more updates

This commit is contained in:
Chris PeBenito 2005-09-15 21:03:45 +00:00
parent 98a8ead4c5
commit 5493c2036b
40 changed files with 658 additions and 346 deletions

View File

@ -301,16 +301,7 @@ optional_policy(`kerberos.te',`
#
# can_ldap(): complete
#
optional_policy(`ldap.te',`
allow $1 self:tcp_socket create_socket_perms;
corenet_tcp_sendrecv_all_if($1)
corenet_raw_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_bind_all_nodes($1)
sysnet_read_config($1)
')
sysnet_use_ldap($1)
#
# can_loadpol(): complete
@ -420,19 +411,15 @@ dontaudit $1 $2:process ptrace;
allow $1 $2:process ptrace;
allow $2 $1:process sigchld;
#
# can_portmap():
#
sysnet_use_portmap($1)
#
# can_resolve(): complete
#
tunable_policy(`use_dns',`
allow $1 self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if($1)
corenet_raw_sendrecv_all_if($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
corenet_udp_sendrecv_dns_port($1)
corenet_udp_bind_all_nodes($1)
sysnet_read_config($1)
')
sysnet_dns_name_resolve($1)
#
# can_setbool(): complete
@ -790,7 +777,7 @@ optional_policy(`nscd.te',`
#
# legacy_domain(): complete
#
allow $1_t self:process execmem;
allow $1_t self:process { execmem execstack };
libs_legacy_use_shared_libs($1_t)
libs_legacy_use_ld_so($1_t)
@ -826,6 +813,30 @@ create_dir_file($1, $2)
can_exec($1, $2)
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
#
# polyinstantiater():
#
ifdef(`support_polyinstantiation', `
# Need to give access to /selinux/member
selinux_compute_member($1)
# Need sys_admin capability for mounting
allow $1 self:capability sys_admin;
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { getattr mounton add_name create setattr write search };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir {getattr search };
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
# Need to give permission to create directories where applicable
allow $1 polymember: dir { create setattr };
allow $1 polydir: dir { write add_name };
allow $1 self:process setfscreate;
allow $1 polyparent:dir { write add_name };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
')
#
# pty_slave_label():
#

View File

@ -1,3 +1,206 @@
1.26 2005-09-06
* Updated version for release.
1.25.4 2005-08-10
* Merged small patches from Russell Coker for the restorecon,
kudzu, lvm, radvd, and spamassasin policies.
* Added fs_use_trans rule for mqueue from Mark Gebhart to support
the work he has done on providing SELinux support for mqueue.
* Merged a patch from Dan Walsh. Removes the user_can_mount
tunable. Adds disable_evolution_trans and disable_thunderbird_trans
booleans. Adds the nscd_client_domain attribute to insmod_t.
Removes the user_ping boolean from targeted policy. Adds
hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
Adds the isakmp_port for vpnc. Creates the pptp daemon domain.
Allows getty to run sbin_t for pppd. Allows initrc to write to
default_t for booting. Allows Hotplug_t sys_rawio for prism54
card at boot. Other minor fixes.
1.25.3 2005-07-18
* Merged patch from Dan Walsh. Adds auth_bool attribute to allow
domains to have read access to shadow_t. Creates pppd_can_insmod
boolean to control the loading of modem kernel modules. Allows
nfs to export noexattrfile types. Allows unix_chpwd to access
cert files and random devices for encryption purposes. Other
minor cleanups and fixes.
1.25.2 2005-07-11
* Merged patch from Dan Walsh. Added allow_ptrace boolean to
allow sysadm_t to ptrace and debug apps. Gives auth_chkpwd the
audit_control and audit_write capabilities. Stops targeted policy
from transitioning from unconfined_t to netutils. Allows cupsd to
audit messages. Gives prelink the execheap, execmem, and execstack
permissions by default. Adds can_winbind boolean and functions to
better handle samba and winbind communications. Eliminates
allow_execmod checks around texrel_shlib_t libraries. Other minor
cleanups and fixes.
1.25.1 2005-07-05
* Moved role_tty_type_change, reach_sysadm, and priv_user macros
from user.te to user_macros.te as suggested by Steve.
* Modified admin_domain macro so autrace would work and removed
privuser attribute for dhcpc as suggested by Russell Coker.
* Merged rather large patch from Dan Walsh. Moves
targeted/strict/mls policies closer together. Adds local.te for
users to customize. Includes minor fixes to auditd, cups,
cyrus_imapd, dhcpc, and dovecot. Includes Russell Coker's patch
that defines all ports in network.te. Ports are always defined
now, no ifdefs are used in network.te. Also includes Ivan
Gyurdiev's user home directory policy patches. These patches add
alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
iceauth, orbit, and thunderbird policy. They create read_content,
write_trusted, and write_untrusted macros in content.te. They
create network_home, write_network_home, read_network_home,
base_domain_ro_access, home_domain_access, home_domain, and
home_domain_ro macros in home_macros.te. They also create
$3_read_content, $3_write_content, and write_untrusted booleans.
1.24 2005-06-20
* Updated version for release.
1.23.18 2005-05-31
* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
* Removed devfsd policy as suggested by Russell Coker.
* Merged patch from Dan Walsh. Includes beginnings of Ivan
Gyurdiev's Font Config policy. Don't transition to fsadm_t from
unconfined_t (sysadm_t) in targeted policy. Add support for
debugfs in modutil. Allow automount to create and delete
directories in /root and /home dirs. Move can_ypbind to
chkpwd_macro.te. Allow useradd to create additional files and
types via the skell mechanism. Other minor cleanups and fixes.
1.23.17 2005-05-23
* Merged minor fixes by Petre Rodan to the daemontools, dante,
gpg, kerberos, and ucspi-tcp policies.
* Merged minor fixes by Russell Coker to the bluetooth, crond,
initrc, postfix, and udev policies. Modifies constraints so that
newaliases can be run. Modifies types.fc so that objects in
lost+found directories will not be relabled.
* Modified fc rules for nvidia.
* Added Chad Sellers policy for polyinstantiation support, which
creates the polydir, polyparent, and polymember attributes. Also
added the support_polyinstantiation tunable.
* Merged patch from Dan Walsh. Includes mount_point attribute,
read_font macros and some other policy fixes from Ivan Gyurdiev.
Adds privkmsg and secadmfile attributes and ddcprobe policy.
Removes the use_syslogng boolean. Many other minor fixes.
1.23.16 2005-05-13
* Added rdisc policy from Russell Coker.
* Merged minor fix to named policy by Petre Rodan.
* Merged minor fixes to policy from Russell Coker for kudzu,
named, screen, setfiles, telnet, and xdm.
* Merged minor fix to Makefile from Russell Coker.
1.23.15 2005-05-06
* Added tripwire and yam policy from David Hampton.
* Merged minor fixes to amavid and a clarification to the
httpdcontent attribute comments from David Hampton.
* Merged patch from Dan Walsh. Includes fixes for restorecon,
games, and postfix from Russell Coker. Adds support for debugfs.
Restores support for reiserfs. Allows udev to work with tmpfs_t
before /dev is labled. Removes transition from sysadm_t
(unconfined_t) to ifconfig_t for the targeted policy. Other minor
cleanups and fixes.
1.23.14 2005-04-29
* Added afs policy from Andrew Reisse.
* Merged patch from Lorenzo Hernández García-Hierro which defines
execstack and execheap permissions. The patch excludes these
permissions from general_domain_access and updates the macros for
X, legacy binaries, users, and unconfined domains.
* Added nlmsg_relay permisison where netlink_audit_socket class is
used. Added nlmsg_readpriv permission to auditd_t and auditctl_t.
* Merged some minor cleanups from Russell Coker and David Hampton.
* Merged patch from Dan Walsh. Many changes made to allow
targeted policy to run closer to strict and now almost all of
non-userspace is protected via SELinux. Kernel is now in
unconfined_domain for targeted and runs as root:system_r:kernel_t.
Added transitionbool to daemon_sub_domain, mainly to turn off
httpd_suexec transitioning. Implemented web_client_domain
name_connect rules. Added yp support for cups. Now the real
hotplug, udev, initial_sid_contexts are used for the targeted
policy. Other minor cleanups and fixes. Auditd fixes by Paul
Moore.
1.23.13 2005-04-22
* Merged more changes from Dan Walsh to initrc_t for removal of
unconfined_domain.
* Merged Dan Walsh's split of auditd policy into auditd_t for the
audit daemon and auditctl_t for the autoctl program.
* Added use of name_connect to uncond_can_ypbind macro by Dan
Walsh.
* Merged other cleanup and fixes by Dan Walsh.
1.23.12 2005-04-20
* Merged Dan Walsh's Netlink changes to handle new auditing pam
modules.
* Merged Dan Walsh's patch removing the sysadmfile attribute from
policy files to separate sysadm_t from secadm_t.
* Added CVS and uucpd policy from Dan Walsh.
* Cleanup by Dan Walsh to handle turning off unlimitedRC.
* Merged Russell Coker's fixes to ntpd, postgrey, and named
policy.
* Cleanup of chkpwd_domain and added permissions to su_domain
macro due to pam changes to support audit.
* Added nlmsg_relay and nlmsg_readpriv permissions to the
netlink_audit_socket class.
1.23.11 2005-04-14
* Merged Dan Walsh's separation of the security manager and system
administrator.
* Removed screensaver.te as suggested by Thomas Bleher
* Cleanup of typealiases that are no longer used by Thomas Bleher.
* Cleanup of fc files and additional rules for SuSE by Thomas
Bleher.
* Merged changes to auditd and named policy by Russell Coker.
* Merged MLS change from Darrel Goeddel to support the policy
hierarchy patch.
1.23.10 2005-04-08
* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
1.23.9 2005-04-07
* Merged diffs from Dan Walsh. Includes Ivan Gyurdiev's cleanup
of x_client apps.
* Added dmidecode policy from Ivan Gyurdiev.
1.23.8 2005-04-05
* Added netlink_kobject_uevent_socket class.
* Removed empty files pump.te and pump.fc.
* Added NetworkManager policy from Dan Walsh.
* Merged Dan Walsh's major restructuring of Apache's policy.
1.23.7 2005-04-04
* Merged David Hampton's amavis and clamav cleanups.
* Added David Hampton's dcc, pyzor, and razor policy.
1.23.6 2005-04-01
* Merged cleanup of the Makefile and other stuff from Dan Walsh.
Dan's patch includes some desktop changes from Ivan Gyurdiev.
* Merged Thomas Bleher's patches which increase the usage of
lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
possible.
* Merged Greg Norris's cleanup of fetchmail.
1.23.5 2005-03-23
* Added name_connect support from Dan Walsh.
* Added httpd_unconfined_t from Dan Walsh.
* Merged cleanup of assert.te to allow unresticted full access
from Dan Walsh.
1.23.4 2005-03-21
* Merged diffs from Dan Walsh:
* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan
Gyurdiev.
* Added syslogng support to syslog.te.
1.23.3 2005-03-15
* Added policy for nx_server from Thomas Bleher.
* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
publicfile from Petre Rodan.
1.23.2 2005-03-14
* Merged diffs from Dan Walsh. Dan's patch includes Ivan Gyurdiev's
gift policy.

