Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
Dan Walsh
commit
4d71bc3534
@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
|
||||
mta_send_mail(logrotate_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
|
||||
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
|
||||
# for savelog
|
||||
can_exec(logrotate_t, logrotate_exec_t)
|
||||
|
||||
|
||||
@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
|
||||
|
||||
kernel_read_system_state(prelink_t)
|
||||
kernel_read_kernel_sysctls(prelink_t)
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
#
|
||||
interface(`pulseaudio_role',`
|
||||
gen_require(`
|
||||
type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
|
||||
type pulseaudio_t, pulseaudio_exec_t;
|
||||
class dbus { acquire_svc send_msg };
|
||||
')
|
||||
|
||||
|
||||
@ -336,7 +336,7 @@ interface(`term_relabel_console',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 console_device_t:chr_file { relabelfrom relabelto };
|
||||
allow $1 console_device_t:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
|
||||
allow $1 tty_device_t:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 ttynode:chr_file { relabelfrom relabelto };
|
||||
allow $1 ttynode:chr_file relabel_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -71,6 +71,7 @@ interface(`abrt_read_state',`
|
||||
type abrt_t;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
ps_process_pattern($1, abrt_t)
|
||||
')
|
||||
|
||||
|
||||
@ -138,7 +138,7 @@ interface(`accountsd_admin',`
|
||||
type accountsd_t;
|
||||
')
|
||||
|
||||
allow $1 accountsd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 accountsd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, accountsd_t)
|
||||
|
||||
accountsd_manage_lib_files($1)
|
||||
|
||||
@ -97,8 +97,8 @@ interface(`afs_admin',`
|
||||
type afs_t, afs_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 afs_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, afs_t, afs_t)
|
||||
allow $1 afs_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, afs_t)
|
||||
|
||||
# Allow afs_admin to restart the afs service
|
||||
afs_initrc_domtrans($1)
|
||||
|
||||
@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
|
||||
type arpwatch_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 arpwatch_t:process { ptrace signal_perms getattr };
|
||||
allow $1 arpwatch_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, arpwatch_t)
|
||||
|
||||
arpwatch_initrc_domtrans($1)
|
||||
|
||||
@ -64,7 +64,7 @@ interface(`asterisk_admin',`
|
||||
type asterisk_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 asterisk_t:process { ptrace signal_perms getattr };
|
||||
allow $1 asterisk_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, asterisk_t)
|
||||
|
||||
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
|
||||
|
||||
@ -68,7 +68,8 @@ interface(`automount_read_state',`
|
||||
type automount_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, automount_t, automount_t)
|
||||
kernel_search_proc($1)
|
||||
ps_process_pattern($1, automount_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -149,7 +150,7 @@ interface(`automount_admin',`
|
||||
type automount_var_run_t, automount_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 automount_t:process { ptrace signal_perms getattr };
|
||||
allow $1 automount_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, automount_t)
|
||||
|
||||
init_labeled_script_domtrans($1, automount_initrc_exec_t)
|
||||
|
||||
@ -138,8 +138,8 @@ interface(`boinc_admin',`
|
||||
type boinc_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 boinc_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, boinc_t, boinc_t)
|
||||
allow $1 boinc_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, boinc_t)
|
||||
|
||||
boinc_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -191,8 +191,8 @@ interface(`cobblerd_admin',`
|
||||
type httpd_cobbler_content_rw_t;
|
||||
')
|
||||
|
||||
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, cobblerd_t, cobblerd_t)
|
||||
allow $1 cobblerd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cobblerd_t)
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, cobbler_etc_t)
|
||||
|
||||
@ -42,7 +42,6 @@ template(`courier_domain_template',`
|
||||
manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
|
||||
manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
|
||||
manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
|
||||
files_search_pids(courier_$1_t)
|
||||
files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
|
||||
|
||||
kernel_read_system_state(courier_$1_t)
|
||||
|
||||
@ -13,7 +13,8 @@
|
||||
#
|
||||
template(`cron_common_crontab_template',`
|
||||
gen_require(`
|
||||
type crond_t, crond_var_run_t;
|
||||
type crond_t, crond_var_run_t, crontab_exec_t;
|
||||
type cron_spool_t, user_cron_spool_t;
|
||||
')
|
||||
|
||||
##############################
|
||||
@ -673,7 +674,6 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
|
||||
gen_require(`
|
||||
type system_cronjob_tmp_t;
|
||||
type cron_var_run_t;
|
||||
type system_cronjob_var_run_t;
|
||||
')
|
||||
|
||||
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
||||
|
||||
@ -165,13 +165,13 @@ interface(`devicekit_admin',`
