||
@ -149,7 +149,7 @@ selinux_relabelto_binary_policy($1)
|
||||
|
||||
define(`files_relabel_all_files_depend',`
|
||||
attribute file_type;
|
||||
class dir { getattr search read relabelfrom relabelto };
|
||||
class dir { r_dir_perms relabelfrom relabelto };
|
||||
class file { relabelfrom relabelto };
|
||||
class lnk_file { relabelfrom relabelto };
|
||||
class fifo_file { relabelfrom relabelto };
|
||||
@ -215,12 +215,12 @@ class dir search;
|
||||
#
|
||||
define(`files_read_all_directories',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir { getattr search read };
|
||||
allow $1 file_type:dir r_dir_perms;
|
||||
')
|
||||
|
||||
define(`files_read_all_directories_depend',`
|
||||
attribute file_type;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -237,20 +237,6 @@ attribute file_type;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_all_directories(domain)
|
||||
#
|
||||
define(`files_read_all_directories',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`files_read_all_directories_depend',`
|
||||
attribute file_type;
|
||||
class dir { getattr search read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# files_relabelto_all_file_type_filesystems(domain)
|
||||
@ -313,13 +299,13 @@ class dir { getattr search mounton };
|
||||
#
|
||||
define(`files_read_root_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read };
|
||||
allow $1 root_t:dir r_dir_perms;
|
||||
allow $1 root_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
define(`files_read_root_dir_depend',`
|
||||
type root_t;
|
||||
class dir { getattr search read };
|
||||
class dir r_dir_perms;
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -329,12 +315,12 @@ class lnk_file { getattr read };
|
||||
#
|
||||
define(`files_create_root_dir_entry',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read write add_name };
|
||||
allow $1 root_t:dir ra_dir_perms;
|
||||
')
|
||||
|
||||
define(`files_create_root_dir_entry_depend',`
|
||||
type root_t;
|
||||
class dir { getattr search read write add_name };
|
||||
class dir ra_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -10,12 +10,18 @@ allow $1 getty_exec_t:file { getattr read execute };
|
||||
allow $1 getty_t:process transition;
|
||||
type_transition $1 getty_exec_t:process getty_t;
|
||||
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 getty_t:fd use;
|
||||
allow getty_t $1:fd use;
|
||||
allow getty_t $1:fifo_file rw_file_perms;
|
||||
allow getty_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`getty_transition_depend',`
|
||||
type getty_t, getty_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -2,6 +2,11 @@
|
||||
|
||||
policy_module(getty,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type getty_t;
|
||||
type getty_exec_t;
|
||||
init_make_init_domain(getty_t,getty_exec_t)
|
||||
@ -30,9 +35,12 @@ allow getty_t self:process { getpgid getsession };
|
||||
|
||||
allow getty_t getty_etc_t:dir { getattr search read };
|
||||
allow getty_t getty_etc_t:file { getattr read };
|
||||
files_create_private_config(getty_t,getty_etc_t,{ file dir })
|
||||
|
||||
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
|
||||
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
|
||||
files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
|
||||
|
||||
allow getty_t getty_log_t:file { getattr append setattr };
|
||||
|
||||
kernel_read_hardware_state(getty_t)
|
||||
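Review bot: Moving `files_create_private_config` and `files_create_private_tmp_data` next to the explicit `getty_etc_t`/`getty_tmp_t` rules makes the overlap visible: both `getty_tmp_t` lines list `setattr` twice (`{ getattr create read setattr write setattr unlink }`), and the create/setattr/unlink permissions are presumably what the `files_create_private_tmp_data` template already grants (its body is outside this page). Dropping the duplicate token, and the spelled-out rules if the template covers them, would leave one source of truth for getty's tmp access.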
@ -48,8 +56,6 @@ init_script_modify_runtime_data(getty_t)
|
||||
init_script_use_pseudoterminal(getty_t)
|
||||
|
||||
files_modify_system_runtime_data(getty_t)
|
||||
files_create_private_config(getty_t,getty_etc_t,{ file dir })
|
||||
files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
|
||||
files_manage_system_lock_files(getty_t)
|
||||
files_read_runtime_system_config(getty_t)
|
||||
files_read_general_system_config(getty_t)
|
||||
|
@ -9,6 +9,7 @@
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </parameter>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
@ -19,12 +20,18 @@ allow $1 hostname_exec_t:file { getattr read execute };
|
||||
allow $1 hostname_t:process transition;
|
||||
type_transition $1 hostname_exec_t:process hostname_t;
|
||||
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 hostname_t:fd use;
|
||||
allow hostname_t $1:fd use;
|
||||
allow hostname_t $1:fifo_file rw_file_perms;
|
||||
allow hostname_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`hostname_transition_depend',`
|
||||
type hostname_t, hostname_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -32,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
|
||||
## <description>
|
||||
## Execute hostname in the hostname domain, and
|
||||
## allow the specified role the hostname domain.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
|
@ -1,4 +1,9 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
## <module name="hotplug" layer="system">
|
||||
## <summary>
|
||||
## Policy for hotplug system, for supporting the
|
||||
## connection and disconnection of devices at runtime.
|
||||
## </summary>
|
||||
|
||||
#######################################
|
||||
#
|
||||
@ -10,12 +15,18 @@ allow $1 hotplug_exec_t:file { getattr read execute };
|
||||
allow $1 hotplug_t:process transition;
|
||||
type_transition $1 hotplug_exec_t:process hotplug_t;
|
||||
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
|
||||
allow $1 hotplug_t:fd use;
|
||||
allow hotplug_t $1:fd use;
|
||||
allow hotplug_t $1:fifo_file rw_file_perms;
|
||||
allow hotplug_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`hotplug_transition_depend',`
|
||||
type hotplug_t, hotplug_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@ -99,3 +110,5 @@ class file { read getattr lock ioctl };
|
||||
class dir { read getattr lock search ioctl };
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -13,13 +13,18 @@ allow init_t $1:process transition;
|
||||
allow init_t $2:file { getattr read execute };
|
||||
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition init_t $2:process $1;
|
||||
allow $1 init_t:fd use;
|
||||
allow init_t $1:fd use;
|
||||
allow $1 init_t:fifo_file rw_file_perms;
|
||||
allow $1 init_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`init_make_init_domain_depend',`
|
||||
type init_t;
|
||||
class file { getattr read execute };
|
||||
class fd use;
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
class fifo_file rw_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
role system_r;
|
||||
')
|
||||
|
||||
@ -36,17 +41,16 @@ allow initrc_t $1:process transition;
|
||||
allow initrc_t $2:file { getattr read execute };
|
||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition initrc_t $2:process $1;
|
||||
allow initrc_t $1:fd use;
|
||||
allow $1 initrc_t:fd use;
|
||||
# backchannels:
|
||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||
allow $1 initrc_t:process sigchld;
|
||||
# cjp: probably for logging
|
||||
allow $1 initrc_t:fifo_file { getattr write };
|
||||
')
|
||||
|
||||
define(`init_make_daemon_domain_depend',`
|
||||
type initrc_t;
|
||||
class file { getattr read execute };
|
||||
class fifo_file { getattr write };
|
||||
class fifo_file rw_file_perms;
|
||||
class fd use;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
role system_r;
|
||||
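Review bot: In `init_make_daemon_domain` the old write-only `allow $1 initrc_t:fifo_file { getattr write };` (annotated as probably for logging) becomes `rw_file_perms`, so every daemon domain created through this template, and through `init_make_init_domain` and `init_make_system_domain` in the neighbouring hunks, can now also read from pipes owned by the init domains. If the backchannel only has to carry the daemon's stdout/stderr back to the init script, `{ getattr write append }` is the tighter set; if bidirectional pipe traffic is intended, the new `# backchannels:` comment should say so, e.g. `# backchannels: daemon may read/write inherited initrc pipes and signal exit`.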
@ -65,18 +69,17 @@ allow initrc_t $1:process transition;
|
||||
allow initrc_t $2:file { getattr read execute };
|
||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition initrc_t $2:process $1;
|
||||
allow initrc_t $1:fd use;
|
||||
allow $1 initrc_t:fd use;
|
||||
# backchannels:
|
||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||
allow $1 initrc_t:process sigchld;
|
||||
# cjp: probably for logging
|
||||
allow $1 initrc_t:fifo_file { getattr write };
|
||||
')
|
||||
|
||||
define(`init_make_system_domain_depend',`
|
||||
type initrc_t;
|
||||
class file { getattr read execute };
|
||||
class fd use;
|
||||
class fifo_file { getattr write };
|
||||
class fifo_file rw_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
@ -91,12 +94,18 @@ allow $1 init_exec_t:file { getattr read execute };
allow $1 init_t:process transition;
type_transition $1 init_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
allow $1 init_t:fd use;
allow init_t $1:fd use;
allow init_t $1:fifo_file rw_file_perms;
allow init_t $1:process sigchld;
')
define(`init_transition_depend',`
type init_t, init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
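Review bot: `allow $1 init_t:fd use;` grants the caller `use` over descriptors created by init_t, which is the reverse of what an exec transition needs: the new domain inherits the caller's descriptors, and that case is already covered by `allow init_t $1:fd use;`. Unless a caller is known to receive descriptors back from init_t, the first rule widens the interface for no visible consumer and should be dropped, or kept with a comment such as `# caller uses descriptors opened by init_t` naming the consumer. The same pair is added by the other *_transition hunks in this commit (init_script, iptables, ldconfig, lvm, modutils, mount, the selinux tools, dhcpc, ifconfig and udev).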
@ -222,12 +231,18 @@ allow $1 initrc_exec_t:file { getattr read execute };
allow $1 initrc_t:process transition;
type_transition $1 initrc_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
allow $1 initrc_t:fd use;
allow initrc_t $1:fd use;
allow initrc_t $1:fifo_file rw_file_perms;
allow initrc_t $1:process sigchld;
')
define(`init_script_transition_depend',`
type initrc_t, initrc_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
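Review bot: `type_transition $1 initrc_exec_t:process init_t;` defaults callers of init_script_transition into init_t, but the rule above only allows `$1 initrc_t:process transition` and the backchannel lines added here are written for initrc_t, so the default transition is denied or, for a caller that may also enter init_t, lands in the init domain rather than the init script domain. `dontaudit $1 init_t:process { noatsecure siginh rlimitinh };` has the same mismatch. Both should name initrc_t: `type_transition $1 initrc_exec_t:process initrc_t;` and `dontaudit $1 initrc_t:process { noatsecure siginh rlimitinh };`.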
@ -275,26 +290,6 @@ class lnk_file { read getattr };
class process { getattr ptrace };
')
########################################
#
# init_script_direct_admin_transition(role,domain)
#
define(`init_script_direct_admin_transition',`
requires_block_template(`$0'_depend)
allow $2 initrc_exec_t:file { getattr read execute };
allow $2 initrc_t:process transition;
type_transition $2 initrc_exec_t:file init_t;
role_transition $1 initrc_exec_t system_r;
dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
')
define(`init_script_direct_admin_transition_depend',`
type initrc_t, initrc_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
kernel_system_role_transition_depend
')
########################################
#
# init_script_use_file_descriptors(domain)
@ -17,12 +17,18 @@ allow $1 iptables_exec_t:file { getattr read execute };
allow $1 iptables_t:process transition;
type_transition $1 iptables_exec_t:process iptables_t;
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
allow $1 iptables_t:fd use;
allow iptables_t $1:fd use;
allow iptables_t $1:fifo_file rw_file_perms;
allow iptables_t $1:process sigchld;
')
define(`iptables_transition_depend',`
type iptables_t, iptables_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -19,12 +19,18 @@ allow $1 ldconfig_exec_t:file { getattr read execute };
allow $1 ldconfig_t:process transition;
type_transition $1 ldconfig_exec_t:process ldconfig_t;
dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
allow $1 ldconfig_t:fd use;
allow ldconfig_t $1:fd use;
allow ldconfig_t $1:fifo_file rw_file_perms;
allow ldconfig_t $1:process sigchld;
')
define(`libraries_ldconfig_transition_depend',`
type ldconfig_t, ldconfig_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -71,18 +77,18 @@ class chr_file { getattr read write ioctl };
define(`libraries_use_dynamic_loader',`
requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1)
allow $1 lib_t:dir { getattr search read };
allow $1 lib_t:lnk_file { getattr read };
allow $1 ld_so_t:lnk_file { getattr read };
allow $1 ld_so_t:file { getattr read execute };
allow $1 ld_so_cache_t:file { getattr read };
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;
')
define(`libraries_use_dynamic_loader_depend',`
type lib_t, ld_so_t, ld_so_cache_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read execute };
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_file_perms;
')
########################################
@ -127,17 +133,17 @@ class file { execute execmod };
#
define(`libraries_execute_dynamic_loader',`
requires_block_template(`$0'_depend)
allow $1 lib_t:dir { getattr search read };
allow $1 lib_t:lnk_file { getattr read };
allow $1 ld_so_t:lnk_file { getattr read };
allow $1 ld_so_t:file { getattr read execute execute_no_trans };
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
')
define(`libraries_execute_dynamic_loader_depend',`
type lib_t, ld_so_t;
class dir { getattr search read };
class lnk_file { getattr read };
class file { getattr read execute execute_no_trans };
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { r_file_perms execute execute_no_trans };
')
########################################
@ -227,17 +233,17 @@ class file { getattr read execute execute_no_trans };
define(`libraries_use_shared_libraries',`
requires_block_template(`$0'_depend)
files_search_general_application_resources_dir($1)
allow $1 lib_t:dir { getattr search read };
allow $1 lib_t:lnk_file { getattr read };
allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
allow $1 { shlib_t texrel_shlib_t }:file { getattr read execute };
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
')
define(`libraries_use_shared_libraries_depend',`
type lib_t, shlib_t, texrel_shlib_t;
class dir { getattr searc read };
class lnk_file { getattr read };
class file { getattr read execute };
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_dir_perms;
')
########################################
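Review bot: `class file rx_dir_perms;` in libraries_use_shared_libraries_depend does not match the body, which grants `allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;`; the require line should be `class file rx_file_perms;`. The dir and lnk_file require lines above it do agree with the body.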
@ -66,11 +66,16 @@ devices_get_pseudorandom_data(local_login_t)
terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t)
terminal_relabel_general_physical_terminal(local_login_t)
terminal_relabel_all_private_physical_terminals(local_login_t)
terminal_set_all_private_physical_terminal_attributes(local_login_t)
terminal_set_general_physical_terminal_attributes(local_login_t)
authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
authlogin_modify_login_failure_records(local_login_t)
authlogin_pam_execute(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t)
@ -78,8 +83,8 @@ domain_read_all_entrypoint_programs(local_login_t)
files_read_general_system_config(local_login_t)
files_read_runtime_system_config(local_login_t)
files_list_home_directories(local_login_t)
files_read_general_application_resources(local_login_t)
files_manage_system_lock_files(var_lock_t)
init_script_modify_runtime_data(local_login_t)
init_ignore_use_file_descriptors(local_login_t)
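Review bot: `files_manage_system_lock_files(var_lock_t)` passes the lock file type where every other call in this block passes the process domain, so the rules are granted to var_lock_t rather than to local_login_t, and the `# Create lock file.` rules removed further down in this file have no working replacement. It should read `files_manage_system_lock_files(local_login_t)`.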
@ -94,8 +99,14 @@ miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
userdomain_all_users_explicit_transition(local_login_t)
userdomain_signal_all_userdomains(local_login_t)
userdomain_search_all_users_home_dirs(local_login_t)
userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
# Search for mail spool file.
mta_get_mail_spool_attributes(local_login_t)
ifdef(`TODO',`
can_ypbind(local_login_t)
@ -117,15 +128,9 @@ allow local_login_t default_t:notdevfile_class_set r_file_perms;
allow local_login_t readable_t:dir r_dir_perms;
allow local_login_t readable_t:notdevfile_class_set r_file_perms;
# Read /var, /var/spool
allow local_login_t { var_t var_spool_t }:dir search;
# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;
# Read /dev directories and any symbolic links.
allow local_login_t device_t:lnk_file r_file_perms;
dontaudit local_login_t sysfs_t:dir search;
allow local_login_t autofs_t:dir { search read getattr };
@ -140,18 +145,6 @@ ifdef(`crack.te', `
allow local_login_t crack_db_t:file r_file_perms;
')
# Permit login to search the user home directories.
allow local_login_t home_root_t:dir search;
allow local_login_t home_dir_type:dir search;
# Write to /var/log/btmp
allow local_login_t faillog_t:file { append read write };
# Search for mail spool file.
allow local_login_t mail_spool_t:dir r_dir_perms;
allow local_login_t mail_spool_t:file getattr;
allow local_login_t mail_spool_t:lnk_file read;
allow local_login_t mouse_device_t:chr_file { getattr setattr };
tunable_policy(`targeted_policy',`
@ -159,10 +152,6 @@ unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')
# But also permit other user domains to be entered by login.
domain_trans(local_login_t, shell_exec_t, userdomain)
allow local_login_t userdomain:process signal;
# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
@ -177,18 +166,6 @@ dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;
# Create lock file.
allow local_login_t var_lock_t:dir rw_dir_perms;
allow local_login_t var_lock_t:file create_file_perms;
# Read and write ttys.
allow local_login_t tty_device_t:chr_file setattr;
allow local_login_t ttyfile:chr_file setattr;
# Relabel ttys.
allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { relabelfrom relabelto };
optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')
@ -241,6 +218,7 @@ selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t)
userdomain_sysadm_shell_transition(sulogin_t)
userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
# suse and debian do not use pam with sulogin...
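Review bot: `userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)` gives the single-user rescue login `use` over descriptors created by every unprivileged user domain, and nothing in the hunk names the descriptor sulogin_t would inherit that way. If there is a concrete consumer, a one-line comment above the call recording it (for example `# inherits the tty from <caller domain> — confirm`) keeps the grant reviewable; otherwise the call is wider than the rest of this block, which only adds the sysadm shell transition.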
@ -264,7 +242,6 @@ kernel_compute_selinux_reachable_user_contexts(sulogin_t)
ifdef(`TODO',`
domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
can_ypbind(sulogin_t)
@ -1,4 +1,6 @@
# Copyright (C) 2005 Tresys Technology, LLC
## <module name="lvm" layer="system">
## <summary>Policy for logical volume management programs.</summary>
########################################
## <interface name="lvm_transition">
@ -17,12 +19,18 @@ allow $1 lvm_exec_t:file { getattr read execute };
allow $1 lvm_t:process transition;
type_transition $1 lvm_exec_t:process lvm_t;
dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
allow $1 lvm_t:fd use;
allow lvm_t $1:fd use;
allow lvm_t $1:fifo_file rw_file_perms;
allow lvm_t $1:process sigchld;
')
define(`lvm_transition_depend',`
type lvm_t, lvm_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -76,3 +84,4 @@ type lvm_t, lvm_exec_t;
class file { getattr read };
')
## </module>
@ -65,7 +65,9 @@ allow $1 insmod_exec_t:file { getattr read execute };
allow $1 insmod_t:process transition;
type_transition $1 insmod_exec_t:process insmod_t;
dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
# backchannel:
allow $1 insmod_t:fd use;
allow insmod_t $1:fd use;
allow insmod_t $1:fifo_file rw_file_perms;
allow insmod_t $1:process sigchld;
')
@ -73,6 +75,8 @@ define(`modutils_insmod_transition_depend',`
type insmod_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -138,12 +142,18 @@ allow $1 depmod_exec_t:file { getattr read execute };
allow $1 depmod_t:process transition;
type_transition $1 depmod_exec_t:process depmod_t;
dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
allow $1 depmod_t:fd use;
allow depmod_t $1:fd use;
allow depmod_t $1:fifo_file rw_file_perms;
allow depmod_t $1:process sigchld;
')
define(`modutils_depmod_transition_depend',`
type depmod_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -206,12 +216,18 @@ allow $1 update_modules_exec_t:file { getattr read execute };
allow $1 update_modules_t:process transition;
type_transition $1 update_modules_exec_t:process update_modules_t;
dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
allow $1 update_modules_t:fd use;
allow update_modules_t $1:fd use;
allow update_modules_t $1:fifo_file rw_file_perms;
allow update_modules_t $1:process sigchld;
')
define(`modutils_update_modules_transition_depend',`
type update_modules_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh signal };
class fd use;
class fifo_file rw_file_perms;
')
########################################
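Review bot: `class process { transition noatsecure siginh rlimitinh signal };` in modutils_update_modules_transition_depend requires `signal`, but the body grants `allow update_modules_t $1:process sigchld;` and never uses `signal`, so in a module build the sigchld rule has no matching requirement. Every other depend block in this commit spells it `class process { transition noatsecure siginh rlimitinh sigchld };`.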
@ -17,12 +17,18 @@ allow $1 mount_exec_t:file { getattr read execute };
allow $1 mount_t:process transition;
type_transition $1 mount_exec_t:process mount_t;
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
allow $1 mount_t:fd use;
allow mount_t $1:fd use;
allow mount_t $1:fifo_file rw_file_perms;
allow mount_t $1:process sigchld;
')
define(`mount_transition_depend',`
type mount_t, mount_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
allow $1 checkpolicy_t:fd use;
allow checkpolicy_t $1:fd use;
allow checkpolicy_t $1:fifo_file rw_file_perms;
allow checkpolicy_t $1:process sigchld;
')
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
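Review bot: `class process { transition noatsecure siginh rlimitinh sigchld sigchld };` lists sigchld twice in selinux_checkpolicy_transition_depend; it should read `class process { transition noatsecure siginh rlimitinh sigchld };` like the other depend blocks. The second rendering of this file section further down repeats the line.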
@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
allow $1 load_policy_t:fd use;
allow load_policy_t $1:fd use;
allow load_policy_t $1:fifo_file rw_file_perms;
allow load_policy_t $1:process sigchld;
')
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
allow $1 newrole_t:fd use;
allow newrole_t $1:fd use;
allow newrole_t $1:fifo_file rw_file_perms;
allow newrole_t $1:process sigchld;
')
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
allow $1 restorecon_t:fd use;
allow restorecon_t $1:fd use;
allow restorecon_t $1:fifo_file rw_file_perms;
allow restorecon_t $1:process sigchld;
')
define(`selinux_restorecon_transition_depend',`
type restorecon_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
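Review bot: selinux_restorecon_transition_depend requires only `type restorecon_exec_t;`, while the body's transition rules and the new `allow restorecon_t $1:fd use;`, `:fifo_file rw_file_perms` and `:process sigchld` lines all use restorecon_t, so the require block is missing that type: `type restorecon_t, restorecon_exec_t;`. The repeated copy of this section below has the same line.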
@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
allow $1 run_init_t:fd use;
allow run_init_t $1:fd use;
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:process sigchld;
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
allow $1 setfiles_t:fd use;
allow setfiles_t $1:fd use;
allow setfiles_t $1:fifo_file rw_file_perms;
allow setfiles_t $1:process sigchld;
')
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -19,12 +19,18 @@ allow $1 checkpolicy_exec_t:file { getattr read execute };
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
allow $1 checkpolicy_t:fd use;
allow checkpolicy_t $1:fd use;
allow checkpolicy_t $1:fifo_file rw_file_perms;
allow checkpolicy_t $1:process sigchld;
')
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -33,6 +39,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
@ -89,12 +96,18 @@ allow $1 load_policy_exec_t:file { getattr read execute };
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
allow $1 load_policy_t:fd use;
allow load_policy_t $1:fd use;
allow load_policy_t $1:fifo_file rw_file_perms;
allow load_policy_t $1:process sigchld;
')
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -103,6 +116,7 @@ class process { transition noatsecure siginh rlimitinh };
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
@ -173,12 +187,18 @@ allow $1 newrole_exec_t:file { getattr read execute };
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
allow $1 newrole_t:fd use;
allow newrole_t $1:fd use;
allow newrole_t $1:fifo_file rw_file_perms;
allow newrole_t $1:process sigchld;
')
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -293,12 +313,18 @@ allow $1 restorecon_exec_t:file { getattr read execute };
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
allow $1 restorecon_t:fd use;
allow restorecon_t $1:fd use;
allow restorecon_t $1:fifo_file rw_file_perms;
allow restorecon_t $1:process sigchld;
')
define(`selinux_restorecon_transition_depend',`
type restorecon_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -363,12 +389,18 @@ allow $1 run_init_exec_t:file { getattr read execute };
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
allow $1 run_init_t:fd use;
allow run_init_t $1:fd use;
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:process sigchld;
')
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -433,12 +465,18 @@ allow $1 setfiles_exec_t:file { getattr read execute };
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
allow $1 setfiles_t:fd use;
allow setfiles_t $1:fd use;
allow setfiles_t $1:fifo_file rw_file_perms;
allow setfiles_t $1:process sigchld;
')
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -10,12 +10,18 @@ allow $1 dhcpc_exec_t:file { getattr read execute };
allow $1 dhcpc_t:process transition;
type_transition $1 dhcpc_exec_t:process dhcpc_t;
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
allow $1 dhcpc_t:fd use;
allow dhcpc_t $1:fd use;
allow dhcpc_t $1:fifo_file rw_file_perms;
allow dhcpc_t $1:process sigchld;
')
define(`sysnetwork_dhcpc_transition_depend',`
type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
#######################################
@ -35,12 +41,18 @@ allow $1 ifconfig_exec_t:file { getattr read execute };
allow $1 ifconfig_t:process transition;
type_transition $1 ifconfig_exec_t:process ifconfig_t;
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
allow $1 ifconfig_t:fd use;
allow ifconfig_t $1:fd use;
allow ifconfig_t $1:fifo_file rw_file_perms;
allow ifconfig_t $1:process sigchld;
')
define(`sysnetwork_ifconfig_transition_depend',`
type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -10,8 +10,9 @@ allow $1 udev_exec_t:file { getattr read execute };
allow $1 udev_t:process transition;
type_transition $1 udev_exec_t:process udev_t;
dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
# backchannels:
allow $1 udev_t:fd use;
allow udev_t $1:fd use;
allow udev_t $1:fifo_file rw_file_perms;
allow udev_t $1:process sigchld;
')
@ -19,6 +20,8 @@ define(`udev_transition_depend',`
type udev_t, udev_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
@ -150,6 +150,7 @@ authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t
|
||||
|
||||
corecommands_execute_general_programs($1_t)
|
||||
corecommands_execute_system_programs($1_t)
|
||||
corecommands_execute_ls($1_t)
|
||||
|
||||
domain_execute_all_entrypoint_programs($1_t)
|
||||
domain_use_widely_inheritable_file_descriptors($1_t)
|
||||
@ -808,6 +809,28 @@ allow $1_t eventpollfs_t:file getattr;
|
||||
') dnl endif TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_all_users_explicit_transition">
|
||||
## <description>
|
||||
## Execute a shell in all user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`userdomain_all_users_explicit_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
corecommands_shell_explicit_transition($1,userdomain)
|
||||
')
|
||||
|
||||
define(`userdomain_all_users_explicit_transition_depend',`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_sysadm_shell_transition">
|
||||
## <description>
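Review bot: The `_depend` block of `userdomain_all_users_explicit_transition` requires `type sysadm_t;`, but the interface body never mentions sysadm_t — it passes the `userdomain` attribute to `corecommands_shell_explicit_transition($1,userdomain)`, so the require should read `attribute userdomain;` (the same way `userdomain_signal_all_userdomains_depend` later in this commit declares it). In a modular build the require block must name what the body actually uses; as written it names an unrelated type and omits the attribute the rule depends on. Since `userdomain` presumably covers sysadm_t as well, the description might also state that the caller can end up in the administrative domain, which is what justifies the `weight="10"` write flow.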
|
||||
@ -853,14 +876,36 @@ class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_read_all_users_data">
|
||||
## <interface name="userdomain_search_all_users_home_dirs">
|
||||
## <description>
|
||||
## Inherit the file descriptors from all user domains
|
||||
## Search all users home directories.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="read" weight="1"/>
|
||||
## <infoflow type="read" weight="7"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`userdomain_search_all_users_home_dirs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_list_home_directories($1)
|
||||
allow $1 { home_dir_type home_type }:dir search;
|
||||
')
|
||||
|
||||
define(`userdomain_search_all_users_home_dirs_depend',`
|
||||
attribute home_dir_type, home_type;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_read_all_users_data">
|
||||
## <description>
|
||||
## Read all files in all users home directories.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`userdomain_read_all_users_data',`
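Review bot: `userdomain_search_all_users_home_dirs` allows `search` on `home_type` directories as well as `home_dir_type`, so — if `home_type` is, as its name suggests, the attribute carried by content inside home directories — a caller can traverse into every subdirectory under every user's home, not just the home directories themselves, and the description `Search all users home directories.` undersells that. Either document it, e.g. `## Search all users home directories and the directories below them.`, or narrow the rule to `allow $1 home_dir_type:dir search;` for callers that only need to reach `~` itself. `search` alone reveals no file contents, but it is what makes paths below `~` reachable to a domain that also has a read interface, so keep the `weight="7"` only with the wider grant.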
|
||||
@ -897,6 +942,27 @@ attribute userdomain;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_signal_all_userdomains">
|
||||
## <description>
|
||||
## Send general signals to all user domains.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="write" weight="1"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`userdomain_signal_all_userdomains',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 userdomain:process signal;
|
||||
')
|
||||
|
||||
define(`userdomain_signal_all_userdomains_depend',`
|
||||
attribute userdomain;
|
||||
class process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdomain_use_all_unprivileged_users_file_descriptors">
|
||||
## <description>
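Review bot: The description of `userdomain_signal_all_userdomains` says `Send general signals to all user domains.`, which matches the `signal` permission but leaves the reader guessing what is excluded; in the process class `sigkill`, `sigstop`, `sigchld` and `signull` are separate permissions (this commit itself requires `sigchld` on its own in the transition interfaces), so `allow $1 userdomain:process signal;` does not let the caller kill or stop user sessions. Suggest `## Send general signals (not sigkill/sigstop) to all user domains.` so a caller that needs to terminate sessions knows to ask for a different interface rather than assume this one suffices.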
|
||||
@ -927,7 +993,7 @@ class fd use;
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="read" weight="1"/>
|
||||
## <infoflow type="none"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
|
||||
|