View File

@ -60,7 +60,7 @@ POLICYFILES += $(USER_FILES)
POLICYFILES += constraints
POLICYFILES += $(DEFCONTEXTFILES)
CONTEXTFILES = $(DEFCONTEXTFILES)
POLICY_DIRS = domains/program domains/misc
POLICY_DIRS = domains domains/program domains/misc macros macros/program
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
@ -70,19 +70,19 @@ FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/pro
CONTEXTFILES += $(FCFILES)
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
all: policy
tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
tmp/valid_fc: $(LOADPATH) $(FC)
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(LOADPATH) $(FC)
@touch tmp/valid_fc
install: tmp/valid_fc $(USERPATH)/local.users
install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@mkdir -p $(USERPATH)
@ -91,61 +91,64 @@ $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
@echo "# Please edit local.users to make local changes." >> tmp/system.users
@echo "#" >> tmp/system.users
m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
install -m 644 tmp/system.users $@
$(USERPATH)/local.users: local.users
@mkdir -p $(USERPATH)
install -C -b -m 644 $< $@
install -b -m 644 $< $@
$(CONTEXTPATH)/files/media: appconfig/media
mkdir -p $(CONTEXTPATH)/files/
@mkdir -p $(CONTEXTPATH)/files/
install -m 644 $< $@
$(APPDIR)/default_contexts: appconfig/default_contexts
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/removable_context: appconfig/removable_context
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/customizable_types: policy.conf
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
install -m 644 tmp/customizable_types $@
$(APPDIR)/port_types: policy.conf
@mkdir -p $(APPDIR)
@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
install -m 644 tmp/port_types $@
$(APPDIR)/default_type: appconfig/default_type
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/userhelper_context: appconfig/userhelper_context
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/initrc_context: appconfig/initrc_context
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/failsafe_context: appconfig/failsafe_context
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
mkdir -p $(APPDIR)
@mkdir -p $(APPDIR)
install -m 644 $< $@
$(APPDIR)/users/root: appconfig/root_default_contexts
mkdir -p $(APPDIR)/users
@mkdir -p $(APPDIR)/users
install -m 644 $< $@
$(LOADPATH): policy.conf $(CHECKPOLICY)
mkdir -p $(POLICYPATH)
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(MLS),y)
ifneq ($(VERS),18)
$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
endif
endif
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
@ -154,46 +157,39 @@ policy: $(POLICYVER)
$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifneq ($(MLS),y)
ifneq ($(VERS),18)
$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
endif
endif
@echo "Validating file_contexts ..."
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
reload tmp/load: $(FCPATH) $(LOADPATH)
ifeq ($(VERS), $(KERNVERS))
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
$(LOADPOLICY) $(LOADPATH)
else
$(LOADPOLICY) $(POLICYPATH)/policy.18
endif
touch tmp/load
load: tmp/load
load: tmp/load $(FCPATH)
enableaudit: policy.conf
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
policy.conf: $(POLICYFILES) $(POLICY_DIRS)
mkdir -p tmp
@echo "Building policy.conf ..."
@mkdir -p tmp
m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
mv $@.tmp $@
@mv $@.tmp $@
install-src:
rm -rf $(SRCPATH)/policy.old
-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
mkdir -p $(SRCPATH)/policy
@mkdir -p $(SRCPATH)/policy
cp -R . $(SRCPATH)/policy
tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
mkdir -p tmp
@mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
mv $@.tmp $@
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
checklabels: $(SETFILES)
$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
@ -205,20 +201,20 @@ relabel: $(FC) $(SETFILES)
$(SETFILES) $(FC) $(FILESYSTEMS)
file_contexts/misc:
mkdir -p file_contexts/misc
@mkdir -p file_contexts/misc
$(FCPATH): $(FC) $(USERPATH)/system.users
$(FCPATH): tmp/valid_fc $(USERPATH)/system.users $(APPDIR)/customizable_types $(APPDIR)/port_types
@echo "Installing file contexts files..."
@mkdir -p $(CONTEXTPATH)/files
install -m 644 $(FC) $(FCPATH)
install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
install -m 644 $(FC) $(FCPATH)
@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file_contexts ..."
@echo "Building file contexts files..."
@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
@grep -v -e HOME -e ROLE $@.tmp > $@
@grep -e HOME -e ROLE $@.tmp > $(HOMEDIR_TEMPLATE)
@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
@grep -e HOME -e ROLE -e USER $@.tmp > $(HOMEDIR_TEMPLATE)
@-rm $@.tmp
# Create a tags-file for the policy:
@ -239,7 +235,7 @@ tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
clean:
rm -f policy.conf $(POLICYVER) policy.18
rm -f policy.conf $(POLICYVER)
rm -f tags
rm -f tmp/*
rm -f $(FC)
@ -328,4 +324,7 @@ mlsconvert:
mv $$file.new $$file; \
done
@sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
@echo "Enabling MLS in the Makefile"
@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"