|
||||
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 devicekit_t:process { ptrace signal_perms getattr };
|
||||
allow $1 devicekit_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, devicekit_t)
|
||||
|
||||
allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
|
||||
allow $1 devicekit_disk_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, devicekit_disk_t)
|
||||
|
||||
allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
|
||||
allow $1 devicekit_power_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, devicekit_power_t)
|
||||
|
||||
admin_pattern($1, devicekit_tmp_t)
|
||||
|
||||
@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
|
||||
#
|
||||
interface(`dhcpd_admin',`
|
||||
gen_require(`
|
||||
type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
|
||||
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
|
||||
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
|
||||
@ -235,8 +235,8 @@ interface(`exim_admin', `
|
||||
type exim_tmp_t, exim_spool_t, exim_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 exim_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, exim_t, exim_t)
|
||||
allow $1 exim_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, exim_t)
|
||||
|
||||
exim_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
|
||||
type fetchmail_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 fetchmail_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, fetchmail_t)
|
||||
|
||||
files_list_etc($1)
|
||||
|
||||
@ -51,6 +51,7 @@ interface(`hal_read_state',`
|
||||
type hald_t;
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
ps_process_pattern($1, hald_t)
|
||||
')
|
||||
|
||||
@ -382,7 +383,7 @@ interface(`hal_read_pid_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -457,7 +458,7 @@ interface(`hal_manage_pid_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -70,8 +70,4 @@ interface(`hddtemp_admin',`
|
||||
|
||||
admin_pattern($1, hddtemp_etc_t)
|
||||
files_search_etc($1)
|
||||
|
||||
allow $1 hddtemp_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@ -173,6 +173,7 @@ interface(`icecast_admin',`
|
||||
type icecast_t, icecast_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 icecast_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, icecast_t)
|
||||
|
||||
# Allow icecast_t to restart the apache service
|
||||
|
||||
@ -61,7 +61,7 @@ interface(`jabberd_read_lib_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -126,11 +126,10 @@ interface(`ldap_stream_connect',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 slapd_var_run_t:sock_file write;
|
||||
allow $1 slapd_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
|
||||
|
||||
optional_policy(`
|
||||
ldap_stream_connect_dirsrv($1)
|
||||
ldap_stream_connect_dirsrv($1)
|
||||
')
|
||||
')
|
||||
|
||||
@ -150,8 +149,7 @@ interface(`ldap_stream_connect_dirsrv',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 dirsrv_var_run_t:sock_file write;
|
||||
allow $1 dirsrv_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
|
||||
')
|
||||
|
||||
files_search_spool($1)
|
||||
allow $1 print_spool_t:file { relabelto relabelfrom };
|
||||
allow $1 print_spool_t:file relabel_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -70,5 +70,6 @@ interface(`memcached_admin',`
|
||||
role_transition $2 memcached_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, memcached_var_run_t)
|
||||
')
|
||||
|
||||
@ -53,7 +53,6 @@ interface(`mpd_read_data_files',`
|
||||
type mpd_data_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
mpd_search_lib($1)
|
||||
read_files_pattern($1, mpd_data_t, mpd_data_t)
|
||||
')
|
||||
@ -73,8 +72,7 @@ interface(`mpd_read_tmpfs_files',`
|
||||
type mpd_tmpfs_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
mpd_search_lib($1)
|
||||
fs_search_tmpfs($1)
|
||||
read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
|
||||
')
|
||||
|
||||
@ -93,8 +91,7 @@ interface(`mpd_manage_tmpfs_files',`
|
||||
type mpd_tmpfs_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
mpd_search_lib($1)
|
||||
fs_search_tmpfs($1)
|
||||
manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
|
||||
manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
|
||||
')
|
||||
@ -114,7 +111,6 @@ interface(`mpd_manage_data_files',`
|
||||
type mpd_data_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
mpd_search_lib($1)
|
||||
manage_files_pattern($1, mpd_data_t, mpd_data_t)
|
||||
')
|
||||
@ -250,6 +246,7 @@ interface(`mpd_admin',`
|
||||
type mpd_data_t;
|
||||
type mpd_log_t;
|
||||
type mpd_var_lib_t;
|
||||
type mpd_tmpfs_t;
|
||||
')
|
||||
|
||||
allow $1 mpd_t:process { ptrace signal_perms };
|
||||
@ -271,4 +268,6 @@ interface(`mpd_admin',`
|
||||
|
||||
admin_pattern($1, mpd_log_t)
|
||||
|
||||
fs_search_tmpfs($1)
|
||||
admin_pattern($1, mpd_tmpfs_t)
|
||||
')
|
||||
|
||||
@ -57,9 +57,8 @@ interface(`munin_stream_connect',`
|
||||
type munin_var_run_t, munin_t;
|
||||
')
|
||||
|
||||
allow $1 munin_t:unix_stream_socket connectto;
|
||||
allow $1 munin_var_run_t:sock_file { getattr write };
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
||||
@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
|
||||