View File

@ -1 +1 @@
1.23.2-1
1.26

View File

@ -110,6 +110,10 @@ attribute privlog;
# and an allow rule to permit it
attribute privmodule;
# The privsysmod attribute identifies every domain that can have the
# sys_module capability
attribute privsysmod;
# The privmem attribute identifies every domain that can
# access kernel memory devices.
# This attribute is used in the TE assertions to verify
@ -117,6 +121,13 @@ attribute privmodule;
# tagged with this attribute.
attribute privmem;
# The privkmsg attribute identifies every domain that can
# read kernel messages (/proc/kmsg)
# This attribute is used in the TE assertions to verify
# that such access is limited to domains that are explicitly
# tagged with this attribute.
attribute privkmsg;
# The privfd attribute identifies every domain that should have
# file handles inherited widely (IE sshd_t and getty_t).
attribute privfd;
@ -251,6 +262,12 @@ attribute sysadmfile;
# overall filesystem statistics.
attribute fs_type;
# The mount_point attribute identifies all types that can serve
# as a mount point (for the mount binary). It is used in the mount
# policy to grant mounton permission, and in other domains to grant
# getattr permission over all the mount points.
attribute mount_point;
# The exec_type attribute identifies all types assigned
# to entrypoint executables for domains. This attribute is
# used in TE rules and assertions that should be applied to all
@ -413,7 +430,11 @@ attribute nscd_client_domain;
# For clients of nscd that can use shmem interface.
attribute nscd_shmem_domain;
# For labeling of content for httpd
# For labeling of content for httpd. This attribute is only used by
# the httpd_unified domain, which says treat all httpdcontent the
# same. If you want content to be served in a "non-unified" system
# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
# your policy.
attribute httpdcontent;
# For labeling of domains whos transition can be disabled

View File

@ -61,6 +61,10 @@ ifdef(`crond.te', `
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
);

View File

@ -86,6 +86,8 @@ allow crond_t rpm_log_t: file create_file_perms;
system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
#read ahead wants to read this
allow initrc_t system_cron_spool_t:file { getattr read };
')
')

View File

@ -64,6 +64,9 @@ allow ping_t hotplug_t:fd use;
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
', `
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
') dnl end if ping
ifdef(`dhcpd.te', `', `
@ -116,7 +119,7 @@ allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
allow dhcpc_t bin_t:dir search;
allow dhcpc_t bin_t:dir { getattr search };
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })

View File

@ -65,7 +65,7 @@ allow hotplug_t usbfs_t:file { getattr read };
allow hotplug_t etc_t:dir r_dir_perms;
allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
allow hotplug_t kernel_t:process sigchld;
allow hotplug_t kernel_t:process { sigchld setpgid };
ifdef(`distro_redhat', `
allow hotplug_t var_lock_t:dir search;
@ -128,9 +128,9 @@ dontaudit hotplug_t initctl_t:fifo_file { read write };
# Read /usr/lib/gconv/.*
allow hotplug_t lib_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod };
allow hotplug_t sysfs_t:dir { getattr read search };
allow hotplug_t sysfs_t:file { getattr read };
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
@ -156,10 +156,7 @@ ifdef(`mta.te', `
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
allow restorecon_t hotplug_t:fd use;
allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`unlimitedUtils', `
unconfined_domain(hotplug_t)
')
allow kernel_t hotplug_etc_t:dir search;
dontaudit hotplug_t selinux_config_t:dir search;

View File

@ -185,9 +185,8 @@ allow ipsec_t etc_t:file { read getattr };
allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
allow ipsec_t null_device_t:chr_file rw_file_perms;
# Allow scripts to use /var/locl/subsys/ipsec
allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
allow ipsec_mgmt_t var_lock_t:file create_file_perms;
# Allow scripts to use /var/lock/subsys/ipsec
lock_domain(ipsec_mgmt)
# allow tncfg to create sockets
allow ipsec_mgmt_t self:udp_socket { create ioctl };

View File

@ -43,3 +43,6 @@ allow klogd_t kernel_t:system { syslog_mod syslog_console };
# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
ifdef(`targeted_policy', `
allow klogd_t unconfined_t:system syslog_mod;
')

View File

@ -11,6 +11,7 @@
type load_policy_t, domain;
role sysadm_r types load_policy_t;
role secadm_r types load_policy_t;
role system_r types load_policy_t;
type load_policy_exec_t, file_type, exec_type, sysadmfile;
@ -19,7 +20,7 @@ type load_policy_exec_t, file_type, exec_type, sysadmfile;
#
# Rules
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
allow load_policy_t console_device_t:chr_file { read write };

View File

@ -13,7 +13,7 @@
# $1 is the name of the domain (local or remote)
define(`login_domain', `
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
@ -83,6 +83,9 @@ if (use_samba_home_dirs) {
r_dir_file($1_login_t, cifs_t)
}
# Login can polyinstantiate
polyinstantiater($1_login_t)
# FIXME: what is this for?
ifdef(`xdm.te', `
allow xdm_t $1_login_t:process signull;
@ -166,9 +169,7 @@ dontaudit local_login_t mnt_t:dir r_dir_perms;
# Create lock file.
allow local_login_t var_lock_t:dir rw_dir_perms;
allow local_login_t var_lock_t:file create_file_perms;
lock_domain(local_login)
# Read and write ttys.
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };

View File

@ -46,7 +46,7 @@ allow logrotate_t etc_runtime_t:file r_file_perms;
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
# create lock files
rw_dir_create_file(logrotate_t, var_lock_t)
lock_domain(logrotate)
# Create temporary files.
tmp_domain(logrotate)

View File

@ -71,7 +71,7 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
# Rules for the insmod_t domain.
#
type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
;
role system_r types insmod_t;
role sysadm_r types insmod_t;

View File

@ -11,7 +11,7 @@
type mount_exec_t, file_type, sysadmfile, exec_type;
mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
mount_loopback_privs(sysadm, mount)
role sysadm_r types mount_t;
role system_r types mount_t;
@ -39,20 +39,16 @@ allow mount_t file_t:file { getattr read unlink };
allow mount_t fs_type:filesystem mount_fs_perms;
allow mount_t mount_point:dir mounton;
allow mount_t nfs_t:dir search;
# nfsv4 has a filesystem to mount for its userspace daemons
allow mount_t var_lib_nfs_t:dir mounton;
# On some RedHat systems, /boot is a mount point
allow mount_t boot_t:dir mounton;
allow mount_t device_t:dir mounton;
# mount binfmt_misc on /proc/sys/fs/binfmt_misc
allow mount_t sysctl_t:dir { mounton search };
allow mount_t sysctl_t:dir search;
allow mount_t root_t:filesystem unmount;
can_portmap(mount_t)
ifdef(`portmap.te', `
# for nfs
can_network(mount_t)
allow mount_t port_type:tcp_socket name_connect;
can_ypbind(mount_t)
allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
@ -83,11 +79,7 @@ dontaudit mount_t kernel_t:fd use;
allow mount_t userdomain:fd use;
can_exec(mount_t, { sbin_t bin_t })
allow mount_t device_t:dir r_dir_perms;
ifdef(`distro_redhat', `
allow mount_t tmpfs_t:chr_file { read write };
allow mount_t tmpfs_t:dir mounton;
')
# tries to read /init
dontaudit mount_t root_t:file { getattr read };

View File

@ -13,8 +13,6 @@
ifdef(`sendmail.te', `', `
type sendmail_exec_t, file_type, exec_type, sysadmfile;
')
type smtp_port_t, port_type, reserved_port_type;
# create a system_mail_t domain for daemons, init scripts, etc when they run
# "mail user@domain"
@ -25,6 +23,7 @@ ifdef(`targeted_policy', `
# targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
allow system_mail_t self:dir { search };
allow system_mail_t self:lnk_file read;
r_dir_file(system_mail_t, { proc_t proc_net_t })
allow system_mail_t fs_t:filesystem getattr;
allow system_mail_t { var_t var_spool_t }:dir getattr;
@ -59,15 +58,6 @@ allow { system_mail_t mta_user_agent } privmail:process sigchld;
allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
ifdef(`arpwatch.te', `
# why is mail delivered to a directory of type arpwatch_data_t?
allow mta_delivery_agent arpwatch_data_t:dir search;
allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
ifdef(`hide_broken_symptoms', `
dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
')
')dnl end if arpwatch.te
allow mta_delivery_agent home_root_t:dir { getattr search };
# for /var/spool/mail
@ -81,4 +71,4 @@ allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
allow system_mail_t etc_runtime_t:file { getattr read };
allow system_mail_t urandom_device_t:chr_file read;
allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };

View File

@ -10,15 +10,13 @@
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld)
daemon_domain(mysqld, `, nscd_client_domain')
type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;
type mysqld_db_t, file_type, sysadmfile;
log_domain(mysqld)
@ -36,7 +34,7 @@ allow initrc_t mysqld_var_run_t:sock_file write;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };
allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
allow mysqld_t self:process getsched;
allow mysqld_t self:process { setsched getsched };
allow mysqld_t proc_t:file { getattr read };
@ -90,3 +88,4 @@ allow userdomain mysqld_var_run_t:sock_file write;
}
')
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;

View File

@ -10,11 +10,13 @@
#
# Rules for the named_t domain.
#
type rndc_port_t, port_type, reserved_port_type;
daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)
type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
# For /var/run/ndc used in BIND 8
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
@ -54,11 +56,13 @@ allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
#Named can use network
can_network(named_t)
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP transfer to/from any program
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
log_domain(named)
# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
@ -103,6 +107,7 @@ type ndc_exec_t, file_type,sysadmfile, exec_type;
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
@ -113,6 +118,7 @@ ifdef(`distro_redhat', `
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
')
allow { ndc_t initrc_t } named_conf_t:file { getattr read };

View File

@ -17,3 +17,4 @@ newrole_domain(newrole)
allow newrole_t var_run_t:dir r_dir_perms;
allow newrole_t initrc_var_run_t:file rw_file_perms;
role secadm_r types newrole_t;

View File

@ -73,3 +73,6 @@ allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
allow nscd_t tun_tap_device_t:chr_file { read write };

View File

@ -43,6 +43,7 @@ can_network(ntpd_t)
allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
allow sysadm_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;

View File

@ -37,4 +37,9 @@ dontaudit pam_t self:capability sys_tty_config;
allow initrc_t pam_var_run_t:dir rw_dir_perms;
allow initrc_t pam_var_run_t:file { getattr read unlink };
dontaudit pam_t initrc_var_run_t:file { read write };
dontaudit pam_t initrc_var_run_t:file rw_file_perms;
# Supress xdm denial
ifdef(`xdm.te', `
dontaudit pam_t xdm_t:fd use;
') dnl ifdef

View File

@ -17,6 +17,7 @@ role system_r types ping_t;
in_user_role(ping_t)
type ping_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `', `
bool user_ping false;
if (user_ping) {
@ -25,6 +26,7 @@ if (user_ping) {
allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
}
')
# Transition into this domain when you run this program.
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
@ -32,6 +34,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
uses_shlib(ping_t)
can_network_client(ping_t)
can_resolve(ping_t)
can_ypbind(ping_t)
allow ping_t etc_t:file { getattr read };
allow ping_t self:unix_stream_socket create_socket_perms;