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
|
||||
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
|
||||
')
|
||||
|
||||
@ -106,9 +106,9 @@ interface(`nslcd_admin',`
|
||||
role_transition $2 nslcd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, nslcd_conf_t)
|
||||
|
||||
manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
|
||||
manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
|
||||
manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
|
||||
')
|
||||
|
||||
@ -144,7 +144,7 @@ interface(`ntp_admin',`
|
||||
type ntpd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ntpd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 ntpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ntpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
|
||||
|
||||
@ -29,7 +29,7 @@ interface(`oddjob_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -39,6 +39,9 @@ interface(`pads_admin', `
|
||||
role_transition $2 pads_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, pads_var_run_t)
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, pads_config_t)
|
||||
')
|
||||
|
||||
@ -249,12 +249,14 @@ interface(`plymouthd_admin', `
|
||||
type plymouthd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 plymouthd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, plymouthd_t, plymouthd_t)
|
||||
allow $1 plymouthd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, plymouthd_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, plymouthd_spool_t)
|
||||
|
||||
admin_pattern($1, plymouthd_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, plymouthd_var_run_t)
|
||||
')
|
||||
|
||||
@ -105,8 +105,8 @@ interface(`portreserve_admin', `
|
||||
type portreserve_initrc_exec_t, portreserve_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 portreserve_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, portreserve_t, portreserve_t)
|
||||
allow $1 portreserve_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, portreserve_t)
|
||||
|
||||
portreserve_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -691,26 +691,26 @@ interface(`postfix_admin', `
|
||||
type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
|
||||
')
|
||||
|
||||
allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
|
||||
allow $1 postfix_bounce_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_bounce_t)
|
||||
|
||||
allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
|
||||
allow $1 postfix_cleanup_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_cleanup_t)
|
||||
|
||||
allow $1 postfix_local_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_local_t, postfix_local_t)
|
||||
allow $1 postfix_local_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_local_t)
|
||||
|
||||
allow $1 postfix_master_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_master_t, postfix_master_t)
|
||||
allow $1 postfix_master_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_master_t)
|
||||
|
||||
allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
|
||||
allow $1 postfix_pickup_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_pickup_t)
|
||||
|
||||
allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
|
||||
allow $1 postfix_qmgr_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_qmgr_t)
|
||||
|
||||
allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
|
||||
allow $1 postfix_smtpd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postfix_smtpd_t)
|
||||
|
||||
postfix_run_map($1,$2)
|
||||
postfix_run_postdrop($1,$2)
|
||||
|
||||
@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 postgresql_t:unix_stream_socket connectto;
|
||||
allow $1 postgresql_var_run_t:sock_file write;
|
||||
# Some versions of postgresql put the sock file in /tmp
|
||||
allow $1 postgresql_tmp_t:sock_file write;
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -441,10 +439,13 @@ interface(`postgresql_admin',`
|
||||
|
||||
admin_pattern($1, postgresql_var_run_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, postgresql_db_t)
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, postgresql_etc_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, postgresql_log_t)
|
||||
|
||||
admin_pattern($1, postgresql_tmp_t)
|
||||
|
||||
@ -360,7 +360,7 @@ interface(`ppp_admin',`
|
||||
type pppd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 pppd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 pppd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pppd_t)
|
||||
|
||||
ppp_initrc_domtrans($1)
|
||||
@ -386,7 +386,7 @@ interface(`ppp_admin',`
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, pppd_var_run_t)
|
||||
|
||||
allow $1 pptp_t:process { ptrace signal_perms getattr };
|
||||
allow $1 pptp_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pptp_t)
|
||||
|
||||
admin_pattern($1, pptp_log_t)
|
||||
|
||||
@ -136,9 +136,16 @@ interface(`prelude_admin',`
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, prelude_spool_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, prelude_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, prelude_var_run_t)
|
||||
admin_pattern($1, prelude_audisp_var_run_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
admin_pattern($1, prelude_lml_tmp_t)
|
||||