View File

@ -28,18 +28,19 @@ can_exec_any(udev_t)
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:netlink_kobject_uevent_socket { create bind read };
allow udev_t device_t:file { unlink rw_file_perms };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
ifdef(`distro_redhat', `
allow udev_t tmpfs_t:dir rw_dir_perms;
allow udev_t tmpfs_t:sock_file create_file_perms;
allow udev_t tmpfs_t:dir create_dir_perms;
allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
allow udev_t tmpfs_t:lnk_file create_lnk_perms;
allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
allow udev_t tmpfs_t:dir search;
@ -53,7 +54,7 @@ allow udev_t { sbin_t bin_t }:lnk_file read;
allow udev_t bin_t:lnk_file read;
can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
can_exec(udev_t, udev_exec_t)
r_dir_file(udev_t, sysfs_t)
rw_dir_file(udev_t, sysfs_t)
allow udev_t sysadm_tty_device_t:chr_file { read write };
# to read the file_contexts file
@ -138,3 +139,8 @@ file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
')
r_dir_file(udev_t, domain)
allow udev_t modules_dep_t:file r_file_perms;
ifdef(`unlimitedUtils', `
unconfined_domain(udev_t)
')
dontaudit hostname_t udev_t:fd use;

View File

@ -10,10 +10,15 @@ bool user_dmesg false;
# Support NFS home directories
bool use_nfs_home_dirs false;
# Allow execution of anonymous mappings, e.g. executable stack.
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
bool allow_execmem false;
# Support Share libraries with Text Relocation
# Allow making the stack executable via mprotect.
# Also requires allow_execmem.
bool allow_execstack false;
# Allow making a modified private file mapping executable (text relocation).
bool allow_execmod false;
# Support SAMBA home directories
@ -126,7 +131,16 @@ dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr
role_tty_type_change(sysadm, user)
role_tty_type_change(staff, sysadm)
role_tty_type_change(sysadm, staff)
role_tty_type_change(sysadm, secadm)
role_tty_type_change(staff, secadm)
# "ps aux" and "ls -l /dev/pts" make too much noise without this
dontaudit unpriv_userdomain ptyfile:chr_file getattr;
# to allow w to display everyone...
bool user_ttyfile_stat false;
if (user_ttyfile_stat) {
allow userdomain ttyfile:chr_file getattr;
}

View File

@ -8,6 +8,7 @@ fs_use_xattr ext2 system_u:object_r:fs_t;
fs_use_xattr ext3 system_u:object_r:fs_t;
fs_use_xattr xfs system_u:object_r:fs_t;
fs_use_xattr jfs system_u:object_r:fs_t;
fs_use_xattr reiserfs system_u:object_r:fs_t;
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
@ -25,6 +26,7 @@ fs_use_task sockfs system_u:object_r:fs_t;
fs_use_trans devpts system_u:object_r:devpts_t;
fs_use_trans tmpfs system_u:object_r:tmpfs_t;
fs_use_trans shm system_u:object_r:tmpfs_t;
fs_use_trans mqueue system_u:object_r:tmpfs_t;
# The separate genfs_contexts configuration can be used for filesystem
# types that cannot support persistent label mappings or use

View File

@ -91,8 +91,10 @@ genfscon nfs / system_u:object_r:nfs_t
genfscon nfs4 / system_u:object_r:nfs_t
genfscon afs / system_u:object_r:nfs_t
# reiserfs - until xattr security support works properly
genfscon reiserfs / system_u:object_r:nfs_t
genfscon debugfs / system_u:object_r:debugfs_t
genfscon inotifyfs / system_u:object_r:inotifyfs_t
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t
genfscon mqueue / system_u:object_r:mqueue_t
# needs more work
genfscon eventpollfs / system_u:object_r:eventpollfs_t

View File

@ -35,7 +35,8 @@ r_dir_file($1_t, usercanread)
general_domain_access($1_t)
if (allow_execmem) {
# Allow loading DSOs that require executable stack.
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1_t self:process execmem;
}
@ -131,10 +132,6 @@ ifdef(`cardmgr.te', `
allow $1_t cardmgr_var_run_t:file { getattr read };
')
# Read and write /var/catman.
allow $1_t catman_t:dir rw_dir_perms;
allow $1_t catman_t:file create_file_perms;
# Modify mail spool file.
allow $1_t mail_spool_t:dir r_dir_perms;
allow $1_t mail_spool_t:file rw_file_perms;
@ -176,19 +173,38 @@ ifdef(`crontab.te', `crontab_domain($1)')
ifdef(`screen.te', `screen_domain($1)')
ifdef(`tvtime.te', `tvtime_domain($1)')
ifdef(`mozilla.te', `mozilla_domain($1)')
ifdef(`thunderbird.te', `thunderbird_domain($1)')
ifdef(`samba.te', `samba_domain($1)')
ifdef(`games.te', `games_domain($1)')
ifdef(`gpg.te', `gpg_domain($1)')
ifdef(`xauth.te', `xauth_domain($1)')
ifdef(`iceauth.te', `iceauth_domain($1)')
ifdef(`startx.te', `xserver_domain($1)')
ifdef(`lpr.te', `lpr_domain($1)')
ifdef(`ssh.te', `ssh_domain($1)')
ifdef(`irc.te', `irc_domain($1)')
ifdef(`using_spamassassin', `spamassassin_domain($1)')
ifdef(`pyzor.te', `pyzor_domain($1)')
ifdef(`razor.te', `razor_domain($1)')
ifdef(`uml.te', `uml_domain($1)')
ifdef(`cdrecord.te', `cdrecord_domain($1)')
ifdef(`mplayer.te', `mplayer_domains($1)')
fontconfig_domain($1)
# GNOME
ifdef(`gnome.te', `
gnome_domain($1)
ifdef(`games.te', `games_domain($1)')
ifdef(`gift.te', `gift_domains($1)')
ifdef(`evolution.te', `evolution_domains($1)')
ifdef(`ethereal.te', `ethereal_domain($1)')
')
# ICE communication channel
ice_domain($1, $1)
# ORBit communication channel (independent of GNOME)
orbit_domain($1, $1)
# Instantiate a derived domain for user cron jobs.
ifdef(`crond.te', `crond_domain($1)')
@ -213,7 +229,9 @@ dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
# Use the network.
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
can_ypbind($1_t)
can_winbind($1_t)
ifdef(`pamconsole.te', `
allow $1_t pam_var_console_t:dir search;
@ -321,13 +339,12 @@ allow $1_t mnt_t:dir { getattr search };
# Get attributes of file systems.
allow $1_t fs_type:filesystem getattr;
allow $1_t removable_t:filesystem getattr;
# Read and write /dev/tty and /dev/null.
allow $1_t devtty_t:chr_file rw_file_perms;
allow $1_t null_device_t:chr_file rw_file_perms;
allow $1_t zero_device_t:chr_file { rw_file_perms execute };
allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
#
# Added to allow reading of cdrom
#
@ -347,8 +364,11 @@ dontaudit $1_t wtmp_t:file write;
# Read the devpts root directory.
allow $1_t devpts_t:dir r_dir_perms;
allow $1_t src_t:dir r_dir_perms;
allow $1_t src_t:notdevfile_class_set r_file_perms;
r_dir_file($1_t, src_t)
# Allow user to read default_t files
# This is different from reading default_t content,
# because it also includes sockets, fifos, and links
if (read_default_t) {
allow $1_t default_t:dir r_dir_perms;
@ -368,8 +388,6 @@ dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
dontaudit $1_t self:socket create;
dontaudit $1_t sysctl_net_t:dir search;
dontaudit $1_t default_context_t:dir search;
ifdef(`rpcd.te', `
create_dir_file($1_t, nfsd_rw_t)
')