|
||||
admin_pattern($1, prelude_lml_var_run_t)
|
||||
')
|
||||
|
||||
@ -24,7 +24,7 @@ interface(`privoxy_admin',`
|
||||
type privoxy_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 privoxy_t:process { ptrace signal_perms getattr };
|
||||
allow $1 privoxy_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, privoxy_t)
|
||||
|
||||
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
|
||||
|
||||
@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
|
||||
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
||||
allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
||||
|
||||
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||
allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
|
||||
|
||||
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
||||
allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
|
||||
|
||||
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
||||
allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
|
||||
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
||||
|
||||
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
||||
kernel_read_system_state(puppetmaster_t)
|
||||
|
||||
@ -179,8 +179,8 @@ interface(`qpidd_admin',`
|
||||
type qpidd_t;
|
||||
')
|
||||
|
||||
allow $1 qpidd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, qpidd_t, qpidd_t)
|
||||
allow $1 qpidd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, qpidd_t)
|
||||
|
||||
|
||||
gen_require(`
|
||||
|
||||
@ -38,7 +38,7 @@ interface(`radius_admin',`
|
||||
type radiusd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 radiusd_t:process { ptrace signal_perms getattr };
|
||||
allow $1 radiusd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, radiusd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
|
||||
|
||||
@ -174,7 +174,6 @@ template(`razor_manage_user_home_files',`
|
||||
type razor_home_t;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
userdom_search_user_home_dirs($1)
|
||||
manage_files_pattern($1, razor_home_t, razor_home_t)
|
||||
read_lnk_files_pattern($1, razor_home_t, razor_home_t)
|
||||
|
||||
@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
|
||||
type resmgrd_var_run_t, resmgrd_t;
|
||||
')
|
||||
|
||||
allow $1 resmgrd_t:unix_stream_socket connectto;
|
||||
allow $1 resmgrd_var_run_t:sock_file { getattr write };
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
|
||||
')
|
||||
|
||||
@ -118,7 +118,7 @@ interface(`rgmanager_admin',`
|
||||
')
|
||||
|
||||
allow $1 rgmanager_t:process { ptrace signal_perms };
|
||||
read_files_pattern($1, rgmanager_t, rgmanager_t)
|
||||
ps_process_pattern($1, rgmanager_t)
|
||||
|
||||
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -108,8 +108,7 @@ interface(`ricci_stream_connect_modclusterd',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 ricci_modcluster_var_run_t:sock_file write;
|
||||
allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||
allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
|
||||
allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||
')
|
||||
|
||||
@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 rpcbind_var_run_t:sock_file write;
|
||||
allow $1 rpcbind_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -145,4 +144,10 @@ interface(`rpcbind_admin',`
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 rpcbind_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, rpcbind_var_lib_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, rpcbind_var_run_t)
|
||||
')
|
||||
|
||||
@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
||||
allow virtd_t virt_image_type:file { relabelfrom relabelto };
|
||||
allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
|
||||
allow virtd_t virt_image_type:file relabel_file_perms;
|
||||
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
||||
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
||||
|
||||
@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 shadow_t:file { relabelfrom relabelto };
|
||||
allow $1 shadow_t:file relabel_file_perms;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
|
||||
@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
|
||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||
|
||||
logging_manage_all_logs($1)
|
||||
allow $1 logfile:dir { relabelfrom relabelto };
|
||||
allow $1 logfile:file { relabelfrom relabelto };
|
||||
allow $1 logfile:dir relabel_dir_perms;
|
||||
allow $1 logfile:file relabel_file_perms;
|
||||
|
||||
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
|
||||
@ -89,8 +89,7 @@ interface(`udev_read_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
allow $1 udev_t:file read_file_perms;
|
||||
allow $1 udev_t:lnk_file read_lnk_file_perms;
|
||||
ps_process_pattern($1, udev_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
|
||||
type user_home_t;
|
||||
')
|
||||
|
||||
allow $1 user_home_t:file { relabelto relabelfrom };
|
||||
allow $1 user_home_t:file relabel_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -251,7 +251,7 @@ interface(`xen_domtrans_xm',`
|
||||
#
|
||||
interface(`xen_stream_connect_xm',`
|
||||
gen_require(`
|
||||
type xm_t;
|
||||
type xm_t, xenstored_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user