View File

@ -662,9 +662,9 @@ allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
#
define(`general_domain_access',`
# Access other processes in the same domain.
# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.
# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
# These must be granted separately if desired.
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;

View File

@ -60,7 +60,7 @@ allow $1 self:file { getattr read write };
# read_sysctl(domain)
#
# Permissions for reading sysctl variables.
# If the second parameter is 'full', allow
# If the second parameter is full, allow
# reading of any sysctl variables, else only
# sysctl_kernel_t.
#
@ -106,6 +106,7 @@ allow $1 ld_so_t:file rx_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
allow $1 texrel_shlib_t:file execmod;
allow $1 ld_so_cache_t:file r_file_perms;
allow $1 device_t:dir search;
allow $1 null_device_t:chr_file rw_file_perms;
@ -156,7 +157,6 @@ allow $1 lib_t:file r_file_perms;
r_dir_file($1, locale_t)
')
###################################
#
# access_terminal(domain, typeprefix)
@ -253,7 +253,7 @@ allow $1_t self:process { signal_perms fork };
uses_shlib($1_t)
allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;
allow $1_t { self proc_t }:lnk_file { getattr read };
allow $1_t device_t:dir r_dir_perms;
ifdef(`udev.te', `
@ -293,6 +293,8 @@ domain_auto_trans(init_t, $1_exec_t, $1_t)
# Define a daemon domain with a base set of type declarations
# and permissions that are common to most daemons.
# attribs is the list of attributes which must start with "," if it is not empty
# nosysadm may be given as an optional third parameter, to specify that the
# sysadmin should not transition to the domain when directly calling the executable
#
# Author: Russell Coker <russell@coker.com.au>
#
@ -353,6 +355,14 @@ file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
allow $1_t var_t:dir search;
allow $1_t $1_var_run_t:dir rw_dir_perms;
')
#######################
# daemon_domain(domain_prefix, attribs)
#
# see daemon_base_domain for calling details
# daemon_domain defines some additional privileges needed by many domains,
# like pid files and locale support
define(`daemon_domain', `
ifdef(`targeted_policy', `
daemon_base_domain($1, `$2, transitionbool', $3)
@ -396,8 +406,19 @@ type $2_exec_t, file_type, sysadmfile, exec_type;
role system_r types $2_t;
ifelse(index(`$3',`transitionbool'), -1, `
domain_auto_trans($1, $2_exec_t, $2_t)
', `
bool $2_disable_trans false;
if (! $2_disable_trans) {
domain_auto_trans($1, $2_exec_t, $2_t)
}
');
# Inherit and use descriptors from parent.
allow $2_t $1:fd use;
allow $2_t $1:process sigchld;
@ -422,16 +443,23 @@ ifelse($3, `',
`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
')
# grant access to /tmp. Do not perform an automatic transition.
define(`tmp_domain_notrans', `
type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
')
define(`tmpfs_domain', `
ifdef(`$1_tmpfs_t_defined',`', `
define(`$1_tmpfs_t_defined')
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
# Use this type when creating tmpfs/shm objects.
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
allow $1_tmpfs_t tmpfs_t:filesystem associate;
')
')
define(`var_lib_domain', `
type $1_var_lib_t, file_type, sysadmfile;
typealias $1_var_lib_t alias var_lib_$1_t;
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
allow $1_t $1_var_lib_t:dir rw_dir_perms;
')
@ -474,105 +502,6 @@ type $1_lock_t, file_type, sysadmfile, lockfile;
file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
')
####################################################################
# home_domain_ro_access(source, user, app)
#
# Gives source access to the read-only home
# domain of app for the given user type
#
define(`home_domain_ro_access', `
allow $1 home_root_t:dir search;
if (use_nfs_home_dirs) {
r_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file($1, cifs_t)
}
allow $1 autofs_t:dir { search getattr };
r_dir_file($1, $2_$3_ro_home_t)
') dnl home_domain_ro_access
####################################################################
# home_domain_access(source, user, app)
#
# Gives source full access to the home
# domain of app for the given user type
#
define(`home_domain_access', `
allow $1 home_root_t:dir search;
if (use_nfs_home_dirs) {
create_dir_file($1, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1, cifs_t)
}
allow $1 autofs_t:dir { search getattr };
file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t)
') dnl home_domain_access
####################################################################
# home_domain (prefix, app)
#
# Creates a domain in the prefix home where an application can
# store its settings. It's accessible by the prefix domain.
#
define(`home_domain', `
# Declare home domain
# FIXME: the second alias is problematic because
# home_domain and home_domain_ro cannot be used in parallel
# Remove the second alias when compatibility is no longer an issue
type $1_$2_home_t, file_type, $1_file_type, sysadmfile;
typealias $1_$2_home_t alias $1_$2_rw_t;
typealias $1_$2_home_t alias $1_home_$2_t;
# User side access
create_dir_file($1_t, $1_$2_home_t)
allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# App side access
home_domain_access($1_$2_t, $1, $2)
')
####################################################################
# home_domain_ro (user, app)
#
# Creates a read-only domain in the user home where an application can
# store its settings. It's fully accessible by the user, but
# it's read-only for the application.
#
define(`home_domain_ro', `
# Declare home domain
# FIXME: the second alias is problematic because
# home_domain and home_domain_ro cannot be used in parallel
# Remove the second alias when compatibility is no longer an issue
type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
typealias $1_$2_ro_home_t alias $1_$2_ro_t;
typealias $1_$2_ro_home_t alias $1_home_$2_t;
# User side access
create_dir_file($1_t, $1_$2_ro_home_t)
allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
# App side access
home_domain_ro_access($1_$2_t, $1, $2)
')
#######################
# application_domain(domain_prefix)
#
@ -589,12 +518,6 @@ domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
uses_shlib($1_t)
')
define(`user_application_domain', `
application_domain($1, `$2')
in_user_role($1_t)
domain_auto_trans(userdomain, $1_exec_t, $1_t)
')
define(`system_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
@ -603,23 +526,25 @@ uses_shlib($1_t)
allow $1_t etc_t:dir r_dir_perms;
')
# Do not flood message log, if the user does a browse
define(`file_browse_domain', `
# Dontaudit macros to prevent flooding the log
# Regular files/directories that are not security sensitive
define(`dontaudit_getattr', `
dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
dontaudit $1 file_type - secure_file_type:dir { read search };
dontaudit $1 unlabeled_t:dir_file_class_set getattr;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
')dnl end dontaudit_getattr
# /dev
dontaudit $1 dev_fs:dir_file_class_set getattr;
dontaudit $1 dev_fs:dir { read search };
# /proc
dontaudit $1 sysctl_t:dir_file_class_set getattr;
dontaudit $1 proc_fs:dir { read search };
')dnl end file_browse_domain
define(`dontaudit_search_dir', `
dontaudit $1 file_type - secure_file_type:dir search;
dontaudit $1 unlabeled_t:dir search;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
')dnl end dontaudit_search_dir
define(`dontaudit_read_dir', `
dontaudit $1 file_type - secure_file_type:dir read;
dontaudit $1 unlabeled_t:dir read;
dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
')dnl end dontaudit_read_dir
# Define legacy_domain for legacy binaries (java)
# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
@ -629,12 +554,46 @@ dontaudit $1 proc_fs:dir { read search };
# shlib_t and ld_so_t unlike non-legacy binaries.
define(`legacy_domain', `
allow $1_t self:process { execmem };
allow $1_t self:process { execmem execstack };
allow $1_t { texrel_shlib_t shlib_t }:file execmod;
allow $1_t ld_so_t:file execmod;
allow $1_t ld_so_cache_t:file execute;
')
# Allow domain to perform polyinstantiation functions
# polyinstantiater(domain)
define(`polyinstantiater', `
ifdef(`support_polyinstantiation', `
# Need to give access to /selinux/member
allow $1 security_t:security compute_member;
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { getattr mounton add_name create setattr write search };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir {getattr search };
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
# Need to give permission to create directories where applicable
allow $1 polymember: dir { create setattr };
allow $1 polydir: dir { write add_name };
allow $1 self:process setfscreate;
allow $1 polyparent:dir { write add_name };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
# Need sys_admin capability for mounting
allow $1 self:capability sys_admin;
')dnl end else support_polyinstantiation
')dnl end polyinstantiater
#
# Define a domain that can do anything, so that it is
# effectively unconfined by the SELinux policy. This
@ -679,6 +638,7 @@ can_sysctl($1)
allow $1 node_type:node *;
allow $1 netif_type:netif *;
allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
allow $1 port_type:tcp_socket name_connect;
# Bind to any network address.
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
@ -698,13 +658,24 @@ allow $1 domain:process ~{ transition dyntransition execmem };
allow $1 self:process transition;
if (allow_execmem) {
# Allow loading DSOs that require executable stack.
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
}
if (allow_execmem && allow_execstack) {
# Allow making the stack executable via mprotect.
allow $1 self:process execstack;
}
if (allow_execmod) {
# Allow text relocations on system shared libraries, e.g. libGL.
ifdef(`targeted_policy', `
allow $1 file_type:file execmod;
', `
allow $1 texrel_shlib_t:file execmod;
allow $1 home_type:file execmod;
')
}
# Create/access any System V IPC objects.
@ -737,3 +708,22 @@ allow $1 nscd_t:nscd *;
')
')dnl end unconfined_domain
define(`access_removable_media', `
can_exec($1, { removable_t noexattrfile } )
if (user_rw_noexattrfile) {
create_dir_file($1, noexattrfile)
create_dir_file($1, removable_t)
# Write floppies
allow $1 removable_device_t:blk_file rw_file_perms;
allow $1 usbtty_device_t:chr_file write;
} else {
r_dir_file($1, noexattrfile)
r_dir_file($1, removable_t)
allow $1 removable_device_t:blk_file r_file_perms;
}
allow $1 removable_t:filesystem getattr;
')

View File

@ -155,14 +155,23 @@ allow $1 mount_t:udp_socket rw_socket_perms;
')dnl end can_network definition
define(`can_resolve',`
ifdef(`use_dns',`
can_network_udp($1, `dns_port_t')
')
define(`can_portmap',`
can_network_client($1, `portmap_port_t')
allow $1 portmap_port_t:tcp_socket name_connect;
')
define(`can_ldap',`
ifdef(`slapd.te',`
can_network_client_tcp($1, `ldap_port_t')
')
allow $1 ldap_port_t:tcp_socket name_connect;
')
define(`can_winbind',`
ifdef(`winbind.te', `
allow $1 winbind_var_run_t:dir { getattr search };
allow $1 winbind_t:unix_stream_socket connectto;
allow $1 winbind_var_run_t:sock_file { getattr read write };
')
')

View File

@ -10,49 +10,80 @@
#
#
define(`games_domain', `
x_client_domain($1, `games', `, transitionbool')
type $1_games_t, domain, nscd_client_domain;
# Type transition
if (! disable_games_trans) {
domain_auto_trans($1_t, games_exec_t, $1_games_t)
}
can_exec($1_games_t, games_exec_t)
role $1_r types $1_games_t;
can_create_pty($1_games)
# X access, GNOME, /tmp files
x_client_domain($1_games, $1)
tmp_domain($1_games, `', { dir notdevfile_class_set })
gnome_application($1_games, $1)
gnome_file_dialog($1_games, $1)
# Games seem to need this
if (allow_execmem) {
allow $1_games_t self:process execmem;
}
allow $1_games_t texrel_shlib_t:file execmod;
allow $1_games_t var_t:dir { search getattr };
rw_dir_create_file($1_games_t, games_data_t)
allow $1_games_t sound_device_t:chr_file rw_file_perms;
r_dir_file($1_games_t, usr_t)
can_udp_send($1_games_t, $1_games_t)
can_tcp_connect($1_games_t, $1_games_t)
# Access /home/user/.gnome2
create_dir_file($1_games_t, $1_home_t)
allow $1_games_t $1_home_dir_t:dir search;
allow $1_games_t $1_home_t:dir { read getattr };
# FIXME: Change to use per app types
create_dir_file($1_games_t, $1_gnome_settings_t)
# FIXME: why is this necessary - ORBit?
# ORBit works differently now
create_dir_file($1_games_t, $1_tmp_t)
allow $1_games_t $1_tmp_t:sock_file create_file_perms;
can_unix_connect($1_t, $1_games_t)
can_unix_connect($1_games_t, $1_t)
dontaudit $1_games_t sysctl_t:dir search;
tmp_domain($1_games)
allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
ifdef(`xdm.te', `
allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
allow $1_games_t xdm_var_lib_t:file { getattr read };
')dnl end if xdm.te
can_unix_connect($1_t, $1_games_t)
can_unix_connect($1_games_t, $1_t)
allow $1_games_t var_lib_t:dir search;
r_dir_file($1_games_t, man_t)
allow $1_games_t proc_t:file { read getattr };
allow $1_games_t { proc_t self }:dir search;
allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
ifdef(`mozilla.te', `
dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
')
allow $1_games_t event_device_t:chr_file getattr;
allow $1_games_t mouse_device_t:chr_file getattr;
allow $1_games_t self:file { getattr read };
# kpat spews errors
dontaudit $1_games_t bin_t:dir getattr;
allow $1_games_t self:file { getattr read };
allow $1_games_t self:sem create_sem_perms;
allow $1_games_t { bin_t sbin_t }:dir { getattr search };
can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
allow $1_games_t bin_t:lnk_file read;
dontaudit $1_games_t var_run_t:dir search;
dontaudit $1_games_t initrc_var_run_t:file { read write };
dontaudit $1_games_t var_log_t:dir search;
can_network($1_games_t)
allow $1_games_t port_t:tcp_socket name_bind;
allow $1_games_t port_t:tcp_socket name_connect;
# Suppress .icons denial until properly implemented
dontaudit $1_games_t $1_home_t:dir read;
')dnl end macro definition

View File

@ -12,49 +12,34 @@
define(`gift_domain', `
# Connect to X
x_client_domain($1, gift, `')
# Transition
# Type transition
type $1_gift_t, domain, nscd_client_domain;
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
can_exec($1_gift_t, gift_exec_t)
role $1_r types $1_gift_t;
# Self permissions
allow $1_gift_t self:process getsched;
# Home files
# X access, Home files, GNOME, /tmp
x_client_domain($1_gift, $1)
gnome_application($1_gift, $1)
home_domain($1, gift)
file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
# Fonts, icons
r_dir_file($1_gift_t, usr_t)
r_dir_file($1_gift_t, fonts_t)
# Allow the user domain to signal/ps.
can_ps($1_t, $1_gift_t)
allow $1_t $1_gift_t:process signal_perms;
# Launch gift daemon
allow $1_gift_t self:process fork;
allow $1_gift_t bin_t:dir search;
domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
# Connect to gift daemon
can_network($1_gift_t)
can_network_client_tcp($1_gift_t, giftd_port_t)
allow $1_gift_t giftd_port_t:tcp_socket name_connect;
# Read /proc/meminfo
allow $1_gift_t proc_t:dir search;
allow $1_gift_t proc_t:file { getattr read };
# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;
# Access random device
allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };
# giftui looks in .icons, .themes, .fonts-cache.
# giftui looks in .icons, .themes.
dontaudit $1_gift_t $1_home_t:dir { getattr read search };
dontaudit $1_gift_t $1_home_t:file { getattr read };
@ -79,26 +64,34 @@ allow $1_giftd_t self:unix_stream_socket create_socket_perms;
read_sysctl($1_giftd_t)
read_locale($1_giftd_t)
uses_shlib($1_giftd_t)
access_terminal($1_giftd_t, $1)
# Read /proc/meminfo
allow $1_giftd_t proc_t:dir search;
allow $1_giftd_t proc_t:file { getattr read };
# Read /etc/mtab
allow $1_giftd_t etc_runtime_t:file { getattr read };
# Access home domain
home_domain_access($1_giftd_t, $1, gift)
file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
# Allow networking
allow $1_giftd_t port_t:tcp_socket name_bind;
allow $1_giftd_t port_t:udp_socket name_bind;
# Serve content on various p2p networks. Ports can be random.
can_network_server($1_giftd_t)
can_network_client($1_giftd_t)
allow $1_giftd_t self:udp_socket listen;
allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
# FIXME: ???
dontaudit $1_giftd_t self:udp_socket listen;
# Connect to various p2p networks. Ports can be random.
can_network_client($1_giftd_t)
allow $1_giftd_t port_type:tcp_socket name_connect;
# Plugins
r_dir_file($1_giftd_t, usr_t)
# Connect to xdm
ifdef(`xdm.te', `
allow $1_giftd_t xdm_t:fd use;
allow $1_giftd_t xdm_t:fifo_file write;
can_pipe_xdm($1_giftd_t)
')
') dnl giftd_domain

View File

@ -76,8 +76,7 @@ allow $1_userhelper_t devpts_t:dir r_dir_perms;
allow $1_userhelper_t etc_t:file r_file_perms;
# Read /var.
allow $1_userhelper_t var_t:dir r_dir_perms;
allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms;
r_dir_file($1_userhelper_t, var_t)
# Read /dev directories and any symbolic links.
allow $1_userhelper_t device_t:dir r_dir_perms;
@ -97,7 +96,7 @@ can_getsecurity($1_userhelper_t)
allow $1_userhelper_t fs_t:filesystem getattr;
# for some PAM modules and for cwd
dontaudit $1_userhelper_t { home_root_t home_type }:dir search;
allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
allow $1_userhelper_t proc_t:dir search;
allow $1_userhelper_t proc_t:file { getattr read };
@ -120,8 +119,7 @@ role system_r types $1_userhelper_t;
r_dir_file($1_userhelper_t, nfs_t)
ifdef(`xdm.te', `
allow $1_userhelper_t xdm_t:fd use;
allow $1_userhelper_t xdm_t:fifo_file rw_file_perms;
can_pipe_xdm($1_userhelper_t)
allow $1_userhelper_t xdm_var_run_t:dir search;
')

View File

@ -1,10 +1,12 @@
define(`uncond_can_ypbind', `
dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
can_network($1)
r_dir_file($1,var_yp_t)
allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
dontaudit $1 self:capability net_bind_service;
dontaudit $1 reserved_port_type:tcp_socket name_connect;
dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
')
define(`can_ypbind', `

View File

@ -5,7 +5,7 @@
# appropriate ifdefs.
define(`distro_redhat')
dnl define(`distro_redhat')
dnl define(`distro_suse')

View File

@ -1,27 +1,27 @@
# Allow users to execute the mount command
define(`user_can_mount')
# Allow rpm to run unconfined.
#define(`unlimitedRPM')
dnl define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
#define(`unlimitedUtils')
dnl define(`unlimitedUtils')
# Allow rc scripts to run unconfined, including any daemon
# started by an rc script that does not have a domain transition
# explicitly defined.
#define(`unlimitedRC')
dnl define(`unlimitedRC')
# Allow sysadm_t to directly start daemons
define(`direct_sysadm_daemon')
# Do not allow sysadm_t to be in the security manager domain
dnl define(`separate_secadm')
# Do not audit things that we know to be broken but which
# are not security risks
define(`hide_broken_symptoms')
dnl define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
define(`user_canbe_sysadm')
dnl define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
@ -29,3 +29,6 @@ dnl define(`unlimitedInetd')
# for ndc_t to be used for restart shell scripts
dnl define(`ndc_shell_script')
# Enable Polyinstantiation support
dnl define(`support_polyinstatiation')

View File

@ -13,7 +13,7 @@
# The nfs_*_t types are used for specific NFS
# servers in net_contexts or net_contexts.mls.
#
type nfs_t, fs_type;
type nfs_t, mount_point, fs_type;
#
# Allow NFS files to be associated with an NFS file system.

View File

@ -14,7 +14,7 @@
# proc_mdstat_t is the type of /proc/mdstat.
# proc_net_t is the type of /proc/net.
#
type proc_t, fs_type, proc_fs;
type proc_t, fs_type, mount_point, proc_fs;
type proc_kmsg_t, proc_fs;
type proc_kcore_t, proc_fs;
type proc_mdstat_t, proc_fs;
@ -35,7 +35,7 @@ type proc_net_t, proc_fs;
# These types are applied to both the entries in
# /proc/sys and the corresponding sysctl parameters.
#
type sysctl_t, sysctl_type;
type sysctl_t, mount_point, sysctl_type;
type sysctl_fs_t, sysctl_type;
type sysctl_kernel_t, sysctl_type;
type sysctl_modprobe_t, sysctl_type;